CN114172930B - Large-scale Internet of things service domain isolated communication method and device, electronic equipment and storage medium - Google Patents

Abstract

Translated fromChinese

本申请属于计算机网络技术领域，涉及一种大规模物联网服务域隔离通信方法、装置、电子设备及存储介质。本方法引入基于身份的访问控制实现物联网服务域初始状态下拓扑和性能上的逻辑隔离；同时结合密钥管理服务，对服务域的数据通信服务进行隐私保护，确保物联网服务域“端‑网‑云”数据全生命期逻辑隔离，包括拓扑、性能、服务三方面隔离。首先，在物联网终端的接入网位置，采用接入网真实源地址验证技术以及基于网络地址的真实身份机制，建立终端身份标识；在管理域内通过软件定义网络切片机制，为不同服务域划分分片并分配资源，实现不同服务域的拓扑和性能隔离；最后，基于访问控制机制实现服务隔离，并使用对称密钥交换实现数据加密。

The application belongs to the technical field of computer networks, and relates to a large-scale Internet of Things service domain isolation communication method, device, electronic equipment, and storage medium. This method introduces identity-based access control to realize the logical isolation of topology and performance in the initial state of the Internet of Things service domain; at the same time, combined with the key management service, the data communication service of the service domain is protected to ensure that the Internet of Things service domain is "end-to-end". Network-Cloud" data life-cycle logical isolation, including topology, performance, and service isolation. First of all, at the access network location of the IoT terminal, the real source address verification technology of the access network and the real identity mechanism based on the network address are used to establish the terminal identity; in the management domain, the software-defined network slicing mechanism is used to divide different service domains. Fragment and allocate resources to realize topology and performance isolation of different service domains; finally, implement service isolation based on access control mechanism, and use symmetric key exchange to implement data encryption.

Description

Translated fromChinese

一种大规模物联网服务域隔离通信方法、装置、电子设备及存储介质A large-scale Internet of Things service domain isolation communication method, device, electronic equipment, and storage medium

技术领域technical field

本申请属于计算机网络技术领域，具体而言，涉及一种大规模物联网服务域隔离通信 方法、装置、电子设备及存储介质。The application belongs to the technical field of computer networks, and in particular, relates to a large-scale Internet of Things service domain isolation communication method, device, electronic equipment, and storage medium.

背景技术Background technique

随着计算技术和网络技术的飞速发展和广泛应用，万物互联为社会和经济带来巨大便 利和发展的同时，其庞大的用户资源、设备数量和自身的脆弱性也成为安全攻击的首选目 标。如何在开放共享的网络中采用有效的技术手段确保物联网各服务域在初始状态下彼此 隔离，以保护不同服务域通信过程中的数据安全和隐私，成为物联网安全研究需要解决的 重要问题。With the rapid development and wide application of computing technology and network technology, while the Internet of Everything has brought great convenience and development to society and the economy, its huge user resources, number of devices and its own vulnerability have also become the first choice for security attacks . How to adopt effective technical means in an open and shared network to ensure that the service domains of the Internet of Things are isolated from each other in the initial state, so as to protect the data security and privacy in the communication process of different service domains, has become an important issue to be solved in the security research of the Internet of Things.

逻辑隔离是解决大型分布式系统中，不同服务域之间核心数据隐私保护和访问控制问 题的一种通用手段，它确保不同隔离区域的资源不能相互任意访问，仅可在可控条件下进 行必要的数据交换。随着SDN技术的普及，基于SDN的网络切片成为了实现逻辑隔离的主 要技术之一。网络切片是一种虚拟化的端到端逻辑网络，它与虚拟化技术紧密相连，可在 同一物理网络中提供一种或多种服务承载网，是网络共享和虚拟化管理的一种高效方式。 然而，仅仅基于SDN的网络切片无法有效抵抗IP地址伪造攻击，且无法有效支撑服务隔离。Logical isolation is a common means to solve the core data privacy protection and access control issues between different service domains in large-scale distributed systems. perform the necessary data exchange. With the popularization of SDN technology, SDN-based network slicing has become one of the main technologies for logical isolation. Network slicing is a virtualized end-to-end logical network, which is closely connected with virtualization technology and can provide one or more service bearer networks in the same physical network. It is an efficient way of network sharing and virtualization management . However, only SDN-based network slicing cannot effectively resist IP address forgery attacks, and cannot effectively support service isolation.

安全高效的网络切片和面向服务的认证框架(Efficient，Secure network-Sliced and Service-oriented Authentication framework，ES3A)是在基于SDN的网络切片基础上， 针对不同物联网服务的需求，设计面向服务的高效认证协议，并在此基础上采用组密钥协 商技术，通过组密钥实现服务内部的数据加密。在抵抗IP地址伪造上，ES3A依靠服务层 面认证技术确保伪造IP地址依然无法非法访问服务；然而，服务层面对IP伪造攻击的抵 抗无法有效支撑基于SDN网络切片的逻辑隔离机制，因为伪造IP的数据包仍然可以绕过 切片机制到达目的端，消耗网络切片资源，因此无法避免DDoS等网络层面的流量攻击。Secure and efficient network slicing and service-oriented authentication framework (Efficient, Secure network-Sliced and Service-oriented Authentication framework, ES3A) is based on SDN-based network slicing, and designs service-oriented efficient Authentication protocol, and on this basis, group key negotiation technology is used to realize data encryption inside the service through group keys. In resisting IP address forgery, ES3A relies on service-level authentication technology to ensure that forged IP addresses cannot illegally access services; however, the service-level resistance to IP forgery attacks cannot effectively support the logical isolation mechanism based on SDN network slicing, because forged IP The data packets can still bypass the slicing mechanism to reach the destination, consuming network slicing resources, so traffic attacks at the network level such as DDoS cannot be avoided.

可扩展的虚拟局域网(Scalable Virtual Local Area Networking，SVLAN)是针对 Vxlan技术存在的安全问题进行的改进。由于Vxlan技术无法抵抗针对数据包头部进行篡 改、伪造的攻击，因此SVLAN在发送数据包之前引入了授权请求过程，转发的数据包则携带授权证明，中间转发节点可以担任验证者进行验证，若验证失败则认为数据包头部被伪造，然后进行过滤。SVLAN从网络层面对源IP伪造的数据包进行过滤，可以有效缓解DDoS 问题，因为未经过授权的IP所发出的数据包以及篡改源IP的数据包都会在转发过程中被 过滤。SVLAN技术采用分片路由等技术，主要部署在数据中心网络，无法有效适用于物联 网领域，实现“端-网-云”全生命周期隔离。Scalable Virtual Local Area Networking (SVLAN) is an improvement for the security problems of Vxlan technology. Since Vxlan technology cannot resist tampering and forgery attacks on the header of the data packet, SVLAN introduces an authorization request process before sending the data packet, and the forwarded data packet carries the authorization certificate, and the intermediate forwarding node can act as a verifier for verification. If the verification fails, it is considered that the header of the data packet is forged, and then it is filtered. SVLAN filters the source IP forged data packets from the network level, which can effectively alleviate the DDoS problem, because the data packets sent by the unauthorized IP and the data packets that tamper with the source IP will be filtered during the forwarding process. SVLAN technology adopts slice routing and other technologies, which are mainly deployed in data center networks, and cannot be effectively applied to the field of Internet of Things to achieve "device-network-cloud" full life cycle isolation.

发明内容Contents of the invention

有鉴于此，本公开提出了一种大规模物联网服务域隔离通信方法、装置、电子设备及 存储介质，以解决修改技术中的技术问题。In view of this, the present disclosure proposes a large-scale Internet of Things service domain isolation communication method, device, electronic equipment, and storage medium to solve technical problems in the modification technology.

根据本公开的第一方面，提出大规模物联网服务域隔离通信方法，包括：According to the first aspect of the present disclosure, a large-scale Internet of Things service domain isolation communication method is proposed, including:

将物联网中用户终端的IPv6地址、用户终端的MAC地址和相应交换机进行相互绑定；Bind the IPv6 address of the user terminal in the Internet of Things, the MAC address of the user terminal and the corresponding switch to each other;

根据物联网中用户终端的IPv6地址中用户终端的真实身份，在通信前对物联网的通信 进行分配；According to the real identity of the user terminal in the IPv6 address of the user terminal in the Internet of Things, the communication of the Internet of Things is allocated before communication;

根据大规模物联网服务域的资源使用状态，对不同数据流带宽进行分配；According to the resource usage status of the large-scale Internet of Things service domain, the bandwidth of different data streams is allocated;

根据用户终端的真实身份对访问目的进行切分，使得非授权用户不能访问权限外的服 务资源；Segment the access purpose according to the real identity of the user terminal, so that unauthorized users cannot access service resources beyond their authority;

同一服务域内的各用户终端，采用密钥交换算法，实现加密通信。Each user terminal in the same service domain adopts a key exchange algorithm to realize encrypted communication.

本公开提出大规模物联网服务域隔离通信方法，在各管理域配置分布式服务域中心， 包括真实身份管理、资源隔离、性能管理、访问控制和加密管理模块。需要说明的是，管理域是一个物理概念，相对固定，如一个智慧小区，智慧校园；而服务域是一个逻辑概念，根据服务应用场景动态变化，如位于小区的某个用户，可以加入智慧校园服务域，控制位于校园的某个摄像头。强逻辑隔离机制的目的，是在万物互联的场景下，为动态建立的服务域提供动态可控的隔离策略。本公开方法首先基于真实地址建立分布式身份管理及认证平台，确保各服务域节点身份的真实性；然后在真实身份机制的基础上，结合软件定义技术和虚拟网络切片技术为不同服务域动态分配链路带宽、计算、存储等资源，确保逻辑上相互独立的虚拟网络资源供各个服务域的切片网络使用；然后建立服务访问控制和通信数据加密机制，确保跨服务域通信完全隔离。This disclosure proposes a large-scale Internet of Things service domain isolation communication method, and configures a distributed service domain center in each management domain, including real identity management, resource isolation, performance management, access control and encryption management modules. It should be noted that the management domain is a physical concept that is relatively fixed, such as a smart community or smart campus; while the service domain is a logical concept that changes dynamically according to the service application scenario. For example, a user located in the community can join the smart campus The service domain controls a camera located on the campus. The purpose of the strong logical isolation mechanism is to provide a dynamically controllable isolation strategy for dynamically established service domains in the context of the Internet of Everything. The disclosed method first establishes a distributed identity management and authentication platform based on the real address to ensure the authenticity of the identity of each service domain node; then, on the basis of the real identity mechanism, it combines software-defined technology and virtual network slicing technology to dynamically allocate different service domains. Link bandwidth, computing, storage and other resources ensure that logically independent virtual network resources are used by slice networks in each service domain; then establish service access control and communication data encryption mechanisms to ensure complete isolation of cross-service domain communications.

可选地，所述将物联网中用户终端的IPv6地址、用户终端的MAC地址和相应交换机进 行相互绑定，包括：Optionally, binding the IPv6 address of the user terminal in the Internet of Things, the MAC address of the user terminal and the corresponding switch to each other includes:

(1)将物联网中用户终端的IPv6地址分布式存储到大规模物联网的各服务域中心；(1) Distributed storage of IPv6 addresses of user terminals in the Internet of Things to each service domain center of the large-scale Internet of Things;

(2)各服务域中心根据物联网中接入网内用户终端的真实源地址，对服务域接入网内 用户终端的身份进行验证；(2) Each service domain center verifies the identity of the user terminal in the service domain access network according to the real source address of the user terminal in the access network in the Internet of Things;

(3)在用户终端的IPv6地址后64位嵌入用户终端身份的标识信息。(3) The identification information of the identity of the user terminal is embedded in the last 64 bits of the IPv6 address of the user terminal.

(4)将物联网中用户终端的IPv6地址、用户终端的MAC地址和相应交换机进行相互绑定。(4) Binding the IPv6 address of the user terminal in the Internet of Things, the MAC address of the user terminal and the corresponding switch to each other.

可选地，所述根据物联网中用户终端的IPv6地址中用户终端的真实身份，对物联网的 通信进行分配，包括：Optionally, according to the real identity of the user terminal in the IPv6 address of the user terminal in the Internet of Things, the communication of the Internet of Things is allocated, including:

(1)在通信前，用户终端向所属大规模物联网的服务域中心发送通信请求，通信请求 中包含用户终端的IP地址和目标用户终端的IP地址；(1) Before communication, the user terminal sends a communication request to the service domain center of the large-scale Internet of Things to which it belongs, and the communication request includes the IP address of the user terminal and the IP address of the target user terminal;

(2)所述物联网各服务域中心对所述用户终端的IP地址和所述通信目标的IP地址进 行判断，若所述用户终端的IP地址和所述通信目标的IP地址在同一服务域，则向与所述用户终端连接的交换机发送一个允许通信指令，若所述用户终端的IP地址和所述通信目标的IP地址不在同一服务域，则直接向所述用户终端发送拒绝指令。(2) Each service domain center of the Internet of Things judges the IP address of the user terminal and the IP address of the communication target, if the IP address of the user terminal and the IP address of the communication target are in the same service If the IP address of the user terminal and the IP address of the communication target are not in the same service domain, then directly send a denial instruction to the user terminal.

可选地，所述根据大规模物联网服务域的资源使用状态，对不同数据流带宽进行分配， 包括：Optionally, the allocation of different data flow bandwidths according to the resource usage status of the large-scale Internet of Things service domain includes:

(1)大规模物联网的各服务域的中心建立本服务域的标识符ID与本服务域分别在多 个交换机上的带宽信息映射关系，所述带宽信息包括服务域的总带宽和现有带宽；(1) The center of each service domain of the large-scale Internet of Things establishes the mapping relationship between the identifier ID of the service domain and the bandwidth information of the service domain on multiple switches respectively, and the bandwidth information includes the total bandwidth of the service domain and the existing bandwidth;

(2)当用户终端发送通信请求时，服务域中心根据标识符ID，对与该发送通信请求用户终端相连接的交换机的带宽信息进行判断，若该服务域的现有带宽大于或等于所述交换机上的带宽，则服务域中心进行带宽分配，并向该发送通信请求用户终端相连接的交换机端口发送带宽分配结果，若该服务域的现有带宽小于所述交换机上的带宽，则直接向该发送通信请求用户终端发送拒绝通信指令。(2) When the user terminal sends a communication request, the service domain center judges the bandwidth information of the switch connected to the user terminal that sends the communication request according to the identifier ID, if the existing bandwidth of the service domain is greater than or equal to the bandwidth on the switch, the service domain center performs bandwidth allocation, and sends the bandwidth allocation result to the switch port connected to the user terminal that sends the communication request. If the existing bandwidth of the service domain is less than the bandwidth on the switch, then directly to the The sending communication requests the user terminal to send a communication rejection instruction.

可选地，所述根据用户终端的真实身份对访问目的进行切分，使得非授权用户不能访 问权限外的服务资源，包括：Optionally, the segmentation of the access purpose according to the real identity of the user terminal, so that unauthorized users cannot access service resources outside the authority, includes:

(1)所述服务域中心根据用户终端的真实身份，分别设定各用户终端的访问权限和相 应访问标记；(1) The service domain center sets the access rights and corresponding access marks of each user terminal respectively according to the true identity of the user terminal;

(2)当用户终端向服务域中心发送通信请求时，服务域中心根据用户终端的访问权限， 对用户终端请求访问的合法性进行判断，若该用户终端具有访问权限，则向被访问目标发 送该用户终端的访问标记，若该用户终端不具有访问权限，则直接向该用户终端发送拒绝 指令。(2) When the user terminal sends a communication request to the service domain center, the service domain center judges the legitimacy of the user terminal's request for access according to the access authority of the user terminal, and if the user terminal has access authority, it sends a communication request to the accessed target. Send the access mark of this user terminal, if this user terminal does not have access authority, then directly send to this user terminal the denial instruction.

可选地，所述同一服务域内的各用户终端，采用密钥交换方法，实现加密通信，包括：Optionally, each user terminal in the same service domain adopts a key exchange method to realize encrypted communication, including:

(1)所述服务域中心为同一服务域内的各用户终端生成一对公钥和私钥，并将所述公 钥发送到本服务域的所有用户终端，所述私钥根据用户终端的真实身份发送到相应用户终 端；(1) The service domain center generates a pair of public key and private key for each user terminal in the same service domain, and sends the public key to all user terminals in the service domain. The identity is sent to the corresponding user terminal;

(2)发起通信请求的用户终端根据所述目标用户终端的IP地址，利用所述目标用户 终端的公钥对目标用户终端的IP地址进行加密，得到一个加密后的密文，即auth_S＝Encrypt(IP_D)；(2) The user terminal that initiates a communication request utilizes the public key of the target user terminal to encrypt the IP address of the target user terminal according to the IP address of the target user terminal, and obtains an encrypted ciphertext, i.e. auth_S = Encrypt(IP_D );

(3)发起通信请求的用户终端根据目标用户终端的IP地址、发起通信请求的用户终 端的IP地址和发起通信请求的时间戳，计算得到一个哈希值K_S：(3) The user terminal that initiates the communication request calculates a hash value K_S according to the IP address of the target user terminal, the IP address of the user terminal that initiates the communication request, and the time stamp that initiates the communication request:

K_S＝H(IP_D||IP_S||T_STAMP)，K_S ＝H(IP_D ||IP_S ||T_STAMP ),

其中，||表示字符串串接，IP_D表示目标用户终端地址，IP_S表示发起通信请求的用户 终端地址，T_STAMP表示时间戳；H()表示一种哈希算法；Wherein, || represents string concatenation, IP_D represents the target user terminal address,_IPS represents the user terminal address that initiates the communication request, T_STAMP represents the timestamp; H() represents a hash algorithm;

(4)发起通信请求的用户终端将所述哈希值K_S的前128位作为本次通信的第一对称密 钥K，并使用目标用户终端的公钥对密钥K进行加密，得到一个密文R_S，R_S＝Encrypt(K)；(4) The user terminal that initiates the communication request uses the first 128 bits of the hash value K_S as the first symmetric key K for this communication, and uses the public key of the target user terminal to encrypt the key K to obtain a Ciphertext R_S , R_S =Encrypt(K);

(5)发起通信请求的用户终端向目标用户终端发送密文R_S和密文auth_S；(5) The user terminal that initiates the communication request sends the ciphertext_RS and the ciphertext auth_S to the target user terminal;

(6)目标用户终端利用本终端的私钥，对密文auth_S进行解密，得到目标用户终端的 待认证IP地址，将该待认证IP地址与目标用户终端的IP地址进行比较，若待认证IP地址与目标用户终端的IP地址不相同，则直接向发起通信请求的用户终端发送拒绝指令， 若待认证IP地址与目标用户终端的IP地址相同，则认证成功，并对所述密文R_S进行解密， 得到一个第二对称密钥K′；(6) The target user terminal uses the private key of the terminal to decrypt the ciphertext auth_S to obtain the IP address to be authenticated of the target user terminal, compare the IP address to be authenticated with the IP address of the target user terminal, if the IP address to be authenticated is If the IP address is different from the IP address of the target user terminal, a rejection instruction is sent directly to the user terminal that initiated the communication request. If the IP address to be authenticated is identical to the IP address of the target user terminal, the authentication is successful, and the ciphertext R_S decrypts to obtain a second symmetric key K';

(7)目标用户终端利用第二对称密钥K′对发起通信请求的用户终端的IP地址进行加 密，得到一个密文auth_D，auth_D＝Encrypt_K′(IP_S)；(7) the target user terminal utilizes the second symmetric key K ' to encrypt the IP address of the user terminal that initiates the communication request, and obtains a ciphertext auth_D , auth_D =Encrypt_K '(_IPS );

(8)目标用户终端向发起通信请求的用户终端发送所述密文auth_D；(8) The target user terminal sends the ciphertext auth_D to the user terminal that initiates the communication request;

(9)发起通信请求的用户终端使用第一对称K对所述密文auth_D进行解密，若得不到 发起通信请求的用户终端的IP地址，则密钥交换失败，若得到发起通信请求的用户终端的IP地址，则密钥交换成功，将第一密钥K作为对称密钥用于本次数据加密通信。(9) The user terminal that initiates the communication request uses the first symmetric K to decrypt the ciphertext auth_D , if the IP address of the user terminal that initiates the communication request cannot be obtained, then the key exchange fails, if the IP address of the user terminal that initiates the communication request is obtained, IP address of the user terminal, the key exchange is successful, and the first key K is used as the symmetric key for this encrypted data communication.

根据本公开的第二方面，提出了大规模物联网服务域隔离通信装置，包括：According to the second aspect of the present disclosure, a large-scale Internet of Things service domain isolation communication device is proposed, including:

地址绑定模块，用于将物联网中用户终端的IPv6地址、用户终端的MAC地址和相应交 换机进行相互绑定；The address binding module is used to bind the IPv6 address of the user terminal in the Internet of Things, the MAC address of the user terminal and the corresponding switch;

通信分配模块，用于根据物联网中用户终端的IPv6地址中用户终端的真实身份，在通 信前对物联网的通信进行分配；The communication allocation module is used to allocate the communication of the Internet of Things before communication according to the real identity of the user terminal in the IPv6 address of the user terminal in the Internet of Things;

带宽分配模块，用于根据大规模物联网服务域的资源使用状态，对不同数据流带宽进 行分配；The bandwidth allocation module is used to allocate different data flow bandwidths according to the resource usage status of the large-scale Internet of Things service domain;

资源切分模块，用于根据用户终端的真实身份对访问目的进行切分，使得非授权用户 不能访问权限外的服务资源；The resource segmentation module is used to segment the access purpose according to the real identity of the user terminal, so that unauthorized users cannot access service resources outside the authority;

通信模块，用于同一服务域内的各用户终端，采用密钥交换算法，实现加密通信。The communication module is used for each user terminal in the same service domain, and adopts a key exchange algorithm to realize encrypted communication.

根据本公开的第三方面，提出一种电子设备，包括：According to a third aspect of the present disclosure, an electronic device is proposed, including:

存储器，用于存储计算机可执行的指令；memory for storing computer-executable instructions;

处理器，所述处理器被配置执行：a processor configured to perform:

将物联网中用户终端的IPv6地址、用户终端的MAC地址和相应交换机进行相互绑定；Bind the IPv6 address of the user terminal in the Internet of Things, the MAC address of the user terminal and the corresponding switch to each other;

根据物联网中用户终端的IPv6地址中用户终端的真实身份，在通信前对物联网的通信 进行分配；According to the real identity of the user terminal in the IPv6 address of the user terminal in the Internet of Things, the communication of the Internet of Things is allocated before communication;

根据大规模物联网服务域的资源使用状态，对不同数据流带宽进行分配；According to the resource usage status of the large-scale Internet of Things service domain, the bandwidth of different data streams is allocated;

根据用户终端的真实身份对访问目的进行切分，使得非授权用户不能访问权限外的服 务资源；Segment the access purpose according to the real identity of the user terminal, so that unauthorized users cannot access service resources beyond their authority;

同一服务域内的各用户终端，采用密钥交换算法，实现加密通信。Each user terminal in the same service domain adopts a key exchange algorithm to realize encrypted communication.

根据本公开的第四方面，提出了计算机可读存储介质，其上存储有计算机程序，所述 计算机程序用于使所述计算机执行：According to a fourth aspect of the present disclosure, a computer-readable storage medium is provided, on which a computer program is stored, the computer program is used to cause the computer to perform:

将物联网中用户终端的IPv6地址、用户终端的MAC地址和相应交换机进行相互绑定；Bind the IPv6 address of the user terminal in the Internet of Things, the MAC address of the user terminal and the corresponding switch to each other;

根据物联网中用户终端的IPv6地址中用户终端的真实身份，在通信前对物联网的通信 进行分配；According to the real identity of the user terminal in the IPv6 address of the user terminal in the Internet of Things, the communication of the Internet of Things is allocated before communication;

根据大规模物联网服务域的资源使用状态，对不同数据流带宽进行分配；According to the resource usage status of the large-scale Internet of Things service domain, the bandwidth of different data streams is allocated;

根据用户终端的真实身份对访问目的进行切分，使得非授权用户不能访问权限外的服 务资源；Segment the access purpose according to the real identity of the user terminal, so that unauthorized users cannot access service resources beyond their authority;

同一服务域内的各用户终端，采用密钥交换算法，实现加密通信。Each user terminal in the same service domain adopts a key exchange algorithm to realize encrypted communication.

本公开针对大规模物联网跨服务域应用，提供一种“端-网-云”全生命周期服务域间 强逻辑隔离策略，兼顾效率和鲁棒性。用源地址验证框架SAVA的真实源地址验证技术从网络层面实现子网和网间真实源地址认证，解决源地址伪造问题；然后结合基于SDN的网络切片、密钥管理技术实现拓扑隔离、性能隔离和服务隔离，从而实现强逻辑隔离，提高 网络的安全性。This disclosure provides a "device-network-cloud" full life cycle service domain strong logical isolation strategy for large-scale Internet of Things cross-service domain applications, taking into account efficiency and robustness. Use the real source address verification technology of the source address verification framework SAVA to realize the subnet and inter-network real source address verification from the network level, and solve the problem of source address forgery; then combine the SDN-based network slicing and key management technology to realize topology isolation and performance isolation It is isolated from services to achieve strong logic isolation and improve network security.

与已有技术相比，本公开的实施例具有以下优点：Compared with the prior art, the embodiments of the present disclosure have the following advantages:

1、从物联网节点接入、网络传输到应用服务，基于SDN的网络切片、密钥管理技术、访问控制等技术，实现物联网服务域拓扑、性能和服务三方面隔离，最终实现物联网数据全生命周期的强逻辑隔离。1. From Internet of Things node access, network transmission to application services, based on SDN network slicing, key management technology, access control and other technologies, the isolation of Internet of Things service domain topology, performance and service is realized, and finally the Internet of Things data Strong logical isolation of the whole life cycle.

2、采用真实源地址认证技术，从网络层面解决源地址伪造问题，防止通过篡改IP地 址绕过逻辑隔离机制的同时，有效预防针对网络的DDoS流量攻击。2. Adopt the real source address authentication technology to solve the problem of source address forgery from the network level, prevent the bypassing of the logical isolation mechanism by tampering with the IP address, and effectively prevent DDoS traffic attacks against the network.

本公开附加的方面和优点将在下面的描述中部分给出，部分将从下面的描述中变得明 显，或通过本发明的实践了解到。Additional aspects and advantages of the present disclosure will be set forth in part in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention.

附图说明Description of drawings

为了更清楚的说明本发明实施例或现有技术中的技术方案，下面将对实施例或现有技 术描述中所需要使用的附图作简单地介绍。显然，下面描述中的附图仅仅是本发明的一些 实施例，对于本领域普通技术人员来说，在不付出创造性劳动的前提下，还可以根据这些 附图获得其他的附图。In order to more clearly illustrate the technical solutions in the embodiments of the present invention or the prior art, the following will briefly introduce the accompanying drawings that need to be used in the description of the embodiments or the prior art. Apparently, the accompanying drawings in the following description are only some embodiments of the present invention, and those of ordinary skill in the art can also obtain other accompanying drawings according to these drawings without creative work.

图1是根据本公开的一个实施例示出的大规模物联网服务域中心与用户终端设备、交 换机连接示意图。Fig. 1 is a schematic diagram showing the connection between a large-scale Internet of Things service domain center, a user terminal device, and a switch according to an embodiment of the present disclosure.

图2是根据本公开的一个实施例示出的网关代理申请节点真实地址及维护示意图。Fig. 2 is a schematic diagram showing a gateway agent to apply for a real address of a node and maintain it according to an embodiment of the present disclosure.

图3是根据本公开的一个实施例示出的服务域中心实现资源隔离示意图。Fig. 3 is a schematic diagram showing resource isolation implemented by a service domain center according to an embodiment of the present disclosure.

图4是根据本公开的一个实施例示出的服务域中心为用户终端分配带宽示意图。Fig. 4 is a schematic diagram showing a service domain center allocating bandwidth to a user terminal according to an embodiment of the present disclosure.

图5是根据本公开的一个实施例示出的服务域中心为目标用户终端下发访问控制授 权代码示意图。Fig. 5 is a schematic diagram showing an access control authorization code delivered by a service domain center to a target user terminal according to an embodiment of the present disclosure.

图6是根据本公开的一个实施例示出的用户终端之间完成通信密钥交换示意图。Fig. 6 is a schematic diagram showing completion of communication key exchange between user terminals according to an embodiment of the present disclosure.

图7是根据本公开的一个实施例示出的一种大规模物联网服务域隔离通信装置的结构 框图。Fig. 7 is a structural block diagram of a large-scale Internet of Things service domain isolation communication device according to an embodiment of the present disclosure.

图8是根据本公开的一个实施例示出的一种大规模物联网服务域隔离通信装置建立强 逻辑隔离的步骤图。Fig. 8 is a step diagram showing a strong logical isolation for a large-scale Internet of Things service domain isolation communication device according to an embodiment of the present disclosure.

具体实施方式Detailed ways

下面将结合本申请实施例中的附图，对本申请实施例中的技术方案进行清楚、完整地 描述，显然，所描述的实施例仅仅是本申请一部分实施例，而不是全部的实施例。基于本 申请中的实施例，本领域普通技术人员在没有做出创造性劳动的前提下所获得的所有其他 实施例，都属于本申请保护的范围。The technical solutions in the embodiments of the present application will be clearly and completely described below in conjunction with the accompanying drawings in the embodiments of the present application. Obviously, the described embodiments are only a part of the embodiments of the present application, rather than all embodiments. Based on the embodiments in this application, all other embodiments obtained by persons of ordinary skill in the art without creative work, all belong to the scope of protection of this application.

根据本公开的一个实施例示出的一种大规模物联网服务域隔离通信方法，可以包括以 下步骤：According to an embodiment of the present disclosure, a large-scale Internet of Things service domain isolation communication method may include the following steps:

在步骤1中，将物联网中用户终端的IPv6地址分布式存储到大规模物联网的各服务域 的中心如图1所示，将物联网中用户终端的IPv6地址、用户终端的MAC地址和相应交换机进行相互绑定。Instep 1, the IPv6 address of the user terminal in the Internet of Things is distributed and stored in the center of each service domain of the large-scale Internet of Things, as shown in Figure 1, the IPv6 address of the user terminal in the Internet of Things, the MAC address of the user terminal and The corresponding switches are bound to each other.

在一个实施例中，所述将物联网中用户终端的IPv6地址、用户终端的MAC地址和相应 交换机进行相互绑定，可以包括以下步骤：In one embodiment, binding the IPv6 address of the user terminal in the Internet of Things, the MAC address of the user terminal and the corresponding switch to each other may include the following steps:

(1)将物联网中用户终端的IPv6地址分布式存储到大规模物联网的各服务域中心；(1) Distributed storage of IPv6 addresses of user terminals in the Internet of Things to each service domain center of the large-scale Internet of Things;

(2)各服务域中心根据物联网中接入网内用户终端的真实源地址，对服务域接入网内 用户终端的身份进行验证；建立分布式真实身份管理机制，为各服务域在公共资源上提供 域间逻辑隔离提供基础。确保用户终端接入身份真实可信。(2) Each service domain center verifies the identity of the user terminal in the service domain access network according to the real source address of the user terminal in the access network of the Internet of Things; Resources provide the basis for logical isolation between domains. Ensure that user terminal access identities are authentic and credible.

(3)在用户终端的IPv6地址后64位嵌入用户终端身份的标识信息。以此实现数据包 级别的身份验证和溯源能力，从接入位置即保证服务域内设备的真实可信。真实地址生成 过程是现有机制，不在本专利保护范围，但将真实地址及对应的真实身份用于跨服务域隔 离属于本专利保护范围。特别地，当节点通过ZigBee、蓝牙等组网方式接入物联网，未使用IPv6地址时，由对应的网关代理实现。网关为每个节点申请对应的IPv6地址，并存储 该IPv6地址与节点真实地址的对应关系，如图1所示，网关代理用户终端设备获取IPv6 地址，后续资源隔离、性能管理和访问控制也通过网关代理实现。(3) The identification information of the identity of the user terminal is embedded in the last 64 bits of the IPv6 address of the user terminal. In this way, the identity verification and traceability capabilities at the data packet level can be realized, and the authenticity of the devices in the service domain can be guaranteed from the access location. The real address generation process is an existing mechanism, which is not within the protection scope of this patent, but the use of real addresses and corresponding real identities for cross-service domain isolation is within the protection scope of this patent. In particular, when a node accesses the Internet of Things through ZigBee, Bluetooth and other networking methods, and does not use an IPv6 address, it will be implemented by the corresponding gateway agent. The gateway applies for the corresponding IPv6 address for each node, and stores the corresponding relationship between the IPv6 address and the real address of the node. As shown in Figure 1, the gateway obtains the IPv6 address on behalf of the user terminal equipment, and subsequent resource isolation, performance management and access control are also passed. Gateway proxy implementation.

(4)将物联网中用户终端的IPv6地址、用户终端的MAC地址和相应交换机进行相互绑定。(4) Binding the IPv6 address of the user terminal in the Internet of Things, the MAC address of the user terminal and the corresponding switch to each other.

在步骤2中，根据物联网中用户终端的IPv6地址中用户终端的真实身份，在通信前对 物联网的通信进行分配。Instep 2, according to the real identity of the user terminal in the IPv6 address of the user terminal in the Internet of Things, the communication of the Internet of Things is allocated before communication.

在一个实施例中，所述根据物联网中用户终端的IPv6地址中用户终端的真实身份，对 物联网的通信进行分配，可以包括以下步骤：In one embodiment, according to the real identity of the user terminal in the IPv6 address of the user terminal in the Internet of Things, distributing the communication of the Internet of Things may include the following steps:

(1)在通信前，用户终端向所属大规模物联网的服务域中心发送通信请求，通信请求 中包含用户终端的IP地址和目标用户终端的IP地址；(1) Before communication, the user terminal sends a communication request to the service domain center of the large-scale Internet of Things to which it belongs, and the communication request includes the IP address of the user terminal and the IP address of the target user terminal;

(2)所述物联网各服务域中心对所述用户终端的IP地址和所述通信目标的IP地址进 行判断，若所述用户终端的IP地址和所述通信目标的IP地址在同一服务域，则向与所述用户终端连接的交换机发送一个允许通信指令，若所述用户终端的IP地址和所述通信目标的IP地址不在同一服务域，则直接向所述用户终端发送拒绝指令。如图3所示，资源隔离 模块通过控制多个交换机端口，完成对网络的虚拟化，具体地，将划分好的网络切片与服 务域的IP地址块进行绑定，并在每个交换机建立端口过滤策略，只有源端和目的端IP同 属于一个切片的流量能才允许经过，其余的流量在端口直接过滤，实现每个切片间的资源 隔离。(2) Each service domain center of the Internet of Things judges the IP address of the user terminal and the IP address of the communication target, if the IP address of the user terminal and the IP address of the communication target are in the same service If the IP address of the user terminal and the IP address of the communication target are not in the same service domain, then directly send a denial instruction to the user terminal. As shown in Figure 3, the resource isolation module completes the virtualization of the network by controlling multiple switch ports. Specifically, it binds the divided network slices to the IP address blocks of the service domain, and establishes Port filtering strategy, only the traffic whose source and destination IPs belong to the same slice is allowed to pass, and the rest of the traffic is directly filtered on the port to realize resource isolation between each slice.

在步骤3中，根据大规模物联网服务域的资源使用状态，对不同数据流带宽进行分配； 从而实现服务域之间性能平衡和隔离。In step 3, according to the resource usage status of the large-scale Internet of Things service domain, the bandwidth of different data streams is allocated; thereby realizing performance balance and isolation between service domains.

在一个实施例中，所述根据大规模物联网服务域的资源使用状态，对不同数据流带宽 进行分配，可以包括以下步骤：In one embodiment, the allocation of different data flow bandwidths according to the resource usage status of the large-scale Internet of Things service domain may include the following steps:

(1)大规模物联网的各服务域的中心建立本服务域的标识符ID与本服务域分别在多 个交换机上的带宽信息映射关系，所述带宽信息包括服务域的总带宽和现有带宽；(1) The center of each service domain of the large-scale Internet of Things establishes the mapping relationship between the identifier ID of the service domain and the bandwidth information of the service domain on multiple switches respectively, and the bandwidth information includes the total bandwidth of the service domain and the existing bandwidth;

(2)当用户终端发送通信请求时，服务域中心根据标识符ID，对与该发送通信请求用户终端相连接的交换机的带宽信息进行判断，若该服务域的现有带宽大于或等于所述交换机上的带宽，则服务域中心进行带宽分配，并向该发送通信请求用户终端相连接的交换机端口发送带宽分配结果，若该服务域的现有带宽小于所述交换机上的带宽，则直接向该发送通信请求用户终端发送拒绝通信指令。如图4所示，网络中各服务域中心根据服务域业务需求动态制定相关传输性能规则，建立<服务域ID，带宽>对应关系，并将其与服务域相应的网络切片进行关联形成流表规则下发至管理域内的接入交换机，通过控制服务域对应物理设备的出口带宽，使得每个切片使用分配的网络资源为本服务域提供数据传输服务， 在共享物理设施上为各服务域建立具有传输性能保证的网络通道，确保传输性能得到满足。(2) When the user terminal sends a communication request, the service domain center judges the bandwidth information of the switch connected to the user terminal that sends the communication request according to the identifier ID, if the existing bandwidth of the service domain is greater than or equal to the bandwidth on the switch, the service domain center performs bandwidth allocation, and sends the bandwidth allocation result to the switch port connected to the user terminal that sends the communication request. If the existing bandwidth of the service domain is less than the bandwidth on the switch, then directly to the The sending communication requests the user terminal to send a communication rejection instruction. As shown in Figure 4, each service domain center in the network dynamically formulates relevant transmission performance rules according to the business requirements of the service domain, establishes the corresponding relationship of <service domain ID, bandwidth>, and associates it with the corresponding network slice of the service domain to form a flow table The rules are sent to the access switches in the management domain. By controlling the egress bandwidth of the corresponding physical equipment in the service domain, each slice uses the allocated network resources to provide data transmission services for the service domain. Establish a network for each service domain on the shared physical facility. Network channel with transmission performance guarantee to ensure that the transmission performance is satisfied.

在数据传输过程中，为确保数据包在网络中动态传输时满足性能需求，服务域中心基 于本服务域内链路全局视图进行路由设备动态管理，避免数据传输链路拥塞。链路全局视 图为路由设备各端口间连接关系及链路容量记录，包括每个服务域需要的链路信息，设 Link＝{Link₁，Link₂，......，Link_n}为每个服务域的每一条链路总带宽，Remain＝{Remain₁，Remain₂，......，Remain_n}为当前各服务域每一条链路剩余带宽。当有通信请求到 达时，服务域中心判断当前链路带宽是否满足通信需求，根据链路状况，控制各服务域带 宽，动态调整注入网络的数据包速率，保证各网络切片正常业务传输基础上实现全局拥塞 避免。During the data transmission process, in order to ensure that the data packets meet the performance requirements when the data packets are dynamically transmitted in the network, the service domain center performs dynamic management of the routing equipment based on the global view of the links in the service domain to avoid data transmission link congestion. The link global view shows the connection relationship and link capacity records between the ports of the routing device, including the link information required by each service domain. Let Link＝{Link₁ , Link₂ ,..., Link_n } be The total bandwidth of each link in each service domain, Remain={Remain₁ , Remain₂ , . . . , Remain_n } is the remaining bandwidth of each link in each current service domain. When a communication request arrives, the service domain center judges whether the current link bandwidth meets the communication requirements, controls the bandwidth of each service domain according to the link status, and dynamically adjusts the rate of data packets injected into the network to ensure the normal business transmission of each network slice. Global congestion avoidance.

在步骤4中，根据用户终端的真实身份对访问目的进行切分，使得非授权用户不能访 问权限外的服务资源；保证隐私数据不泄露，阻止非法操作和控制，提升服务可靠性。In step 4, the access purpose is segmented according to the real identity of the user terminal, so that unauthorized users cannot access service resources outside the authority; to ensure that private data is not leaked, to prevent illegal operation and control, and to improve service reliability.

在一个实施例中，所述根据用户终端的真实身份对访问目的进行切分，使得非授权用 户不能访问权限外的服务资源，如图5所示，可以包括以下步骤：In one embodiment, the access purpose is segmented according to the real identity of the user terminal, so that unauthorized users cannot access service resources outside the authority, as shown in Figure 5, may include the following steps:

(1)所述服务域中心根据用户终端的真实身份，分别设定各用户终端的访问权限和相 应访问标记；(1) The service domain center sets the access rights and corresponding access marks of each user terminal respectively according to the true identity of the user terminal;

(2)当用户终端向服务域中心发送通信请求时，服务域中心根据用户终端的访问权限， 对用户终端请求访问的合法性进行判断，若该用户终端具有访问权限，则向被访问目标发 送该用户终端的访问标记，若该用户终端不具有访问权限，则直接向该用户终端发送拒绝 指令。为更好地实现服务隔离，有效防止非法入侵、数据泄露等安全威胁，本公开实施例 对服务域内的应用进行安全等级的划分，并基于端设备的真实身份和角色对其行为进行访 问控制，使得在服务域内，用户仅能访问在安全等级授权之内的应用，从而有效实现服务 域内不同应用访问的服务隔离。具体地，如表1所示，每台设备有对应的访问权限，不同 的权限对应不同的权限代码，通信前，服务域中心将权限代码与真实身份对应关系写入被 访问设备(或者管理设备的物联网网关)，被访问设备根据身份权限实现相应等级的访问 控制。(2) When the user terminal sends a communication request to the service domain center, the service domain center judges the legitimacy of the user terminal's request for access according to the access authority of the user terminal, and if the user terminal has access authority, it sends a communication request to the accessed target. Send the access mark of this user terminal, if this user terminal does not have access authority, then directly send to this user terminal the denial instruction. In order to better realize service isolation and effectively prevent security threats such as illegal intrusion and data leakage, the disclosed embodiment divides the security level of the application in the service domain, and controls the access to its behavior based on the real identity and role of the end device , so that in the service domain, users can only access applications within the authorization of the security level, so as to effectively realize the service isolation of different application access in the service domain. Specifically, as shown in Table 1, each device has corresponding access permissions, and different permissions correspond to different permission codes. Before communication, the service domain center writes the corresponding relationship between the permission code and the real identity into the accessed device (or management device) Internet of Things gateway), the accessed device realizes the corresponding level of access control according to the identity authority.

表1基于真实身份的服务域访问权限管理Table 1 Management of service domain access rights based on real identity

在步骤5中，同一服务域内的各用户终端，采用密钥交换算法，实现加密通信。Instep 5, each user terminal in the same service domain implements encrypted communication by using a key exchange algorithm.

在一个实施例中，所述同一服务域内的各用户终端，采用密钥交换方法，实现加密通 信，可以包括以下：In one embodiment, each user terminal in the same service domain adopts a key exchange method to realize encrypted communication, which may include the following:

(1)所述服务域中心为同一服务域内的各用户终端生成一对公钥和私钥，并将所述公 钥发送到本服务域的所有用户终端，所述私钥根据用户终端的真实身份发送到相应用户终 端；(1) The service domain center generates a pair of public key and private key for each user terminal in the same service domain, and sends the public key to all user terminals in the service domain. The identity is sent to the corresponding user terminal;

(2)发起通信请求的用户终端根据所述目标用户终端的IP地址，利用所述目标用户 终端的公钥对目标用户终端的IP地址进行加密，得到一个加密后的密文，即auth_S＝Encrypt(IPD)；(2) The user terminal that initiates a communication request utilizes the public key of the target user terminal to encrypt the IP address of the target user terminal according to the IP address of the target user terminal, and obtains an encrypted ciphertext, i.e. auth_S = Encrypt(IPD);

(3)发起通信请求的用户终端根据目标用户终端的IP地址、发起通信请求的用户终 端的IP地址和发起通信请求的时间戳，计算得到一个哈希值K_S：(3) The user terminal that initiates the communication request calculates a hash value K_S according to the IP address of the target user terminal, the IP address of the user terminal that initiates the communication request, and the time stamp that initiates the communication request:

K_S＝H(IP_D||IP_S||T_STAMP)，K_S ＝H(IP_D ||IP_S ||T_STAMP ),

其中，||表示字符串串接，IP_D表示目标用户终端地址，IP_S表示发起通信请求的用户 终端地址，T_STAMP表示时间戳；H()表示一种哈希算法；Wherein, || represents string concatenation, IP_D represents the target user terminal address,_IPS represents the user terminal address that initiates the communication request, T_STAMP represents the timestamp; H() represents a hash algorithm;

(4)发起通信请求的用户终端将所述哈希值K_S的前128位作为本次通信的第一对称密 钥K，并使用目标用户终端的公钥对密钥K进行加密，得到一个密文R_S，R_S＝Encrypt(K)；(4) The user terminal that initiates the communication request uses the first 128 bits of the hash value K_S as the first symmetric key K for this communication, and uses the public key of the target user terminal to encrypt the key K to obtain a Ciphertext R_S , R_S =Encrypt(K);

(5)发起通信请求的用户终端向目标用户终端发送密文R_S和密文auth_S；(5) The user terminal that initiates the communication request sends the ciphertext_RS and the ciphertext auth_S to the target user terminal;

(6)目标用户终端利用本终端的私钥，对密文auth_S进行解密，得到目标用户终端的 待认证IP地址，将该待认证IP地址与目标用户终端的IP地址进行比较，若待认证IP地址与目标用户终端的IP地址不相同，则直接向发起通信请求的用户终端发送拒绝指令， 若待认证IP地址与目标用户终端的IP地址相同，则认证成功，并对所述密文R_S进行解密， 得到一个第二对称密钥K′；(6) The target user terminal uses the private key of the terminal to decrypt the ciphertext auth_S to obtain the IP address to be authenticated of the target user terminal, compare the IP address to be authenticated with the IP address of the target user terminal, if the IP address to be authenticated is If the IP address is different from the IP address of the target user terminal, a rejection instruction is sent directly to the user terminal that initiated the communication request. If the IP address to be authenticated is identical to the IP address of the target user terminal, the authentication is successful, and the ciphertext R_S decrypts to obtain a second symmetric key K';

(7)目标用户终端利用第二对称密钥K′对发起通信请求的用户终端的IP地址进行加 密，得到一个密文auth_D，auth_D＝Encrypt_K′(IP_S)；(7) the target user terminal utilizes the second symmetric key K ' to encrypt the IP address of the user terminal that initiates the communication request, and obtains a ciphertext auth_D , auth_D =Encrypt_K '(_IPS );

(8)目标用户终端向发起通信请求的用户终端发送所述密文auth_D；(8) The target user terminal sends the ciphertext auth_D to the user terminal that initiates the communication request;

(9)发起通信请求的用户终端使用第一对称K对所述密文auth_D进行解密，若得不到 发起通信请求的用户终端的IP地址，则密钥交换失败，若得到发起通信请求的用户终端的IP地址，则密钥交换成功，将第一密钥K作为对称密钥用于本次数据加密通信。(9) The user terminal that initiates the communication request uses the first symmetric K to decrypt the ciphertext auth_D , if the IP address of the user terminal that initiates the communication request cannot be obtained, then the key exchange fails, if the IP address of the user terminal that initiates the communication request is obtained, IP address of the user terminal, the key exchange is successful, and the first key K is used as the symmetric key for this encrypted data communication.

上述整个密钥交换过程如图6所示。公私钥管理可以基于现有PKI(公钥基础设施)等方案进行实现，其中服务域内每个设备的公钥与IP地址相对应。每台设备都可以通过 自己的身份信息向密钥管理模块申请属于自己的私钥，服务域内节点之间可以通过公私钥完成相互认证，并进行通信密钥协商，得到本次会话的对称密钥，用于加密通信数据。The entire key exchange process above is shown in FIG. 6 . Public and private key management can be implemented based on existing PKI (Public Key Infrastructure) and other schemes, in which the public key of each device in the service domain corresponds to the IP address. Each device can apply for its own private key from the key management module through its own identity information. Nodes in the service domain can complete mutual authentication through public and private keys, and negotiate communication keys to obtain the symmetric key for this session. , used to encrypt communication data.

本公开的一个实施例提供了一个采用本方法的域间可信度共识实施例，如图1所示为 该实施例的网络拓扑，该实施例中涉及的主要参数如下：An embodiment of the present disclosure provides an embodiment of an inter-domain credibility consensus using this method, as shown in Figure 1 is the network topology of this embodiment, the main parameters involved in this embodiment are as follows:

1、该实施例中，如图1所示，共在学校1，小区，学校2三个物理位置部署2个服务域，分别为智慧校园与智慧小区服务域，“服务域1-智慧校园”的服务域中心位于学校1，“服务域2-智慧小区”的服务域中心位于小区。所有设备通过互联网连接，共用互联网设施。本实施例中，用户终端为4台，用户终端1为学生A智能手表，同时属于智慧校园和 智慧小区服务域；用户终端2为小区摄像头，属于智慧小区服务域；用户终端3为学生B 智能手表，同时属于智慧校园和智慧小区服务域；用户终端4为学生C智能手表，属于智 慧校园服务域。本实施例的目的是为万物互联场景下各用户终端设备在服务域间建立强逻 辑隔离机制。1. In this embodiment, as shown in Figure 1, two service domains are deployed at the three physical locations ofschool 1, community, andschool 2, which are respectively the smart campus and smart community service domains, "service domain 1-smart campus" The center of the service domain is located inschool 1, and the center of the service domain of "service domain 2-smart community" is located in the community. All devices are connected via the Internet and share Internet facilities. In this embodiment, there are 4 user terminals, anduser terminal 1 is a smart watch of student A, which belongs to the service domain of smart campus and smart community;user terminal 2 is a community camera, which belongs to the service domain of smart community; user terminal 3 is a smart watch of student B. The watch belongs to the service domain of smart campus and smart community at the same time; the user terminal 4 is a smart watch of student C, which belongs to the service domain of smart campus. The purpose of this embodiment is to establish a strong logical isolation mechanism between service domains for each user terminal device in the Internet of Everything scenario.

2、该实施例中，学校1表示某校园，学校1中部署了一台支持真实地址管理的交换机，一台智慧校园服务域中心。交换机提供真实源地址及真实身份验证的功能，确保接入设备的真实可信，以及根据服务域中心指令控制端口速率；服务域中心实现对设备动态虚拟身份的高效生成、分配和身份标识管理，同时提供虚拟网络切片服务，实现流量的隔离与管理；同时负责为服务域内设备基于标识生成及发送通信目的端私钥，用于协商对称密钥。服务域1中有一名佩戴智能手表的学生A，学生A同时也是智慧小区(服务域2)的 居民，其智能手表属于智慧小区服务域，仅对智慧小区的设备具有使用权，不具有管理权 限。因此，该用户终端同时属于智慧校园和智慧小区两个服务域。2. In this embodiment,school 1 represents a certain campus, and a switch supporting real address management and a smart campus service domain center are deployed inschool 1. The switch provides the function of real source address and real identity verification to ensure the authenticity of the access device, and control the port speed according to the instructions of the service domain center; the service domain center realizes the efficient generation, distribution and identity management of the dynamic virtual identity of the device, At the same time, it provides virtual network slicing services to realize traffic isolation and management; at the same time, it is responsible for generating and sending communication destination private keys based on identifiers for devices in the service domain to negotiate symmetric keys. Inservice domain 1, there is a student A wearing a smart watch. Student A is also a resident of the smart community (service domain 2). His smart watch belongs to the service domain of the smart community, and only has the right to use the equipment of the smart community, but not the right to manage it. limit. Therefore, the user terminal belongs to two service domains of the smart campus and the smart community at the same time.

3、该实例中，智慧小区环境，配置与服务域1相同，部署了一台支持真实地址管理的交换机，一台智慧小区服务域中心。部署了一台摄像头设备，只有属于智慧小区服务域的用户能访问设备，属于智慧小区且具备管理员身份的设备才能与摄像头进行交互控制。3. In this example, the configuration of the smart community environment is the same as that ofservice domain 1. A switch supporting real address management and a smart community service domain center are deployed. A camera device is deployed, and only users belonging to the service domain of the smart community can access the device, and devices belonging to the smart community and having administrator status can interact with the camera.

4、该实施例中，学校2中部署了一台支持真实地址管理的交换机，以及两名学生(学 生B和C)使用的用户终端设备(智能手表)，其中学生B也是智慧小区的管理员，属于智慧小区服务域，可以通过佩戴的智能手表和小区里的设备进行通信，因此，学生B同时属 于智慧校园和智慧小区两个服务域；学生C仅属于智慧校园服务域。4. In this embodiment, a switch that supports real address management is deployed inschool 2, and user terminal devices (smart watches) used by two students (students B and C), where student B is also the manager of the smart community Student B belongs to the service domain of the smart community and can communicate with the devices in the community through the smart watch worn. Therefore, student B belongs to both the service domains of the smart campus and the smart community; student C only belongs to the service domain of the smart campus.

5、该实施例中，互联网连接2个服务域。强逻辑隔离建立过程如图8所示，其中第①步为步骤1，第②步为步骤2-5。5. In this embodiment, the Internet connects two service domains. The establishment process of strong logical isolation is shown in Figure 8, wherestep ① isstep 1, andstep ② is step 2-5.

步骤1)地址绑定，实现用户终端身份管理。设IP前缀为64位分配值，学校1分配 地址前缀为2001：：0000，学校2分配地址前缀为2002：：0000，小区分配地址前缀为C为 2003：：0000，IP地址后64位为根据用户身份号码等基础信息经过哈希、加密等运算得到 的包含用户信息的IPv6后64位信息，为学生A智能手表分配的IPv6后64位信息为1000：：0001，学生B智能手表分配的IPv6后64位信息为2000：：0002，学生C智能手表分 配的IPv6地址后64位信息为3000：：0003，摄像头分配的IPv6后64位信息为4000：：0004。 如表1所示，建立相应的服务域ID及IPv6后64位对应关系。切片管理及密钥管理服务 器通过分布式管理信息同步IPv6后64位信息及相应的服务域信息。Step 1) Address binding to realize user terminal identity management. Set the IP prefix as a 64-bit assigned value, the address prefix assigned byschool 1 is 2001::0000, the address prefix assigned byschool 2 is 2002::0000, the address prefix assigned by the community is 2003::0000, and the last 64 bits of the IP address are based on The last 64 bits of IPv6 information including user information obtained through hashing, encryption, and other basic information such as user ID numbers, the last 64 bits of IPv6 information allocated to Student A’s smart watch is 1000::0001, and the IPv6 information allocated to Student B’s smart watch The last 64-bit information is 2000::0002, the last 64-bit information of the IPv6 address assigned by Student C’s smart watch is 3000::0003, and the last 64-bit information of the IPv6 address assigned by the camera is 4000::0004. As shown in Table 1, establish the correspondence between the corresponding service domain ID and the last 64 bits of IPv6. The slice management and key management server synchronizes the post-IPv6 64-bit information and corresponding service domain information through distributed management information.

步骤2)通信分配，实现用户终端之间资源隔离。智慧校园的学生C请求与智慧小区的摄像头通信，学生C尝试用自己的地址与智慧小区的摄像头进行通信时，服务域中心根据服务域信息，智慧校园与智慧小区分别属于不同的服务域，因此资源隔离模块不构建相应的网络切片实现学生C的访问请求，如果学生C直接发送数据包，数据包在学生C用户 终端与交换机连接的端口处被过滤，确保了不同服务域之间无法进行通信交互。与之相对 的是，学生A请求与学生C通信时，服务域中心向交换机写入对应的允许通过的指令，数 据包可以通过交换机实现交互。Step 2) communication allocation, realizing resource isolation between user terminals. Student C on the smart campus requests to communicate with the camera of the smart community. When student C tries to communicate with the camera of the smart community with his own address, the service domain center determines that the smart campus and the smart community belong to different service domains according to the service domain information. The resource isolation module does not construct corresponding network slices to implement student C's access request. If student C sends data packets directly, the data packets will be filtered at the port where student C's user terminal is connected to the switch, ensuring that communication between different service domains cannot be performed. interact. In contrast, when student A requests to communicate with student C, the service domain center writes the corresponding allowable instruction to the switch, and the data packets can interact through the switch.

步骤3)带宽分配，实现用户终端通信时的性能管理。不同服务域的内部通信将对应 不同的网络切片，分配到相应的资源。设各交换机到互联网的链路带宽为10Gbps，对服务 域智慧校园而言，交换机1，2，3为服务域提供的链路总带宽为Link＝{Link₁，Link₂，Link₃}， 学校2的总带宽为其中的Link₃，对应当前剩余带宽Remain₃＝3Mbps。学生C请求与学 生A进行通信，申请1Mbps的速率，智慧校园服务域中心向学校2的交换机3与学生C用 户终端连接的端口设置速率限制策略，如分配带宽1Mbps。学生B和摄像头同属于智慧小 区，通过智慧小区服务域中心在交换机3上分配带宽2Mbps。两个服务域占用相互独立的 网络资源，无法造成相互影响，如果智慧教育对应的网络分片遭受DDoS攻击，最多消耗 智慧教育分配的带宽资源，超出分配的流量在交换机处被过滤掉，有效实现了性能保证。Step 3) Bandwidth allocation to realize performance management during user terminal communication. The internal communication of different service domains will correspond to different network slices and be allocated to corresponding resources. Assuming that the link bandwidth of each switch to the Internet is 10Gbps, for the service domain smart campus, the total link bandwidth provided by switches_{1, 2, and 3 for the service domain is Link={Link 1} , Link₂ , Link₃ }, school The total bandwidth of 2 is Link₃ among them, corresponding to the current remaining bandwidth Remain₃ =3 Mbps. Student C requests to communicate with student A and applies for a rate of 1Mbps. The smart campus service domain center sets a rate limit policy on the port connected to the switch 3 ofschool 2 and the user terminal of student C, such as allocating a bandwidth of 1Mbps. Student B and the camera belong to the smart community, and the bandwidth of 2 Mbps is allocated on switch 3 through the service domain center of the smart community. The two service domains occupy independent network resources and cannot affect each other. If the network fragment corresponding to Smart Education is attacked by DDoS, the bandwidth resources allocated by Smart Education will be consumed at most, and the traffic exceeding the allocation will be filtered out at the switch, effectively realizing performance guarantee.

步骤4)资源切分，实现服务隔离：智慧小区服务域部署了服务隔离机制，通过基于身份的访问控制对服务域内的设备进行管理。学生A属于智慧小区服务域，可以与摄像头进行通信，查看视频内容，由于服务域中心已经在通信前将真实地址及设备权限(0)写 入摄像头(或者管理摄像头的物联网网关)，摄像头鉴别其不具有管理摄像头的权限，如 果学生A发送关闭摄像头指令，无法通过摄像头的身份访问控制检查，有效防止了未授权 的非法访问。Step 4) Resource segmentation to realize service isolation: The service domain of the smart community deploys a service isolation mechanism, and manages devices in the service domain through identity-based access control. Student A belongs to the service domain of the smart community, and can communicate with the camera and view video content. Since the service domain center has written the real address and device permission (0) into the camera (or the IoT gateway that manages the camera) before communication, the camera can identify It does not have the authority to manage the camera. If student A sends a command to turn off the camera, it cannot pass the identity access control check of the camera, which effectively prevents unauthorized access.

步骤5)通信管理，实现物联网用户终端设备之间加密通信。最后，所有通信数据都经过加密，才能确保流量不能被恶意用户窃听、利用(比如访问控制指令被重用)。在部 署了强逻辑隔离机制的智慧校园和智慧小区中，所有通信数据均受加密保护。学生B与摄 像头通信，基于目的端摄像头的公钥，认证信息为目标用户终端摄像头的IP地址，即auth_S＝Encrypt(2003：：4000：0000：0000：0004)，当前时间戳为3f56425d，计算密钥 K_S＝H(2003：：4000：0000：0000：0004||2002：：2000：0000：0000：0002||3f56425d)，取前 128位作为本次会话对称密钥K，并对密钥K使用公钥进行加密，得到R_S＝Encrypt(K)， 向目的端发送R_S、auth_S。摄像头根据自己的私钥SK_D，解密auth_S认证成功后，再解密得 到对称密钥K′，摄像头用协商的密钥K′加密学生B设备IP地址，向学生B发送，学生 B进行验证，验证通过后，K作为对称密钥用于本次数据加密通信。学生B与摄像头交互 过程中的流量经过数据加密，即使被学生C监听到，但这些流量都是密文，由于其无法获 得学生B与摄像头通信加密用的对称密钥，因此无法得到明文数据，密钥交换机制为各服 务域间流量强隔离提供了保障。Step 5) Communication management, realizing encrypted communication between user terminal devices of the Internet of Things. Finally, all communication data is encrypted to ensure that the traffic cannot be eavesdropped and used by malicious users (for example, access control instructions are reused). In smart campuses and smart communities that deploy strong logical isolation mechanisms, all communication data is protected by encryption. Student B communicates with the camera, based on the public key of the target camera, the authentication information is the IP address of the target user terminal camera, that is, auth_S = Encrypt(2003::4000:0000:0000:0004), the current timestamp is 3f56425d, calculate Key K_S ＝H(2003::4000:0000:0000:0004||2002::2000:0000:0000:0002||3f56425d), take the first 128 bits as the session symmetric key K, and encrypt The key K is encrypted with the public key to obtain R_S =Encrypt(K), and the R_S and auth_S are sent to the destination. According to its own private key SK_D , the camera decrypts the auth_S after the authentication is successful, and then decrypts to obtain the symmetric key K′. The camera encrypts the IP address of student B’s device with the negotiated key K′ and sends it to student B. Student B performs verification. After the verification is passed, K is used as a symmetric key for this data encryption communication. The traffic during the interaction between student B and the camera is encrypted. Even if it is monitored by student C, the traffic is all ciphertext. Since student B cannot obtain the symmetric key used to encrypt the communication between student B and the camera, he cannot obtain plaintext data. The key exchange mechanism provides a guarantee for strong isolation of traffic between service domains.

本公开实施例充分考虑大规模物联网服务域动态变化且需要建立隐私保护等安全需求， 通过分布式服务域中心建立了以真实身份为信任基础的服务域间隔离策略，提供了一种高 效可靠服务域强逻辑隔离机制，并能在提升系统安全性的同时保证设备通信性能，为物联 网设备间安全通信提供可靠支撑。The embodiment of the disclosure fully considers the dynamic changes of large-scale Internet of Things service domains and the need to establish security requirements such as privacy protection, and establishes a service domain isolation strategy based on real identity as the trust through the distributed service domain center, providing an efficient The reliable service domain has a strong logical isolation mechanism, and can ensure device communication performance while improving system security, providing reliable support for secure communication between IoT devices.

与上述大规模物联网服务域隔离通信方法相对应地，本公开还提出了大规模物联网服 务域隔离通信装置，如图7所示，包括：Corresponding to the above-mentioned large-scale Internet of Things service domain isolation communication method, this disclosure also proposes a large-scale Internet of Things service domain isolation communication device, as shown in Figure 7, including:

地址绑定模块，用于将物联网中用户终端的IPv6地址、用户终端的MAC地址和相应交 换机进行相互绑定；The address binding module is used to bind the IPv6 address of the user terminal in the Internet of Things, the MAC address of the user terminal and the corresponding switch;

通信分配模块，用于根据物联网中用户终端的IPv6地址中用户终端的真实身份，在通 信前对物联网的通信进行分配；The communication allocation module is used to allocate the communication of the Internet of Things before communication according to the real identity of the user terminal in the IPv6 address of the user terminal in the Internet of Things;

带宽分配模块，用于根据大规模物联网服务域的资源使用状态，对不同数据流带宽进 行分配；The bandwidth allocation module is used to allocate different data flow bandwidths according to the resource usage status of the large-scale Internet of Things service domain;

资源切分模块，用于根据用户终端的真实身份对访问目的进行切分，使得非授权用户 不能访问权限外的服务资源；The resource segmentation module is used to segment the access purpose according to the real identity of the user terminal, so that unauthorized users cannot access service resources outside the authority;

通信模块，用于同一服务域内的各用户终端，采用密钥交换算法，实现加密通信。The communication module is used for each user terminal in the same service domain, and adopts a key exchange algorithm to realize encrypted communication.

本公开的实施例还提出了一种电子设备，包括：Embodiments of the present disclosure also propose an electronic device, including:

存储器，用于存储计算机可执行的指令；memory for storing computer-executable instructions;

处理器，所述处理器被配置执行：a processor configured to perform:

将物联网中用户终端的IPv6地址、用户终端的MAC地址和相应交换机进行相互绑定；Bind the IPv6 address of the user terminal in the Internet of Things, the MAC address of the user terminal and the corresponding switch to each other;

根据物联网中用户终端的IPv6地址中用户终端的真实身份，在通信前对物联网的通信 进行分配；According to the real identity of the user terminal in the IPv6 address of the user terminal in the Internet of Things, the communication of the Internet of Things is allocated before communication;

根据大规模物联网服务域的资源使用状态，对不同数据流带宽进行分配；According to the resource usage status of the large-scale Internet of Things service domain, the bandwidth of different data streams is allocated;

根据用户终端的真实身份对访问目的进行切分，使得非授权用户不能访问权限外的服 务资源；Segment the access purpose according to the real identity of the user terminal, so that unauthorized users cannot access service resources beyond their authority;

同一服务域内的各用户终端，采用密钥交换算法，实现加密通信。Each user terminal in the same service domain adopts a key exchange algorithm to realize encrypted communication.

本公开的一个实施例还提出了一种计算机可读存储介质，其上存储有计算机程序，所 述计算机程序用于使所述计算机执行：An embodiment of the present disclosure also proposes a computer-readable storage medium, on which a computer program is stored, and the computer program is used to cause the computer to execute:

将物联网中用户终端的IPv6地址、用户终端的MAC地址和相应交换机进行相互绑定；Bind the IPv6 address of the user terminal in the Internet of Things, the MAC address of the user terminal and the corresponding switch to each other;

根据物联网中用户终端的IPv6地址中用户终端的真实身份，在通信前对物联网的通信 进行分配；According to the real identity of the user terminal in the IPv6 address of the user terminal in the Internet of Things, the communication of the Internet of Things is allocated before communication;

根据大规模物联网服务域的资源使用状态，对不同数据流带宽进行分配；According to the resource usage status of the large-scale Internet of Things service domain, the bandwidth of different data streams is allocated;

根据用户终端的真实身份对访问目的进行切分，使得非授权用户不能访问权限外的服 务资源；Segment the access purpose according to the real identity of the user terminal, so that unauthorized users cannot access service resources beyond their authority;

同一服务域内的各用户终端，采用密钥交换算法，实现加密通信。Each user terminal in the same service domain adopts a key exchange algorithm to realize encrypted communication.

需要说明的是，本公开的实施例中，所称处理器可以是中央处理单元(CentralProcessing Unit，CPU)，还可以是其他通用处理器、数字信号处理器(Digital SignalProcessor，DSP)、专用集成电路(Application Specific Integrated Circuit，ASIC)、 现成可编程门阵列(FieldProgrammableGate Array，FPGA)或者其他可编程逻辑器件、分 立门或者晶体管逻辑器件、分立硬件组件等。通用处理器可以是微处理器或者该处理器 也可以是任何常规的处理器等，所述存储器可用于存储所述计算机程序和/或模块，所述 处理器通过运行或执行存储在所述存储器内的计算机程序和/或模块，以及调用存储在存 储器内的数据，实现所述汽车配件图片数据集制作设备的各种功能。所述存储器可主要 包括存储程序区和存储数据区，其中，存储程序区可存储操作系统、至少一个功能所需 的应用程序(比如声音播放功能、图像播放功能等)等；存储数据区可存储根据手机的使 用所创建的数据(比如音频数据、电话本等)等。此外，存储器可以包括高速随机存取存 储器，还可以包括非易失性存储器，例如硬盘、内存、插接式硬盘，智能存储卡(Sma rt Med ia Ca rd，SMC)，安全数字(Secure Digital，SD)卡，闪存卡(Flash Card)、至少 一个磁盘存储器件、闪存器件、或其他易失性固态存储器件。风电系统运行稳定域的构建 装置的模块/单元如果以软件功能单元的形式实现并作为独立的产品销售或使用时，可以 存储在一个计算机可读取存储介质中。基于这样的理解，本公开实现上述实施例方法中 的全部或部分流程，也可以通过计算机程序来指令相关的硬件来完成，所述的计算机程 序可存储于一计算机可读存储介质中，该计算机程序在被处理器执行时，可实现上述各 个方法实施例的步骤。其中，所述计算机程序包括计算机程序代码，所述计算机程序代 码可以为源代码形式、对象代码形式、可执行文件或某些中间形式等。所述计算机可读 介质可以包括：能够携带所述计算机程序代码的任何实体或装置、记录介质、U盘、移动 硬盘、磁碟、光盘、计算机存储器、只读存储器(ROM，ReadOnly Memory)、随机存取存储 器(RAM，Random Access Memory)、电载波信号、电信信号以及软件分发介质等。需说明 的是，以上所描述的装置实施例仅仅是示意性的，其中所述作为分离部件说明的单元可以 是或者也可以不是物理上分开的，作为单元显示的部件可以是或者也可以不是物理单元， 即可以位于一个地方，或者也可以分布到多个网络单元上。可以根据实际的需要选择其 中的部分或者全部模块来实现本实施例方案的目的。另外，本发明提供的装置实施例附 图中，模块之间的连接关系表示它们之间具有通信连接，具体可以实现为一条或多条通 信总线或信号线。本领域普通技术人员在不付出创造性劳动的情况下，即可以理解并实 施。It should be noted that, in the embodiments of the present disclosure, the so-called processor may be a central processing unit (Central Processing Unit, CPU), and may also be other general-purpose processors, digital signal processors (Digital Signal Processor, DSP), application-specific integrated circuits (Application Specific Integrated Circuit, ASIC), off-the-shelf programmable gate array (Field Programmable Gate Array, FPGA) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc. The general-purpose processor can be a microprocessor or the processor can also be any conventional processor, etc., and the memory can be used to store the computer program and/or module, and the processor stores the program in the memory by running or executing The computer programs and/or modules in the memory, and call the data stored in the memory, realize the various functions of the auto parts picture data set production equipment. The memory may mainly include a program storage area and a data storage area, wherein the program storage area may store an operating system, an application program (such as a sound playback function, an image playback function, etc.) required by at least one function; the storage data area may store Data (such as audio data, phone book, etc.) created according to the use of the mobile phone. In addition, the memory can include high-speed random access memory, and can also include non-volatile memory, such as hard disk, internal memory, plug-in hard disk, smart memory card (Smart Media Card, SMC), secure digital (Secure Digital (SD) card, flash card (Flash Card), at least one disk storage device, flash memory device, or other volatile solid-state storage device. Construction of wind power system operation stability domain If the module/unit of the device is realized in the form of a software function unit and sold or used as an independent product, it can be stored in a computer-readable storage medium. Based on such an understanding, the present disclosure realizes all or part of the processes in the methods of the above embodiments, and can also be completed by instructing related hardware through computer programs, and the computer programs can be stored in a computer-readable storage medium. When the computer program is executed by the processor, it can realize the steps of the above-mentioned various method embodiments. Wherein, the computer program includes computer program code, and the computer program code may be in the form of source code, object code, executable file or some intermediate form. The computer-readable medium may include: any entity or device capable of carrying the computer program code, a recording medium, a USB flash drive, a removable hard disk, a magnetic disk, an optical disk, a computer memory, a read-only memory (ROM, ReadOnly Memory), random Access memory (RAM, Random Access Memory), electrical carrier signal, telecommunication signal and software distribution medium, etc. It should be noted that the device embodiments described above are only illustrative, and the units described as separate components may or may not be physically separated, and the components shown as units may or may not be physically separated. A unit can be located in one place, or can be distributed to multiple network units. Part or all of the modules can be selected according to actual needs to realize the purpose of the solution of this embodiment. In addition, in the drawings of the device embodiments provided by the present invention, the connection relationship between the modules indicates that there is a communication connection between them, which can be specifically implemented as one or more communication buses or signal lines. Those of ordinary skill in the art can understand and implement without paying creative efforts.

以上所述是本公开的优选实施方式，应当指出，对于本技术领域的普通技术人员来说， 在不脱离本发明原理的前提下，还可以做出若干改进和润饰，这些改进和润饰也视为本发 明的保护范围。The above description is a preferred embodiment of the present disclosure. It should be pointed out that for those of ordinary skill in the art, without departing from the principle of the present invention, some improvements and modifications can also be made, and these improvements and modifications are also considered Be the protection scope of the present invention.

Claims (8)

1. A large-scale Internet of things service domain isolated communication method is characterized by comprising the following steps:

binding the IPv6 address of the user terminal in the Internet of things, the MAC address of the user terminal and a corresponding switch with each other;

according to the real identity of the user terminal in the IPv6 address of the user terminal in the Internet of things, the communication of the Internet of things is distributed before communication;

allocating different data stream bandwidths according to the resource use state of the large-scale Internet of things service domain;

segmenting the access purpose according to the real identity of the user terminal so that an unauthorized user cannot access the service resource outside the authority;

each user terminal in the same service domain adopts a key exchange algorithm to realize encrypted communication;

each user terminal in the same service domain adopts a key exchange method to realize encrypted communication, and the method comprises the following steps:

(1) The service domain center generates a pair of public key and private key for each user terminal in the same service domain, and sends the public key to all user terminals in the service domain, and the private key is sent to the corresponding user terminal according to the real identity of the user terminal;

(2) The user terminal initiating the communication request encrypts the IP address of the target user terminal by using the public key of the target user terminal according to the IP address of the target user terminal to obtain an encrypted ciphertext, namely auth_S ＝Encrypt(IP_D )；

(3) The user terminal initiating the communication request initiates communication according to the IP address of the target user terminalCalculating the IP address of the user terminal of the communication request and the time stamp for initiating the communication request to obtain a hash value K_S ：

k_S ＝H(IP_D ||IP_S ||T_STAMP ),

Where, | | denotes string concatenation, IP_D Indicating the destination user terminal address, IP_S Indicating the address of the user terminal initiating the communication request, T_STAMP A presentation time stamp; h () represents a hash algorithm;

(4) The user terminal initiating the communication request sends the hash value K_S The first 128 bits are used as a first symmetric key K of the communication, and the key K is encrypted by using a public key of the target user terminal to obtain a ciphertext R_S ，R_S ＝Encrypt(K)；

(5) User terminal initiating communication request sends cipher text R to target user terminal_S And ciphertext auth_S ；

(6) The target user terminal utilizes the private key of the terminal to encrypt the ciphertext auth_S Decrypting to obtain the IP address to be authenticated of the target user terminal, comparing the IP address to be authenticated with the IP address of the target user terminal, if the IP address to be authenticated is not the same as the IP address of the target user terminal, directly sending a rejection instruction to the user terminal initiating the communication request, if the IP address to be authenticated is the same as the IP address of the target user terminal, successfully authenticating, and comparing the ciphertext R_S Decrypting to obtain a second symmetric key K';

(7) The target user terminal encrypts the IP address of the user terminal initiating the communication request by using the second symmetric key K' to obtain a ciphertext auth_D ，auth_D ＝Encrypt_K′ (IP_S )；

(8) The target user terminal sends the ciphertext auth to the user terminal initiating the communication request_D ；

(9) The user terminal initiating the communication request uses the first symmetric K to pair the ciphertext auth_D Decrypting, if the IP address of the user terminal initiating the communication request can not be obtained, the key exchange fails, if the IP address of the user terminal initiating the communication request is obtainedAnd if the IP address is the IP address, the key exchange is successful, and the first key K is used as a symmetric key for the data encryption communication.

2. The large-scale internet of things service domain isolated communication method according to claim 1, wherein the binding the IPv6 address of the user terminal in the internet of things, the MAC address of the user terminal, and the corresponding switch to each other comprises:

(1) Storing IPv6 addresses of user terminals in the Internet of things in a distributed manner to service domain centers of the large-scale Internet of things;

(2) Each service domain center verifies the identity of the user terminal in the service domain access network according to the real source address of the user terminal in the access network in the Internet of things;

(3) Embedding the identification information of the identity of the user terminal 64 bits behind the IPv6 address of the user terminal;

(4) And binding the IPv6 address of the user terminal in the Internet of things, the MAC address of the user terminal and the corresponding switch with each other.

3. The large-scale internet of things service domain isolated communication method of claim 1, wherein the allocating communication of the internet of things according to the real identity of the user terminal in the IPv6 address of the user terminal in the internet of things comprises:

(1) Before communication, a user terminal sends a communication request to a service domain center of a large-scale Internet of things, wherein the communication request comprises an IP address of the user terminal and an IP address of a target user terminal;

(2) And each service domain center of the Internet of things judges the IP address of the user terminal and the IP address of the communication target, if the IP address of the user terminal and the IP address of the communication target are in the same service domain, a communication permission instruction is sent to a switch connected with the user terminal, and if the IP address of the user terminal and the IP address of the communication target are not in the same service domain, a rejection instruction is directly sent to the user terminal.

4. The large-scale internet of things service domain isolated communication method according to claim 1, wherein the allocating different data stream bandwidths according to the resource usage state of the large-scale internet of things service domain comprises:

(1) The method comprises the steps that the center of each service domain of the large-scale Internet of things establishes the mapping relation between the identifier ID of the service domain and the bandwidth information of the service domain on a plurality of switches respectively, wherein the bandwidth information comprises the total bandwidth and the existing bandwidth of the service domain;

(2) When a user terminal sends a communication request, a service domain center judges bandwidth information of an exchanger connected with the user terminal sending the communication request according to an identifier ID, if the existing bandwidth of the service domain is larger than or equal to the bandwidth on the exchanger, the service domain center distributes the bandwidth and sends a bandwidth distribution result to an exchanger port connected with the user terminal sending the communication request, and if the existing bandwidth of the service domain is smaller than the bandwidth on the exchanger, a communication rejection instruction is directly sent to the user terminal sending the communication request.

5. The large-scale internet of things service domain isolated communication method according to claim 1, wherein the splitting of the access purpose according to the real identity of the user terminal to make an unauthorized user unable to access a service resource outside the right comprises:

(1) The service domain center respectively sets the access authority and the corresponding access mark of each user terminal according to the real identity of the user terminal;

(2) When a user terminal sends a communication request to a service domain center, the service domain center judges the legality of the access request of the user terminal according to the access authority of the user terminal, if the user terminal has the access authority, an access mark of the user terminal is sent to an accessed target, and if the user terminal does not have the access authority, a rejection instruction is directly sent to the user terminal.

6. A large-scale IOT service domain isolated communication device for performing the large-scale IOT service domain isolated communication method of any one of claims 1-5, comprising:

the address binding module is used for binding the IPv6 address of the user terminal in the Internet of things, the MAC address of the user terminal and the corresponding switch;

the communication distribution module is used for distributing the communication of the Internet of things before the communication according to the real identity of the user terminal in the IPv6 address of the user terminal in the Internet of things;

the bandwidth allocation module is used for allocating different data stream bandwidths according to the resource use state of the large-scale Internet of things service domain;

the resource segmentation module is used for segmenting the access purpose according to the real identity of the user terminal so that an unauthorized user cannot access the service resources outside the authority;

and the communication module is used for each user terminal in the same service domain and adopts a key exchange algorithm to realize encrypted communication.

7. An electronic device, comprising:

a memory for storing computer-executable instructions;

a processor configured to perform the large-scale internet of things service domain isolated communication method of any of claims 1-5.

8. A computer-readable storage medium having stored thereon a computer program for causing a computer to execute the large-scale internet of things service domain isolated communication method of any one of claims 1-5.

Images