Technical Field
The present invention belongs to the field of computer technology and in particular relates to a method and system for implementing dynamic access control on an Android device.
Background Art
In the Android system, existing dynamic access control technology is implemented through cooperation between virtual network interface (TUN) technology and a cloud-side dynamic access control gateway. As shown in Figure 1, the basic idea is to install a client program on the Android device, use that client to establish a data transmission tunnel to the dynamic access control gateway, and perform dynamic access control at the granularity of the tunnel. The basic principle is that the client program reads data from the Android TUN virtual interface, encapsulates each packet according to the tunnel encapsulation format and thereby establishes a data transmission tunnel with the dynamic access control gateway, so that application data on the Android system is sent through the tunnel to the dynamic access control gateway, which forwards or proxies it to the application server.
The basic process of the existing solution is as follows:
a) At system startup, the dynamic access control client starts a TUN interface and binds to it, and at the same time configures routing table entries in the operating system that specify which packets are to be routed to the TUN interface;
b) When an application client initiates service access, the terminal operating system forwards the packet to the TUN interface according to the routing table;
c) The dynamic access control client listens on the TUN interface, reads the packet, and encapsulates it according to the communication protocol format used between itself and the dynamic access control gateway;
d) The dynamic access control client sends the encapsulated packet out again through the operating system protocol stack;
e) The terminal operating system forwards the packet encapsulated by the dynamic access control client to the physical network interface according to the routing information;
f) The data is sent through the physical network interface to the dynamic access control gateway;
g) The dynamic access control gateway decapsulates the packet according to the protocol format and forwards or proxies the service data to the application server.
The existing Android dynamic access control technology cannot work properly when the TUN interface on the user's device is already occupied by another application. Because of a limitation of the Android operating system, only one TUN interface can be active on an Android device at a time; if the dynamic access control client starts another TUN interface, the original TUN interface stops working, which disrupts normal service operation.
For example, when an Android device uses a VPN to access an enterprise internal network remotely, dynamic access control cannot run at the same time as the VPN. The implementation of VPN technology also relies on the TUN interface: a VPN client runs on the Android device, reads data from the Android TUN virtual interface, encapsulates it according to the VPN protocol format, and finally sends it through the device's physical network interface to the VPN gateway, thereby establishing a secure VPN transmission channel. However, because the Android operating system allows only one TUN interface to be in use at a time, dynamic access control cannot be performed on an Android device that is already running a VPN client. In daily enterprise operations it is very common for employees, for example while on business trips, to rely on a VPN to reach the internal network over the Internet from outside the enterprise, so the problem of running the dynamic access control client and the VPN client at the same time needs to be solved.
Summary of the Invention
The purpose of the present invention is to solve the problem of how to implement dynamic access control on an Android device when the TUN interface is already occupied by a VPN client.
The technical solution adopted by the present invention is as follows:
A method for implementing dynamic access control on an Android device comprises the following steps:
the VPN client negotiates with the dynamic access control client to determine the data exchange port and the interest flow (the traffic that is subject to dynamic access control);
the VPN client reads a packet from the TUN interface for the first time and, according to the interest flow negotiated with the dynamic access control client, forwards the matching packet to the dynamic access control client through the negotiated data exchange port;
the dynamic access control client performs a first encapsulation of the packet according to the communication protocol format between itself and the dynamic access control gateway, and the operating system forwards the first-encapsulated packet to the TUN interface according to the routing table;
the VPN client reads the packet from the TUN interface for the second time and performs a second encapsulation according to the VPN format; the operating system forwards the second-encapsulated packet to the physical network interface according to the routing table, and the second-encapsulated packet is sent through the physical network interface to the VPN gateway.
Furthermore, the above method further comprises the following steps:
after receiving the packet, the VPN gateway performs a first decapsulation and forwards the first-decapsulated packet to the dynamic access control gateway;
the dynamic access control gateway performs a second decapsulation of the packet and forwards the second-decapsulated packet to the application server.
Furthermore, when the dynamic access control client performs the first encapsulation, it sets the destination address of the packet to the address of the dynamic access control gateway and then sends the encapsulated packet out through the operating system protocol stack; after the VPN client performs the second encapsulation, it sends the encapsulated packet out through the operating system protocol stack.
Furthermore, when the TUN interface is already occupied by the VPN client, the dynamic access control client runs as an ordinary user-mode app that interacts with the VPN client, and the two encapsulate packets in sequence.
Furthermore, the VPN client and the dynamic access control client interact via AIDL, local socket communication or the like; the information exchanged between the VPN client and the dynamic access control client includes the interest flow, the data exchange port number and the IP address of the dynamic access control gateway.
Furthermore, the keep-alive mechanism between the VPN client and the dynamic access control client includes adding the dynamic access control client to the operating system whitelist, or having the VPN client check for the dynamic access control client's service and start the dynamic access control client itself if the service is not present.
Furthermore, the dynamic access control gateway obtains changes in the environmental state of the current Android terminal, automatically orchestrates access control policies, and dynamically blocks user access behavior.
An Android terminal comprises a VPN client, a dynamic access control client, a TUN interface and a physical network interface, wherein:
the VPN client negotiates with the dynamic access control client to determine the data exchange port and the interest flow;
the VPN client reads a packet from the TUN interface for the first time and, according to the interest flow negotiated with the dynamic access control client, forwards the matching packet to the dynamic access control client through the negotiated data exchange port;
the dynamic access control client performs a first encapsulation of the packet according to the communication protocol format between itself and the dynamic access control gateway, and the operating system forwards the first-encapsulated packet to the TUN interface according to the routing table;
the VPN client reads the packet from the TUN interface for the second time and performs a second encapsulation according to the VPN format; the operating system forwards the second-encapsulated packet to the physical network interface according to the routing table, and the second-encapsulated packet is sent through the physical network interface to the VPN gateway.
A system for implementing dynamic access control on an Android device comprises an Android terminal, a VPN gateway, a dynamic access control gateway and an application server; the Android terminal comprises a VPN client, a dynamic access control client, a TUN interface and a physical network interface, wherein:
the VPN client negotiates with the dynamic access control client to determine the data exchange port and the interest flow;
the VPN client reads a packet from the TUN interface for the first time and, according to the interest flow negotiated with the dynamic access control client, forwards the matching packet to the dynamic access control client through the negotiated data exchange port;
the dynamic access control client performs a first encapsulation of the packet according to the communication protocol format between itself and the dynamic access control gateway, and the operating system forwards the first-encapsulated packet to the TUN interface according to the routing table;
the VPN client reads the packet from the TUN interface for the second time and performs a second encapsulation according to the VPN format; the operating system forwards the second-encapsulated packet to the physical network interface according to the routing table, and the second-encapsulated packet is sent through the physical network interface to the VPN gateway;
after receiving the packet, the VPN gateway performs a first decapsulation and forwards the first-decapsulated packet to the dynamic access control gateway;
the dynamic access control gateway performs a second decapsulation of the packet and forwards the second-decapsulated packet to the application server.
The beneficial effects of the present invention are as follows:
a) When the virtual network interface of the Android device is already occupied by a VPN client, dynamic access control can be implemented transparently to the upper-layer application client;
b) The method does not change the existing service access pattern and does not invalidate existing service integration work: the way the application client and the application server invoke data exchange remains unchanged, the user experience is unchanged, and the solution is easier for users to adopt;
c) In this method, the dynamic access control gateway supports either bypass (out-of-path) or in-line (serial) deployment. Bypass deployment leaves the existing equipment deployment of the service system unchanged and requires little modification; in-line deployment makes the dynamic access control gateway a mandatory path for service system data, further strengthening the security of the service system.
Brief Description of the Drawings
Figure 1 is an overall architecture diagram of the existing solution.
Figure 2 is an overall architecture diagram of the present invention.
Detailed Description
To make the above objects, features and advantages of the present invention clearer and easier to understand, the present invention is further described in detail below with reference to specific examples and the drawings.
1. Overall workflow
The overall architecture of the present invention is shown in Figure 2. On the Android terminal, the VPN client occupies the TUN interface and the dynamic access control client runs as an ordinary user-mode app. On the server side, the dynamic access control gateway is placed behind the VPN gateway. The basic idea of the method of the present invention for implementing dynamic access control on an Android device is as follows: the VPN client negotiates with the dynamic access control client to determine the data exchange port and the interest flow; the VPN client reads a packet from the TUN interface for the first time and, according to the interest flow negotiated with the dynamic access control client, forwards the matching packet to the dynamic access control client through the negotiated data exchange port; the dynamic access control client performs a first encapsulation of the packet according to the communication protocol format between itself and the dynamic access control gateway and then sends the first-encapsulated packet through the operating system protocol stack, and the operating system forwards the first-encapsulated packet to the TUN interface according to the routing table; the VPN client reads the packet from the TUN interface for the second time, performs a second encapsulation according to the VPN format and then sends the second-encapsulated packet through the operating system protocol stack, the operating system forwards the second-encapsulated packet to the physical network interface according to the routing table, and finally the second-encapsulated packet is sent through the physical network interface of the Android device to the VPN gateway; after receiving the packet, the VPN gateway performs a first decapsulation and forwards the first-decapsulated packet to the dynamic access control gateway, which performs a second decapsulation and forwards or proxies the second-decapsulated packet to the application server.
2. Service access process
a) At system startup, the dynamic access control client negotiates with the VPN client. The negotiated content includes, but is not limited to, the data exchange port and which packets dynamic access control applies to, i.e. the interest flow of dynamic access control; the relevant routing table entries are configured in the operating system;
b) The app client initiates a service access request, and the operating system forwards the packet to the TUN interface according to the routing table;
c) The VPN client reads the packet from the TUN interface (first read of the packet);
d) According to the information negotiated in step a), the VPN client sends the packets that match the interest flow to the dynamic access control client;
e) The dynamic access control client performs the first encapsulation of the packet according to the communication protocol format between itself and the dynamic access control gateway, sets the destination address of the packet to the address of the dynamic access control gateway, and then sends the packet out through the operating system protocol stack;
f) The operating system forwards the first-encapsulated packet to the TUN interface according to the routing table; the VPN client reads the packet from the TUN interface again (second read of the packet), performs the second encapsulation according to the VPN protocol format, and sends the encapsulated packet out through the operating system protocol stack. Neither the VPN client nor the dynamic access control client decides which interface sends the packet; the operating system decides that according to the system routing table;
g) The operating system forwards the packet from step f) to the physical network interface of the Android device according to the routing table, and the packet finally leaves through the physical network interface;
h) The packet arrives at the VPN gateway, which performs the first decapsulation and forwards the decapsulated packet to the dynamic access control gateway;
i) The dynamic access control gateway receives the first-decapsulated packet, performs the second decapsulation according to its own protocol format, and forwards or proxies the decapsulated packet to the application server.
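As an added illustration that is not part of the patent text, the following Python simulation walks a packet through steps a) to i) above and also shows the two cases the steps imply but do not spell out: traffic inside the VPN but outside the interest flow gets a single VPN encapsulation, and traffic outside the tunnel routes leaves the physical interface untouched. All addresses, the routing table, the interest flow prefix, the port and the packet layout are constructed for the example; the VPN client tells the second read from the first by the destination address, using the dynamic access control gateway IP that key point b) lists among the negotiated information.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Optional

# Constructed addresses and port for the simulation (placeholders, not from the patent).
APP_SERVER = "10.20.0.10"       # application server reached through both gateways
DAC_GATEWAY = "10.10.0.5"       # dynamic access control (DAC) gateway, placed behind the VPN gateway
VPN_GATEWAY = "203.0.113.1"     # VPN gateway reachable over the physical interface
TERMINAL_VPN_IP = "10.8.0.2"    # terminal's address inside the VPN
TERMINAL_WAN_IP = "192.0.2.10"  # terminal's address on the physical interface
DAC_PORT = 40000                # local data exchange port negotiated in step a)


@dataclass
class Packet:
    proto: str                  # "APP" (plain application packet), "DAC" or "VPN" encapsulation
    src: str
    dst: str
    payload: bytes = b""
    inner: Optional["Packet"] = None   # encapsulated packet, if any


# Routing table configured in step a). Longest-prefix match decides the egress interface;
# neither client picks the interface itself (step f).
ROUTES = [
    (ip_network("10.0.0.0/8"), "tun0"),     # enterprise ranges enter the VPN tunnel
    (ip_network("0.0.0.0/0"), "wlan0"),     # everything else leaves via the physical interface
]

# Interest flow negotiated in step a): destinations subject to dynamic access control.
INTEREST_FLOW = ip_network("10.20.0.0/16")


def route(dst: str) -> str:
    """Longest-prefix match of dst against ROUTES; returns the egress interface name."""
    addr = ip_address(dst)
    _, iface = max(((n, i) for n, i in ROUTES if addr in n), key=lambda r: r[0].prefixlen)
    return iface


def dac_client_encapsulate(pkt: Packet) -> Packet:
    """Step e): first encapsulation, destination set to the DAC gateway address."""
    return Packet("DAC", TERMINAL_VPN_IP, DAC_GATEWAY, inner=pkt)


def vpn_client_encapsulate(pkt: Packet) -> Packet:
    """Step f): second encapsulation in the VPN format, addressed to the VPN gateway."""
    return Packet("VPN", TERMINAL_WAN_IP, VPN_GATEWAY, inner=pkt)


def terminal_send(app_pkt: Packet, interest_flow=INTEREST_FLOW):
    """Steps b) to g) on the terminal. Returns (packet leaving wlan0, list of interfaces visited)."""
    pkt, trace = app_pkt, []
    for _ in range(4):                      # bounded: a packet passes tun0 at most twice
        iface = route(pkt.dst)
        trace.append(iface)
        if iface == "wlan0":
            return pkt, trace               # step g): out through the physical interface
        # tun0: the VPN client reads the packet (first read in step c, second read in step f).
        # A packet addressed to the DAC gateway is the second read and must not be handed
        # back to the DAC client, otherwise it would loop between the two clients.
        if pkt.dst != DAC_GATEWAY and ip_address(pkt.dst) in interest_flow:
            pkt = dac_client_encapsulate(pkt)   # steps d)/e): delivered on DAC_PORT, re-sent to the stack
        else:
            pkt = vpn_client_encapsulate(pkt)   # step f)
    raise RuntimeError("packet did not leave the terminal within the expected passes")


def vpn_gateway_receive(pkt: Packet) -> Packet:
    """Step h): first decapsulation; the inner packet goes on to the DAC gateway or its destination."""
    if pkt.proto != "VPN" or pkt.dst != VPN_GATEWAY or pkt.inner is None:
        raise ValueError("not a VPN packet for this gateway")
    return pkt.inner


def dac_gateway_receive(pkt: Packet, allow: Callable[[Packet], bool]) -> Optional[Packet]:
    """Step i): second decapsulation; the policy callback models key point d) (block or forward)."""
    if pkt.proto != "DAC" or pkt.dst != DAC_GATEWAY or pkt.inner is None:
        raise ValueError("not a DAC packet for this gateway")
    return pkt.inner if allow(pkt.inner) else None


def end_to_end(app_pkt: Packet, allow: Callable[[Packet], bool] = lambda p: True):
    """Whole path; returns (packet delivered to its destination or None if blocked, interface trace)."""
    out, trace = terminal_send(app_pkt)
    if out.proto != "VPN":
        return out, trace                   # never tunnelled, e.g. public Internet traffic
    inner = vpn_gateway_receive(out)
    if inner.proto == "DAC":
        inner = dac_gateway_receive(inner, allow)
    return inner, trace


if __name__ == "__main__":
    delivered, trace = end_to_end(Packet("APP", TERMINAL_VPN_IP, APP_SERVER, b"GET /"))
    print(trace, delivered)
```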
3. Key points of the present invention
a) When the virtual network interface of the Android device is already occupied by the VPN client, the dynamic access control client runs as an ordinary user-mode app that interacts with the VPN client, and the two encapsulate packets in sequence;
b) The ways in which the VPN client and the dynamic access control client interact include, but are not limited to, AIDL and local socket communication; the information exchanged between the VPN client and the dynamic access control client includes, but is not limited to, the interest flow, the data exchange port number and the IP address of the dynamic access control gateway;
c) A keep-alive mechanism between the VPN client and the dynamic access control client (the processes of the VPN client and the dynamic access control client must not be killable by the user), including but not limited to adding the dynamic access control client to the operating system whitelist, or having the VPN client check for the dynamic access control client's service and start the dynamic access control client itself if the service is not present;
d) The dynamic access control gateway can obtain changes in the environmental state of the current Android terminal (such as a mobile phone), automatically orchestrate access control policies, and dynamically block user access behavior.
Here, "automatically orchestrate access control policies and dynamically block user access behavior" specifically means the following: modules such as mobile device management (MDM), mobile application management (MAM), mobile virus scanning and vulnerability scanning collect the Android terminal's device information, user information, security risk information, geographic location information, network connection information and so on, and upload it to an access control policy center that works together with the dynamic access control gateway; the policy center orchestrates access control policies from the collected terminal information and pushes them to the dynamic access control gateway, which decides according to those policies whether to block particular user behaviors.
In the present invention, the dynamic access control gateway supports two deployment modes, bypass and in-line (serial). In-line deployment means the dynamic access control gateway is placed on the mandatory path between the user and the server; bypass deployment means it is not placed on that path.
Another embodiment of the present invention provides an Android terminal comprising a VPN client, a dynamic access control client, a TUN interface and a physical network interface, wherein:
the VPN client negotiates with the dynamic access control client to determine the data exchange port and the interest flow;
the VPN client reads a packet from the TUN interface for the first time and, according to the interest flow negotiated with the dynamic access control client, forwards the matching packet to the dynamic access control client through the negotiated data exchange port;
the dynamic access control client performs a first encapsulation of the packet according to the communication protocol format between itself and the dynamic access control gateway, and the operating system forwards the first-encapsulated packet to the TUN interface according to the routing table;
the VPN client reads the packet from the TUN interface for the second time and performs a second encapsulation according to the VPN format; the operating system forwards the second-encapsulated packet to the physical network interface according to the routing table, and the second-encapsulated packet is sent through the physical network interface to the VPN gateway.
Another embodiment of the present invention provides a system for implementing dynamic access control on an Android device, comprising an Android terminal, a VPN gateway, a dynamic access control gateway and an application server; the Android terminal comprises a VPN client, a dynamic access control client, a TUN interface and a physical network interface, wherein:
the VPN client negotiates with the dynamic access control client to determine the data exchange port and the interest flow;
the VPN client reads a packet from the TUN interface for the first time and, according to the interest flow negotiated with the dynamic access control client, forwards the matching packet to the dynamic access control client through the negotiated data exchange port;
the dynamic access control client performs a first encapsulation of the packet according to the communication protocol format between itself and the dynamic access control gateway, and the operating system forwards the first-encapsulated packet to the TUN interface according to the routing table;
the VPN client reads the packet from the TUN interface for the second time and performs a second encapsulation according to the VPN format; the operating system forwards the second-encapsulated packet to the physical network interface according to the routing table, and the second-encapsulated packet is sent through the physical network interface to the VPN gateway;
after receiving the packet, the VPN gateway performs a first decapsulation and forwards the first-decapsulated packet to the dynamic access control gateway;
the dynamic access control gateway performs a second decapsulation of the packet and forwards the second-decapsulated packet to the application server.
The specific embodiments of the present invention disclosed above are intended to help understand the content of the present invention and to implement it accordingly. Those of ordinary skill in the art will understand that various substitutions, changes and modifications are possible without departing from the spirit and scope of the present invention. The present invention should not be limited to what is disclosed in the embodiments of this specification; its scope of protection is defined by the claims.
| Application Number | Publication Number | Priority Date | Filing Date | Title |
|---|---|---|---|---|
| CN202211303626.0A | CN117938408A | 2022-10-24 | 2022-10-24 | A method and system for implementing dynamic access control in Android devices |
| Publication Number | Publication Date |
|---|---|
| CN117938408A | 2024-04-26 |