CN120729543A - Data transmission method, device and electronic device - Google Patents

Info

Publication number: CN120729543A
Authority: CN (China)
Prior art keywords: virtual switch, data packet, address information, security tag, key
Legal status: Pending
Application number: CN202410375124.1A
Other languages: Chinese (zh)
Inventors: 张先国, 吴天议
Current assignee: Hangzhou AliCloud Feitian Information Technology Co Ltd
Original assignee: Hangzhou AliCloud Feitian Information Technology Co Ltd
Application filed by Hangzhou AliCloud Feitian Information Technology Co Ltd
Priority to CN202410375124.1A
Priority to PCT/IB2025/051446
Publication of CN120729543A

Abstract

Translated from Chinese


The embodiments of the present application provide a data transmission method, device, and electronic device. The data transmission method includes: receiving a target data packet, the target data packet including encrypted data and a security tag, wherein the encrypted data is obtained by encrypting the original data packet of the second virtual machine using the key of the second virtual switch, the original data packet including address information, and the security tag is generated based on the address information; decrypting the encrypted data using the key of the first virtual switch, and verifying the security tag based on the decrypted address information and the key of the first virtual switch; if the security tag verification passes, sending the decrypted original data packet to the first virtual machine, and the first virtual machine corresponds to the destination address in the address information. This reduces resource consumption.

Description

Data transmission method and device and electronic equipment
Technical Field
The present application relates to the field of cloud networks, and more particularly, to a data transmission method, apparatus, and electronic device.
Background
The private network (Virtual Private Cloud, VPC) is a custom private network within which cloud resources, such as cloud servers (Elastic Compute Service, ECS), load balancing (Server Load Balancer, SLB), databases (Relational Database Service, RDS), etc., can be created and managed.
When network elements in the VPC, such as a virtual switch (vSwitch), a Virtual Firewall (VFIREWALL) or a gateway, transmit data, they look up the entry corresponding to the five-tuple of each data packet in a session table to decide whether the packet may pass. Because security control of the packet relies on the session table, tens of millions of session entries may have to be created; the session table then occupies a large amount of memory, and creating and searching it consumes a great deal of CPU.
Disclosure of Invention
The present application provides a data transmission method, a data transmission apparatus and an electronic device, which implement security control of data packets based on a security tag and reduce the consumption of memory and CPU resources.
In a first aspect, the present application provides a data transmission method applied to a first virtual switch of a private network, in which a first virtual machine is disposed in a subnet of the first virtual switch, the private network further includes a second virtual switch, in which a second virtual machine is disposed in a subnet of the second virtual switch, the method including:
receiving a target data packet, wherein the target data packet comprises encrypted data and a security tag, the encrypted data is obtained by encrypting an original data packet of the second virtual machine using the key of the second virtual switch, the original data packet comprises the data to be transmitted and address information (a five-tuple), and the security tag is generated based on the address information and the key;
decrypting the encrypted data using the key of the first virtual switch, and checking the security tag based on the address information obtained by decryption and the key of the first virtual switch;
and, when the security tag passes the check, sending the decrypted original data packet to the first virtual machine, which corresponds to the destination address in the address information.
In a second aspect, the present application provides a data transmission method applied to a second virtual switch of a private network, where a second virtual machine is disposed in a subnet of the second virtual switch, the method including:
Encrypting an original data packet of the second virtual machine by adopting a key of the second virtual switch to obtain encrypted data, wherein the original data packet comprises address information;
and encapsulating and transmitting a target data packet based on the encrypted data and a security tag, wherein the security tag is generated based on the address information.
In a third aspect, the present application provides a data transmission method applied to a forwarding network element between a first virtual switch and a second virtual switch of a private network, where a first virtual machine is disposed in a subnet of the first virtual switch, and a second virtual machine is disposed in a subnet of the second virtual switch, the method comprising:
Receiving a target data packet, wherein the target data packet comprises encrypted data and a security tag, the encrypted data is obtained by encrypting an original data packet of the second virtual machine by adopting a secret key, the original data packet comprises address information, the security tag is generated based on the address information, and a destination address in the address information corresponds to the first virtual machine;
Decrypting the encrypted data by adopting the key of the forwarding network element, and checking the security tag based on address information obtained by decryption and the key of the forwarding network element;
and, when the security tag passes the check, sending the target data packet to a next-hop network element, wherein the next-hop network element is another forwarding network element between the first virtual switch and the second virtual switch, or the next-hop network element is the first virtual switch.
In a fourth aspect, the present application provides a data transmission apparatus applied to a first virtual switch of a private network, in which a first virtual machine is disposed in a subnet of the first virtual switch, the private network further includes a second virtual switch, in which a second virtual machine is disposed in a subnet of the second virtual switch, the apparatus comprising:
a receiving module, used for receiving a target data packet, wherein the target data packet comprises encrypted data and a security tag, the encrypted data is obtained by encrypting an original data packet of the second virtual machine using the key of the second virtual switch, the original data packet comprises the data to be transmitted and address information (a five-tuple), and the security tag is generated based on the address information and the key;
a verification module, used for decrypting the encrypted data using the key of the first virtual switch, and checking the security tag based on the address information obtained by decryption and the key of the first virtual switch;
and a sending module, used for sending the decrypted original data packet to the first virtual machine when the security tag passes the check, where the first virtual machine corresponds to the destination address in the address information.
In a fifth aspect, the present application provides a data transmission apparatus applied to a second virtual switch of a private network, in which a second virtual machine is disposed within a subnet of the second virtual switch, the apparatus comprising:
the encryption module is used for encrypting an original data packet of the second virtual machine by adopting a key of the second virtual switch to obtain encrypted data, wherein the original data packet comprises address information;
And the sending module is used for packaging and sending the target data packet based on the encrypted data and a security tag, wherein the security tag is generated based on the address information.
In a sixth aspect, the present application provides a data transmission apparatus applied to a forwarding network element between a first virtual switch and a second virtual switch of a private network, where a first virtual machine is deployed in a subnet of the first virtual switch, and a second virtual machine is deployed in a subnet of the second virtual switch, the apparatus comprising:
the receiving module is used for receiving a target data packet, wherein the target data packet comprises encrypted data and a security tag, the encrypted data is obtained by encrypting an original data packet of the second virtual machine by adopting a secret key, the original data packet comprises address information, the security tag is generated based on the address information, and a destination address in the address information corresponds to the first virtual machine;
the verification module is used for decrypting the encrypted data by adopting the key of the forwarding network element, and verifying the security tag based on address information obtained by decryption and the key of the forwarding network element;
and a sending module, used for sending the target data packet to a next-hop network element when the security tag passes the check, wherein the next-hop network element is another forwarding network element between the first virtual switch and the second virtual switch, or the next-hop network element is the first virtual switch.
In a seventh aspect, the present application provides an electronic device comprising a memory and a processor;
The memory is used for storing a computer program;
the processor is configured to execute a computer program stored in the memory, which when executed causes the processor to perform the method of the first, second or third aspect.
In an eighth aspect, the present application provides a computer readable storage medium having a computer program stored therein, which when executed by a processor causes the processor to perform the method according to the first, second or third aspects.
In a ninth aspect, the present application provides a computer program product comprising a computer program which, when executed by a processor, implements the method according to the first, second or third aspects.
According to the data transmission method, apparatus and electronic device of the present application, after the second virtual switch encrypts the original data packet, it adds to the encrypted data a security tag generated from the address information of the original data packet, obtaining the target data packet. The security tag identifies and tracks the source and flow direction of the original data packet; every network element that forwards or receives the target data packet checks the tag, and the packet is allowed through only when the check passes. Security control of the data packet is thus implemented with the security tag, each network element is spared creating and storing a large number of session table entries, and the consumption of memory and CPU resources is reduced.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions of the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, and it is obvious that the drawings in the following description are some embodiments of the present application, and other drawings may be obtained according to the drawings without inventive effort to a person skilled in the art.
FIG. 1 is a schematic diagram of a VPC architecture according to an embodiment of the present application;
FIG. 2 is a schematic flowchart of a data transmission method according to an embodiment of the present application;
FIG. 3 is a schematic structural diagram of a target data packet according to an embodiment of the present application;
FIG. 4 is a second flowchart of a data transmission method according to an embodiment of the present application;
FIG. 5 is a flowchart of a data transmission method according to an embodiment of the present application;
FIG. 6 is a flowchart of a data transmission method according to an embodiment of the present application;
FIG. 7 is a schematic structural diagram of a data transmission device according to an embodiment of the present application;
FIG. 8 is a second schematic structural diagram of a data transmission device according to an embodiment of the present application;
FIG. 9 is a third schematic structural diagram of a data transmission device according to an embodiment of the present application;
FIG. 10 is a schematic block diagram of an electronic device provided by an embodiment of the present application.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present application more apparent, the technical solutions of the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present application, and it is apparent that the described embodiments are some embodiments of the present application, but not all embodiments of the present application. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
Terms related to the embodiments of the present application will be described.
The five-tuple refers to the source IP address, source port, destination IP address, destination port and transport layer protocol, and uniquely identifies a session.
The session table contains five-tuples and the corresponding security policies, such as allow or reject.
Security tags are used to identify and track the source and flow direction of data, so as to ensure the security of the data.
A virtual switch is the basic network device from which a VPC is composed; it can be connected to different cloud resources, and when a cloud resource is created in the VPC, the virtual switch to which it connects must be specified.
The network access control list (Network Access Control List, ACL) is the network access control function of the VPC. It supports custom network ACL rules; binding a network ACL to a virtual switch implements access control of the traffic of the ECS instances in that virtual switch.
A security group is a virtual firewall that controls the inbound and outbound traffic of the ECS instances in the group, thereby improving the security of the ECS instances.
Table 1 illustrates part of the session table of a network element in the VPC. As shown in Table 1, each entry in the session table consists of a five-tuple and the corresponding policy; each five-tuple covers traffic in both the ingress and egress directions of the network element, and the policy indicates whether the traffic is allowed to pass, so as to ensure the security of the data packet. For each session identified by a five-tuple, the network element determines the policy to enforce by looking up the session table.
TABLE 1
No.  Source IP address  Destination IP address  Protocol  Source port  Destination port  Annotation  Policy
1    10.1.1.1           10.2.2.2                TCP       65432        22                ssh         Allow
2    10.1.1.1           10.2.2.2                TCP       3001         443               https       Allow
3    10.2.3.4           10.2.2.2                TCP       6001         8080              https       Reject
...
n    10.2.2.2           10.3.3.3                TCP       8080         122               https       Reject
Fig. 1 is a schematic diagram of a VPC architecture according to an embodiment of the present application. As shown in fig. 1, the network elements included in the VPC may have a first virtual switch and a second virtual switch, and optionally, paths between the first virtual switch and the second virtual switch may also include other network elements, such as a virtual firewall, a gateway, and the like, where the first virtual machine is disposed in a subnet of the first virtual switch, and the second virtual machine is disposed in a subnet of the second virtual switch, where the virtual machine in the embodiment of the present application may be an ECS instance.
For example, the data packet generated by the second virtual machine in fig. 1 is transmitted to the first virtual machine through the second virtual switch, the virtual firewall and the first virtual switch, where in the transmission process, the second virtual switch, the virtual firewall and the first virtual switch all need to look up a session table to determine whether to allow or reject the data packet. Because each network element through which each data packet is transmitted needs to search a session table, in the scheme, each network element needs to create a session table with a great number of table entries, the storage of the session table occupies a great amount of memory resources, and the creation and search of the session table consume a great amount of CPU resources.
Therefore, in the embodiment of the present application, a data transmission method is provided, in which after an original data packet is encrypted, a security tag is added to the data packet based on address information, and each network element forwarding or receiving the data packet checks the security tag, so that the data packet can be allowed to be transmitted under the condition that the verification is passed, thereby avoiding that each network element creates and stores a large number of session entries, and reducing consumption of memory resources and CPU resources.
Fig. 2 is a flowchart illustrating a data transmission method according to an embodiment of the present application. As shown in fig. 2, the method includes:
S201, the second virtual switch encrypts an original data packet of the second virtual machine by adopting a key of the second virtual switch to obtain encrypted data, wherein the original data packet comprises address information.
Referring to the architecture shown in fig. 1, the second virtual machine is a virtual machine within a subnet of the second virtual switch, and the first virtual machine is a virtual machine within a subnet of the first virtual switch. The original data packet is a data packet generated by the second virtual machine, and the original data packet contains data which needs to be sent to the first virtual machine by the second virtual machine, namely data to be transmitted. The address information in the original data packet comprises a source address and a destination address, wherein the source address comprises a source IP address and a source port, the source IP address and the source port are the IP address and the port of the second virtual machine, the destination address comprises a destination IP address and a destination port, and the destination IP address and the destination port are the IP address and the port of the first virtual machine. Optionally, taking the data structure of the original data packet as an example, the data structure of the original data packet includes a quintuple, and the address information in the original data packet is the source IP address, the source port, the destination IP address and the destination port in the quintuple.
After the original data packet of the second virtual machine reaches the second virtual switch, the second virtual switch encrypts the original data packet, wherein a key of the second virtual switch used for encryption is issued by a controller of the VPC, the controller of the VPC may issue the key to each network element in the VPC in advance, including the second virtual switch and other network elements, that is, each network element in the VPC may have the same key issued by the controller.
S202, the second virtual switch encapsulates and transmits the target data packet based on the encrypted data and a security tag, wherein the security tag is generated based on the address information.
The second virtual switch, in addition to encrypting the original data packet, adds a security tag to it that is generated based on the address information and that can be used to identify and track the source and flow direction of the original data packet. In the case that a five tuple is included in the data structure of the original data packet, the security tag may be generated based on the five tuple. The target data packet is obtained by encapsulating the encrypted data and the security tag, and as illustrated in fig. 3, when the target data packet is encapsulated, the target data packet may further include an underlying network address, that is, an IP address and a port of the underlying network, and may also include a cyclic redundancy check code (Cyclic Redundancy Check, CRC), where the CRC may be used to check the integrity and accuracy of the data packet in a subsequent transmission process. The second virtual switch encapsulates the target data packet and sends the target data packet to the next-hop network element, and there may be a forwarding network element in the path from the second virtual switch to the first virtual switch, so the next-hop network element of the second virtual switch may be the forwarding network element or the first virtual switch.
S203, after receiving the target data packet, the forwarding network element decrypts the encrypted data by adopting the key of the forwarding network element, and verifies the security tag based on the address information obtained by decryption and the key of the forwarding network element.
The forwarding network element in this step refers to other network elements in the path from the second virtual switch to the first virtual switch, and the forwarding network element may be one or more, and the steps performed by the forwarding network elements are similar. The forwarding network element decrypts the encrypted data in the target data packet by adopting the key of the forwarding network element, so that the address information in the encrypted data is obtained, and the security tag in the target data packet is further verified based on the address information obtained by decryption and the key of the forwarding network element. In the case that the data structure of the original data packet includes a quintuple, the security tag may be generated based on the quintuple, and the forwarding network element decrypts the encrypted data in the target data packet by using the key of the forwarding network element, so as to obtain the quintuple therein, and further verifies the security tag in the target data packet based on the quintuple obtained by decryption and the key of the forwarding network element.
The method of checking the security tag corresponds to the method by which the second virtual switch generated it. If the operation that generated the security tag is reversible, the forwarding network element may check the tag by applying the corresponding inverse operation; if the operation is irreversible, the forwarding network element may regenerate the security tag from the address information obtained by decryption and check whether the two match.
S204, the forwarding network element sends the target data packet to the next-hop network element when the security tag passes the check.
There may be one or more forwarding network elements; each sends the target data packet to its next-hop network element, which is either another forwarding network element or the first virtual switch. Steps S203-S204 are performed by each forwarding network element in turn, and when the security tag passes the check at every one of them, the target data packet finally reaches the first virtual switch.
S205, after the first virtual switch receives the target data packet, the first virtual switch decrypts the encrypted data by adopting the key of the first virtual switch, and the security tag is checked based on the address information obtained by decryption and the key of the first virtual switch.
The processing of the first virtual switch after receiving the target data packet is similar to that of the forwarding network element: the first virtual switch decrypts the encrypted data in the target data packet with its own key, thereby obtaining the address information in the encrypted data, and then checks the security tag in the target data packet based on the decrypted address information and its key. In the case that the data structure of the original data packet includes a five-tuple, the security tag may be generated based on the five-tuple; the first virtual switch decrypts the encrypted data with its key to obtain the five-tuple, and checks the security tag based on the decrypted five-tuple and its key. The checking method may refer to S203, with the key of the forwarding network element replaced by the key of the first virtual switch.
In addition, in S203 and S205, before the encrypted data is decrypted by using the key of the forwarding network element or the key of the first virtual switch, the CRC in the target data packet may be checked, and if the check is passed, the encrypted data may be decrypted by using the key.
S206, the first virtual switch sends the original data packet obtained through decryption to the first virtual machine under the condition that the security tag passes verification.
The destination address of the original data packet is the first virtual machine, and under the condition that the target data packet reaches the first virtual switch and passes verification, the first virtual switch sends the decrypted original data packet to the first virtual machine, so that transmission of the original data packet from the second virtual machine to the first virtual machine is realized.
In the method of the embodiment of the present application, after the second virtual switch encrypts the original data packet, it adds to the encrypted data a security tag generated from the address information, obtaining the target data packet. The security tag identifies and tracks the source and flow direction of the original data packet; every network element that forwards or receives the target data packet checks the tag, and the packet is allowed through only when the check passes. Security control of the data packet is thus implemented with the security tag, each network element is spared creating and storing a large number of session table entries, and the consumption of memory and CPU resources is reduced.
On the basis of the above embodiments, a process of processing an original data packet or a target data packet by each network element is further described. It should be noted that, in the following embodiments, address information may be replaced with a five-tuple, and the implementation principle is the same.
In one case, the original data packet is the first data packet of the session identified by the address information. For the first data packet, before performing S201 (encrypting the original data packet with the key of the second virtual switch), the second virtual switch may perform a security check on it based on an access control rule to determine whether its transmission is allowed. The access control rule may be a security group rule or a network ACL rule. If the security check based on the access control rule determines that transmission of the first data packet is allowed, the second virtual switch then performs S201 and encrypts the first data packet with its key.
After encrypting the first data packet, the second virtual switch generates a security tag based on the address information and a key of the second virtual switch.
In one implementation, the second virtual switch hashes the address information together with the key of the second virtual switch and uses the resulting hash value as the security tag. The hash algorithm is not limited in the embodiments of the present application; it may be, for example, Message-Digest Algorithm 5 (MD5) or a Secure Hash Algorithm (SHA).
Correspondingly, when the security tag is obtained by hashing the address information and the key of the second virtual switch, checking the security tag in S203 (by the forwarding network element, based on the decrypted address information and its own key) consists of hashing the decrypted address information together with the key of the forwarding network element; the check passes if the computed result is consistent with the security tag and fails otherwise. Likewise, checking the security tag in S205 (by the first virtual switch, based on the decrypted address information and its own key) consists of hashing the decrypted address information together with the key of the first virtual switch; the check passes if the computed result is consistent with the security tag and fails otherwise.
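As an added example that is not part of the patent or of any Alibaba Cloud code, the following Go program carries steps S201 to S206 through with the hash-based security tag just described: the second vSwitch encrypts and tags, and a forwarding element or the first vSwitch checks the CRC, decrypts with its own key and recomputes the tag. Assumed here, since the page does not fix them: the original packet is the 13-byte five-tuple followed by the payload, the cipher is AES-CTR, the tag is HMAC-SHA256 truncated to 16 bytes, the target layout is iv | ciphertext | tag | CRC-32, and the names FiveTuple, Encapsulate, Verify and CorruptDstIP are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"hash/crc32"
	"net"
)

// FiveTuple is the address information the security tag is derived from.
type FiveTuple struct {
	SrcIP, DstIP     net.IP
	SrcPort, DstPort uint16
	Proto            uint8
}

// Bytes fixes a 13-byte layout so every network element computes the tag over the same input.
func (t FiveTuple) Bytes() []byte {
	b := binary.BigEndian.AppendUint16(append([]byte{}, t.SrcIP.To4()...), t.SrcPort)
	b = binary.BigEndian.AppendUint16(append(b, t.DstIP.To4()...), t.DstPort)
	return append(b, t.Proto)
}

// decodeTuple reads the 13-byte header back; callers have already checked the length.
func decodeTuple(p []byte) FiveTuple {
	return FiveTuple{SrcIP: net.IP(p[0:4]), SrcPort: binary.BigEndian.Uint16(p[4:6]),
		DstIP: net.IP(p[6:10]), DstPort: binary.BigEndian.Uint16(p[10:12]), Proto: p[12]}
}

const tagLen = 16 // assumed target layout: iv(16) | AES-CTR ciphertext of (five-tuple || payload) | tag(16) | CRC-32(4)
// SecurityTag is the page's "hash of the address information and the key"; assumed HMAC-SHA256 truncated to 16 bytes.
func SecurityTag(key []byte, t FiveTuple) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(t.Bytes())
	return m.Sum(nil)[:tagLen]
}

// Encapsulate is S201/S202 at the second vSwitch. CTR is unauthenticated and the CRC unkeyed: only the tag binds the address.
func Encapsulate(key []byte, t FiveTuple, payload []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	original := append(t.Bytes(), payload...)
	pkt := make([]byte, aes.BlockSize+len(original)+tagLen+4)
	rand.Read(pkt[:aes.BlockSize]) // fresh random IV
	cipher.NewCTR(block, pkt[:aes.BlockSize]).XORKeyStream(pkt[aes.BlockSize:], original)
	copy(pkt[aes.BlockSize+len(original):], SecurityTag(key, t))
	n := len(pkt) - 4
	binary.BigEndian.PutUint32(pkt[n:], crc32.ChecksumIEEE(pkt[:n]))
	return pkt, nil
}

// Verify is S203/S205 at a forwarding element or the first vSwitch: CRC, decrypt with its own key, recompute the tag.
func Verify(key, target []byte) (FiveTuple, []byte, error) {
	n := len(target) - 4
	if n < aes.BlockSize+13+tagLen || crc32.ChecksumIEEE(target[:n]) != binary.BigEndian.Uint32(target[n:]) {
		return FiveTuple{}, nil, errors.New("malformed packet or CRC check failed")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return FiveTuple{}, nil, err
	}
	original := make([]byte, n-tagLen-aes.BlockSize)
	cipher.NewCTR(block, target[:aes.BlockSize]).XORKeyStream(original, target[aes.BlockSize:n-tagLen])
	t := decodeTuple(original)
	if !hmac.Equal(SecurityTag(key, t), target[n-tagLen:n]) { // constant-time comparison
		return FiveTuple{}, nil, errors.New("security tag check failed")
	}
	return t, original, nil
}

// CorruptDstIP alters the destination IP in transit and recomputes the unkeyed CRC: the CRC passes, the tag does not.
func CorruptDstIP(target []byte) []byte {
	m := append([]byte{}, target...)
	m[aes.BlockSize+6] ^= 0x01 // dst IP follows src IP (4) + src port (2) inside the ciphertext
	n := len(m) - 4
	binary.BigEndian.PutUint32(m[n:], crc32.ChecksumIEEE(m[:n]))
	return m
}

// SampleTuple is row 1 of Table 1: 10.1.1.1:65432 -> 10.2.2.2:22 over TCP (protocol 6).
func SampleTuple() FiveTuple {
	return FiveTuple{SrcIP: net.IPv4(10, 1, 1, 1), SrcPort: 65432,
		DstIP: net.IPv4(10, 2, 2, 2), DstPort: 22, Proto: 6}
}

func main() {
	key := []byte("0123456789abcdef") // constructed demo key; real keys are issued by the VPC controller
	target, _ := Encapsulate(key, SampleTuple(), []byte("ssh payload"))
	_, _, err := Verify(key, CorruptDstIP(target))
	fmt.Println("altered destination IP:", err) // the tag check fails although the CRC passes
}
```

Because every element holds the same controller-issued key, a valid tag shows that the packet was tagged by a holder of that key rather than by one particular switch. The CorruptDstIP case shows why the unkeyed CRC cannot stand in for the tag: the CRC is recomputable by anyone, the tag is not.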
In one implementation, the second virtual switch performs a reversible operation on the address information and the key of the second virtual switch, and uses the result of the reversible operation as the security tag. The reversible operation may employ a symmetric encryption algorithm, such as the Advanced Encryption Standard (AES) algorithm or the Data Encryption Standard (DES) algorithm, or it may be implemented with any other reversible function.
When the security tag is obtained by a reversible operation on the address information and the key of the second virtual switch, step S203 (the forwarding network element checks the security tag based on the decrypted address information and the key of the forwarding network element) takes one of two forms: the reverse of the reversible operation is applied to the decrypted address information and the security tag, and the check passes if the result is identical to the key of the forwarding network element, otherwise it fails; or the reverse of the reversible operation is applied to the key of the forwarding network element and the security tag, and the check passes if the result is identical to the decrypted address information, otherwise it fails. The verification by the first virtual switch in S205 is the same with its own key: the reverse operation is applied to the decrypted address information (five-tuple) and the security tag, and the verification passes if the result is identical to the key, otherwise it fails; or the reverse operation is applied to the key and the security tag, and the verification passes if the result is identical to the decrypted five-tuple, otherwise it fails.
For example, when the second virtual switch implements the reversible operation with a symmetric encryption algorithm, one implementation encrypts the key of the second virtual switch using the address information as the cipher key to obtain the security tag; the forwarding network element or the first virtual switch then decrypts the security tag with the address information it obtained by decryption, and the verification passes if the result is consistent with its own key. In another implementation, the second virtual switch encrypts the address information with its key to obtain the security tag; the forwarding network element or the first virtual switch then decrypts the security tag with its respective key, and the verification passes if the result is consistent with the address information obtained by decrypting the encrypted data.
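As an added example (not the patent's or applicant's code), the Python block below implements both reversible-operation forms just described. Because AES is not available offline without a third-party library, the reversible operation is a small Feistel network with a SHA-256 round function; this is an assumed stand-in for the AES/DES the text mentions, not a vetted cipher. Both operands are first reduced to a fixed 32-byte block with SHA-256 so that the address information and the key have the same width; the five-tuple and key are constructed values.

```python
import hashlib
import hmac

BLOCK = 32           # width of the tag and of both operands
HALF = BLOCK // 2
ROUNDS = 4


def encode_addr(addr):
    # Canonical byte form of the five-tuple (src_ip, dst_ip, src_port, dst_port, proto).
    return "|".join(str(x) for x in addr).encode()


def to_block(data):
    # Bring a key or the address information to a fixed 32-byte operand (assumption).
    return hashlib.sha256(data).digest()


def _round(k, i, right):
    # Feistel round function keyed by k and the round index.
    return hashlib.sha256(k + bytes([i]) + right).digest()[:HALF]


def reversible_op(k, block):
    # Forward direction of the reversible operation: (L, R) -> (R, L xor F(R)).
    # Stand-in for the symmetric encryption the patent allows; not a real cipher.
    left, right = block[:HALF], block[HALF:]
    for i in range(ROUNDS):
        left, right = right, bytes(a ^ b for a, b in zip(left, _round(k, i, right)))
    return left + right


def inverse_op(k, block):
    # Reverse direction: undo the rounds in the opposite order.
    left, right = block[:HALF], block[HALF:]
    for i in reversed(range(ROUNDS)):
        left, right = bytes(a ^ b for a, b in zip(right, _round(k, i, left))), left
    return left + right


def tag_variant_a(addr, key):
    # First implementation in the text: encrypt the switch key, using the
    # address information as the cipher key.
    return reversible_op(to_block(encode_addr(addr)), to_block(key))


def verify_variant_a(tag, addr, key):
    # Reverse the operation with the decrypted address information; pass if the key comes out.
    return hmac.compare_digest(inverse_op(to_block(encode_addr(addr)), tag), to_block(key))


def tag_variant_b(addr, key):
    # Second implementation in the text: encrypt the address information with the switch key.
    return reversible_op(to_block(key), to_block(encode_addr(addr)))


def verify_variant_b(tag, addr, key):
    # Reverse the operation with the key; pass if the decrypted address information comes out.
    return hmac.compare_digest(inverse_op(to_block(key), tag), to_block(encode_addr(addr)))


def demo():
    addr = ("10.0.1.5", "10.0.2.9", 40000, 443, 6)     # constructed five-tuple
    key = b"constructed-switch-key"                     # constructed key
    tag_a, tag_b = tag_variant_a(addr, key), tag_variant_b(addr, key)
    changed = ("10.0.1.5", "10.0.2.9", 40000, 80, 6)    # same flow, different dst port
    return (verify_variant_a(tag_a, addr, key), verify_variant_a(tag_a, changed, key),
            verify_variant_b(tag_b, addr, key), verify_variant_b(tag_b, addr, b"other-key"))


if __name__ == "__main__":
    print(demo())
```

In variant A the tag is a function of the key under the address information, so anyone who learns a plaintext five-tuple and the matching tag can recover the key block; the scheme therefore depends on the five-tuple travelling only inside the encrypted data, which is how the target packet is built.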
After the second virtual switch generates the security tag, the second virtual switch creates an entry corresponding to the address information of the original data packet in the session table, where the entry includes a policy that allows transmission and the security tag. In this way, subsequent packets of the same address information can all use the security tag without having to be recalculated.
In one case, the original data packet is the second data packet of the session identified by the address information, or a data packet after the second one: after the first data packet has been transmitted, the second virtual machine continues to send data packets with the same address information (five-tuple) as the first data packet to the first virtual machine. For the second data packet or any later one, the second virtual switch searches the session table for an entry matching its address information and obtains the security tag from that entry. Since the second virtual switch already calculated the security tag from the address information and the key and stored it in the session table when transmitting the first data packet, the tag does not need to be calculated again for the second and subsequent data packets, which improves transmission efficiency and reduces the consumption of computing resources.
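The Python block below is an added example (not the patent's or applicant's code) of the session-table behaviour in the two paragraphs above: the first packet of a session is checked against access-control rules, gets a freshly computed security tag and an allow entry, and every later packet with the same five-tuple reuses the stored tag without recomputation. The rule format (destination IP, destination port, protocol, with None as a wildcard), the entry layout and the sample flows are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass, field


def encode_addr(addr):
    # Canonical byte form of the five-tuple (src_ip, dst_ip, src_port, dst_port, proto).
    return "|".join(str(x) for x in addr).encode()


def security_tag(addr, key):
    # Hash variant: tag = hash(address information || key).
    return hashlib.sha256(encode_addr(addr) + key).digest()


@dataclass
class SecondSwitch:
    key: bytes
    acl: list                                   # constructed rules: (dst_ip, dst_port, proto)
    session_table: dict = field(default_factory=dict)   # outgoing direction only
    tag_computations: int = 0                   # how often the tag was actually computed

    def allowed_by_acl(self, addr):
        # Security check on the first packet of a session (the patent's security module).
        observed = (addr[1], addr[3], addr[4])
        return any(all(r is None or r == o for r, o in zip(rule, observed))
                   for rule in self.acl)

    def tag_for(self, addr):
        # Returns the tag to package with this packet, or None if the packet is dropped.
        entry = self.session_table.get(addr)
        if entry is not None:
            return entry["tag"]                 # second and later packets: table hit
        if not self.allowed_by_acl(addr):
            return None                         # first packet denied: no entry is created
        self.tag_computations += 1
        tag = security_tag(addr, self.key)
        self.session_table[addr] = {"policy": "allow", "tag": tag}
        return tag


def demo():
    sw = SecondSwitch(key=b"constructed-key", acl=[("10.0.2.9", 443, 6), (None, 53, 17)])
    https = ("10.0.1.5", "10.0.2.9", 40000, 443, 6)     # constructed flows
    dns = ("10.0.1.5", "10.0.2.53", 41000, 53, 17)
    ssh = ("10.0.1.5", "10.0.2.9", 42000, 22, 6)
    tags = [sw.tag_for(https) for _ in range(5)]        # one session, five packets
    dns_tag = sw.tag_for(dns)
    denied = sw.tag_for(ssh)
    return {
        "same_tag_reused": all(t == tags[0] for t in tags),
        "tag_computations": sw.tag_computations,
        "entries": len(sw.session_table),
        "dns_allowed": dns_tag is not None,
        "ssh_denied": denied is None,
    }


if __name__ == "__main__":
    print(demo())
```

The counter makes the trade-off visible: six allowed packets across two sessions cost two hash computations and two table entries, and nothing is stored for the denied flow.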
In the data transmission method provided by the embodiment of the application, the second virtual switch only needs to create the session table in the outgoing direction and does not need to create the session table in the incoming direction; if the second virtual switch receives a backhaul data packet from the first virtual switch, it only needs to check the security tag added by the first virtual switch, following the method of this embodiment. For the first virtual switch, since the received target data packet is checked through the security tag, the session table does not need to be searched, so the session table in the incoming direction does not need to be created; where the first virtual switch itself needs to send out data packets, it creates the session table in the incoming direction as in the foregoing embodiment when the second data packet of the session corresponding to the five-tuple is sent. Compared with the prior art, in which session tables in both the outgoing and the incoming direction are required, the method provided by the embodiment of the application halves the number of session tables, thereby reducing memory occupation and the CPU resources spent creating and searching session tables. For the forwarding network element between the second virtual switch and the first virtual switch, since the forwarded target data packet is verified based on the security tag, neither receiving nor sending requires a session table lookup, so no session table needs to be created at all, which reduces memory and CPU consumption.
The method of the embodiment of the application trades computing power for memory space; in practical application computing power is cheap and fast while memory is expensive and slow, so the method not only improves transmission efficiency and performance but also reduces cost. In addition, the method effectively protects the security of network data and prevents unauthorized access to and attacks on network messages.
Fig. 4 is a second flowchart of a data transmission method according to an embodiment of the present application. The method is applied to a first virtual switch of a private network, and comprises the following steps:
S401, receiving a target data packet, wherein the target data packet comprises encrypted data and a security tag, the encrypted data is obtained by encrypting an original data packet of a second virtual machine by adopting a key of the second virtual switch, the original data packet comprises address information, and the security tag is generated based on the address information.
S402, decrypting the encrypted data by adopting the key of the first virtual switch, and checking the security tag based on the address information obtained by decryption and the key of the first virtual switch.
S403, when the security tag passes the verification, sending the decrypted original data packet to a first virtual machine, wherein the first virtual machine corresponds to the destination address in the address information.
The method executed by the first virtual switch in the embodiment of the present application may refer to the foregoing embodiment, and will not be described herein again.
Fig. 5 is a flowchart illustrating a data transmission method according to an embodiment of the present application. The method is applied to a second virtual switch of the private network and comprises the following steps:
S501, encrypting an original data packet of the second virtual machine by adopting a key of the second virtual switch to obtain encrypted data, wherein the original data packet comprises address information.
S502, packaging and transmitting the target data packet based on the encrypted data and the security tag, wherein the security tag is generated based on the address information.
The method executed by the second virtual switch in the embodiment of the present application may refer to the foregoing embodiment, and will not be described herein.
Fig. 6 is a flowchart of a data transmission method according to an embodiment of the present application. The method is applied to a forwarding network element between a second virtual switch and a first virtual switch of a private network, and comprises the following steps:
S601, receiving a target data packet, wherein the target data packet comprises encrypted data and a security tag, the encrypted data is obtained by encrypting an original data packet of a second virtual machine by adopting a key of the second virtual switch, the original data packet comprises address information, the security tag is generated based on the address information, and a destination address in the address information corresponds to the first virtual machine.
S602, decrypting the encrypted data by adopting a key of the forwarding network element, and checking the security tag based on the address information obtained by decryption and the key of the forwarding network element.
S603, under the condition that the security tag passes the verification, sending the target data packet to a next-hop network element, wherein the next-hop network element is another forwarding network element between the first virtual switch and the second virtual switch, or the next-hop network element is the first virtual switch.
The method for forwarding the network element in the embodiment of the present application may refer to the foregoing embodiment, and will not be described herein.
Fig. 7 is a schematic structural diagram of a data transmission device according to an embodiment of the present application. The data transmission apparatus is applied to a first virtual switch of a private network, as shown in fig. 7, and the data transmission apparatus 700 includes:
The receiving module 701 is configured to receive a target data packet, where the target data packet includes encrypted data and a security tag, the encrypted data is obtained by encrypting an original data packet of the second virtual machine by using a key of the second virtual switch, the original data packet includes address information, and the security tag is generated based on the address information;
The verification module 702 is configured to decrypt the encrypted data using the key of the first virtual switch, and verify the security tag based on the address information obtained by decryption and the key of the first virtual switch;
The sending module 703 is configured to send the decrypted original data packet to a first virtual machine if the security tag passes the verification, where the first virtual machine corresponds to a destination address in the address information.
In one implementation, the security tag is obtained by hashing the address information and a key of the second virtual switch, and the verification module 702 is configured to:
perform a hash calculation on the address information obtained by decryption and the key of the second virtual switch; if the calculated result is consistent with the security tag, the check passes, otherwise it fails.
In one implementation, the security tag is obtained by performing a reversible operation on the address information and a key of the second virtual switch, and the verification module 702 is configured to:
perform the reverse of the reversible operation on the decrypted address information and the security tag; if the result is consistent with the key of the first virtual switch, the check passes, otherwise it fails; or
perform the reverse of the reversible operation on the key of the first virtual switch and the security tag; if the result is consistent with the address information obtained by decryption, the check passes, otherwise it fails.
The device of the embodiment of the present application may be used to execute the data transmission method of the foregoing embodiment, and its implementation principle and technical effects are similar, and will not be described herein.
Fig. 8 is a schematic diagram of a data transmission device according to an embodiment of the present application. The data transmission apparatus is applied to a second virtual switch of a private network, as shown in fig. 8, and the data transmission apparatus 800 includes:
An encryption module 801, configured to encrypt an original data packet of the second virtual machine by using a key of the second virtual switch to obtain encrypted data, where the original data packet includes address information;
a transmitting module 802, configured to encapsulate and transmit the target data packet based on the encrypted data and a security tag, where the security tag is generated based on the address information.
In one implementation, the original data packet includes a first data packet of the session identified by the address information, and the apparatus further comprises:
a tag module, configured to generate a security tag based on the address information and a key of the second virtual switch.
In one implementation, the tag module is configured to:
perform a hash calculation on the address information and the key of the second virtual switch, and use the obtained hash value as the security tag.
In one implementation, the tag module is configured to:
perform a reversible operation on the address information and the key of the second virtual switch, and use the result of the reversible operation as the security tag.
In one implementation, the apparatus further comprises:
a security module, configured to perform a security check on the first data packet based on an access control rule, so as to determine that the first data packet is allowed to be transmitted.
In one implementation, the apparatus further comprises:
a creation module, configured to create an entry corresponding to the address information in the session table, wherein the entry comprises a policy allowing transmission and the security tag.
In one implementation, the original data packet includes a second data packet of the session identified by the address information, or a data packet following the second data packet, and the apparatus further comprises:
a search module, configured to search the session table for an entry matching the address information of the second data packet or of the data packet following it, and to obtain the security tag from that entry.
The device of the embodiment of the present application may be used to execute the data transmission method of the foregoing embodiment, and its implementation principle and technical effects are similar, and will not be described herein.
Fig. 9 is a schematic diagram of a data transmission device according to an embodiment of the present application. The data transmission apparatus is applied to a forwarding network element between a first virtual switch and a second virtual switch of a private network; as shown in fig. 9, the data transmission apparatus 900 includes:
The receiving module 901 is configured to receive a target data packet, where the target data packet includes encrypted data and a security tag, the encrypted data is obtained by encrypting an original data packet of the second virtual machine by using a key of the second virtual switch, the original data packet includes address information, the security tag is generated based on the address information, and a destination address in the address information corresponds to the first virtual machine;
The verification module 902 is configured to decrypt the encrypted data using a key of the forwarding network element, and verify the security tag based on the address information obtained by decryption and the key of the forwarding network element;
The sending module 903 is configured to send the target data packet to a next-hop network element if the security tag passes the verification, where the next-hop network element is another forwarding network element between the first virtual switch and the second virtual switch, or the next-hop network element is the first virtual switch.
In one implementation, the security tag is obtained by hashing the address information and a key of the second virtual switch, and the verification module 902 is configured to:
perform a hash calculation on the address information obtained by decryption and the key of the forwarding network element; if the calculated result is consistent with the security tag, the check passes, otherwise it fails.
In one implementation, the security tag is obtained by performing a reversible operation on the address information and a key of the second virtual switch, and the verification module 902 is configured to:
perform the reverse of the reversible operation on the address information obtained by decryption and the security tag; if the result is consistent with the key of the forwarding network element, the check passes, otherwise it fails; or
perform the reverse of the reversible operation on the key of the forwarding network element and the security tag; if the result is consistent with the address information obtained by decryption, the check passes, otherwise it fails.
The device of the embodiment of the present application may be used to execute the data transmission method of the foregoing embodiment, and its implementation principle and technical effects are similar, and will not be described herein.
Fig. 10 is a schematic block diagram of an electronic device provided by an embodiment of the present application. As shown in fig. 10, the electronic device 1000 may include at least one processor 1001 for implementing the data transmission method provided by the embodiment of the present application.
Optionally, the electronic device 1000 also includes at least one memory 1002 for storing program instructions and/or data. The memory 1002 is coupled to the processor 1001. The coupling in the embodiments of the present application is an indirect coupling or communication connection between devices, units, or modules, which may be in electrical, mechanical, or other forms for information interaction between the devices, units, or modules. The processor 1001 may operate in conjunction with the memory 1002. The processor 1001 may execute program instructions stored in the memory 1002. At least one of the at least one memory may be included in the processor.
Optionally, the electronic device 1000 also includes a communication interface 1003 for communicating with other devices over a transmission medium for the electronic device 1000 to communicate with other devices. The communication interface 1003 may be, for example, a transceiver, an interface, a bus, a circuit, or a device capable of implementing a transmitting/receiving function. The processor 1001 may utilize the communication interface 1003 to transceive data and/or information and is configured to implement the methods provided by embodiments of the present application. Reference is made specifically to the foregoing embodiments, and details are not described here.
The specific connection medium between the processor 1001, the memory 1002, and the communication interface 1003 is not limited in the embodiment of the present application. In fig. 10, the processor 1001, the memory 1002 and the communication interface 1003 are connected by a bus 1004. The bus 1004 is shown by a thick line in fig. 10, and the connection between other components is merely schematically illustrated, and is not limited thereto. The bus may be classified as an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown in fig. 10, but not only one bus or one type of bus.
It should be appreciated that the processor in embodiments of the present application may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method embodiments may be implemented by integrated logic circuits of hardware in a processor or by instructions in software form. The processor may be a general purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or discrete hardware components, and may implement or perform the methods, steps, and logic blocks disclosed in the embodiments of the present application. A general purpose processor may be a microprocessor, or the processor may be any conventional processor or the like. The steps of the method disclosed in connection with the embodiments of the present application may be embodied directly in the execution of a hardware decoding processor, or in the execution of a combination of hardware and software modules in a decoding processor. The software modules may be located in a random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory, registers, or other storage medium well known in the art. The storage medium is located in a memory, and the processor reads the information in the memory and, in combination with its hardware, performs the steps of the above method.
It should also be appreciated that the memory in embodiments of the present application may be either volatile memory or nonvolatile memory, or may include both volatile and nonvolatile memory. The nonvolatile memory may be a read-only memory (ROM), a programmable ROM (PROM), an erasable programmable ROM (EPROM), an electrically erasable programmable ROM (EEPROM), or a flash memory. The volatile memory may be random access memory (RAM), which acts as an external cache. By way of example, and not limitation, many forms of RAM are available, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchlink DRAM (SLDRAM), and direct Rambus RAM (DR RAM). It should be noted that the memory of the systems and methods described herein is intended to comprise, without being limited to, these and any other suitable types of memory.
The present application also provides a computer-readable storage medium storing a computer program (which may also be referred to as code, or instructions). The computer program, when executed by a processor, causes the computer to perform the method as in any of the preceding embodiments.
The application also provides a computer program product comprising a computer program which, when executed by a processor, implements the method of any of the preceding embodiments.
The terms "unit," "module," and the like as used in this specification may be used to refer to a computer-related entity, either hardware, firmware, a combination of hardware and software, or software in execution.
Those of ordinary skill in the art will appreciate that the various illustrative logical blocks (illustrative logical block) and steps (steps) described in connection with the embodiments disclosed herein can be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application. In the several embodiments provided by the present application, it should be understood that the disclosed apparatus, device and method may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of the units is merely a logical function division, and there may be additional divisions when actually implemented, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit.
In the above-described embodiments, the functions of the respective functional units may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions (programs). When the computer program instructions (program) are loaded and executed on a computer, the processes or functions according to embodiments of the present application are fully or partially produced. The computer may be a general purpose computer, a special purpose computer, a computer network, or other programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another, for example from one website, computer, server, or data center to another website, computer, server, or data center by wired (e.g., coaxial cable, optical fiber, digital subscriber line (DSL)) or wireless (e.g., infrared, radio, microwave) means. The computer-readable storage medium may be, for example, a magnetic medium (e.g., a floppy disk, hard disk, or magnetic tape), an optical medium (e.g., a digital video disc (DVD)), or a semiconductor medium (e.g., a solid state disk (SSD)).
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on this understanding, the technical solution of the present application, or the part of it that contributes to the prior art, may be embodied in the form of a software product stored in a storage medium and comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method of the embodiments of the present application. The storage medium includes various media capable of storing program code, such as a USB flash drive, a removable hard disk, a ROM, a RAM, a magnetic disk, or an optical disk.
The user information (including but not limited to user equipment information, user personal information, etc.) and data (including but not limited to data for analysis, stored data, presented data, etc.) related to the present application are information and data authorized by the user or fully authorized by each party, and the collection, use and processing of related data is required to comply with the relevant laws and regulations and standards of the relevant country and region, and is provided with corresponding operation entries for the user to select authorization or rejection.
The foregoing is merely illustrative of the present application, and the present application is not limited thereto, and any person skilled in the art will readily recognize that variations or substitutions are within the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (16)


Priority Applications (2)

Application Number | Publication | Priority Date | Filing Date | Title
CN202410375124.1A | CN120729543A (en) | 2024-03-28 | 2024-03-28 | Data transmission method, device and electronic device
PCT/IB2025/051446 | WO2025202741A1 (en) | 2024-03-28 | 2025-02-12 | Data transmission method and apparatus, and electronic device


Publications (1)

Publication Number | Publication Date
CN120729543A (en) | 2025-09-30

Family ID: 97165553


Country Status (2)

CN: CN120729543A (en)
WO: WO2025202741A1 (en)

Also Published As

Publication Number | Publication Date
WO2025202741A1 (en) | 2025-10-02


Legal Events

Code | Title
PB01 | Publication
