
CN114143113A - Safety tracing device suitable for IPv6/IPv4 access service - Google Patents

Info

Publication number: CN114143113A
Authority: CN (China)
Prior art keywords: traceability, tracing, ipv6, ipv4, interface
Legal status: Granted (currently active)
Application number: CN202111495152.XA
Other languages: Chinese (zh)
Other versions: CN114143113B (en)
Inventors: 王桥倩, 韩国梁, 包丛笑, 李星
Current assignee: Beijing Indirect Network Technology Co ltd
Original assignee: Beijing Indirect Network Technology Co ltd
Priority: CN202111495152.XA, filed by Beijing Indirect Network Technology Co ltd
Publications: CN114143113A (application), CN114143113B (granted patent)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0227 Filtering policies
    • H04L 63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/02 Standardisation; Integration
    • H04L 41/0213 Standardised network management protocols, e.g. simple network management protocol [SNMP]
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/09 Mapping addresses
    • H04L 61/25 Mapping addresses of the same type
    • H04L 61/2503 Translation of Internet protocol [IP] addresses
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 2101/00 Indexing scheme associated with group H04L61/00
    • H04L 2101/60 Types of network addresses
    • H04L 2101/686 Types of network addresses using dual-stack hosts, e.g. in Internet protocol version 4 [IPv4]/Internet protocol version 6 [IPv6] networks
    • H04L 2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L 2463/146 Tracing the source of attacks
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D 30/00 Reducing energy consumption in communication networks
    • Y02D 30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Abstract

The application relates to a security tracing device suitable for IPv6/IPv4 access service, which comprises a stateless translation gateway and a tracing device. Based on stateless translation technology, an encryption-secure real-time tracing method and a history tracing method are devised to form a unified stateless secure tracing device. The device can perform real-time IPv4/IPv6 tracing directly through an encrypted API without querying logs, consumes very few system resources and greatly reduces system overhead; because it is based on network layer stateless translation, it applies to all applications, including encrypted and proprietary ones; it does not modify the content of data packets, is compatible with existing IPv4 firewalls and does not increase security risk; and it uses encryption to keep tracing queries hidden end to end, so they cannot be intercepted or tampered with by a man in the middle, which greatly protects the stability and security of the tracing system.

Description

Safety tracing device suitable for IPv6/IPv4 access service
Technical Field
The present disclosure relates to the field of communications technologies, and in particular, to a security tracing apparatus and method suitable for IPv6/IPv4 access services.
Background
As the internationally recognized core protocol of the next generation internet, IPv6 has sufficient address space and advanced protocol features. However, IPv6 is not compatible with IPv4, so existing IPv4 services require additional upgrade techniques to interwork with the IPv6 internet.
One possible approach is dual stack technology, i.e., the IPv4 server and the internal network are upgraded to an IPv4/IPv6 dual stack, so that IPv6 users access the newly upgraded IPv6 services over an IPv6 link and IPv4 users access the original IPv4 services over an IPv4 link. However, according to the "IPv6 Network Security White Paper" of the Chinese Communication Institute, dual stack technology increases the security exposure of network nodes, enriches the attack options of attackers and brings greater security risks. Meanwhile, all internal network service systems need to be upgraded to support both IPv4 and IPv6 users, and because dual-stack clients are widespread, a large amount of extra work is needed to link IPv6 users and IPv4 users for user management and tracing management, so the cost is high and management is difficult.
If dual stack is not used, IPv4/IPv6 translation techniques are needed. These include application layer translation and network layer translation. Application layer translation terminates the user's IPv6 connection and initiates a new IPv4 connection to the backend IPv4 server, relaying data between the front and back connections as a channel; it must be adapted to each application type, and if the user's connection uses an encrypted or proprietary protocol, it must be deeply coupled with that protocol and must obtain the user's security key, which carries a high security risk. In contrast, network layer translation can support any application layer protocol, including encrypted and proprietary protocols. Network layer translation techniques include stateful translation and stateless translation.
Stateful translation realizes dynamic mapping between IPv6 and IPv4 addresses by saving, tracking and searching all connection states. Therefore, if an IPv4 address needs to be traced back to the original IPv6 address, connection-based log information must be saved and searched. This requires a large volume of logs, consumes significant system resources, makes real-time tracing difficult, and is prone to errors and data loss under faults or attacks. In order to realize real-time tracing, patent No. CN110351396A provides an IPv4/IPv6 data transmission processing method which receives an IPv4 packet carrying a source IPv6 address and stores that source IPv6 address in an option field of the IPv4 header, thereby realizing the tracing function. This adds extra length to the packet, which may cause the packet to exceed the MTU and fail to be transmitted. Meanwhile, it stores the IPv6 address in plaintext with no verification, so it is vulnerable to impersonation, tampering and attack, and introduces new security risk.
Correspondingly, patent No. CN103856580B discloses a method for an IPv6 client to access an IPv4 server, which defines a stateless translation technology for that scenario: it supports any application layer protocol with good security, stores no connection state, and realizes translation through pre-configured IPv4/IPv6 address mapping rules, i.e., a static mapping between IPv6 and IPv4 addresses. But a secure tracing technique for stateless translation has not been invented.
Therefore, for the scenario in which an IPv6 client accesses an IPv4 server, none of the current technologies offers a tracing method that is sufficiently safe and reliable, has low overhead, and is suitable for all applications.
Disclosure of Invention
In view of this, in order to solve the problems of high security risk, high resource overhead and difficult application adaptation in existing IPv4/IPv6 tracing methods, the invention discloses an encryption-secure real-time tracing method and a history tracing method based on stateless translation technology, forming a unified stateless secure tracing device. The device can perform real-time IPv4/IPv6 tracing directly through an encrypted API without querying logs, consumes very few system resources and greatly reduces system overhead; because it is based on network layer stateless translation, it applies to all applications, including encrypted and proprietary ones; it does not modify the content of data packets, is compatible with existing IPv4 firewalls and does not increase security risk; and it uses encryption to keep tracing queries hidden end to end, so they cannot be intercepted or tampered with by a man in the middle, which greatly protects the stability and security of the tracing system.
According to a first aspect of the present disclosure, a security tracing apparatus suitable for IPv6/IPv4 access service is provided, which includes a stateless translation gateway and a tracing apparatus connected in communication, wherein,
the stateless translation gateway: used for configuring an IPv6/IPv4 stateless flexible mapping table, and performing stateless mapping of received IPv6/IPv4 addresses based on that table to obtain IPv6/IPv4 address mapping records;
the tracing device: used for sending a tracing request to the stateless translation gateway and obtaining the IPv6/IPv4 address mapping record according to the tracing request, so as to realize real-time tracing and history tracing.
In one possible implementation manner, optionally, the tracing apparatus includes an encryption-secure real-time tracing facility and an encryption-secure history tracing facility, wherein,
the real-time tracing facility: used for querying the IPv6/IPv4 stateless flexible mapping table based on the stateless translation algorithm, obtaining data, computing traffic statistics and user profiles based on IP address, and monitoring in real time;
the history tracing facility: used for querying the IPv6/IPv4 stateless flexible mapping table based on the stateless translation algorithm, obtaining data, and performing user tracking and behavior analysis;
the real-time tracing facility and the history tracing facility are respectively connected to the stateless translation gateway.
In a possible implementation manner, optionally, an encrypted and secure tracing interface is provided on the tracing apparatus, and the tracing interface is used for a user to obtain real-time tracing data in the real-time tracing facility and/or historical tracing data in the historical tracing facility from the stateless translation gateway.
In a possible implementation manner, optionally, the tracing interface includes:
at least one cryptographically secure local query tracing interface: used by an identity-authenticated and authorized administrator to query tracing information on the stateless translation gateway with a limited set of request parameters;
at least one cryptographically secure high-performance remote query tracing interface: used for connecting an external service/query system with the stateless translation gateway to perform tracing queries over HTTPS/TLS/SSH encryption; and
at least one cryptographically secure management tracing interface: used by the management system to perform real-time and history tracing using the standard SNMP protocol.
In a possible implementation manner, optionally, a tracing MIB for storing tracing resources is configured on the stateless translation gateway, where the tracing MIB includes a real-time tracing MIB and a history tracing MIB, and both the real-time tracing MIB and the history tracing MIB are configured with an OID tracing interface, and the OID tracing interface is used to call a management tracing interface on the real-time tracing facility or a management tracing interface on the history tracing facility.
In a possible implementation manner, optionally, a pre-judging component and a logging module are further configured on the stateless translation gateway, wherein,
the pre-judging component: used for receiving a tracing request, determining the facility and interface type of the target tracing interface according to the tracing request, and dispatching the tracing request to the matching tracing interface;
the logging module: used for recording, on a local log server or a separate log server, a strong log record formed by the access record and the query record associated with the tracing request.
According to a second aspect of the present disclosure, a method for implementing the above-mentioned security tracing apparatus adapted for IPv6/IPv4 access service is provided, including the following steps:
S100, installing and configuring the stateless translation gateway, and operating service traffic normally through the stateless translation gateway;
S200, installing the real-time tracing facility and the history tracing facility on the stateless translation gateway, and configuring at least one local query tracing interface, high-performance remote query tracing interface and management tracing interface respectively;
S300, sending an encrypted tracing request; the pre-judging component determines the facility and interface type of the target tracing interface according to the tracing request and dispatches the request to the matching tracing interface, which verifies the user's authority for the encrypted tracing request: if the request is legitimate, it is decrypted normally and the source address and/or other parameters are generated from the input parameters and the stateless mapping algorithm to realize tracing; if the request is illegitimate, access is refused;
S400, recording, through the logging module, the strong log record formed by the access record and the query record associated with the tracing request on a local log server or a separate log server.
According to a third aspect of the present disclosure, a tracing method for performing native query based on the above security tracing apparatus adapted for IPv6/IPv4 access service is provided, including the following steps:
S111, a management user logs in to the stateless translation gateway, which checks and authenticates the user's authority;
S121, a tracing request containing tracing parameters is entered;
S131, the local query tracing interface judges whether the tracing parameters match its limited format: if yes, a real-time query is performed through the local query tracing interface according to the IPv6/IPv4 stateless flexible mapping table, and structured output data is returned; otherwise, the tracing request is discarded;
S141, the output data is obtained and returned to the user.
According to a fourth aspect of the present disclosure, a tracing method for performing high-performance remote query based on the above security tracing apparatus suitable for IPv6/IPv4 access service is provided, which includes the following steps:
S211, a remote user logs in to the stateless translation gateway, which checks and authenticates the user's authority;
S221, a tracing request containing tracing parameters is entered;
S231, the high-performance remote query tracing interface judges whether the IPv4/IPv6 address of the remote user is within the preset allowed range: if yes, the tracing request is decrypted and it is judged whether the tracing parameters match the limited format of the high-performance remote query tracing interface; otherwise, the tracing request is discarded;
S241, if the tracing parameters match the limited format of the high-performance remote query tracing interface, a real-time query is performed through that interface according to the IPv6/IPv4 stateless flexible mapping table, and structured output data is returned; otherwise, the tracing request is discarded;
S251, the output data is obtained and returned to the remote user.
According to a fifth aspect of the present disclosure, a tracing method for managing based on the above-mentioned security tracing apparatus adapted for IPv6/IPv4 access service is provided, which includes the following steps:
S311, installing the tracing MIB on the stateless translation gateway and the network management system, and configuring SNMP parameters and the SNMP mode;
S321, a network management user logs in to the stateless translation gateway, which checks and authenticates the user's authority;
S331, a tracing request containing tracing parameters is entered;
S341, the management tracing interface judges whether the IPv4/IPv6 address of the network management user is within the preset allowed range: if yes, the tracing request is decrypted and it is judged whether the tracing parameters match the limited format of the management tracing interface; otherwise, the tracing request is discarded;
S351, if the tracing parameters match the limited format of the management tracing interface, a real-time query is performed through the management tracing interface according to the IPv6/IPv4 stateless flexible mapping table, and structured output data is returned; otherwise, the tracing request is discarded;
S361, the output data is obtained and returned to the network management user.
The technical effects of this application:
the invention provides the stateless translation gateway, used for configuring an IPv6/IPv4 stateless flexible mapping table and performing stateless mapping of received IPv6/IPv4 addresses based on that table to obtain IPv6/IPv4 address mapping records, and the tracing device, used for sending a tracing request to the stateless translation gateway and obtaining the IPv6/IPv4 address mapping record according to the tracing request so as to realize history tracing and real-time tracing. Based on stateless translation technology, an encryption-secure real-time tracing method and a history tracing method are devised to form a unified stateless secure tracing device. The device can perform real-time IPv4/IPv6 tracing directly through an encrypted API without querying logs, consumes very few system resources and greatly reduces system overhead; because it is based on network layer stateless translation, it applies to all applications, including encrypted and proprietary ones; it does not modify the content of data packets, is compatible with existing IPv4 firewalls and does not increase security risk; and it uses encryption to keep tracing queries hidden end to end, so they cannot be intercepted or tampered with by a man in the middle, which greatly protects the stability and security of the tracing system.
Other features and aspects of the present disclosure will become apparent from the following detailed description of exemplary embodiments, which proceeds with reference to the accompanying drawings.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate exemplary embodiments, features, and aspects of the disclosure and, together with the description, serve to explain the principles of the disclosure.
FIG. 1 is a schematic diagram illustrating the components of a security tracing apparatus suitable for IPv6/IPv4 access service;
fig. 2 is a schematic flow chart showing the implementation of embodiment 2 of the present invention.
Detailed Description
Various exemplary embodiments, features and aspects of the present disclosure will be described in detail below with reference to the accompanying drawings. In the drawings, like reference numbers can indicate functionally identical or similar elements. While the various aspects of the embodiments are presented in drawings, the drawings are not necessarily drawn to scale unless specifically indicated.
The word "exemplary" is used exclusively herein to mean "serving as an example, embodiment, or illustration." Any embodiment described herein as "exemplary" is not necessarily to be construed as preferred or advantageous over other embodiments.
Furthermore, in the following detailed description, numerous specific details are set forth in order to provide a better understanding of the present disclosure. It will be understood by those skilled in the art that the present disclosure may be practiced without some of these specific details. In some instances, methods, means, elements and circuits that are well known to those skilled in the art have not been described in detail so as not to obscure the present disclosure.
Example 1
The invention discloses an encryption-secure real-time tracing method and a history tracing method based on stateless translation technology, forming a unified stateless secure tracing device. The device can perform real-time IPv4/IPv6 tracing directly through an encrypted API without querying logs, consumes very few system resources and greatly reduces system overhead; because it is based on network layer stateless translation, it applies to all applications, including encrypted and proprietary ones; it does not modify the content of data packets, is compatible with existing IPv4 firewalls and does not increase security risk; and it uses encryption to keep tracing queries hidden end to end, so they cannot be intercepted or tampered with by a man in the middle, which greatly protects the stability and security of the tracing system.
As shown in fig. 1, according to a first aspect of the present disclosure, a security tracing apparatus suitable for IPv6/IPv4 access service is provided, which includes a stateless translation gateway and a tracing apparatus, which are communicatively connected, wherein,
1) the stateless translation gateway: used for configuring an IPv6/IPv4 stateless flexible mapping table, and performing stateless mapping of received IPv6/IPv4 addresses based on that table to obtain IPv6/IPv4 address mapping records;
in this embodiment, an IPv6/IPv4 stateless flexible mapping table is configured in the stateless translation gateway and constructed according to a preset mapping rule designed by the user. The implementation details of the translation gateway configuration interface, the deployment location of the translation gateway device, and so on are not limited by the present invention.
The IPv6/IPv4 stateless flexible mapping table represents the IPv6/IPv4 static mapping relationship of the target address, namely the static mapping relationship between the real IPv4 server address and the virtual IPv6 published address.
The construction mode can comprise the following construction modes: in the IPv6/IPv4 stateless flexible mapping table, each row represents an IPv6/IPv4 mapping rule, and each mapping rule may be one-to-one, that is, one IPv6 address corresponds to one IPv4 address, or may be aggregated in many-to-many manner, that is, a one-to-one mapping relationship is implemented between a plurality of IPv6 addresses in one IPv6 prefix a and a plurality of IPv4 addresses in one IPv4 prefix B. The IPv6/IPv4 stateless flexible mapping table may include a plurality of mapping rules, different mapping rules may have an overlapped IPv6 address range and/or an overlapped IPv4 address range, and if there is an overlap, an optimal rule is selected according to a longest prefix matching rule.
In the IPv6/IPv4 stateless flexible mapping table, each mapping rule includes 5 fields:
1) mapping rule type: a fixed mapping type or an address embedding mapping type. In the fixed mapping type a single IPv6 address corresponds to a single IPv4 address; the address embedding mapping type uses the "IPv4-Embedded IPv6 Address Format" specified in RFC 6052.
2) IPv6 prefix: the IPv6 address part of the mapping rule may be an IPv6 prefix or an IPv6 address, that is, an IPv6 prefix with a prefix length of 128.
3) IPv6 prefix length: prefix length of the IPv6 prefix described above.
4) IPv4 prefix: the IPv4 address part of the mapping rule may be an IPv4 prefix or an IPv4 address, that is, an IPv4 prefix with a prefix length of 32.
5) IPv4 prefix length: prefix length of the IPv4 prefix described above.
No two IPv6/IPv4 stateless flexible mapping rules may be identical in all five fields above; if this occurs, the system raises an alarm that the rule cannot be configured.
If the IPv4 prefix of a mapping rule being configured conflicts with an existing mapping rule, a new IPv6/IPv4 stateless flexible mapping table E1 is created on the translation gateway, the source IPv4 address ranges of the two mapping tables are kept distinct, and for packets returned by the IPv4 server, destination-address routing selects between the two mapping tables.
If several IPv4 prefixes correspond to the same IPv6 prefix, the mapping rules can be aggregated into one. After aggregation, mapping from IPv6 to IPv4 proceeds as follows: the candidate mapping rules are looked up by IPv6 address; the IPv6 prefix is removed according to the IPv6 prefix length of the found rule to obtain the IPv4 address; and the found rules are then traversed and matched against that IPv4 address to obtain the final mapping rule.
When an IPv6 client accesses an IPv4 server, the IPv4 server can publish a user-defined IPv6 address to the IPv6 Internet; a static mapping between this virtual IPv6 address and the server's real IPv4 address is established and inserted into the IPv6/IPv4 stateless flexible mapping table of the translation gateway.
The IPv6/IPv4 stateless flexible mapping table corresponds only to the IPv6/IPv4 mapping algorithm for the real IPv4 address of the server; the IPv6/IPv4 mapping algorithm in the other direction is not limited, nor are the upper-layer interface and the mode of operation for adding IPv6/IPv4 flexible mapping table entries.
The IPv6/IPv4 stateless flexible mapping table is traversed and a corresponding DNS AAAA record is configured for each server IPv4 address. The IPv6 client requests the DNS AAAA record from a DNS server, builds an IPv6 packet from the returned address and sends it. The translation gateway receives the IPv6 packet and performs the respective mappings in the IPv6/IPv4 stateless flexible mapping table for the IPv6 destination address and the IPv4 source address to obtain the mapped addresses, then forwards the packet. Specifically, the stateless translation gateway receives the first IPv6 packet, first obtains an IPv4 source address by mapping the IPv6 source address, then searches the stateless flexible mapping table E for a first mapping rule corresponding to the IPv6 destination address using a first longest prefix matching principle; if a first mapping rule is found, the destination address of the first IPv4 packet is computed and the first IPv4 packet is sent; if no first mapping rule is found, the packet is discarded. The IPv4 server receives and processes the first IPv4 packet, then generates a second IPv4 packet and sends it to the stateless translation gateway.
The stateless translation gateway receives the second IPv4 packet and first obtains an IPv6 destination address by mapping the IPv4 destination address. It then searches the IPv6/IPv4 stateless flexible mapping table E for a second mapping rule corresponding to the IPv4 source address (i.e., the IPv4 server address) using a second longest prefix matching principle; if a second mapping rule is found, the source IPv6 address of the second IPv6 packet is computed and the second IPv6 packet is sent; if no second mapping rule is found, the packet is discarded.
A packet sent by the IPv6 client passes through the stateless translation gateway, which maps its IPv6 addresses to IPv4 addresses, stores the mapping record of the source IPv6 address, and sends the resulting IPv4 packet to the IPv4 server. The IPv4 server processes and forwards the received IPv4 packet. The stateless translation gateway receives the IPv4 packet, queries the address mapping record F to obtain an IPv6 packet, and sends the IPv6 packet to the IPv6 client.
According to the configured IPv6/IPv4 stateless flexible mapping table, the table is traversed and a DNS AAAA record is configured for each server IPv4 address in it, as follows:
if the mapping rule is of the fixed mapping type, the IPv6 address in the rule is used as the address of the AAAA record, and the record is configured and published on the DNS server;
if the mapping rule is of the address-embedding type, the IPv4 address is embedded into the rule's IPv6 prefix according to the RFC 6052 address mapping rule, the resulting IPv6 address is used as the address of the AAAA record, and the record is configured and published on the DNS server.
An IPv6 client in the IPv6 Internet requests the AAAA record of the IPv4 server from the DNS server, the DNS server returns it, and the client sends a first-type IPv6 packet. The stateless translation gateway receives the packet, first derives an IPv4 source address from the IPv6 source address, then searches the stateless flexible mapping table E for the first mapping rule corresponding to the IPv6 destination address using the first longest-prefix-matching principle; if such a rule is found, the destination address of the first-type IPv4 packet is calculated and the packet is sent, otherwise the packet is discarded. The first longest-prefix-matching principle works as follows:
the IPv6/IPv4 stateless flexible mapping table is searched, the IPv6 destination address of the first-type IPv6 packet is matched against each rule, and all matching rules are collected. A rule is judged to match or not as follows:
1) if the IPv6 destination address does not fall within the IPv6 prefix of the current rule, the rule is marked as not matching; if it does, the rule type is examined;
2) if the rule is a fixed mapping, it is marked as matching directly; if it is an address-embedding mapping, the IPv4 address is extracted from the IPv6 destination address and checked against the IPv4 prefix(es) of the current rule;
3) if the extracted IPv4 address falls within such a prefix, the entry with the longest IPv4 prefix length is taken and the rule is marked as matching; otherwise it is marked as not matching.
The search algorithm, whether linear or otherwise, and its time and space complexity are not limited by this patent.
After the search, the best-matching rule is chosen using the five fields of a mapping rule:
if the search found no matching rule, the first-type IPv6 packet is discarded;
if it found matching rules, the rule with the longest IPv6 prefix length is selected.
If exactly one rule has the longest IPv6 prefix length, it is marked as the optimal rule.
If several rules share the longest IPv6 prefix length, their IPv4 prefix lengths are compared and the rule with the longest IPv4 prefix length is taken. Because, as stated earlier, two mapping rules with identical five fields cannot coexist, exactly one rule is found here; it is marked as the optimal rule.
The IPv4 server processes the first-type IPv4 packet, generates a second-type IPv4 packet and sends it to the translation gateway.
The translation gateway receives the second-type IPv4 packet and first derives the IPv6 destination address from the IPv4 destination address. It then searches the IPv6/IPv4 stateless flexible mapping table E for the second mapping rule corresponding to the IPv4 source address (that is, the IPv4 server address) using the second longest-prefix-matching principle; if such a rule is found, the source IPv6 address of the second-type IPv6 packet is calculated and the packet is sent, otherwise the packet is discarded.
The second longest-prefix-matching principle works as follows:
the IPv6/IPv4 stateless flexible mapping table is searched, the IPv4 source address of the second-type IPv4 packet is matched against each rule, and all matching rules are collected. A rule is judged to match or not as follows:
the mapping table to search is first selected by routing on the destination IPv4 address; then, if the IPv4 source address does not fall within the IPv4 prefix of the current rule, the rule is marked as not matching, and if it does, the rule is marked as matching.
The search algorithm, whether linear or otherwise, and its time and space complexity are not limited by this patent.
After the search, the best-matching rule is chosen: if no rule matched, the second-type IPv4 packet is discarded; otherwise the rule with the longest IPv4 prefix length is selected. Two rules with the same IPv4 prefix are never placed in the same mapping table, so within one table any two rules have distinct IPv4 prefixes, and this step therefore yields exactly one rule, which is marked as the optimal rule.
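The two longest-prefix-matching procedures and the AAAA publication described above, as an added Python example written for this page (it is not code from the patent or from the assignee). It assumes a table whose rules carry one IPv6 prefix and one IPv4 prefix each (the text allows several IPv4 prefixes per rule), a fixed rule written as a /128 paired with a /32, and RFC 6052 embedding for the address-embedding type; it also handles the RFC 6052 prefix lengths other than /96 (32, 40, 48, 56, 64), which the text does not spell out. The rules in `example_table` are constructed from documentation-range addresses. The reverse lookup doubles as the AAAA generator, because the record published for a server is exactly the IPv6 source address the gateway synthesises for that server's replies.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, IPv6Address, IPv6Network
from typing import Dict, Iterable, Iterator, Optional, Tuple

FIXED, EMBED = "fixed", "embed"
RFC6052_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)


@dataclass(frozen=True)
class MappingRule:
    """One table entry. The five fields are the IPv6 prefix and its length, the IPv4
    prefix and its length (both carried by the Network objects) and the rule type.
    Assumption for this example: one IPv4 prefix per rule."""
    kind: str           # FIXED or EMBED
    v6: IPv6Network     # a /128 for FIXED, an RFC 6052 prefix for EMBED
    v4: IPv4Network     # a /32 for FIXED, the server address range for EMBED


def rfc6052_embed(prefix: IPv6Network, v4: IPv4Address) -> IPv6Address:
    """RFC 6052 section 2.2: IPv4 bits follow the prefix, skipping bits 64-71
    (the 'u' octet, always zero); the remaining suffix is zero."""
    pl = prefix.prefixlen
    if pl not in RFC6052_PREFIX_LENGTHS:
        raise ValueError("RFC 6052 prefix length must be one of %s" % (RFC6052_PREFIX_LENGTHS,))
    p, a = int(prefix.network_address), int(v4)
    if pl == 96:
        return IPv6Address(p | a)
    n_hi = 64 - pl                       # IPv4 bits that fit before the u octet
    n_lo = 32 - n_hi                     # IPv4 bits that continue at bit 72
    hi, lo = a >> n_lo, a & ((1 << n_lo) - 1)
    return IPv6Address(p | (hi << 64) | (lo << (56 - n_lo)))


def rfc6052_extract(prefix: IPv6Network, v6: IPv6Address) -> IPv4Address:
    """Inverse of rfc6052_embed for the same prefix length."""
    pl, v = prefix.prefixlen, int(v6)
    if pl == 96:
        return IPv4Address(v & 0xFFFFFFFF)
    n_hi = 64 - pl
    n_lo = 32 - n_hi
    hi = (v >> 64) & ((1 << n_hi) - 1)
    lo = (v >> (56 - n_lo)) & ((1 << n_lo) - 1)
    return IPv4Address((hi << n_lo) | lo)


class FlexibleMappingTable:
    def __init__(self, rules: Iterable[MappingRule]) -> None:
        self.rules = list(rules)
        seen = set()
        for r in self.rules:
            if r.kind == FIXED and (r.v6.prefixlen, r.v4.prefixlen) != (128, 32):
                raise ValueError("fixed rule must pair a /128 with a /32: %r" % (r,))
            if r.kind == EMBED and r.v6.prefixlen not in RFC6052_PREFIX_LENGTHS:
                raise ValueError("embed rule needs an RFC 6052 prefix: %r" % (r,))
            if r.v4 in seen:             # one table never holds two rules with the same IPv4 prefix
                raise ValueError("duplicate IPv4 prefix in one table: %s" % r.v4)
            seen.add(r.v4)

    def _forward_matches(self, dst6: IPv6Address) -> Iterator[Tuple[MappingRule, IPv4Address]]:
        for r in self.rules:
            if dst6 not in r.v6:                 # 1) the IPv6 prefix must cover the address
                continue
            if r.kind == FIXED:                  # 2) fixed rules match outright
                yield r, r.v4.network_address
            else:                                # 2) embed rules: extracted IPv4 must be in the IPv4 prefix
                v4 = rfc6052_extract(r.v6, dst6)
                if v4 in r.v4:
                    yield r, v4

    def v6_to_v4(self, dst6: IPv6Address) -> Optional[IPv4Address]:
        """First longest-prefix match: longest IPv6 prefix, then longest IPv4 prefix.
        None means the gateway discards the packet."""
        best = max(self._forward_matches(dst6),
                   key=lambda m: (m[0].v6.prefixlen, m[0].v4.prefixlen), default=None)
        return None if best is None else best[1]

    def v4_to_v6(self, src4: IPv4Address) -> Optional[IPv6Address]:
        """Second longest-prefix match on the server's IPv4 address. The result is
        also the AAAA address published for that server."""
        best = max((r for r in self.rules if src4 in r.v4),
                   key=lambda r: r.v4.prefixlen, default=None)
        if best is None:
            return None
        return best.v6.network_address if best.kind == FIXED else rfc6052_embed(best.v6, src4)

    def aaaa_records(self, servers: Iterable[IPv4Address]) -> Dict[str, str]:
        """AAAA data for every server address the table covers."""
        out = {}
        for s in servers:
            v6 = self.v4_to_v6(s)
            if v6 is not None:
                out[str(s)] = str(v6)
        return out


def example_table() -> FlexibleMappingTable:
    """Constructed sample: a /96 embed rule, a /64 embed rule, and a fixed rule that
    publishes an opaque address for one server inside the /96 rule's IPv4 range."""
    return FlexibleMappingTable([
        MappingRule(EMBED, IPv6Network("2001:db8:64::/96"), IPv4Network("192.0.2.0/24")),
        MappingRule(EMBED, IPv6Network("2001:db8:a::/64"), IPv4Network("198.51.100.0/24")),
        MappingRule(FIXED, IPv6Network("2001:db8:64::1234/128"), IPv4Network("192.0.2.10/32")),
    ])


if __name__ == "__main__":
    t = example_table()
    print(t.aaaa_records([IPv4Address("192.0.2.10"), IPv4Address("192.0.2.20"), IPv4Address("198.51.100.7")]))
    print(t.v6_to_v4(IPv6Address("2001:db8:64::1234")))      # the fixed rule wins: 192.0.2.10
    print(t.v6_to_v4(IPv6Address("2001:db8:64::c000:314")))  # decodes to 192.0.3.20, outside the rule: dropped
```

Note the case `2001:db8:64::1234`: it lies inside the /96 embed rule's prefix, but the IPv4 address it decodes to (0.0.18.52) is outside that rule's IPv4 range, so only the fixed rule matches and the real address 192.0.2.10 is never derivable from the published IPv6 address.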
The stateless mapping described above makes the following possible:
according to the IPv6/IPv4 stateless flexible mapping algorithm, any number of fixed mapping entries between designated IPv6 addresses and designated IPv4 addresses can be added as needed and combined with the RFC 6052 algorithmic entries into a single IPv6/IPv4 flexible mapping table based on longest-prefix matching, which adapts to the various IPv6/IPv4 access scenarios and user requirements. A static mapping between a dynamically allocated IPv6 address and the server's IPv4 address can be established for any deployment scenario. The server's real IPv4 address can be hidden from IPv6 users, and the IPv4 server can publish an encrypted (non-derivable) IPv6 address, which provides a degree of security protection. A fixed published IPv6 address is supported: however the internal server's IPv4 address changes, the externally published IPv6 address stays the same, so user access remains stable; this applies, for example, to upgrading a cloud-hosted IPv4 service to IPv6.
2) In order to recover the correct source IPv6 address and support tracing for security protection or user statistics, the system is provided with a tracing device that requests the various mapping records from the stateless translation gateway.
The tracing device: used to send a tracing request to the stateless translation gateway and obtain the IPv6/IPv4 address mapping records it asks for, so as to implement real-time tracing and historical tracing.
In this embodiment, the tracing device comprises two parts, a cryptographically secured real-time tracing facility and a cryptographically secured history tracing facility. Each sends tracing requests to the stateless translation gateway and obtains the IPv6/IPv4 address mapping records requested, implementing real-time tracing and history tracing respectively.
When a tracing request reaches the stateless translation gateway, a pre-judging component determines the facility and interface type the request is for and dispatches it to the corresponding interface. That interface verifies the user's authority on the encrypted tracing request; if the request is legitimate it is decrypted normally and the source address and/or other parameters are generated statelessly from the input parameters and the stateless mapping algorithm, which achieves the tracing.
The real-time tracing facility can be used for page-view counting, real-time monitoring, IP-address-based user profiling and the like; the history tracing facility can be used for user tracking, behaviour analysis and the like. Both query the stateless algorithm and the stateless mapping table of the stateless translation gateway, so they apply to all applications and have low cost. According to different usage requirements, the two facilities expose several cryptographically secured interfaces to users, including but not limited to a cryptographically secured local query tracing interface, a cryptographically secured high-performance remote query tracing interface and a cryptographically secured management tracing interface, and keep strong (comprehensive) log records.
In one possible implementation, as shown in fig. 1, the tracing device optionally comprises a cryptographically secured real-time tracing facility and a cryptographically secured history tracing facility, wherein
the real-time tracing facility is used to query the IPv6/IPv4 stateless flexible mapping table on the basis of the stateless translation algorithm, obtain the data, and perform page-view counting, IP-address-based user profiling and real-time monitoring;
the history tracing facility is used to query the IPv6/IPv4 stateless flexible mapping table on the basis of the stateless translation algorithm, obtain the data, and perform user tracking and behaviour analysis;
the real-time tracing facility and the history tracing facility are each connected to the stateless translation gateway.
In this embodiment, both facilities may request tracing data from the stateless translation gateway through a single tracing interface and obtain the mapping records held in the gateway according to the tracing parameters carried in the request; different tracing parameters select different kinds of tracing management. The cryptographically secured real-time tracing facility and history tracing facility are installed on the stateless translation gateway, each reads data from the gateway's stateless mapping algorithm and mapping table, and each provides a cryptographically secured local query tracing interface, a cryptographically secured high-performance remote query tracing interface and a cryptographically secured management tracing interface.
In a possible implementation, a cryptographically secured tracing interface is optionally provided on the tracing device, through which a user obtains real-time tracing data from the real-time tracing facility and/or historical tracing data from the history tracing facility on the stateless translation gateway.
Specifically, as shown in fig. 1.
In a possible implementation, the tracing interface optionally includes:
at least one cryptographically secured local query tracing interface, used by an authenticated and authorised administrator to query tracing information on the stateless translation gateway with a limited set of request parameters. It lets a system or device administrator query tracing information directly on the translation device, through a command line, a web portal or another form, without limitation. The interface relies on strict user identity authentication and authorisation: an unregistered or unauthorised user cannot query tracing information, and an authenticated user must re-authenticate after a period of time. The interface also accepts only a limited set of parameter values, which keeps tracing queries valid and their results trustworthy.
At least one cryptographically secured high-performance remote query tracing interface, used to connect an external service or query system to the stateless translation gateway for tracing queries over HTTPS/TLS/SSH. The call form may be RESTful, gRPC, NETCONF or other; the form and format are not limited. The interface encrypts end to end with HTTPS/TLS/SSH, giving secure and reliable transmission at low cost for all applications, so that an on-path attacker cannot intercept or tamper with queries, which protects the stability and security of the tracing system (this holds only when the client validates the server's certificate or host key and the server authenticates the client, for example with mutual TLS or SSH keys). In high-concurrency scenarios the interface uses an asynchronous design to support as many concurrent requests as possible, giving high-performance tracing queries.
At least one cryptographically secured management tracing interface, used by management systems to perform real-time and history tracing over the standard SNMP protocol. It serves business systems such as network management and monitoring systems. The interface uses SNMP encrypted end to end (SNMPv3 with authPriv), giving secure and reliable transmission at low cost for all applications, so that an on-path attacker cannot intercept or tamper with queries, which protects the stability and security of the tracing system.
In a possible implementation, a tracing MIB holding the tracing resources is optionally configured on the stateless translation gateway. It comprises a real-time tracing MIB and a history tracing MIB, each configured with OIDs that act as the tracing interface and are used to call the management tracing interface of the real-time tracing facility or of the history tracing facility.
The stateless translation tracing MIB (management information base) is installed on both the stateless translation gateway and the network management system; it comprises the real-time tracing MIB and the history tracing MIB, and its OIDs (object identifiers) are configured to call the cryptographically secured management tracing interfaces of the two facilities.
In a preferred embodiment, an SNMP agent is first installed on the stateless translation gateway and an SNMP tracing module is loaded through it; the SNMP tracing module can also actively report tracing records to the SNMP management server through SNMP tracing traps.
While the stateless translation gateway operates, the SNMP agent collects the information in the IPv6/IPv4 address mapping records and stores it in the tracing MIB. An administrator or user sends a request for tracing records from the SNMP management server to the agent, which looks up the corresponding result in the tracing MIB and returns it to the management server. SNMP is an application-layer protocol defined under the Internet Architecture Board (IAB) and widely used to manage and monitor network equipment; an SNMPv1/v2c/v3-based tracing module gives a uniform network management node access to tracing, which simplifies remote tracing queries and supports both real-time and historical queries.
In a possible implementation, a pre-judging component and a logging module are optionally also configured on the stateless translation gateway, wherein
the pre-judging component is used to receive a tracing request, determine from it the facility and interface type of the tracing interface, and dispatch the request to the matching tracing interface;
the logging module is used to record, on the local machine or on a separate log server, the strong log record formed from the access record and query record associated with the tracing request.
When a tracing request reaches the stateless translation gateway, the pre-judging component determines the facility and interface type and dispatches the request to the corresponding interface. That interface verifies the user's authority on the encrypted tracing request; if the request is legitimate it is decrypted normally and the source address and/or other parameters are generated statelessly from the input parameters and the stateless mapping algorithm, which achieves the tracing. If the request is illegitimate, access is denied.
Whether the request is legitimate or not, the associated access record and query record form a strong log record, which the logging module writes to the local machine or to a separate log server; the recording method is not limited.
It should be noted that, by default, the network management system queries the tracing device with SNMP Get. In certain cases SNMP Trap/Inform may be used for the tracing device to report to the network management system, but those skilled in the art will understand that the disclosure is not limited to this; the user may choose the mode according to preference and/or the practical application scenario, as long as tracing queries between the tracing device and the stateless translation gateway are achieved.
The cryptographically secured local query tracing interface may take the form of a command line, a web portal or another form, without limitation. Through the command line the user supplies parameters to the command-line tracing module: one IPv4 address, or several IPv4 addresses for a batch query, optionally with further parameters such as a time. The module queries the mapping record F with these parameters and prints the result on the terminal: for each input IPv4 address, the corresponding IPv6 address, optionally with a time. The command-line tracing module can be installed on the stateless translation gateway, so that an administrator or user can enter an IPv4 address on the device's command line to look up the user's IPv6 address; the result is direct and the IPv6 address can be located quickly when needed.
The cryptographically secured high-performance remote query tracing interface may be called in RESTful, gRPC, NETCONF or other form; the form and format are not limited. A user sends a tracing request from a REST client to the RESTful API tracing module, with one IPv4 address or a batch of IPv4 addresses as request parameters, optionally with parameters such as a time; the module queries the IPv6/IPv4 address mapping records with these parameters, encapsulates the result and returns it to the requesting client. The standard RESTful API tracing interface offers single and batch queries, performs well, is flexible, and is easy to integrate with other REST-based tracing systems.
The SNMP version used by the secure management tracing interface is not limited; note, however, that only SNMPv3 with authentication and privacy (authPriv) provides the authentication and encryption claimed for this interface, whereas SNMPv1 and v2c send community strings in clear text. The SNMP tracing trap set based on SNMPv1/v2c/v3 actively reports tracing records to the SNMP management server, and the SNMP agent collects the IPv6/IPv4 address mapping records and stores them in the tracing MIB. The SNMP tracing module is used by the SNMP management server to send a request for tracing records to the SNMP agent, obtain the tracing records from the tracing MIB and return them to the management server.
The log information formed from the access record and query record of the tracing query is recorded on the local machine or on a separate log server; the recording method is not limited.
Although the above description mapped a packet from its IPv6 destination address to an IPv4 destination address according to the IPv6/IPv4 stateless flexible mapping table, those skilled in the art will appreciate that the disclosure is not limited to this. The user can set the mapping direction according to preference and/or the practical application scenario; the flexible mapping table governs only the mapping of the server's real IPv4 address, and the IPv6/IPv4 mapping algorithm in the other direction is not restricted. Access can be realised following the construction principle of the mapping rules and the principle of the address mapping. For IPv6-to-IPv4 mapping, the translation applies to the destination address (IPv6 to IPv4); for IPv4-to-IPv6 mapping, the translation applies to the source address (IPv4 to IPv6).
Thus, on the basis of the stateless translation technology, the stateless translation gateway and the tracing device together realise cryptographically secured real-time and history tracing methods and form a unified stateless secure tracing device. The device performs real-time IPv4/IPv6 tracing directly through an encrypted API without searching logs, consumes very few system resources and greatly reduces system overhead; because it is based on network-layer stateless translation it applies to all applications, including encrypted and proprietary ones; it does not modify the content of data packets, is compatible with existing IPv4 firewalls and adds no security risk; and it uses encryption to keep tracing queries confidential end to end so that an on-path attacker cannot intercept or tamper with them, which protects the stability and security of the tracing system.
Example 2
Based on embodiment 1, this embodiment provides a method for implementing the security tracing device suitable for IPv6/IPv4 access services described in embodiment 1, as shown in fig. 2.
According to a second aspect of the disclosure, a method for implementing the above security tracing device suitable for IPv6/IPv4 access services comprises the following steps:
S100, installing and configuring the stateless translation gateway and running normal service traffic through it;
S200, installing the real-time tracing facility and the history tracing facility on the stateless translation gateway and configuring on each at least one local query tracing interface, one high-performance remote query tracing interface and one management tracing interface;
S300, sending an encrypted tracing request; determining, through the pre-judging component, the facility and interface type of the tracing interface from the request and dispatching the request to the matching tracing interface; and verifying the user's authority on the encrypted request through that interface: if the request is legitimate, decrypting it normally and generating the source address and/or other parameters from the input parameters and the stateless mapping algorithm to achieve tracing; if it is illegitimate, denying access;
S400, recording, through the logging module, the strong log record formed from the access record and query record associated with the tracing request on the local machine or on a separate log server.
It will be apparent to those skilled in the art that the modules or steps described above may be implemented by a general-purpose computing device, centralised on a single computing device or distributed across a network of computing devices, and optionally implemented as program code executable by a computing device, so that they may be stored in a storage device and executed by a computing device, or fabricated as separate integrated-circuit modules, or as a single integrated-circuit module combining several modules or steps. The invention is thus not limited to any specific combination of hardware and software.
The technical effects of this application:
The invention provides cryptographically secured real-time and history tracing methods based on stateless translation technology and forms a unified stateless secure tracing device. The device performs real-time IPv4/IPv6 tracing directly through an encrypted API without searching logs, consumes very few system resources and greatly reduces system overhead; being based on network-layer stateless translation, it applies to all applications, including encrypted and proprietary ones; it does not modify the content of data packets, is compatible with existing IPv4 firewalls and adds no security risk; and it uses encryption to keep tracing queries confidential end to end so that an on-path attacker cannot intercept or tamper with them, protecting the stability and security of the tracing system.
Example 3
Based on embodiment 1, this embodiment provides a local query tracing method using the local query tracing interface.
According to a third aspect of the disclosure, a tracing method for local queries on the above security tracing device suitable for IPv6/IPv4 access services comprises the following steps:
S111, an administrative user logs in to the stateless translation gateway, which checks and authenticates the user's authority;
S121, the user enters a tracing request containing tracing parameters;
S131, the local query tracing interface checks whether the tracing parameters match its limited format: if so, it performs a real-time query against the IPv6/IPv4 stateless flexible mapping table and returns structured output data; otherwise it discards the tracing request;
S141, the output data is obtained and returned to the user.
The specific implementation steps are as follows:
step 1: a system administrator logs in to the translation device for user authentication. If authentication succeeds and the user has permission to query tracing records, go to step 2; if authentication fails or the permission is missing, the tracing query is refused;
step 2: the administrator enters the tracing parameters and starts the query. For a real-time query, one or more source IPv4 addresses are entered; for a historical query, a time range or similar information may be required in addition to the one or more source IPv4 addresses;
step 3: the cryptographically secured local query tracing interface checks whether the parameters are in the defined format. If so, continue with step 4; otherwise the request is discarded directly;
step 4: the cryptographically secured local query tracing interface performs a real-time query according to the stateless translation mapping algorithm and mapping table and returns structured output data, which may comprise the traced IPv6 address, several IPv4-IPv6 stateless mapping records, or other required tracing results;
step 5: the structured output data is organised into a user-friendly form and can be exported.
Example 4
Based on the implementation of embodiment 1, this embodiment provides a high-performance remote query tracing method in combination with a high-performance remote query tracing interface.
According to a fourth aspect of the present disclosure, a tracing method for performing a high-performance remote query based on the above security tracing apparatus suitable for IPv6/IPv4 access service is provided, comprising the following steps:
S211, a remote user logs in to the stateless translation gateway for user authority verification and authentication;
S221, a tracing request containing tracing parameters is input;
S231, the high-performance remote query tracing interface judges whether the IPv4/IPv6 address of the remote user is within a preset allowed range: if yes, the tracing request is decrypted and the interface judges whether the tracing parameters match its limited format; otherwise, the tracing request is discarded;
S241, if the tracing parameters match the limited format of the high-performance remote query tracing interface, a real-time query is carried out through that interface according to the IPv6/IPv4 stateless flexible mapping table and structured output data are returned; otherwise, the tracing request is discarded;
S251, the output data are acquired and returned to the remote user.
The specific implementation steps are as follows.
Step 1: The external business system or query system authenticates itself to the tracing device. If authentication succeeds and the user has the authority to query tracing logs, proceed to step 2; if authentication fails or the user lacks that authority, the tracing query is refused.
Step 2: The external business system or query system inputs the tracing parameters through the interface and starts the query. For a real-time query, one or more source IPv4 addresses are input; for a historical query, information such as a time range may also need to be input in addition to the source IPv4 addresses. The related information is packaged in a message in encrypted form and sent to the stateless translation gateway.
Step 3: The encryption-secure high-performance remote query tracing interface judges whether the IPv4/IPv6 address of the tracing querier is within the allowed range. If yes, continue with step 4; otherwise the request is discarded directly.
Step 4: The encryption-secure high-performance remote query tracing interface decrypts the request and judges whether the querier's parameters are in the limited format. If yes, continue with step 5; otherwise the request is discarded directly.
Step 5: A real-time query is performed according to the stateless translation mapping algorithm and the mapping table, and structured output data are returned. The output data may comprise a traced IPv6 address, a number of IPv4-IPv6 stateless mapping records, or other required tracing results. Optionally, the query may be performed asynchronously to further improve query performance.
Step 6: The structured output data are organized into a standard interface output form and sent to the tracing querier in encrypted form.
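The two query paths of Examples 3 and 4 share the same core: authenticate, enforce a limited request format, recompute the IPv6 source from the IPv4 address with the stateless mapping, and return structured output, with the remote path additionally checking the querier's address against an allowed range before anything else. The following is an added example written for this page, not the patent's or the applicant's own code. Everything in it is an assumption: the stateless mapping is an RFC 6052-style embedding of the IPv4 address in the low 32 bits of a /96 IPv6 prefix (the patent's "stateless flexible mapping" algorithm is not specified here), each mapping-table entry carries the time window in which it was active so that a historical query can be answered by recomputation rather than log lookup, the sample table, allow-list, user records and permission name `trace.query` are constructed, and transport encryption (HTTPS/TLS/SSH) is assumed to be terminated before `remote_query()` is reached, so only the order of the checks is shown.

```python
"""Added example, not the patent's own code: the query gates of Examples 3 and 4
over a constructed IPv6/IPv4 stateless mapping table.  Assumptions (none from
the patent): the mapping embeds the IPv4 address in the low 32 bits of a /96
IPv6 prefix (RFC 6052-style), so the IPv6 source is recomputed rather than
read from logs; each table entry carries its active time window, which is what
makes a historical query possible without logs; HTTPS/TLS/SSH is terminated
before remote_query() is reached, so only the order of checks is shown."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

MAX_SOURCES = 16  # "limited format": at most this many source addresses per request
UTC = timezone.utc


@dataclass(frozen=True)
class MappingEntry:
    ipv4_pool: ipaddress.IPv4Network    # IPv4 pool served under this prefix
    ipv6_prefix: ipaddress.IPv6Network  # /96 prefix the IPv4 address is embedded in
    valid_from: datetime
    valid_to: Optional[datetime]        # None: entry is still active


# Constructed sample table: the pool was moved to a new prefix on 2021-07-01.
MAPPING_TABLE = [
    MappingEntry(ipaddress.IPv4Network("203.0.113.0/24"), ipaddress.IPv6Network("2001:db8:1::/96"),
                 datetime(2021, 1, 1, tzinfo=UTC), datetime(2021, 6, 30, 23, 59, 59, tzinfo=UTC)),
    MappingEntry(ipaddress.IPv4Network("203.0.113.0/24"), ipaddress.IPv6Network("2001:db8:2::/96"),
                 datetime(2021, 7, 1, tzinfo=UTC), None),
]
# Constructed allow-list of hosts that may use the remote interface (Example 4, step 3).
REMOTE_ALLOWLIST = [ipaddress.ip_network("198.51.100.0/24"), ipaddress.ip_network("2001:db8:ffff::/48")]
AUDIT_LOG: List[tuple] = []  # every accepted or discarded request lands here (claim 6 "strong logging")


def stateless_reverse_map(ipv4: ipaddress.IPv4Address, entry: MappingEntry) -> ipaddress.IPv6Address:
    """Recompute the IPv6 source: prefix bits OR the embedded IPv4 bits. No log lookup."""
    return ipaddress.IPv6Address(int(entry.ipv6_prefix.network_address) | int(ipv4))


def select_entry(ipv4: ipaddress.IPv4Address, at: datetime) -> Optional[MappingEntry]:
    """Table entry whose pool holds ipv4 and that was active at time `at`."""
    for e in MAPPING_TABLE:
        if ipv4 in e.ipv4_pool and e.valid_from <= at and (e.valid_to is None or at <= e.valid_to):
            return e
    return None


def parse_request(request: dict) -> Tuple[List[ipaddress.IPv4Address], datetime]:
    """Enforce the limited request format; ValueError means 'discard'.
    Without "at" the query is real-time; with a zone-aware ISO-8601 "at" it is historical."""
    if not isinstance(request, dict) or set(request) - {"sources", "at"}:
        raise ValueError("unexpected field")
    sources = request.get("sources")
    if not isinstance(sources, list) or not 1 <= len(sources) <= MAX_SOURCES:
        raise ValueError("sources must hold 1..%d addresses" % MAX_SOURCES)
    if not all(isinstance(s, str) for s in sources):
        raise ValueError("sources must be dotted-quad strings")
    addrs = [ipaddress.IPv4Address(s) for s in sources]  # non-IPv4 text raises ValueError
    at_raw = request.get("at")
    if at_raw is not None and not isinstance(at_raw, str):
        raise ValueError("time must be an ISO-8601 string")
    at = datetime.fromisoformat(at_raw) if at_raw else datetime.now(UTC)
    if at.tzinfo is None:
        raise ValueError("time must carry a timezone")
    return addrs, at


def authorized(user: dict) -> bool:
    """Step 1 of both examples: authenticated and holding the trace-query authority."""
    return user.get("authenticated") is True and "trace.query" in user.get("permissions", ())


def local_query(user: dict, request: dict) -> dict:
    """Example 3: authenticate -> check format -> recompute -> structured output."""
    who = user.get("name")
    if not authorized(user):
        AUDIT_LOG.append(("discard", who, "unauthorized"))
        return {"status": "discarded", "reason": "unauthorized"}
    try:
        addrs, at = parse_request(request)
    except ValueError as exc:
        AUDIT_LOG.append(("discard", who, "format: %s" % exc))
        return {"status": "discarded", "reason": "format"}
    results = []
    for ipv4 in addrs:
        e = select_entry(ipv4, at)
        results.append({"ipv4": str(ipv4), "at": at.isoformat(),
                        "ipv6": str(stateless_reverse_map(ipv4, e)) if e else None,
                        "prefix": str(e.ipv6_prefix) if e else None})
    AUDIT_LOG.append(("ok", who, len(results)))
    return {"status": "ok", "results": results}


def remote_query(peer: str, user: dict, request: dict) -> dict:
    """Example 4: the peer address is checked against the allow-list before the body
    is parsed at all, so an unlisted host never reaches the decoder (step 3 before step 4)."""
    if not any(ipaddress.ip_address(peer) in net for net in REMOTE_ALLOWLIST):
        AUDIT_LOG.append(("discard", peer, "peer not allowed"))
        return {"status": "discarded", "reason": "peer"}
    return local_query(user, request)
```

The ordering in `remote_query()` is the point of Example 4's steps 3 and 4: the cheap address check runs first, so hosts outside the allowed range never exercise the decryption or parsing code, and every discard still leaves an audit record. A query for `203.0.113.7` with `"at": "2021-03-01T00:00:00+00:00"` resolves to `2001:db8:1::cb00:7107` under the first table entry, while the same address queried in real time resolves under the current prefix to `2001:db8:2::cb00:7107`; a time before any entry was active yields `ipv6: null` rather than a guess.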
Example 5
Based on the implementation of embodiment 1, this embodiment provides a management query traceability method in combination with a management traceability interface.
According to a fifth aspect of the present disclosure, a tracing method for management based on the above security tracing apparatus suitable for IPv6/IPv4 access service is provided, comprising the following steps:
S311, a tracing MIB library is installed on the stateless translation gateway and on the network management system, and the SNMP parameters and SNMP mode are configured;
S321, a network management user logs in to the stateless translation gateway for user authority verification and authentication;
S331, a tracing request containing tracing parameters is input;
S341, the management tracing interface judges whether the IPv4/IPv6 address of the network management user is within a preset allowed range: if yes, the tracing request is decrypted and the interface judges whether the tracing parameters match its limited format; otherwise, the tracing request is discarded;
S351, if the tracing parameters match the limited format of the management tracing interface, a real-time query is carried out through that interface according to the IPv6/IPv4 stateless flexible mapping table and structured output data are returned; otherwise, the tracing request is discarded;
S361, the output data are acquired and returned to the network management user.
The specific implementation steps are as follows.
Step 1: Configure the relevant SNMP parameters, which may include a unique identifier, an authentication user name/password, a whitelist of network management system addresses, and so on. Install the MIB library for stateless translation tracing on both the stateless translation gateway and the network management system; the MIB library comprises a real-time tracing MIB and a history tracing MIB, and the OIDs of the MIB library are configured so as to call the encryption-secure management tracing interfaces of the real-time tracing facility and of the history tracing facility.
Step 2: Configure the SNMP mode. By default, the network management system queries the tracing device using SNMP Get. In specific cases the tracing device may instead report information to the network management system using SNMP Trap/Inform; the present invention does not limit this.
Step 3: The network management system authenticates itself to the tracing device. If authentication succeeds and the user has the authority to query tracing logs, proceed to step 4; if authentication fails or the user lacks that authority, the tracing query is refused.
Step 4: The network management system inputs the tracing parameters through the interface and starts the query. For a real-time query, one or more source IPv4 addresses are input; for a historical query, information such as a time range may also need to be input in addition to the source IPv4 addresses. The related information is packaged in an encrypted SNMP message and sent to the stateless translation gateway.
Step 5: The encryption-secure management tracing interface judges whether the IPv4/IPv6 address of the tracing querier is within the allowed range. If yes, continue with step 6; otherwise the request is discarded directly.
Step 6: The encryption-secure management tracing interface decrypts the request and judges whether the querier's SNMP request parameters are in the limited format. If yes, continue with step 7; otherwise the request is discarded directly.
Step 7: A real-time query is performed according to the stateless translation mapping algorithm and the mapping table, and structured output data are returned. The output data may comprise a traced IPv6 address, a number of IPv4-IPv6 stateless mapping records, or other required tracing results.
Step 8: The structured output data are organized into a standard SNMP interface output form and sent to the tracing querier in encrypted form.
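Example 5 exposes the two tracing facilities through a MIB whose OIDs are wired to the management tracing interfaces, so that an SNMP Get on the right OID answers a tracing question. The following added example, written for this page and not the patent's own code, shows how such a Get handler dispatches on the OID to a real-time subtree and a history subtree. Everything specific in it is assumed: `1.3.6.1.4.1.99999` is a placeholder enterprise arc (the patent names no OIDs), rows are indexed in the usual SNMP way with the four octets of the IPv4 address appended as sub-identifiers (an IpAddress index) and the history row additionally carrying a Unix timestamp sub-identifier, the prefix history and manager allow-list are constructed, the mapping is the same RFC 6052-style /96 embedding assumed above, and SNMPv3 user authentication is left to the SNMP stack so only the manager-address whitelist of step 1 is checked here.

```python
"""Added example, not the patent's own code: an SNMP Get handler that dispatches on
the OID to the real-time or the history tracing MIB subtree (Example 5).
Assumptions not taken from the patent: 1.3.6.1.4.1.99999 is a placeholder
enterprise arc; rows are indexed the usual SNMP way, the four octets of the IPv4
address appended as sub-identifiers (an IpAddress index), and the history row
adds a Unix timestamp sub-identifier; the prefixes are constructed; SNMPv3 user
authentication is left to the SNMP stack, only the manager allow-list is checked."""
import ipaddress
from typing import Optional, Tuple

ENTERPRISE = (1, 3, 6, 1, 4, 1, 99999)        # placeholder enterprise arc
REALTIME_COLUMN = ENTERPRISE + (1, 1, 1)      # realtimeTable.realtimeEntry.realtimeIPv6
HISTORY_COLUMN = ENTERPRISE + (2, 1, 1)       # historyTable.historyEntry.historyIPv6

# Constructed prefix history as (active-from Unix time, /96 prefix); the last is current.
PREFIX_HISTORY = [(0, ipaddress.IPv6Network("2001:db8:1::/96")),
                  (1625097600, ipaddress.IPv6Network("2001:db8:2::/96"))]  # 2021-07-01T00:00Z
NOW = 1700000000  # constructed "current time" used by the real-time table
MANAGER_ALLOWLIST = [ipaddress.ip_network("198.51.100.0/24"), ipaddress.ip_network("2001:db8:ffff::/48")]
NO_SUCH_OBJECT = "noSuchObject"      # SNMPv2 exception: OID is outside the MIB
NO_SUCH_INSTANCE = "noSuchInstance"  # SNMPv2 exception: object exists, this row does not


def parse_oid(oid: str) -> Tuple[int, ...]:
    """Dotted OID string to a tuple of sub-identifiers; anything else is malformed."""
    parts = oid.strip().lstrip(".").split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError("malformed OID")
    return tuple(int(p) for p in parts)


def ipv4_from_index(subids: Tuple[int, ...]) -> ipaddress.IPv4Address:
    """IpAddress-style row index: exactly four sub-identifiers in 0..255."""
    if len(subids) != 4 or not all(0 <= s <= 255 for s in subids):
        raise ValueError("index is not an IpAddress")
    return ipaddress.IPv4Address(".".join(str(s) for s in subids))


def prefix_at(epoch: int) -> ipaddress.IPv6Network:
    """Prefix that was in force at the given Unix time (history table semantics)."""
    chosen = PREFIX_HISTORY[0][1]
    for start, prefix in PREFIX_HISTORY:
        if start <= epoch:
            chosen = prefix
    return chosen


def map_ipv4(ipv4: ipaddress.IPv4Address, prefix: ipaddress.IPv6Network) -> ipaddress.IPv6Address:
    """Stateless embedding: prefix bits OR the IPv4 address in the low 32 bits."""
    return ipaddress.IPv6Address(int(prefix.network_address) | int(ipv4))


def snmp_get(manager: str, oid: str) -> Optional[Tuple[str, str]]:
    """Answer a Get with (oid, value) or (oid, exception name). None means the request
    was dropped without a reply because the manager is not on the allow-list (step 5)."""
    if not any(ipaddress.ip_address(manager) in net for net in MANAGER_ALLOWLIST):
        return None
    try:
        subids = parse_oid(oid)
    except ValueError:
        return oid, NO_SUCH_OBJECT
    if subids[:len(REALTIME_COLUMN)] == REALTIME_COLUMN:
        try:
            ipv4 = ipv4_from_index(subids[len(REALTIME_COLUMN):])
        except ValueError:
            return oid, NO_SUCH_INSTANCE
        return oid, str(map_ipv4(ipv4, prefix_at(NOW)))
    if subids[:len(HISTORY_COLUMN)] == HISTORY_COLUMN:
        index = subids[len(HISTORY_COLUMN):]
        if len(index) != 5:
            return oid, NO_SUCH_INSTANCE
        try:
            ipv4 = ipv4_from_index(index[:4])
        except ValueError:
            return oid, NO_SUCH_INSTANCE
        return oid, str(map_ipv4(ipv4, prefix_at(index[4])))
    return oid, NO_SUCH_OBJECT
```

A Get on `1.3.6.1.4.1.99999.1.1.1.203.0.113.7` from an allowed manager returns the current mapping `2001:db8:2::cb00:7107`; the history row `…2.1.1.203.0.113.7.1614556800` (2021-03-01) resolves under the older prefix to `2001:db8:1::cb00:7107`. A malformed index answers `noSuchInstance` and an OID outside the tracing MIB answers `noSuchObject`, as an SNMPv2 agent would, while a manager outside the whitelist gets no reply at all, which matches step 5's "discard directly".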
Having described embodiments of the present disclosure, the foregoing description is intended to be exemplary, not exhaustive, and not limited to the disclosed embodiments. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the described embodiments. The terms used herein were chosen in order to best explain the principles of the embodiments, the practical application, or technical improvements to the techniques in the marketplace, or to enable others of ordinary skill in the art to understand the embodiments disclosed herein.

Claims (10)

1. A security tracing device suitable for IPv6/IPv4 access service, characterized in that it comprises a stateless translation gateway and a tracing device that are communicatively connected, wherein: the stateless translation gateway is used to configure an IPv6/IPv4 stateless flexible mapping table and, based on that mapping table, to perform stateless mapping of the received IPv6/IPv4 addresses and obtain IPv6/IPv4 address mapping records; and the tracing device is used to send tracing requests to the stateless translation gateway and to obtain the IPv6/IPv4 address mapping records according to the tracing request, thereby realizing real-time tracing and historical tracing.
2. The security tracing device suitable for IPv6/IPv4 access service according to claim 1, characterized in that the tracing device comprises an encryption-secure real-time tracing facility and an encryption-secure historical tracing facility, wherein: the real-time tracing facility is used to query and obtain data from the IPv6/IPv4 stateless flexible mapping table based on the stateless translation algorithm, to count page views and IP-address-based user profiles, and to perform real-time monitoring; the historical tracing facility is used to query and obtain data from the IPv6/IPv4 stateless flexible mapping table based on the stateless translation algorithm and to perform user tracking and behaviour analysis; and the real-time tracing facility and the historical tracing facility are each connected to the stateless translation gateway.
3. The security tracing device suitable for IPv6/IPv4 access service according to claim 2, characterized in that the tracing device is provided with an encryption-secure tracing interface, which a user uses to obtain from the stateless translation gateway the real-time tracing data of the real-time tracing facility and/or the historical tracing data of the historical tracing facility.
4. The security tracing device suitable for IPv6/IPv4 access service according to claim 3, characterized in that the tracing interface comprises: at least one encryption-secure native query tracing interface, used by an authenticated and authorized administrator to query tracing information on the stateless translation gateway with a limited set of request parameters; at least one encryption-secure high-performance remote query tracing interface, used to connect an external business/query system to the stateless translation gateway and carry out tracing queries between them using HTTPS/TLS/SSH encryption; and at least one encryption-secure management tracing interface, used by a management system to perform real-time tracing and historical tracing using the standard SNMP protocol.
5. The security tracing device suitable for IPv6/IPv4 access service according to claim 4, characterized in that the stateless translation gateway is configured with a tracing MIB library that stores tracing resources, the tracing MIB library comprising a real-time tracing MIB library and a historical tracing MIB library, each of which is configured with an OID tracing interface used to call the management tracing interface on the real-time tracing facility or the management tracing interface on the historical tracing facility.
6. The security tracing device suitable for IPv6/IPv4 access service according to claim 5, characterized in that the stateless translation gateway is further configured with a pre-judgment component and a log recording module, wherein: the pre-judgment component is used to receive a tracing request, to determine from the tracing request the facility and the interface type to which the tracing interface belongs, and to distribute the tracing request to the matched tracing interface; and the log recording module is used to record, on the local machine or on a separate log server, strong log records formed from both the access records and the query records associated with the tracing request.
7. A method of implementing the security tracing device suitable for IPv6/IPv4 access service according to any one of claims 1 to 6, characterized in that it comprises the following steps: S100, install and configure the stateless translation gateway and run business traffic normally on it; S200, install the real-time tracing facility and the historical tracing facility on the stateless translation gateway, and configure at least one each of the native query tracing interface, the high-performance remote query tracing interface and the management tracing interface; S300, send an encrypted tracing request; the pre-judgment component determines from the tracing request the facility and the interface type to which the tracing interface belongs and distributes the tracing request to the matched tracing interface; the matched tracing interface performs user authority verification on the encrypted tracing request: a legitimate request is decrypted normally and the source address and/or other parameters are generated from the input parameters and the stateless mapping algorithm, realizing tracing; an illegitimate request is denied access; S400, through the log recording module, record on the local machine or on a separate log server strong log records formed from both the access records and the query records associated with the tracing request.
8. A tracing method for performing a native query based on the security tracing device suitable for IPv6/IPv4 access service according to any one of claims 4 to 6, characterized in that it comprises the following steps: S111, a management user logs in to the stateless translation gateway for user authority verification and authentication; S121, a tracing request containing tracing parameters is input; S131, the native query tracing interface judges whether the tracing parameters match its limited format: if yes, a real-time query is carried out through the native query tracing interface according to the IPv6/IPv4 stateless flexible mapping table and structured output data are returned; otherwise the tracing request is discarded; S141, the output data are acquired and returned to the user.
9. A tracing method for performing a high-performance remote query based on the security tracing device suitable for IPv6/IPv4 access service according to any one of claims 4 to 6, characterized in that it comprises the following steps: S211, a remote user logs in to the stateless translation gateway for user authority verification and authentication; S221, a tracing request containing tracing parameters is input; S231, the high-performance remote query tracing interface judges whether the IPv4/IPv6 address of the remote user is within a preset allowed range: if yes, the tracing request is decrypted and the interface judges whether the tracing parameters match its limited format; otherwise the tracing request is discarded; S241, if the tracing parameters match the limited format of the high-performance remote query tracing interface, a real-time query is carried out through that interface according to the IPv6/IPv4 stateless flexible mapping table and structured output data are returned; otherwise the tracing request is discarded; S251, the output data are acquired and returned to the remote user.
10. A tracing method for management based on the security tracing device suitable for IPv6/IPv4 access service according to any one of claims 4 to 6, characterized in that it comprises the following steps: S311, a tracing MIB library is installed on the stateless translation gateway and on the network management system, and the SNMP parameters and SNMP mode are configured; S321, a network management user logs in to the stateless translation gateway for user authority verification and authentication; S331, a tracing request containing tracing parameters is input; S341, the management tracing interface judges whether the IPv4/IPv6 address of the network management user is within a preset allowed range: if yes, the tracing request is decrypted and the interface judges whether the tracing parameters match its limited format; otherwise the tracing request is discarded; S351, if the tracing parameters match the limited format of the management tracing interface, a real-time query is carried out through that interface according to the IPv6/IPv4 stateless flexible mapping table and structured output data are returned; otherwise the tracing request is discarded; S361, the output data are acquired and returned to the network management user.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111495152.XA CN114143113B (en) 2021-12-09 2021-12-09 Security traceability device and method suitable for IPv6/IPv4 access service

Publications (2)

Publication Number Publication Date
CN114143113A true CN114143113A (en) 2022-03-04
CN114143113B CN114143113B (en) 2023-07-28

Family

ID=80385439

Country Status (1)

Country Link
CN (1) CN114143113B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103856581A (en) * 2014-03-26 2014-06-11 清华大学 Translation packaging adaptive algorithm of user-side device
US20180026888A1 (en) * 2012-03-12 2018-01-25 Comcast Cable Communications, Llc Stateless Protocol Translation
CN113542452A (en) * 2021-09-15 2021-10-22 北京英迪瑞讯网络科技有限公司 Real-time IPv4-IPv6 tracing method and system based on algorithm mapping
CN113691650A (en) * 2021-10-21 2021-11-23 北京英迪瑞讯网络科技有限公司 IPv4/IPv6 stateless segmented safety mapping method and control system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant