A multi-cluster traffic processing method and device, electronic equipment and storage medium
By establishing encrypted channels and device sessions between encrypted devices and the unified access layer in the IoT platform, the problem of flexible scheduling and unified distribution of DTLS secure encrypted devices across multiple clusters is solved, achieving efficient and secure traffic forwarding for device management.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- E SURFING IOT CO LTD
- Filing Date
- 2024-09-10
- Publication Date
- 2026-07-07
AI Technical Summary
In the Internet of Things (IoT) field, how to achieve flexible scheduling and unified distribution of DTLS-secure encrypted device traffic across multiple clusters, especially in the public utilities and healthcare industries, where the secure transmission and storage of massive amounts of devices poses a challenge.
By establishing an encrypted channel with a unified access layer between the encrypted device and the target platform, packet payload is stripped, the unique device identifier is parsed, a device session is established, and business packets are exchanged based on device attribute information. This enables the DTLS encryption/decryption and session persistence functions to be implemented at the lower level, and the unified access layer is used for flexible traffic scheduling and unified distribution.
It enables secure management and traffic forwarding of DTLS encrypted devices in a multi-cluster architecture, reducing device development costs and resource consumption, and improving the flexibility and efficiency of device access.
Smart Images

Figure CN119232436B_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of data processing technology, and in particular to a method, apparatus, electronic device, and storage medium for processing multi-cluster traffic. Background Technology
[0002] DTLS (Datagram Transport Layer Security) is a data packet security transport protocol used to provide secure data transmission over unreliable data packet transport protocols (such as UDP). It is particularly suitable for enabling secure encrypted communication between resource-constrained terminals and platforms in the Internet of Things (IoT) field, and has been widely used in smart utilities and the healthcare industry.
[0003] With the widespread adoption of smart technology, the access and management of massive numbers of IoT devices has become a focal point, especially in public utilities and healthcare, where the secure transmission and storage of device data is paramount. Therefore, whether considering factors such as geographically localized management, the saturation of single-platform device access, or security aspects like data isolation and dedicated resources, an architecture design that enables the access and management of massive numbers of devices across multiple clusters has become an inevitable choice. However, compared to plaintext transmission devices, achieving flexible scheduling and unified distribution of DTLS-secure encrypted device traffic across clusters presents a new challenge. Summary of the Invention
[0004] This invention proposes a method, apparatus, electronic device, and storage medium for multi-cluster traffic processing, aiming to at least partially solve one of the technical problems in related technologies. The embodiments of this invention can realize multi-cluster traffic processing.
[0005] On one hand, embodiments of the present invention provide a multi-cluster traffic processing method, including:
[0006] In response to the interaction request between the encryption device and the target platform, an encrypted channel with a unified access layer is established between the encryption device and the target platform;
[0007] The encrypted channel is stripped of its message payload to obtain the device service data. The device service data includes plaintext data, the link information of the encrypted channel, and the device source address information of the encrypted device.
[0008] The unique identifier of the encrypted device is obtained by parsing the message characteristics of the plaintext data. A device session is established at the target node of the unified access layer based on the unique device identifier. The device session is used to record the session record between the encrypted device and the unified access layer. The session record includes device session information and first attribute information. The first attribute information includes link information, device source address information and target node information.
[0009] The device attribute information of the encrypted device is obtained by querying the device's unique identifier, and business message exchange is carried out based on the device attribute information. The device attribute information includes first attribute information and second attribute information. The second attribute information includes the cluster information of the cluster to which the encrypted device belongs. The content of the business message exchange includes uplink business messages and downlink business messages.
[0010] Optionally, the method further includes the following steps:
[0011] In response to the device management instructions of the cluster to which the encryption device belongs, the device routing maintenance service interface of the unified access layer is invoked according to the second attribute information of the encryption device.
[0012] Based on the call to the device routing maintenance service interface, information management operations are performed on the data information in the routing table of the unified access layer;
[0013] The device management instructions include adding or deleting, and the information management operations include writing or deleting second attribute information.
[0014] Optionally, the encryption device has a pre-programmed unified access layer device interface address; establishing an encrypted channel between the encryption device and the target platform using the unified access layer includes the following steps:
[0015] Based on the device interface address, an encryption authentication process is performed between the encrypted device and the unified access layer access distribution service to complete the establishment of the encrypted channel;
[0016] The encryption authentication process includes establishing an encrypted link, a secure transmission protocol handshake, and certificate authentication.
[0017] Optionally, the method further includes the following steps:
[0018] Record device session information and link information and device source address information that are stripped out by the encrypted channel through message payload stripping in the device session;
[0019] The device's unique identifier, link information, device source address information, node information, and device session information are written into the session table in the unified access layer.
[0020] Optionally, the first attribute information is stored in the session table of the unified access layer, and the second attribute information is stored in the routing table of the unified access layer; obtaining the device attribute information of the encrypted device based on the device's unique identifier includes the following steps:
[0021] When the content of the service message exchange is a downlink service message, the first attribute information is obtained by querying the session table based on the unique device identifier determined by the downlink service message.
[0022] The session table stores the unique device identifier and first attribute information of all encrypted devices that have established device sessions in the unified access layer. The unique device identifier and first attribute information of each encrypted device are stored in the session table in the format of associated data groups.
[0023] When the content of the service message exchange is an uplink service message, the second attribute information is obtained by querying the routing table based on the device's unique identifier.
[0024] The routing table stores the unique device identifier and second attribute information of all encrypted devices in the managed multi-cluster. The unique device identifier and second attribute information of each encrypted device are stored in the routing table in the format of associated data groups.
[0025] Optionally, when the content of the service message exchange is a downlink service message, the service message exchange is performed on the encrypted device and its associated cluster based on device attribute information, including the following steps:
[0026] The downlink service message is forwarded to the first service node in the unified access layer through the encryption device; the target node represents the service node corresponding to the encryption device; the first service node represents any node in the unified access layer.
[0027] The second service node where the device session corresponding to the target encryption device is located is determined based on the first attribute information; the target encryption device represents the device to which the downlink service message is sent.
[0028] Downlink service packets are routed from the first service node to the second service node via remote procedure call, and then sent to the target encryption device through the device session and encryption channel corresponding to the target encryption device.
[0029] Optionally, when the content of the service message exchange is an uplink service message, the service message exchange is performed on the encrypted device and its cluster based on the device attribute information, including the following steps:
[0030] The cluster to which the encrypted device belongs is determined based on the second attribute information;
[0031] Uplink service messages are forwarded to the device access service of the cluster through a preset connection method, so that the cluster can perform process parsing of the uplink service messages; the preset connection methods include dedicated line connection or cloud peer-to-peer connection.
[0032] On the other hand, embodiments of the present invention provide a multi-cluster traffic processing device, comprising:
[0033] The first module is used to respond to the interaction request between the encryption device and the target platform and establish an encryption channel for the unified access layer between the encryption device and the target platform.
[0034] The second module is used to strip the message payload from the encrypted channel to obtain the device service data; the device service data includes plaintext data, the link information of the encrypted channel, and the device source address information of the encrypted device;
[0035] The third module is used to parse the message characteristics of plaintext data to obtain the unique device identifier of the encryption device, and establish a device session at the target node of the unified access layer based on the unique device identifier; the device session is used to record the session record between the encryption device and the unified access layer; the session record includes device session information and first attribute information; the first attribute information includes link information, device source address information and target node node information;
[0036] The fourth module is used to query and obtain the device attribute information of the encrypted device based on the device's unique identifier, and to perform business message interaction based on the device attribute information. The device attribute information includes first attribute information and second attribute information. The second attribute information includes the cluster information of the cluster to which the encrypted device belongs. The content of the business message interaction includes uplink business messages and downlink business messages.
[0037] Optionally, the device further includes:
[0038] The fifth module is used to respond to the device management instructions of the cluster to the encrypted device and call the unified access layer device routing maintenance service interface according to the second attribute information of the encrypted device.
[0039] The sixth module is used to perform information management operations on the data information in the routing table of the unified access layer based on the call to the device routing maintenance service interface;
[0040] The device management instructions include adding or deleting, and the information management operations include writing or deleting second attribute information.
[0041] Optionally, the device further includes:
[0042] The seventh module is used to record device session information and link information and device source address information that are stripped out by the encrypted channel through packet payload stripping in the device session;
[0043] The eighth module is used to write the device's unique identifier, link information, device source address information, node information, and device session information into the session table in the unified access layer.
[0044] On the other hand, embodiments of the present invention provide an electronic device, including: a processor and a memory; the memory is used to store a program; the processor executes the program to implement the above-described multi-cluster traffic processing method.
[0045] On the other hand, embodiments of the present invention provide a computer storage medium storing a processor-executable program, which, when executed by a processor, is used to implement the above-described multi-cluster traffic processing method.
[0046] This invention, in response to an interaction request between an encryption device and a target platform, establishes an encrypted channel in the unified access layer between the encryption device and the target platform. The encrypted channel is then subjected to packet payload stripping to obtain device service data. This device service data includes plaintext data, link information of the encrypted channel, and device source address information of the encryption device. A unique device identifier for the encryption device is obtained by parsing the packet characteristics of the plaintext data. Based on this unique device identifier, a device session is established at the target node in the unified access layer. The device session is used to record the session records between the encryption device and the unified access layer. The session records include device session information and first attribute information. The first attribute information includes link information, device source address information, and node information of the target node. The device attribute information of the encryption device is obtained by querying based on the unique device identifier. Service message interaction is then performed based on this device attribute information. The device attribute information includes first attribute information and second attribute information, the second attribute information including the cluster information of the encryption device's cluster. The content of the service message interaction includes uplink service messages and downlink service messages. This invention achieves business message interaction by establishing an encrypted channel, stripping message payload, establishing device sessions, and matching device attribute information. By using a logically integrated unified access layer, DTLS encryption / decryption and session persistence functions are decentralized, thereby enabling flexible traffic scheduling and unified distribution. This meets the needs of DTLS secure encryption device management and traffic forwarding in the multi-cluster architecture of IoT platforms. Attached Figure Description
[0047] The accompanying drawings are provided to further understand the technical solutions of the present invention and constitute a part of the specification. They are used together with the embodiments of the present invention to explain the technical solutions of the present invention, and do not constitute a limitation on the technical solutions of the present invention.
[0048] Figure 1 This is a schematic diagram of an implementation environment for multi-cluster traffic processing provided in an embodiment of the present invention;
[0049] Figure 2 A flowchart illustrating a multi-cluster traffic processing method provided in an embodiment of the present invention;
[0050] Figure 3 This is a schematic diagram of an extended process of the multi-cluster traffic processing method provided in an embodiment of the present invention;
[0051] Figure 4 This is a schematic diagram of another extended process of the multi-cluster traffic processing method provided in the embodiments of the present invention;
[0052] Figure 5This is a schematic diagram of the process for querying device attribute information provided in an embodiment of the present invention;
[0053] Figure 6 This is a schematic diagram of a service message interaction process provided in an embodiment of the present invention;
[0054] Figure 7 This is another schematic diagram of the business message interaction provided in an embodiment of the present invention;
[0055] Figure 8 This is a schematic diagram illustrating the architecture principle of multi-cluster traffic processing provided in an embodiment of the present invention;
[0056] Figure 9 This is a schematic diagram of the structure of a multi-cluster traffic processing device provided in an embodiment of the present invention;
[0057] Figure 10 This is a schematic diagram of the structure of an electronic device provided in an embodiment of the present invention. Detailed Implementation
[0058] To make the objectives, technical solutions, and advantages of this invention clearer, the invention will be further described in detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative and not intended to limit the invention.
[0059] It should be noted that although functional modules are divided in the system diagram and the logical order is shown in the flowchart, in some cases, the steps shown or described may be performed in a different order than the module division in the system or the order in the flowchart. The terms "first / S100," "second / S200," etc., in the specification, claims, and the aforementioned figures are used to distinguish similar objects and are not necessarily used to describe a specific order or sequence.
[0060] In this document, the term "embodiment" means that a particular feature, structure, or characteristic described in connection with an embodiment may be included in at least one embodiment of the invention. The appearance of this phrase in various places throughout the specification does not necessarily refer to the same embodiment, nor is it a separate or alternative embodiment mutually exclusive with other embodiments. It will be explicitly and implicitly understood by those skilled in the art that the embodiments described herein can be combined with other embodiments.
[0061] To facilitate understanding of the technical solution of this invention, the technical features and proper nouns that may appear in the embodiments of this invention will first be explained:
[0062] DTLS (Datagram Transport Layer Security) is a secure transport protocol based on UDP. It provides similar security and data integrity protection as TLS (Transport Layer Security), while also having the advantages of UDP, such as low latency and support for multiplexing.
[0063] RPC (Remote Procedure Call) is a protocol that requests services from a remote computer over a network. It allows a program to call a procedure or function in another address space (usually on another machine on a shared network) without requiring the programmer to explicitly code the details of the remote call.
[0064] It is understood that the multi-cluster traffic processing method provided in this embodiment of the invention can be applied to any computer device with data processing and computing capabilities, and this computer device can be various types of terminals or servers. When the computer device in the embodiment is a server, the server is an independent physical server, or a server cluster or distributed system composed of multiple physical servers, or a cloud server that provides basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, CDN (Content Delivery Network), and big data and artificial intelligence platforms. Optionally, the terminal can be a smartphone, tablet computer, laptop computer, or desktop computer, but it is not limited to these.
[0065] like Figure 1 The diagram shown is a schematic representation of an implementation environment provided by an embodiment of the present invention. (Refer to...) Figure 1 The implementation environment includes at least one terminal 102 and a server 101. The terminal 102 and the server 101 can be connected via a network, either wirelessly or via a wired connection, to complete data transmission and exchange.
[0066] Server 101 can be a standalone physical server, a server cluster or distributed system composed of multiple physical servers, or a cloud server that provides basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, CDN (Content Delivery Network), and big data and artificial intelligence platforms.
[0067] Additionally, server 101 can also be a node server in a blockchain network. Blockchain is a novel application model of computer technologies such as distributed data storage, peer-to-peer transmission, consensus mechanisms, and encryption algorithms.
[0068] Terminal 102 can be a smartphone, tablet computer, laptop computer, desktop computer, smart speaker, smartwatch, etc., but is not limited to these. Terminal 102 and server 101 can be directly or indirectly connected via wired or wireless communication, and this embodiment of the invention does not impose any limitations.
[0069] Exemplary based on Figure 1 The implementation environment shown in this embodiment of the invention provides a multi-cluster traffic processing method. The following description uses the application of this multi-cluster traffic processing method in terminal 102 as an example. It can be understood that this multi-cluster traffic processing method can also be applied to server 101.
[0070] Reference Figure 2 , Figure 2 This is a flowchart illustrating a multi-cluster traffic processing method applied to a terminal according to an embodiment of the present invention. The executing entity of this multi-cluster traffic processing method can be any of the aforementioned computer devices (including servers or terminals). (Refer to...) Figure 2 The method includes the following steps:
[0071] S100. In response to the interaction request between the encryption device and the target platform, establish an encryption channel for the unified access layer between the encryption device and the target platform.
[0072] It should be noted that the encryption device has a pre-programmed device interface address of the unified access layer. In some embodiments, establishing an encryption channel between the encryption device and the target platform's unified access layer may include the following steps: based on the device interface address, performing an encryption authentication process between the encryption device and the access distribution service of the unified access layer to complete the establishment of the encryption channel; wherein, the encryption authentication process includes encryption link establishment, secure transmission protocol handshake and certificate authentication.
[0073] In some embodiments, such as Figure 3 As shown, the method may further include the following steps: A100, responding to the device management command of the encryption device by the cluster, calling the device routing maintenance service interface of the unified access layer according to the second attribute information of the encryption device; A200, based on the call to the device routing maintenance service interface, performing information management operations on the data information in the routing table of the unified access layer; wherein, the device management command includes adding or deleting, and the information management operation corresponds to writing or deleting the second attribute information.
[0074] For example, in some specific implementations, the encryption information such as the PSK and certificate of the DTLS device is decentralized to the unified access layer. The unified access layer realizes encryption and decryption, link maintenance, and session persistence for all DTLS devices, which can be achieved as follows:
[0075] 1) When adding or deleting devices, each cluster synchronously calls the unified access layer's device routing maintenance service interface with the device's unique identifier, cluster information, and device encryption information (including but not limited to PSK / PSKID, etc.) to write or delete the routing table of the unified access layer for global unified maintenance.
[0076] 2) All DTLS devices have the unified access layer's device interface address burned into them. When the device interacts with the platform, it must first complete the encrypted transmission channel establishment process with the unified access layer access distribution service, including establishing an encrypted link, DTLS handshake, and certificate authentication.
[0077] S200: Strip the message payload from the encrypted channel to obtain the device service data;
[0078] The equipment business data includes plaintext data, encrypted channel link information, and encrypted device source address information;
[0079] For example, in some specific implementations, after the DTLS encrypted channel is established, the application-side message is stripped of its payload, and the decrypted plaintext data, encrypted channel link information, device source address information, etc., are thrown out.
[0080] S300: Obtain the unique device identifier of the encrypted device by parsing the message characteristics of the plaintext data, and establish a device session at the target node of the unified access layer based on the unique device identifier;
[0081] Among them, the device session is used to record the session records between the encryption device and the unified access layer; the session record includes device session information and first attribute information; the first attribute information includes link information, device source address information and target node node information;
[0082] In some embodiments, such as Figure 4 As shown, the method may further include the following steps: B100, recording device session information and link information and device source address information thrown out by the encrypted channel through packet payload stripping in the device session; B200, writing the device unique identifier, link information, device source address information, node information and device session information into the session table in the unified access layer.
[0083] For example, in some specific implementations, after the unified access layer separates the device service data, it obtains the unique device identifier based on the packet characteristics and records its correspondence with the device's source address and DTLS encrypted session, thus completing the decoupling of device traffic uplink and downlink. Specifically, this can be achieved as follows:
[0084] 1) Parse the unique device identifier (including but not limited to IMEI) carried in the plaintext data packets thrown by the encrypted channel based on the characteristics of the packets (including but not limited to login packets ep; heartbeat packets path; business packets token, etc.).
[0085] 2) Establish and maintain a device session based on the device's unique identifier, and record the link information and device source address information thrown out by the encrypted channel in the device session.
[0086] 3) Synchronously write key information such as the device's unique identifier, device session information, encrypted channel link information, device source address information, and node information into the session table, and refresh it in real time each time a new device uplink service message is received.
[0087] S400: Obtain the device attribute information of the encrypted device by querying the device's unique identifier, and perform business message interaction based on the device attribute information;
[0088] The device attribute information includes first attribute information and second attribute information. The second attribute information includes the cluster information of the cluster to which the encrypted device belongs. The content of the service message exchange includes uplink service messages and downlink service messages.
[0089] It should be noted that the first attribute information is stored in the session table of the unified access layer, and the second attribute information is stored in the routing table of the unified access layer; in some embodiments, such as Figure 5 As shown, obtaining device attribute information of an encrypted device based on its unique device identifier may include the following steps: S411, when the content of the service message exchange is a downlink service message, the first attribute information is obtained by querying the session table based on the unique device identifier determined by the downlink service message; the session table stores the unique device identifier and first attribute information corresponding to all encrypted devices that have established device sessions in the unified access layer, and the unique device identifier and first attribute information corresponding to each encrypted device are stored in the session table in the format of an associated data group; S412, when the content of the service message exchange is an uplink service message, the second attribute information is obtained by querying the routing table based on the unique device identifier; the routing table stores the unique device identifier and second attribute information corresponding to all encrypted devices in the managed multi-cluster, and the unique device identifier and second attribute information corresponding to each encrypted device are stored in the routing table in the format of an associated data group.
[0090] In some embodiments, such as Figure 6As shown, when the content of the service message exchange is a downlink service message, the service message exchange between the encryption device and its cluster based on the device attribute information may include the following steps: S421, forwarding the downlink service message to the first service node in the unified access layer through the encryption device; the target node represents the service node corresponding to the encryption device; the first service node represents any service node in the unified access layer; S422, determining the second service node where the device session corresponding to the target encryption device is located based on the first attribute information; the target encryption device represents the device to which the downlink service message is sent; S423, routing the downlink service message from the first service node to the second service node through a remote procedure call, and then sending the downlink service message to the target encryption device through the device session and encryption channel corresponding to the target encryption device.
[0091] In some embodiments, such as Figure 7 As shown, when the content of the business message exchange is an uplink business message, the business message exchange between the encrypted device and its cluster based on the device attribute information may include the following steps: S431, determine the cluster to which the encrypted device belongs based on the second attribute information; S432, transfer the uplink business message to the device access service of the cluster through a preset connection method, so that the cluster can perform process parsing of the uplink business message; the preset connection method includes a dedicated line connection or a cloud peer-to-peer connection.
[0092] For example, in some specific implementations, the cluster affiliation information and corresponding access address of the device can be obtained by querying based on the device's unique identifier. Uplink and downlink interaction and distribution of the device's business data with the business cluster can be realized through methods such as dedicated lines or cloud peer-to-peer connections. Specifically, the following can be achieved:
[0093] 1) For device uplink service messages:
[0094] ① Query the routing table based on the device's unique identifier, and obtain the cluster information to be transferred out of the device and its access address based on the cluster information pre-written in the table.
[0095] ② The plaintext data packets emitted from the encrypted channel are forwarded to the device access service of the corresponding cluster via dedicated lines or cloud peer-to-peer connections, where they are used for corresponding business packet parsing and process handling.
[0096] 2) For downlink service messages from the device:
[0097] ① The device access module of each cluster forwards the messages that need to be sent to the device to any access distribution service node (i.e., service node) of the unified access layer.
[0098] ② After receiving the downlink packet, the access distribution service obtains the unique identifier of the device based on the packet characteristics (including but not limited to packet path or token, etc.), and queries the session table accordingly to obtain the corresponding node information, session information, link information, device source address, etc.
[0099] ③ The downlink packets are routed to the node where the device session is located via RPC, and then encrypted through the original device session and link via the DTLS channel before being sent to the device.
[0100] To explain in detail the principle of the technical solution of the present invention, the overall process of the present invention will be described below with reference to some specific embodiments. It is easy to understand that the following is an explanation of the technical principle of the present invention and should not be regarded as a limitation of the present invention.
[0101] First, it should be noted that the existing technical solutions are as follows:
[0102] Existing IoT multi-cluster processing models are mostly designed for multi-cluster access processing of IoT devices based on TCP protocols (such as MQTT or HTTP protocols).
[0103] Existing multi-cluster processing mostly involves devices connecting to different clusters based on their geographical location. Due to the different access addresses, mass production is not possible at the factory, and secondary programming is required according to the actual situation.
[0104] Alternatively, the device may need to implement an additional function to dynamically receive addresses allocated by the platform, allowing the platform to dynamically allocate cluster addresses for access, which increases the device's additional development costs and resource consumption.
[0105] In view of this, the present invention provides a method that divides the access interaction between DTLS devices and the platform into two parts: encrypted link maintenance and business data interaction. The DTLS encryption / decryption and session persistence functions are decentralized, and business data is transmitted through secure transmission methods such as dedicated lines and cloud peer-to-peer connections to achieve flexible traffic scheduling and unified distribution. This meets the needs of DTLS secure encryption device management and traffic forwarding in the multi-cluster architecture of IoT platforms. Specifically, refer to... Figure 8 The solution of the present invention can be achieved as follows:
[0106] 1. The encryption information such as PSK and certificates of DTLS devices is moved down to the unified access layer, which then handles encryption / decryption, link maintenance, and session persistence for all DTLS devices.
[0107] 1) When adding or deleting devices, each cluster synchronously calls the unified access layer's device routing maintenance service interface with the device's unique identifier, cluster information, and device encryption information (including but not limited to PSK / PSKID, etc.) to write or delete the routing table of the unified access layer for global unified maintenance.
[0108] 2) All DTLS devices have the unified access layer's device interface address burned into them. When the device interacts with the platform, it must first complete the encrypted transmission channel establishment process with the unified access layer access distribution service, including establishing an encrypted link, DTLS handshake, and certificate authentication.
[0109] 3) After the DTLS encrypted channel is established, the application-side message will be stripped of its payload, and the decrypted plaintext data, encrypted channel link information, device source address information, etc. will be thrown out.
[0110] 2. After the unified access layer separates the device service data, it obtains the unique device identifier based on packet characteristics and records its correspondence with the device's source address and DTLS encrypted session, thus completing the decoupling of device traffic from uplink to downlink.
[0111] 1) Parse the unique device identifier (including but not limited to IMEI) carried in the plaintext data packets thrown by the encrypted channel based on the characteristics of the packets (including but not limited to login packets ep; heartbeat packets path; business packets token, etc.).
[0112] 2) Establish and maintain a device session based on the device's unique identifier, and record the link information and device source address information thrown out by the encrypted channel in the device session.
[0113] 3) Synchronously write key information such as the device's unique identifier, device session information, encrypted channel link information, device source address information, and node information into the session table, and refresh it in real time each time a new device uplink service message is received.
[0114] 3. Based on the device's unique identifier, query and obtain the device's cluster affiliation information and corresponding access address, and realize the uplink and downlink interaction and distribution of the device's business data with the business cluster through methods such as dedicated lines or cloud peer-to-peer connections:
[0115] 1) For device uplink service messages:
[0116] ① Query the routing table based on the device's unique identifier, and obtain the cluster information to be transferred out of the device and its access address based on the cluster information pre-written in the table.
[0117] ② The plaintext data packets emitted from the encrypted channel are forwarded to the device access service of the corresponding cluster via dedicated lines or cloud peer-to-peer connections, where they are used for corresponding business packet parsing and process handling.
[0118] 2) For downlink service messages from the device:
[0119] ① The device access module of each cluster forwards the messages that need to be sent to the device to any access distribution service node (i.e., service node) of the unified access layer.
[0120] ② After receiving the downlink packet, the access distribution service obtains the unique identifier of the device based on the packet characteristics (including but not limited to packet path or token, etc.), and queries the session table accordingly to obtain the corresponding node information, session information, link information, device source address, etc.
[0121] ③ The downlink packets are routed to the node where the device session is located via RPC, and then encrypted through the original device session and link via the DTLS channel before being sent to the device.
[0122] In summary, this invention has been developed and deployed on the corresponding IoT platform's AIoT general component service, achieving excellent results. The method of this invention supports multiple protocols on IoT platforms (including but not limited to: DTLS devices, LWM2M protocol devices, CoAP protocol devices, UDP protocol devices, etc.) and various business scenarios. This invention is easy to implement and promote, and can be extended to other industries and systems, including but not limited to: traditional telecommunications, smart cities, smart homes, industry & agriculture, smart healthcare, and connected vehicles. Compared to existing technologies, this invention has at least the following beneficial effects:
[0123] This invention provides a multi-cluster access interaction mode for DTLS encryption devices based on the UDP protocol.
[0124] The device only needs to be programmed with the same unified access cluster address, avoiding secondary programming; at the same time, there is no need to develop an additional dynamic address receiving function for the device, avoiding additional resource consumption.
[0125] The solution of this invention saves equipment development costs and production cycle, avoids additional business interactions, and effectively improves customer experience.
[0126] On the other hand, such as Figure 9 As shown, this embodiment of the invention provides a multi-cluster traffic processing device 900, comprising:
[0127] The first module 901 is used to respond to the interaction request between the encryption device and the target platform and establish an encryption channel for the unified access layer between the encryption device and the target platform.
[0128] The second module 902 is used to strip the message payload from the encrypted channel to obtain device service data; the device service data includes plaintext data, link information of the encrypted channel, and device source address information of the encrypted device;
[0129] The third module 903 is used to parse the message characteristics of plaintext data to obtain the unique device identifier of the encryption device, and establish a device session at the target node of the unified access layer based on the unique device identifier; the device session is used to record the session record between the encryption device and the unified access layer; the session record includes device session information and first attribute information; the first attribute information includes link information, device source address information and target node node information;
[0130] The fourth module 904 is used to query and obtain the device attribute information of the encrypted device based on the device's unique identifier, and to perform business message interaction based on the device attribute information. The device attribute information includes first attribute information and second attribute information. The second attribute information includes the cluster information of the cluster to which the encrypted device belongs. The content of the business message interaction includes uplink business messages and downlink business messages.
[0131] In some embodiments, the apparatus may further include:
[0132] The fifth module is used to respond to the device management instructions of the cluster to the encrypted device and call the unified access layer device routing maintenance service interface according to the second attribute information of the encrypted device.
[0133] The sixth module is used to perform information management operations on the data information in the routing table of the unified access layer based on the call to the device routing maintenance service interface;
[0134] The device management instructions include adding or deleting, and the information management operations include writing or deleting second attribute information.
[0135] In some embodiments, the apparatus may further include:
[0136] The seventh module is used to record device session information and link information and device source address information that are stripped out by the encrypted channel through packet payload stripping in the device session;
[0137] The eighth module is used to write the device's unique identifier, link information, device source address information, node information, and device session information into the session table in the unified access layer.
[0138] The content of the method embodiments of the present invention is applicable to the device embodiments. The specific functions implemented by the device embodiments are the same as those of the above method embodiments, and the beneficial effects achieved are also the same as those achieved by the above methods.
[0139] On the other hand, embodiments of the present invention also provide an electronic device, which includes a memory and a processor. The memory stores a computer program, and the processor executes the computer program to implement the aforementioned sensitive information method. This electronic device can be any smart terminal, including tablet computers, in-vehicle computers, etc.
[0140] It is understood that the content of the above method embodiments is applicable to this device embodiment. The specific functions implemented by this device embodiment are the same as those of the above method embodiments, and the beneficial effects achieved are also the same as those achieved by the above method embodiments.
[0141] like Figure 10 As shown, Figure 10 This illustration shows a specific example of the hardware structure of an electronic device 1000 according to one embodiment. The electronic device 1000 includes:
[0142] The processor 1001 can be implemented using a general-purpose CPU (Central Processing Unit), microprocessor, application-specific integrated circuit (ASIC), or one or more integrated circuits, and is used to execute relevant programs to implement the technical solutions provided in the embodiments of the present invention.
[0143] The memory 1002 can be implemented as a read-only memory (ROM), static storage device, dynamic storage device, or random access memory (RAM). The memory 1002 can store the operating system and other application programs. When the technical solutions provided in the embodiments of this specification are implemented through software or firmware, the relevant program code is stored in the memory 1002 and is called and executed by the processor 1001 to execute the network node population optimization method of the embodiments of this invention.
[0144] Input / output interface 1003 is used to implement information input and output;
[0145] The communication interface 1004 is used to enable communication and interaction between this device and other devices. Communication can be achieved through wired means (such as USB, network cable, etc.) or wireless means (such as mobile network, WIFI, Bluetooth, etc.).
[0146] Bus 1005 transmits information between various components of the device (e.g., processor 1001, memory 1002, input / output interface 1003, and communication interface 1004);
[0147] The processor 1001, memory 1002, input / output interface 1003 and communication interface 1004 are connected to each other within the device via bus 1005.
[0148] The electronic device embodiments described above are merely illustrative. The units described as separate components may or may not be physically separate; that is, they may be located in one place or distributed across multiple network units. Some or all of the modules can be selected to achieve the purpose of this embodiment according to actual needs.
[0149] The content of the method embodiments of the present invention is applicable to the embodiments of the present electronic device. The specific functions implemented by the embodiments of the present electronic device are the same as those of the above method embodiments, and the beneficial effects achieved are also the same as those achieved by the above methods.
[0150] Another aspect of this invention provides a computer-readable storage medium storing a program that is executed by a processor to implement the aforementioned method.
[0151] It should be noted that the computer-readable medium shown in the embodiments of the present invention can be a computer-readable signal medium or a computer-readable storage medium, or any combination thereof. A computer-readable storage medium can be, for example,—but not limited to—an electrical, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination thereof. More specific examples of a computer-readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer disk, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM), flash memory, optical fiber, portable compact disc read-only memory (CD to ROM), optical storage devices, magnetic storage devices, or any suitable combination thereof. In the present invention, a computer-readable storage medium can be any tangible medium containing or storing a program that can be used by or in conjunction with an instruction execution system, apparatus, or device. In the present invention, a computer-readable signal medium can include a data signal propagated in baseband or as part of a carrier wave, wherein computer-readable program code is carried. Such transmitted data signals can take various forms, including but not limited to electromagnetic signals, optical signals, or any suitable combination thereof. The computer-readable signal medium can also be any computer-readable medium other than a computer-readable storage medium, which can send, propagate, or transmit a program for use by or in connection with an instruction execution system, apparatus, or device. The program code contained on the computer-readable medium can be transmitted using any suitable medium, including but not limited to wireless, wired, etc., or any suitable combination thereof.
[0152] The content of the method embodiments of the present invention is applicable to the computer-readable storage medium embodiments. The specific functions implemented by the computer-readable storage medium embodiments are the same as those of the above method embodiments, and the beneficial effects achieved are also the same as those achieved by the above methods.
[0153] This invention also discloses a computer program product or computer program, which includes computer instructions stored in a computer-readable storage medium. A processor of a computer device can read the computer instructions from the computer-readable storage medium and execute the computer instructions, causing the computer device to perform the aforementioned method.
[0154] The flowcharts and block diagrams in the accompanying drawings illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various embodiments of the present invention. In this regard, each block in a flowchart or block diagram may represent a module, segment, or portion of code containing one or more executable instructions for implementing a specified logical function. It should also be noted that in some alternative implementations, the functions indicated in the blocks may occur in a different order than those indicated in the drawings. For example, two consecutively indicated blocks may actually be executed substantially in parallel, and they may sometimes be executed in reverse order, depending on the functions involved. It should also be noted that each block in a block diagram or flowchart, and combinations of blocks in a block diagram or flowchart, may be implemented using a dedicated hardware-based system that performs the specified function or operation, or using a combination of dedicated hardware and computer instructions.
[0155] It should be noted that although several modules for the device used to perform actions have been mentioned in the detailed description above, this division is not mandatory. In fact, according to embodiments of the present invention, the features and functions of two or more modules or units described above can be embodied in one module or unit. Conversely, the features and functions of one module or unit described above can be further divided and embodied by multiple modules or units.
[0156] Through the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein can be implemented by software or by combining software with necessary hardware. Therefore, the technical solutions according to the embodiments of the present invention can be embodied in the form of a software product, which can be stored in a non-volatile storage medium (such as a CD-ROM, USB flash drive, portable hard drive, etc.) or on a network, including several instructions to cause a computing device (such as a personal computer, server, touch terminal, or network device, etc.) to execute the method according to the embodiments of the present invention.
[0157] In some alternative embodiments, the functions / operations mentioned in the block diagrams may not occur in the order shown in the operation diagrams. For example, depending on the functions / operations involved, two consecutively shown blocks may actually be executed substantially simultaneously, or the blocks may sometimes be executed in reverse order. Furthermore, the embodiments presented and described in the flowcharts of this invention are provided by way of example to provide a more comprehensive understanding of the technology. The disclosed methods are not limited to the operations and logic flows presented herein. Alternative embodiments are contemplated in which the order of various operations is changed and sub-operations described as part of a larger operation are executed independently.
[0158] Furthermore, although the invention has been described in the context of functional modules, it should be understood that, unless otherwise stated, one or more of the functions and / or features may be integrated into a single physical device and / or software module, or one or more functions and / or features may be implemented in a separate physical device or software module. It is also understood that a detailed discussion of the actual implementation of each module is unnecessary for understanding the invention. Rather, given the properties, functions, and internal relationships of the various functional modules in the apparatus disclosed herein, the actual implementation of the module will be understood within the scope of conventional skill of an engineer. Therefore, those skilled in the art can implement the invention as set forth in the claims using ordinary techniques without excessive experimentation. It is also understood that the specific concepts disclosed are merely illustrative and not intended to limit the scope of the invention, which is determined by the full scope of the appended claims and their equivalents.
[0159] If a function is implemented as a software functional unit and sold or used as an independent product, it can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of this invention, or the part that contributes to the prior art, or a part of the technical solution, can be embodied in the form of a software product. This computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute all or part of the steps of the methods of the various embodiments of this invention. The aforementioned storage medium includes various media capable of storing program code, such as USB flash drives, portable hard drives, read-only memory (ROM), random access memory (RAM), magnetic disks, or optical disks.
[0160] The logic and / or steps represented in the flowchart or otherwise described herein, for example, can be considered as a sequenced list of executable instructions for implementing logical functions, and can be embodied in any computer-readable medium for use by, or in conjunction with, an instruction execution means, apparatus, or device (such as a computer-based device, a processor-including device, or other means that can fetch and execute instructions from, or in conjunction with, an instruction execution means, apparatus, or device). For the purposes of this specification, "computer-readable medium" can be any means that can contain, store, communicate, propagate, or transmit programs for use by, or in conjunction with, an instruction execution means, apparatus, or device.
[0161] More specific examples of computer-readable media (a non-exhaustive list) include: electrical connections (electronic devices) having one or more wires, portable computer disk drives (magnetic devices), random access memory (RAM), read-only memory (ROM), erasable and editable read-only memory (EPROM or flash memory), fiber optic devices, and portable optical disc read-only memory (CDROM). Furthermore, computer-readable media can even be paper or other suitable media on which programs can be printed, because programs can be obtained electronically, for example, by optically scanning the paper or other medium, followed by editing, interpreting, or otherwise processing as necessary, and then stored in computer memory.
[0162] It should be understood that various parts of the present invention can be implemented in hardware, software, firmware, or a combination thereof. In the above embodiments, multiple steps or methods can be implemented in software or firmware stored in memory and executed by a suitable instruction execution device. For example, if implemented in hardware, as in another embodiment, it can be implemented using any one or a combination of the following techniques known in the art: discrete logic circuits having logic gates for implementing logical functions on data signals, application-specific integrated circuits (ASICs) having suitable combinational logic gates, programmable gate arrays (PGAs), field-programmable gate arrays (FPGAs), etc.
[0163] In the description of this specification, references to terms such as "one embodiment," "some embodiments," "example," "specific example," or "some examples," etc., indicate that a specific feature, structure, material, or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of the invention. In this specification, the illustrative expressions of the above terms do not necessarily refer to the same embodiment or example. Furthermore, the specific features, structures, materials, or characteristics described may be combined in any suitable manner in one or more embodiments or examples.
[0164] Although embodiments of the invention have been shown and described, those skilled in the art will understand that various changes, modifications, substitutions and alterations can be made to these embodiments without departing from the principles and spirit of the invention, the scope of which is defined by the claims and their equivalents.
[0165] The above is a detailed description of the preferred embodiments of the present invention. However, the present invention is not limited to the embodiments. Those skilled in the art can make various equivalent modifications or substitutions without departing from the spirit of the present invention. All such equivalent modifications or substitutions are included within the scope defined by the claims of the present invention.
Claims
1. A method for processing multi-cluster traffic, characterized in that, Includes the following steps: In response to the interaction request between the encryption device and the target platform, an encryption channel for the unified access layer between the encryption device and the target platform is established; The encrypted channel is stripped of its message payload to obtain device service data; the device service data includes plaintext data, link information of the encrypted channel, and device source address information of the encrypted device. The unique device identifier of the encryption device is obtained by parsing the message characteristics of the plaintext data. A device session is established at the target node of the unified access layer based on the unique device identifier. The device session is used to record the session record between the encryption device and the unified access layer. The session record includes device session information and first attribute information. The first attribute information includes the link information, the device source address information, and the node information of the target node. The device attribute information of the encrypted device is obtained by querying the unique identifier of the device, and business message interaction is performed based on the device attribute information; the device attribute information includes the first attribute information and the second attribute information, the second attribute information includes the cluster information of the cluster to which the encrypted device belongs; the content of the business message interaction includes uplink business messages and downlink business messages; Wherein, when the content of the service message exchange is the downlink service message, the service message exchange based on the device attribute information between the encrypted device and its associated cluster includes the following steps: The encryption device forwards the downlink service message to the first service node in the unified access layer; the target node represents the service node corresponding to the encryption device; the first service node represents any node in the unified access layer. Based on the first attribute information, the second service node where the device session corresponding to the target encryption device is located is determined; the target encryption device represents the device to which the downlink service message is sent. The downlink service message is routed from the first service node to the second service node via remote procedure call, and then sent to the target encryption device through the device session and encryption channel corresponding to the target encryption device; Wherein, when the content of the service message exchange is the uplink service message, the service message exchange based on the device attribute information between the encrypted device and its associated cluster includes the following steps: The cluster to which the encryption device belongs is determined based on the second attribute information; The uplink service message is forwarded to the device access service of the cluster through a preset connection method, so that the cluster can perform process parsing on the uplink service message; the preset connection method includes a dedicated line connection or a cloud peer-to-peer connection.
2. The multi-cluster traffic processing method according to claim 1, characterized in that, The method further includes the following steps: In response to the device management command of the encryption device from the cluster, the device routing maintenance service interface of the unified access layer is invoked according to the second attribute information of the encryption device. Based on the call to the device routing maintenance service interface, information management operations are performed on the data information in the routing table of the unified access layer; The device management instructions include adding or deleting, and the information management operations correspond to writing or deleting the second attribute information.
3. The multi-cluster traffic processing method according to claim 1, characterized in that, The encryption device is pre-programmed with the device interface address of the unified access layer; establishing an encryption channel between the encryption device and the target platform's unified access layer includes the following steps: Based on the device interface address, an encryption authentication process is performed between the encrypted device and the access distribution service of the unified access layer to complete the establishment of the encrypted channel; The encryption authentication process includes establishing an encrypted link, a secure transmission protocol handshake, and certificate authentication.
4. The multi-cluster traffic processing method according to claim 1, characterized in that, The method further includes the following steps: The device session information, the link information and the device source address information that are stripped out by the packet payload of the encrypted channel are recorded in the device session. The device's unique identifier, the link information, the device's source address information, the node information, and the device's session information are written into the session table in the unified access layer.
5. The multi-cluster traffic processing method according to claim 1, characterized in that, The first attribute information is stored in the session table of the unified access layer, and the second attribute information is stored in the routing table of the unified access layer; obtaining the device attribute information of the encrypted device based on the device's unique identifier includes the following steps: When the content of the service message interaction is the downlink service message, the first attribute information is obtained by querying the session table based on the unique device identifier determined by the downlink service message; The session table stores the unique device identifier and the first attribute information corresponding to all the encrypted devices that have established the device session in the unified access layer. The unique device identifier and the first attribute information corresponding to each encrypted device are stored in the session table in the format of an associated data group. When the content of the service message exchange is the uplink service message, the second attribute information is obtained by querying the routing table according to the unique identifier of the device. The routing table stores the unique device identifier and the second attribute information corresponding to all the encrypted devices in the managed multi-cluster. The unique device identifier and the second attribute information corresponding to each encrypted device are stored in the routing table in the format of an associated data group.
6. A multi-cluster traffic processing device, characterized in that, include: The first module is used to respond to the interaction request between the encryption device and the target platform and establish an encryption channel for the unified access layer between the encryption device and the target platform. The second module is used to strip the packet payload from the encrypted channel to obtain device service data; the device service data includes plaintext data, link information of the encrypted channel, and device source address information of the encrypted device; The third module is used to parse the message characteristics of the plaintext data to obtain the unique device identifier of the encryption device, and establish a device session on the target node of the unified access layer based on the unique device identifier; the device session is used to record the session record between the encryption device and the unified access layer; the session record includes device session information and first attribute information; the first attribute information includes the link information, the device source address information and the node information of the target node; The fourth module is used to query and obtain the device attribute information of the encrypted device based on the device's unique identifier, and to perform business message interaction based on the device attribute information; the device attribute information includes the first attribute information and the second attribute information, the second attribute information including the cluster information of the cluster to which the encrypted device belongs; the content of the business message interaction includes uplink business messages and downlink business messages; Wherein, when the content of the service message exchange is the downlink service message, the service message exchange based on the device attribute information between the encrypted device and its associated cluster includes the following steps: The encryption device forwards the downlink service message to the first service node in the unified access layer; the target node represents the service node corresponding to the encryption device; the first service node represents any node in the unified access layer. Based on the first attribute information, the second service node where the device session corresponding to the target encryption device is located is determined; the target encryption device represents the device to which the downlink service message is sent. The downlink service message is routed from the first service node to the second service node via remote procedure call, and then sent to the target encryption device through the device session and encryption channel corresponding to the target encryption device; Wherein, when the content of the service message exchange is the uplink service message, the service message exchange based on the device attribute information between the encrypted device and its associated cluster includes the following steps: The cluster to which the encryption device belongs is determined based on the second attribute information; The uplink service message is forwarded to the device access service of the cluster through a preset connection method, so that the cluster can perform process parsing on the uplink service message; the preset connection method includes a dedicated line connection or a cloud peer-to-peer connection.
7. An electronic device, characterized in that, Including the processor and memory; The memory is used to store programs; The processor executes the program to implement the method as described in any one of claims 1 to 5.
8. A computer storage medium storing a processor-executable program, characterized in that, The processor-executable program, when executed by the processor, is used to implement the method as described in any one of claims 1 to 5.