Satellite internet password defined network isolation method and system
By using SRv6 segment lists and security segment identifiers in satellite internet, tenant identity and permissions are verified hop-by-hop, solving the security cross-risk problem in multi-tenant shared environments. This enables fine-grained traffic control from the network edge to the backbone network, improving security and network dynamic scalability.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- WEBRAY TECH BEIJING CO LTD
- Filing Date
- 2026-04-22
- Publication Date
- 2026-07-14
Smart Images

Figure CN122394895A_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of communication technology, and in particular to a method and system for cryptographically defined network isolation in satellite internet. Background Technology
[0002] With the rapid deployment of mega-satellite constellations, satellite networks are evolving from closed communication systems serving specific missions into open service platforms for global internet access. The core driving force behind this evolution lies in a fundamental shift in the system design philosophy: the network objective has expanded from deterministic communication across single links to the optimization of global network throughput and connectivity. This shift in philosophy not only restructures the satellite network architecture but also brings new systemic security challenges. As satellite internet evolves from a dedicated system to a shared, multi-tenant system, the security boundary issues arising from multi-tenant coexistence are becoming increasingly prominent.
[0003] In scenarios where multiple tenants share physical infrastructure, existing satellite internet primarily employs link-layer encryption or end-to-end VPN / IPsec for network isolation. These solutions rely on secure associations between links or terminals, making it difficult to address the uncontrollable path risks brought about by topology changes in dynamically evolving satellite-to-ground backbone networks. Furthermore, the enforcement of security policies is typically limited to the network edge, failing to provide fine-grained constraints on traffic within the backbone network, leading to potential security cross-risks in multi-tenant environments. Summary of the Invention
[0004] This invention provides a satellite internet cryptographic definition network isolation method and system to address the potential security cross-risks in multi-tenant environments in existing technologies.
[0005] This invention provides a satellite internet cryptographic definition network isolation method, comprising: Responding to the tenant's business requests; A logical tunnel is generated based on the security policy of the business request. The logical tunnel is then converted into a list of SRv6 segments containing security segment identifiers. The security segment identifiers are associated with credential information used to verify the identity and permissions of the tenant hop by hop. The SRv6 segment list and security segment identifier information are sent to the satellite nodes and ground nodes participating in the path; When satellite nodes and ground nodes participating in the path forward data packets, they extract the security segment identifier corresponding to the current segment, verify the validity of the security segment identifier and its matching with the current data flow; after successful verification, they execute the SRv6 instruction to forward the data packet to the next segment.
[0006] A satellite internet cryptographically defined network isolation method provided by the present invention further includes: Reserve a predefined segment in the SRv6 segment identifier structure, embed a hashed or encrypted short-term access token, and generate a secure segment identifier; or, Define a security association header in the IPv6 extension header, carrying complete identity token and signature information, and generate a security segment identifier.
[0007] A satellite internet cryptographically defined network isolation method provided by the present invention further includes: The control plane allocates independent security segment identifier namespaces for different tenants or different services, and controls entities within a slice to only generate and resolve security segment identifiers for their own domains, thus achieving physical isolation between slices.
[0008] A satellite internet cryptographically defined network isolation method provided by the present invention further includes: When a new service is initiated, the control plane dynamically plans the path according to the security policy and generates the corresponding security segment identifier; or, When a service ends or a policy changes, the corresponding security segment identifier path automatically becomes invalid and is reclaimed, controlling the dynamic evolution of the network topology along with the service lifecycle.
[0009] A satellite internet cryptographically defined network isolation method provided by the present invention further includes: The SRv6 controller receives differentiated security policies and identity information of tenants with different security levels, parses them, maps them to the target private network endpoint, and generates a logical tunnel containing the tunnel start point, tunnel end point and security policy. The key management system is used as the root of trust to perform identity authentication on the tenant and generate an encryption policy associated with the logical tunnel.
[0010] A satellite internet cryptographically defined network isolation method provided by the present invention further includes: On a shared physical infrastructure, multiple non-interfering coverage networks are constructed. The shared physical infrastructure includes at least one of user antennas, satellite constellations, gateway stations, and Internet access point (POP) nodes. Each of the aforementioned overlay networks corresponds to one tenant or one type of service, and tenant isolation and service carrying are achieved in a zero-trust environment through security segment identifiers.
[0011] A satellite internet cryptographically defined network isolation method provided by the present invention further includes: The satellite nodes and ground nodes participating in the path record verification logs for security segment identifiers and path execution logs, supporting complete auditing and security tracking of path integrity, identity credentials, and access behavior.
[0012] A satellite internet cryptographically defined network isolation method provided by the present invention further includes: The ground nodes include user antennas, gateway stations, Internet access point (POP) routers, and core backbone routers. The Internet access point (POP) router, acting as an SRv6 edge node, classifies incoming service flows and encapsulates corresponding SRv6 segment lists according to service type or security policy.
[0013] A satellite internet cryptographically defined network isolation method provided by the present invention further includes: The starting node of the path directly discards data packets that do not have a valid security segment identifier, thus suppressing illegal traffic at the source and implementing path-level logical isolation.
[0014] This invention also provides a satellite internet cryptographically defined network isolation system, comprising: The response module is used to respond to tenant business requests; The conversion module is used to generate a logical tunnel based on the security policy of the business request, and convert the logical tunnel into an SRv6 segment list containing a security segment identifier. The security segment identifier is associated with credential information used to verify the identity and permissions of the tenant hop by hop. The sending module is used to send the SRv6 segment list and security segment identifier information to the satellite nodes and ground nodes participating in the path; The verification module is used to extract the security segment identifier corresponding to the current segment when the satellite nodes and ground nodes of the participating path are forwarding data packets, verify the validity of the security segment identifier and its matching with the current data flow; after the verification is successful, the SRv6 instruction is executed to forward the data packet to the next segment.
[0015] The present invention also provides an electronic device, including a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor executes the computer program to implement the satellite internet cryptographic definition network isolation method as described above.
[0016] The present invention also provides a non-transitory computer-readable storage medium having a computer program stored thereon, which, when executed by a processor, implements the satellite internet cryptographic definition network isolation method as described above.
[0017] The present invention also provides a computer program product, including a computer program that, when executed by a processor, implements the satellite internet cryptographic definition network isolation method as described above.
[0018] This invention provides a satellite internet cryptographically defined network isolation method and system, which converts tenant security policies into an SRv6 segment list containing security segment identifiers, and verifies the validity of the security segment identifiers at each forwarding node in each participating path, ensuring that data packets strictly follow the predefined isolation path. This extends the granularity of security policy execution from the network edge to the backbone network to impose fine-grained constraints on traffic, effectively reducing potential security cross-risks in multi-tenant environments. Attached Figure Description
[0019] To more clearly illustrate the technical solutions in this invention or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are some embodiments of this invention. For those skilled in the art, other drawings can be obtained from these drawings without creative effort.
[0020] Figure 1 This is an overall framework diagram of the satellite internet cryptographic definition network isolation method provided by the present invention; Figure 2 This is a flowchart illustrating the satellite internet cryptographic definition network isolation method provided by the present invention; Figure 3 These are engineering application example diagrams provided by the present invention; Figure 4 This is a schematic diagram of the structure of the satellite internet cryptographic definition network isolation system provided by the present invention; Figure 5 This is a schematic diagram of the structure of the electronic device provided by the present invention. Detailed Implementation
[0021] To make the objectives, technical solutions, and advantages of this invention clearer, the technical solutions of this invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of this invention. All other embodiments obtained by those skilled in the art based on the embodiments of this invention without creative effort are within the scope of protection of this invention.
[0022] Figure 1 This is an overall framework diagram of the satellite internet cryptographic definition network isolation method provided by the present invention; Figure 2 This is a flowchart illustrating the satellite internet cryptographic definition network isolation method provided by the present invention.
[0023] like Figure 1As shown, the overall architecture is a three-tiered progressive architecture, with each layer independent yet deeply collaborative. The control plane is the core of the entire system's decision-making and management, the data plane is the execution carrier of control plane commands, and the service delivery layer is the implementation layer for the entire isolation method. The three-tiered architecture is interconnected, realizing the entire process from security policy formulation to actual tenant isolation business implementation. The composition, core functions, and interaction logic of each layer are as follows: The control plane, the top-level decision-making and management layer of the architecture, consists of an SRv6 controller and a key management system. These two components are deeply coupled and jointly drive the operation of the control plane, serving as the core of trust and command for the entire isolation method. The SRv6 controller acts as the execution engine, receiving differentiated security policies and identity information from tenants of different security levels. After parsing the tenant's business requirements, it maps them to the target private network endpoint, generates logical tunnel definitions, and converts them into a list of SRv6 segments containing security segment identifiers. The key management system, as the sole root of trust in the entire system, performs core functions such as tenant authentication, full lifecycle key management, and the formulation of encryption policies associated with logical tunnels. It also provides identity credential support for the generation of security segment identifiers. Together, they complete the entire decision-making process for policy parsing, path planning, command generation, and security authentication.
[0024] The data plane, serving as the middle execution and forwarding layer of the architecture, is the concrete implementation link for control plane commands. Based on SRv6 source routing technology and combined with security segment identifiers, it achieves hop-by-hop verification and logical isolation of data packets. It consists of all satellite nodes and ground nodes participating in the tenant service forwarding path. The data plane receives the SRv6 segment list and security segment identifier information sent by the control plane. During data packet forwarding, each satellite and ground node performs extraction, validity verification, and matching verification of the security segment identifier with the data flow. If the verification is successful, the SRv6 forwarding command is executed; if the verification fails, forwarding stops. Simultaneously, it suppresses illegal traffic at the source, ensuring that data packets are transmitted strictly according to the isolation path predefined by the control plane, extending the granularity of security policy execution to the backbone network.
[0025] The service delivery layer, as the underlying bearer layer of the architecture, is the actual business delivery link for multi-tenant applications in this invention's isolation method. It is built upon the shared physical infrastructure of satellite internet. This layer constructs multiple independent and non-interfering coverage networks on shared physical infrastructure such as user antennas, satellite constellations, gateway stations, and Internet access point (POP) nodes. Each coverage network uniquely corresponds to one tenant or one type of service and is equipped with an independent security segment identifier namespace. Through a hop-by-hop verification mechanism in the data plane, tenant isolation and service delivery are achieved in a zero-trust environment, completing the final implementation from technical solution to actual business service.
[0026] The interaction logic of the three-tier architecture is as follows: The service delivery layer receives the tenant's business requests and uploads them to the control plane. After the control plane completes policy parsing, path planning and instruction generation based on the business requests, it sends the SRv6 segment list and security segment identifier information to the data plane. The data plane performs hop-by-hop verification and forwarding operations to achieve secure transmission of tenant services in the service delivery layer's overlay network. At the same time, the data plane sends the verification logs and path execution logs back to the control plane to complete the full-process control and auditing.
[0027] The tenant security policy is transformed into an SRv6 segment list containing security segment identifiers. Hop-by-hop verification and forwarding are implemented at the satellite-to-ground forwarding nodes in the data plane. The granularity of security policy execution is extended from the network edge to the backbone network. Service delivery layer enables multi-tenant isolated service carrying, thus solving the security cross-risk problem of multi-tenant isolation in the existing satellite Internet.
[0028] like Figure 1 and Figure 2 As shown in the figure, this embodiment provides a satellite internet cryptographic definition network isolation method, which includes the following steps: 201. Responding to the tenant's business request.
[0029] Specifically, the control plane consists of an SRv6 controller and a key management system, which are deeply coupled and jointly drive the operation of the control plane. The SRv6 controller acts as the execution engine, while the key management system serves as the root of trust for the entire system. Tenants include entities of different security levels and types, such as TOC users, TOB users, and TOG users. Service requests initiated by tenants include their differentiated security policies and identity information reflecting their communication needs. After receiving a service request, the key management system first performs a preliminary verification of the tenant's identity information, and the SRv6 controller receives and parses the core requirements of the service request. This precise reception and verification of service requests from different types of tenants lays the foundation for the generation of security policies and logical tunnels. Simultaneously, the decoupling of the satellite and ground control planes reduces the operational complexity of the satellite-borne network.
[0030] 202. Generate a logical tunnel based on the security policy of the business request, and convert the logical tunnel into a list of SRv6 segments containing security segment identifiers. The security segment identifiers are associated with credential information used to verify the identity and permissions of tenants hop by hop.
[0031] Specifically, the SRv6 controller generates a complete logical tunnel definition based on the parsed service requests and security policies. This definition includes the security policies that must be followed at the tunnel's starting and ending points, as well as the namespace of the tenant's Secure Segment Identifier (S-SID). The security policies cover encryption requirements, access permissions, and other related content. The SRv6 controller then breaks down the logical tunnel into each hop that the data packet must pass through in the satellite internet backbone network. For each node, a Secure Segment Identifier is generated for the corresponding SRv6 segment. This identifier is associated with credentials used to verify the tenant's identity and permissions hop-by-hop. These credentials are generated by the key management system based on the tenant's identity verification results and include core information such as identity token signature information. By transforming the abstract tenant security policy into executable, programmable data plane path instructions, deep integration of security policies and network forwarding paths is achieved, ensuring that traffic forwarding has a clear path and authentication basis.
[0032] 203. Send the SRv6 segment list and safety segment identifier information to the satellite nodes and ground nodes participating in the path.
[0033] Specifically, the control plane automatically pushes the generated SRv6 segment list and complete information of the security segment identifier to all satellite nodes and ground nodes participating in the packet forwarding path. Ground nodes are various forwarding initiation nodes on the ground side of the satellite internet, while satellite nodes only possess basic IPv6 forwarding capabilities and do not need to run complex control plane protocols such as BGP ISIS. After transmission, all participating nodes hold unified path and authentication credential information. This global synchronization of policy and path information across satellite and ground nodes provides a unified basis for hop-by-hop authentication and forwarding, while allowing the satellite network to shield itself from the adverse effects of high latency and dynamic topology changes, existing solely as an efficient forwarding resource.
[0034] 204. When satellite nodes and ground nodes participating in the path forward data packets, extract the security segment identifier corresponding to the current segment, verify the validity of the security segment identifier and its matching with the current data flow; after successful verification, execute the SRv6 instruction to forward the data packet to the next segment.
[0035] Specifically, when a tenant's data packet is sent from the source, it carries a complete list of security segment identifiers. When a satellite node or ground node participating in the path receives the data packet, it first extracts the security segment identifier corresponding to the current segment using its own SRv6 parsing module. Then, based on the trust root support provided by the key management system, it completes two core verifications. The first is to verify the validity of the security segment identifier, checking whether the identifier was generated by the control plane and has not been revoked within its validity period. The second is to verify the matching of the security segment identifier with the current data flow, checking whether the identifier corresponds one-to-one with the tenant's identity, service type, and security policy. If the verification is successful, the node strictly executes the SRv6 instructions and forwards the data packet to the node corresponding to the next segment. If the verification fails, forwarding stops. This extends the granularity of security policy execution from the network edge to the backbone network, enabling hop-by-hop fine-grained constraints on traffic, ensuring that data packets strictly follow predefined isolated paths for forwarding, and effectively reducing potential security cross-risks in multi-tenant environments.
[0036] The method in this embodiment forms a complete closed loop from request and response to hop-by-hop forwarding, which fulfills the requirement of multi-tenant isolation in satellite internet and enables traffic forwarding within the backbone network to have authentication and path constraint capabilities.
[0037] Furthermore, based on the above embodiments, this embodiment also includes: reserving a preset bit field in the SRv6 segment identifier structure, embedding a hashed or encrypted short-term access token, and generating a secure segment identifier; or, defining a security association header in the IPv6 extension header, carrying complete identity token and signature information, and generating a secure segment identifier.
[0038] Specifically, a special segment is reserved within the existing SRv6 segment identifier structure. This reserved segment is a free field within the segment identifier structure, requiring no significant modifications to the original structure. A short-term access token is generated by the key management system in the control plane. This token undergoes hashing or encrypted compression, and the processed short-term access token is then embedded into the reserved segment, combined with the existing SRv6 segment identifier to generate a secure segment identifier. The short-term access token has an expiration time, valid only within the lifecycle of the corresponding service. This approach achieves identity credential embedding while maintaining compatibility with the existing SRv6 segment identifier structure, reducing data plane overhead. Furthermore, the expiration time of the short-term access token significantly reduces the risk of token misuse and tampering, enhancing verification security.
[0039] Leveraging the flexibility of IPv6 extension headers, a dedicated Security Association header is defined within the IPv6 extension header. This Security Association header, as a custom extension field of the IPv6 extension header, is specifically used to carry complete identity token and signature information. This Security Association header is combined with the SRv6 segment identifier to generate a Security Segment Identifier. The identity token is a complete tenant identity and authorization credential generated by the key management system, and the signature information is the control plane's digital signature of the token, used to prevent token tampering during transmission. This approach can carry more comprehensive and detailed tenant identity and authorization information, improving the accuracy of hop-by-hop verification, without requiring any modifications to the original structure of the SRv6 segment identifier. It also exhibits stronger compatibility with the IPv6 SRv6 mechanism and is suitable for tenant services with high security requirements.
[0040] The two generation schemes in this embodiment can be flexibly selected according to the security level and data transmission efficiency requirements of actual business, and both can provide effective identity credentials for hop-by-hop verification.
[0041] Furthermore, based on the above embodiments, the method further includes: allocating independent security segment identifier namespaces for different tenants or different services by the control plane, controlling entities within a slice to only generate and resolve security segment identifiers for their own domains, and performing physical isolation between slices.
[0042] Specifically, the SRv6 controller in the control plane allocates independent security segment identifier namespaces for different tenants or different types of services. Each namespace is globally unique and corresponds one-to-one with the tenant's identity, service type, or security level, with no overlap between different namespaces. Strict access and resolution permissions are set for each namespace; only satellite nodes, ground nodes, and tenant entities within that slice can generate and resolve security segment identifiers for their own domain. They have no permission to resolve, process, or forward security segment identifiers from other namespaces. This achieves physical hard isolation between multi-tenant, multi-service slices, preventing traffic from different slices from intersecting. This surpasses the traditional method of isolation only at the network edge, extending isolation capabilities to every forwarding node in the backbone network, fundamentally preventing information leakage between different slices.
[0043] Furthermore, based on the above embodiments, this embodiment also includes: when a new service is initiated, the control plane dynamically plans the path according to the security policy and generates the corresponding security segment identifier; or, when the service ends or the policy changes, the corresponding security segment identifier path automatically becomes invalid and is recycled, and the control network topology dynamically evolves with the service lifecycle.
[0044] Specifically, when a new tenant service is initiated, the control plane first receives and verifies the new service's request information, security policy, and identity information. Then, the SRv6 controller dynamically plans a dedicated data packet forwarding path for the new service according to the specific requirements of the security policy, and generates a security segment identifier matching the path and a corresponding SRv6 segment list. Finally, all information is automatically sent to the satellite-ground nodes participating in the path.
[0045] When a tenant's business ends (i.e., communication needs are fulfilled) or when the tenant's business security policy changes (e.g., increased encryption requirements or access restrictions), the control plane will immediately mark the security segment identifier path corresponding to the business as invalid and simultaneously reclaim information such as the SRv6 segment list of the path's security segment identifiers. Upon receiving the reclamation command, the satellite and ground nodes participating in that path will no longer verify or forward data packets for that path.
[0046] This approach avoids the security vulnerabilities associated with traditional static configuration, enables the self-evolution of satellite network topology, and allows the network topology to dynamically grow and shrink according to business needs. This significantly reduces the risk of the network being attacked by external reconnaissance, while also improving the dynamic scalability of multi-tenant networks and enabling on-demand allocation of network resources.
[0047] Furthermore, based on the above embodiments, this embodiment also includes: receiving differentiated security policies and identity information of tenants with different security levels through the SRv6 controller, parsing them and mapping them to the target private network endpoint to generate a logical tunnel containing the tunnel start point, tunnel end point and security policy; and performing identity authentication on the tenants through the key management system as the root of trust to generate an encryption policy associated with the logical tunnel.
[0048] Specifically, the SRv6 controller in the control plane receives differentiated security policies from tenants with different security levels. High-security TOG services have higher encryption requirements and access restrictions, while ordinary TOC services use basic security policies. The controller also receives tenant identity information. After deep parsing this information, the SRv6 controller precisely maps it to the target private network endpoint. The mapping process strictly matches the tenant's business needs with the service capabilities of the private network endpoint, subsequently generating a complete logical tunnel definition including the tunnel start point, tunnel end point, and security policies.
[0049] The key management system in the control plane serves as the sole root of trust for the entire isolation method. It performs rigorous authentication of tenant identity information, including verifying the legitimacy of the tenant's identity, the validity of permissions, and the authenticity of business requests. After successful authentication, the key management system generates an encryption policy uniquely associated with the logical tunnel based on the tenant's security policy and the characteristics of the logical tunnel. The encryption policy includes core elements such as encryption algorithm, key type, key lifecycle, and encryption range.
[0050] Through precise mapping by the SRv6 controller, the generated logical tunnels are ensured to be highly matched with the tenant's business needs, avoiding the problem of unreasonable path planning. At the same time, the key management system serves as the root of trust, enhancing the authority and reliability of identity authentication. The exclusive encryption policy generated for each logical tunnel further strengthens tunnel security and provides encrypted protection for subsequent data transmission.
[0051] Furthermore, based on the above embodiments, this embodiment also includes: constructing multiple non-interfering coverage networks on the shared physical infrastructure, the shared physical infrastructure including at least one of user antennas, satellite constellations, gateway stations and Internet access point (POP) nodes; each coverage network corresponds to a tenant or a type of service, and tenant isolation and service carrying in a zero-trust environment are achieved through security segment identifiers.
[0052] Specifically, multiple independent and non-interfering coverage networks are constructed on the shared physical infrastructure of satellite internet. This shared physical infrastructure includes one or more of the following: user antenna satellite constellation gateway stations and Internet access point (POP) nodes. A unique correspondence is established for each coverage network, meaning one coverage network corresponds to only one tenant or one type of service. The forwarding path for each coverage network is exclusively planned by the control plane for that tenant's service and is equipped with an independent security segment identifier namespace. Through a hop-by-hop verification mechanism of the security segment identifier, tenant isolation and service delivery are achieved in a zero-trust environment within each coverage network. Only traffic carrying a valid security segment identifier for that coverage network can enter the corresponding coverage network for forwarding; traffic without a valid identifier cannot enter any coverage network. By fully utilizing the shared physical infrastructure of satellite internet, complete isolation between tenant services is achieved. This improves the utilization rate of physical resources and, in accordance with the requirements of a zero-trust architecture, ensures the security of each tenant's service delivery, perfectly adapting to the needs of multi-tenant shared physical resources requiring independent and secure isolation.
[0053] Furthermore, based on the above embodiments, this embodiment also includes: satellite nodes and ground nodes participating in the path recording verification logs of security segment identifiers and path execution logs, supporting complete auditing and security tracking of path integrity, identity credentials, and access behavior.
[0054] Specifically, all satellite and ground nodes participating in the packet forwarding path record two types of logs in real time during the hop-by-hop verification and SRv6 command forwarding process. The first type is the verification log for the security segment identifier, including verification time, security segment identifier information, verification result, and node identifier for verification execution. The second type is the path execution log, including packet forwarding time, forwarding node, unique packet identifier, and corresponding tenant identity. All nodes upload the recorded logs to the log management module in the control plane in real time. This module summarizes, stores, and classifies the logs, supporting administrators in performing complete auditing and security tracking of path integrity, whether packets are forwarded according to predefined paths, whether identity credentials and security segment identifiers are legal and valid, access behavior, tenant packet transmission behavior, and node forwarding operation behavior. This enables rapid location and tracing of abnormal behavior in the network. Through the full-process monitoring, auditing, and traceability of multi-tenant network isolation, when security anomalies occur in the network, such as illegal identifier path tampering, the problematic nodes and illegal behaviors can be quickly located, improving the security control capabilities and problem handling efficiency of the satellite internet.
[0055] Furthermore, based on the above embodiments, this embodiment also includes: ground nodes including user antennas, gateway stations, Internet access point (POP) routers, and core backbone routers; wherein, the Internet access point (POP) router, as an SRv6 edge node, classifies incoming service flows and encapsulates corresponding SRv6 segment lists according to service type or security policy.
[0056] Specifically, the ground nodes in this embodiment include the four types of nodes mentioned above, each with its own specific function. The user antenna is the initiating node for tenant service requests; the gateway station is the core relay node for satellite-to-ground data transmission; the core backbone router is the main forwarding node of the terrestrial backbone network; and the Internet access point (POP) router is the SRv6 edge node connecting the terrestrial service network and the satellite bearer network. As a core SRv6 edge node, the Internet access point (POP) router's core function is to classify service flows entering the satellite bearer network based on service type, tenant identity, or security policy. Then, based on the classification results, it encapsulates different service flows into corresponding SRv6 segment lists. This encapsulation process is entirely completed on the ground side. After the encapsulated data packets enter the satellite bearer network, the satellite bearer network only performs forwarding operations and is unaware of any control plane information of the terrestrial services, such as BGP, ISIS, or other control protocol information.
[0057] By completely decoupling the terrestrial service control plane from the satellite bearer plane, the terrestrial network can continue to use the mature BGP VPN architecture without requiring significant modifications to the satellite network, thus reducing the transformation cost of the terrestrial network. The satellite network exists solely as an efficient and controllable forwarding resource. Through the classification and encapsulation of POP access routers, the accuracy and security of service flows entering the satellite network are improved, while the adverse effects of dynamic changes in the satellite network topology are shielded.
[0058] Furthermore, based on the above embodiments, this embodiment also includes: the path starting node directly discards data packets that do not have a valid security segment identifier, suppressing illegal traffic at the source and implementing path-level logical isolation.
[0059] Specifically, the starting node of the data packet forwarding path is set as the first line of defense against illegal traffic. This starting node can be a ground node such as a POP access router user antenna, or the starting satellite node of a satellite constellation. Upon receiving a data packet, the starting node does not perform a forwarding operation. Instead, it first checks whether the data packet carries a valid security segment identifier. This verification includes whether the identifier was generated by the control plane, whether it is valid, and whether it matches the tenant identity and service type of the data packet. For data packets without a valid security segment identifier, the starting node will directly discard them without any forwarding operation. Simultaneously, it will record relevant information about the illegal traffic, such as the source address, data packet characteristics, and discard time, and upload this information to the control plane's log management module in real time. Through source interception at the starting node, combined with hop-by-hop verification by subsequent nodes, a dual protection mechanism is formed, achieving source suppression and path-level logical isolation of illegal traffic.
[0060] By preventing illegal traffic from entering the satellite internet backbone network at the source, it avoids illegal traffic from occupying network resources, while further strengthening the security protection capabilities of the backbone network, reducing the interference and security threats of illegal traffic to multi-tenant networks, and making the transmission environment of legitimate traffic safer and more efficient.
[0061] Figure 3 This is an example diagram of an engineering application provided by the present invention.
[0062] like Figure 3 As shown, the left side represents the multi-autonomous system (MAS) access side. Services from different ASs are aggregated to the POP access router via eBGP. The access side maintains a traditional BGP architecture and is unaware of the specific topology and status of the intermediate satellite network. The POP access router, acting as an SRv6 edge node, classifies incoming service flows and encapsulates corresponding SRv6 policies based on service type or policy.
[0063] The light blue area in the middle represents the satellite bearer network. This network does not run complex control plane protocols such as BGP and ISIS, but only has IPv6 forwarding capabilities. It achieves precise control of cross-satellite and multi-hop paths by carrying explicit forwarding expressions through SRv6 S-SIDs. In the diagram, VLANs 2049–4094 are reserved bearer resources, corresponding to different SRv6 logical channels or service slices. This allows the satellite network to be logically abstracted into one or more programmable end-to-end transmission paths, thereby shielding it from the adverse effects of high latency and dynamic topology changes of satellite links.
[0064] On the POP backbone router side, it acts as an SRv6 egress node, performing SRv6 decapsulation and re-introducing service traffic into the core backbone network. Internally, the backbone runs ISIS and iBGP VPN to achieve large-scale route convergence and service isolation, completely independent of the satellite bearer layer. In this way, "decoupling of the terrestrial service control plane and the satellite bearer plane" is achieved. The terrestrial network can continue to use the mature BGP / VPN architecture, while the satellite network exists solely as an efficient and controllable forwarding resource.
[0065] Overall, this architecture uses SRv6 to abstract the complex satellite transmission network into a programmable, slicable IPv6 bearer channel, achieving end-to-end service-level path controllability, network structure simplification, and cross-domain collaboration capabilities. It is particularly suitable for satellite communication scenarios with high requirements for latency, reliability, and path determinism.
[0066] Table 1
[0067] As shown in Table 1, SRV6 uses hop-by-hop verifiable S-SIDs to force the intent path to the data plane, achieving high security isolation. Compared with traditional link or end-to-end encryption schemes, it is more effective in suppressing mid-route rerouting or bypass attacks. The cost is medium control plane complexity and medium-to-high data plane overhead, but it is a natural match with the SRv6 orchestration mechanism and is suitable for engineering deployment.
[0068] The method of the present invention has the following effects: Hop-by-hop verifiable security isolation: Data packets must carry a valid S-SID at each hop and be verified using an identity token. Unauthorized traffic is dropped at the start of the path, achieving source suppression and path-level logical isolation, significantly improving security in multi-tenant environments.
[0069] Strong tenant isolation and slice security: Through an independent S-SID namespace, it ensures that entities within a slice can only generate and resolve S-SIDs of their own domain, achieving physical hard isolation. This goes beyond traditional VLAN / VRF or link / end-to-end encryption, which only achieve isolation at the edge, extending logical isolation to every hop of the backbone network.
[0070] Programmable and executable security policies are implemented: The control plane transforms abstract tenant security policies into executable SRv6 segment lists and S-SID paths, enabling automatic policy execution in the data plane. The combination of verification mechanisms and path planning shifts network behavior from stateless table lookups to stateful authorization verification, improving the reliability of policy execution.
[0071] Dynamic network topology and service lifecycle management: Supports on-demand generation and dynamic destruction of S-SID paths, allowing the network topology to evolve automatically throughout the service lifecycle. This reduces the risk of reconnaissance and attacks, and improves network resilience and scalability.
[0072] Zero Trust and Auditability: S-SID verification and path execution logs are recorded throughout the entire process, supporting end-to-end auditing and security tracing. Verifiable data plane constraints ensure that network behavior fully complies with tenant security policies, achieving a zero-trust security architecture.
[0073] Enhanced anti-hijacking and lateral movement capabilities: Hop-by-hop verification and strong path constraint mechanisms suppress mid-route rerouting or bypass attacks, effectively preventing unauthorized lateral traffic movement. Improved security protection capabilities of core backbone networks in multi-tenant environments.
[0074] Engineering feasibility: The solution can be implemented on the existing satellite constellation and ground POP network architecture, and is compatible with SRv6 source routing and IPv6 extension header mechanism.
[0075] The following describes the SRv6-based cryptographic definition network isolation system for satellite internet provided by this invention. The SRv6-based cryptographic definition network isolation system described below can be referred to in correspondence with the SRv6-based cryptographic definition network isolation method described above.
[0076] Figure 4 This is a schematic diagram of the structure of the satellite internet cryptographic definition network isolation system provided by the present invention.
[0077] like Figure 4 As shown in this embodiment, a satellite internet cryptographic definition network isolation system based on SRv6 is provided, comprising: Response module 401 is used to respond to the tenant's business requests; The conversion module 402 is used to generate a logical tunnel based on the security policy of the business request, and convert the logical tunnel into a list of SRv6 segments containing security segment identifiers. The security segment identifiers are associated with credential information used to verify the identity and permissions of tenants hop by hop. The sending module 403 is used to send the SRv6 segment list and security segment identifier information to the satellite nodes and ground nodes participating in the path; The verification module 404 is used to extract the security segment identifier corresponding to the current segment when satellite nodes and ground nodes participating in the path forward data packets, verify the validity of the security segment identifier and its matching with the current data flow; after the verification is successful, the SRv6 instruction is executed to forward the data packet to the next segment.
[0078] Figure 5 This is a schematic diagram of the structure of the electronic device provided by the present invention.
[0079] like Figure 5 As shown, the electronic device may include a processor 510, a communications interface 520, a memory 530, and a communication bus 540, wherein the processor 510, communications interface 520, and memory 530 communicate with each other via the communication bus 540. The processor 510 can invoke logical instructions in the memory 530 to execute a satellite internet cryptographically defined network isolation method, including: responding to a tenant's service request; generating a logical tunnel based on the security policy of the service request; converting the logical tunnel into an SRv6 segment list containing a security segment identifier, the security segment identifier being associated with credential information used for hop-by-hop verification of the tenant's identity and permissions; sending the SRv6 segment list and security segment identifier information to satellite nodes and ground nodes participating in the path; when the satellite nodes and ground nodes participating in the path forward data packets, extracting the security segment identifier corresponding to the current segment, verifying the validity of the security segment identifier and its matching with the current data flow; after successful verification, executing SRv6 instructions to forward the data packet to the next segment.
[0080] Furthermore, the logical instructions in the aforementioned memory 530 can be implemented as software functional units and, when sold or used as independent products, can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention, or the part that contributes to the prior art, or a part of the technical solution, can be embodied in the form of a software product. This computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of the present invention. The aforementioned storage medium includes various media capable of storing program code, such as USB flash drives, portable hard drives, read-only memory (ROM), random access memory (RAM), magnetic disks, or optical disks.
[0081] On the other hand, the present invention also provides a computer program product, which includes a computer program that can be stored on a non-transitory computer-readable storage medium. When the computer program is executed by a processor, the computer can execute the satellite internet cryptographically defined network isolation method provided by the above methods, including: responding to a tenant's service request; generating a logical tunnel based on the security policy of the service request; converting the logical tunnel into an SRv6 segment list containing a security segment identifier, wherein the security segment identifier is associated with credential information used to verify the identity and permissions of the tenant hop-by-hop; sending the SRv6 segment list and the security segment identifier information to the satellite nodes and ground nodes participating in the path; when the satellite nodes and ground nodes participating in the path forward data packets, extracting the security segment identifier corresponding to the current segment, verifying the validity of the security segment identifier and its matching with the current data flow; after successful verification, executing an SRv6 instruction to forward the data packet to the next segment.
[0082] In another aspect, the present invention also provides a non-transitory computer-readable storage medium storing a computer program thereon. When executed by a processor, the computer program implements the satellite internet cryptographically defined network isolation method provided by the methods described above, including: responding to a tenant's service request; generating a logical tunnel based on the security policy of the service request; converting the logical tunnel into an SRv6 segment list containing a security segment identifier, wherein the security segment identifier is associated with credential information used to verify the identity and permissions of the tenant hop-by-hop; sending the SRv6 segment list and the security segment identifier information to satellite nodes and ground nodes participating in the path; when the satellite nodes and ground nodes participating in the path forward data packets, extracting the security segment identifier corresponding to the current segment, verifying the validity of the security segment identifier and its matching with the current data flow; after successful verification, executing an SRv6 instruction to forward the data packet to the next segment.
[0083] The device embodiments described above are merely illustrative. The units described as separate components may or may not be physically separate. The components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the modules can be selected to achieve the purpose of this embodiment according to actual needs. Those skilled in the art can understand and implement this without any creative effort.
[0084] Through the above description of the embodiments, those skilled in the art can clearly understand that each embodiment can be implemented by means of software plus necessary general-purpose hardware platforms, and of course, it can also be implemented by hardware. Based on this understanding, the above technical solutions, in essence or the part that contributes to the prior art, can be embodied in the form of a software product. This computer software product can be stored in a computer-readable storage medium, such as ROM / RAM, magnetic disk, optical disk, etc., and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute the methods described in the various embodiments or some parts of the embodiments.
[0085] Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention, and not to limit them; although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that modifications can still be made to the technical solutions described in the foregoing embodiments, or equivalent substitutions can be made to some of the technical features; and these modifications or substitutions do not cause the essence of the corresponding technical solutions to deviate from the spirit and scope of the technical solutions of the embodiments of the present invention.
Claims
1. A method for cryptographically defined network isolation in satellite internet, characterized in that, include: Responding to the tenant's business requests; Based on the security policy of the business request, a logical tunnel is generated, and the logical tunnel is converted into a list of SRv6 segments containing security segment identifiers. The security segment identifiers are associated with credential information used to verify the identity and permissions of the tenant hop by hop. The SRv6 segment list and security segment identifier information are sent to the satellite nodes and ground nodes participating in the path; When satellite nodes and ground nodes participating in the path forward data packets, they extract the security segment identifier corresponding to the current segment, verify the validity of the security segment identifier and its matching with the current data flow; after successful verification, they execute the SRv6 instruction to forward the data packet to the next segment.
2. The satellite internet cryptographic definition network isolation method according to claim 1, characterized in that, Also includes: In the segment identifier structure of SRv6, a preset bit segment is reserved, and a short-term access token that has been hashed or encrypted is embedded to generate a secure segment identifier. or, Define a security association header in the IPv6 extension header, carrying complete identity token and signature information, and generate a security segment identifier.
3. The satellite internet cryptographic definition network isolation method according to claim 2, characterized in that, Also includes: The control plane allocates independent security segment identifier namespaces for different tenants or different services, and controls entities within a slice to only generate and resolve security segment identifiers for their own domains, thus achieving physical isolation between slices.
4. The satellite internet cryptographic definition network isolation method according to claim 3, characterized in that, Also includes: When a new service is initiated, the control plane dynamically plans the path according to the security policy and generates the corresponding security segment identifier. or, When a service ends or a policy changes, the corresponding security segment identifier path automatically becomes invalid and is reclaimed, controlling the dynamic evolution of the network topology along with the service lifecycle.
5. The satellite internet cryptographic definition network isolation method according to claim 1, characterized in that, Also includes: The SRv6 controller receives differentiated security policies and identity information of tenants with different security levels, parses them, maps them to the target private network endpoint, and generates a logical tunnel containing the tunnel start point, tunnel end point and security policy. The key management system is used as the root of trust to perform identity authentication on the tenant and generate an encryption policy associated with the logical tunnel.
6. The satellite internet cryptographic definition network isolation method according to claim 1, characterized in that, Also includes: On a shared physical infrastructure, multiple non-interfering coverage networks are constructed. The shared physical infrastructure includes at least one of user antennas, satellite constellations, gateway stations, and Internet access point (POP) nodes. Each of the aforementioned overlay networks corresponds to one tenant or one type of service, and tenant isolation and service carrying are achieved in a zero-trust environment through security segment identifiers.
7. The satellite internet cryptographic definition network isolation method according to claim 1, characterized in that, Also includes: The satellite nodes and ground nodes participating in the path record verification logs for security segment identifiers and path execution logs, supporting complete auditing and security tracking of path integrity, identity credentials, and access behavior.
8. The satellite internet cryptographic definition network isolation method according to claim 1, characterized in that, Also includes: The ground nodes include user antennas, gateway stations, Internet access point (POP) routers, and core backbone routers. The Internet access point (POP) router, acting as an SRv6 edge node, classifies incoming service flows and encapsulates corresponding SRv6 segment lists according to service type or security policy.
9. The satellite internet cryptographic definition network isolation method according to claim 1, characterized in that, Also includes: The starting node of the path directly discards data packets that do not have a valid security segment identifier, thus suppressing illegal traffic at the source and implementing path-level logical isolation.
10. A satellite internet cryptographically defined network isolation system, characterized in that, include: The response module is used to respond to tenant business requests; The conversion module is used to generate a logical tunnel based on the security policy of the business request, and convert the logical tunnel into an SRv6 segment list containing a security segment identifier. The security segment identifier is associated with credential information used to verify the identity and permissions of the tenant hop by hop. The sending module is used to send the SRv6 segment list and security segment identifier information to the satellite nodes and ground nodes participating in the path; The verification module is used to extract the security segment identifier corresponding to the current segment when the satellite nodes and ground nodes of the participating path are forwarding data packets, verify the validity of the security segment identifier and its matching with the current data flow; after the verification is successful, the SRv6 instruction is executed to forward the data packet to the next segment.