CN-122027267-A - Cross-network segment data relay transmission method in local area network isolation environment
Abstract
The invention discloses a method for relaying data across network segments in a local area network isolation environment. The method runs on a relay host with two network cards and comprises: obtaining data to be forwarded from a first host; encapsulating that data into a forwarding frame that carries protocol information, message characteristic information, channel information and data information; and sending the forwarding frame to a second host through the target network card/sending socket and the data forwarding channel that corresponds to the data forwarding direction. The first network segment and the second network segment are isolated from each other; the relay host is attached to both segments; the two segments are the local area networks of the first host and the second host respectively; and a data forwarding channel is uniquely determined by a source port identifier, a target port identifier and a data flow direction. The method is easy to operate and stable.
Inventors
- Xue Faguang
- LI CHENG
- RONG PENGSHUAI
- LIU LEI
- DU RONGZHEN
- LI XIAOYONG
- ZHOU FENG
Assignees
- 西安电子科技大学 (Xidian University)
Dates
- Publication Date
- 2026-05-12
- Application Date
- 2026-02-04
Claims (10)
- 1. A cross-network segment data relay transmission method in a local area network isolation environment, applied to a relay host with two network cards, comprising: acquiring data to be forwarded from a first host; encapsulating the data to be forwarded to obtain a forwarding frame, wherein the forwarding frame comprises protocol information, message characteristic information, channel information and data information; and transmitting the forwarding frame to a second host through the target network card/sending socket and the data forwarding channel corresponding to the data forwarding direction; wherein the first network segment and the second network segment are in an isolated state, the two network cards of the relay host are connected to the first network segment and the second network segment respectively, the first and second network segments are the local area networks to which the first host and the second host are connected respectively, and the data forwarding channel is uniquely determined by a source port identifier, a target port identifier and a data flow direction.
- 2. The method of claim 1, wherein, if no data has been received for a duration T1, scanning is performed at a silence scan interval, and if data was received within the preceding T1, scanning is performed at an active scan interval, where T1 is a preset active hold time and the silence scan interval is greater than the active scan interval.
- 3. The method of claim 1, wherein, before the forwarding frame is sent to the second host, the method further comprises: performing in sequence an anti-replay check, a first message validity check and a second message validity check on the forwarding frame, and sending the forwarding frame to the second host only after all checks have passed; the first message validity check confirms that the format and protocol of the data to be forwarded can be processed, and the second message validity check ensures that the forwarding frame complies with the forwarding rules and resource constraints.
- 4. The method of claim 1, wherein the protocol information comprises a protocol identifier and version information, the message characteristic information comprises a message type and a flag bit, the channel information comprises a forwarding sequence number, a time stamp, a channel identifier and a configuration generation number, and the data information comprises the data to be forwarded and its payload length; the first message validity check comprises a length consistency check and a protocol identifier and version check, and the second message validity check comprises a length and boundary check, a channel matching check and a protocol field check.
- 5. The method of claim 4, wherein performing the anti-replay check on the forwarding frame comprises: determining whether the time stamp of the forwarding frame lies within an error range and whether the forwarding sequence number of the forwarding frame appears in a received-record window; and if the time stamp lies within the current error range and the forwarding sequence number does not appear in the received-record window, confirming that the forwarding frame passes the anti-replay check, otherwise confirming that the forwarding frame fails the anti-replay check.
- 6. The method of claim 4, wherein, if the state of the data forwarding channel has changed within a time T_guard before the forwarding frame is sent to the second host, the method further comprises, before sending the forwarding frame: determining whether the configuration generation number of the forwarding frame equals the current configuration generation number of the data forwarding channel, where T_guard is the duration of a preset protection window and the configuration generation number is updated whenever the state of the data forwarding channel changes; and if the two configuration generation numbers are equal, sending the forwarding frame to the second host, otherwise discarding the forwarding frame.
- 7. The method of claim 4, wherein the protocol information further comprises a message authentication code field, and the first message validity check and the second message validity check further comprise authentication checks.
- 8. The method of claim 7, wherein, after sending the forwarding frame to the second host, the method further comprises generating an audit log, the audit log comprising at least the time stamp of the forwarding frame, the channel identifier, a first host identifier, a second host identifier, the payload length, the forwarding sequence number, the authentication state and the send return value/error code.
- 9. A relay host with two network cards, comprising: a receiving unit for receiving data to be forwarded sent by a first host; an encapsulation unit for encapsulating the data to be forwarded to obtain a forwarding frame, wherein the forwarding frame comprises protocol information, message characteristic information, channel information and data information; and a sending unit for sending the forwarding frame to a second host through the target network card/sending socket and the data forwarding channel corresponding to the data forwarding direction; wherein the first network segment and the second network segment are in an isolated state, the two network cards of the relay host are connected to the first network segment and the second network segment respectively, the first and second network segments are the local area networks to which the first host and the second host are connected respectively, and the data forwarding channel is uniquely determined by a source port identifier, a target port identifier and a data flow direction.
- 10. A computer-readable storage medium storing a computer program which, when executed by a relay host, implements the method of any one of claims 1 to 7.
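The check pipeline of claims 3 to 8, as an added Python example that is not part of the patent and not the applicant's code. The claims name the frame fields but fix no encoding, so the wire layout (a 27-byte big-endian header), HMAC-SHA256 as the message authentication code, the per-channel key, the bitmask received-record window and the numeric limits (TS_TOLERANCE, WINDOW, MAX_PAYLOAD, T_GUARD) are all assumptions; the channel identifier is carried on the wire as the (source port, target port, direction) triple of claim 1, and the sample frames are constructed inline.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Assumed wire layout, big-endian (the patent names these fields but fixes no encoding):
#  protocol id (3) | version (1) | message type (1) | flag bits (1) | forwarding seq (4) |
#  time stamp (8, float seconds) | source port id (2) | target port id (2) | direction (1) |
#  configuration generation (2) | payload length (2) | payload | MAC (32, HMAC-SHA256)
HDR = struct.Struct("!3sBBBIdHHBHH")
PROTO_ID, VERSION, MSG_DATA, MAC_LEN = b"RLY", 1, 0x01, 32
MAX_PAYLOAD = 1400     # resource constraint of the second validity check (assumed)
TS_TOLERANCE = 5.0     # anti-replay clock error range, seconds (assumed)
WINDOW = 64            # received-record window, in sequence numbers (assumed)
T_GUARD = 30.0         # protection window after a channel state change, seconds (assumed)


@dataclass
class Channel:
    """One data forwarding channel, uniquely identified by (src, dst, direction)."""
    src: int
    dst: int
    direction: int            # 0: first segment -> second segment, 1: the reverse
    key: bytes                # per-channel MAC key (assumed provisioning)
    hosts: tuple              # (first host identifier, second host identifier)
    generation: int = 0       # configuration generation number
    changed_at: float = 0.0   # time of the last channel state change
    highest_seq: int = 0      # received-record window: highest accepted seq ...
    seen: int = 0             # ... and a bitmask of accepted seqs below it

    def change_state(self, now):
        """Any channel state change bumps the generation number (claim 6)."""
        self.generation = (self.generation + 1) & 0xFFFF
        self.changed_at = now

    def is_fresh(self, seq):
        # Read-only anti-replay lookup: is seq absent from the record window?
        if seq > self.highest_seq:
            return True
        diff = self.highest_seq - seq
        return diff < WINDOW and not (self.seen >> diff) & 1

    def record(self, seq):
        # Advance the received-record window; called only for accepted frames.
        if seq > self.highest_seq:
            shift = seq - self.highest_seq
            self.seen = 1 if shift >= WINDOW else ((self.seen << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest_seq = seq
        else:
            self.seen |= 1 << (self.highest_seq - seq)


def encapsulate(payload, ch, seq, ts):
    """Sender side: header + payload, authenticated as one unit with the channel key."""
    hdr = HDR.pack(PROTO_ID, VERSION, MSG_DATA, 0, seq, ts,
                   ch.src, ch.dst, ch.direction, ch.generation, len(payload))
    return hdr + payload + hmac.new(ch.key, hdr + payload, hashlib.sha256).digest()


class Relay:
    def __init__(self, channels):
        self.channels = {(c.src, c.dst, c.direction): c for c in channels}
        self.audit = []   # one entry per frame, accepted or rejected (claim 8)

    def inspect(self, frame, now):
        """Run the checks in the order of claim 3; return (accepted, reason, payload).
        No channel state changes until every check, including the MAC, has passed."""
        if len(frame) < HDR.size + MAC_LEN:
            return self._finish(None, None, None, None, "short_frame")
        pid, ver, mtype, _flags, seq, ts, src, dst, direction, gen, plen = HDR.unpack_from(frame)
        ch = self.channels.get((src, dst, direction))
        def reject(why):
            return self._finish(ch, seq, plen, ts, why)
        # 1. anti-replay (claim 5); written as "not within" so a NaN time stamp cannot slip past
        if not abs(now - ts) <= TS_TOLERANCE:
            return reject("stale_timestamp")
        if ch is not None and not ch.is_fresh(seq):
            return reject("replay")
        # 2. first validity check: length consistency, protocol id and version
        if len(frame) != HDR.size + plen + MAC_LEN:
            return reject("length_mismatch")
        if pid != PROTO_ID or ver != VERSION:
            return reject("bad_protocol")
        # 3. second validity check: boundary, channel matching, protocol field, MAC (claim 7)
        if plen > MAX_PAYLOAD:
            return reject("oversize")
        if ch is None:
            return reject("unknown_channel")
        if mtype != MSG_DATA:
            return reject("bad_type")
        body, mac = frame[:HDR.size + plen], frame[HDR.size + plen:]
        if not hmac.compare_digest(mac, hmac.new(ch.key, body, hashlib.sha256).digest()):
            return reject("bad_mac")
        # 4. configuration generation guard, active only within T_GUARD of a change (claim 6)
        if now - ch.changed_at < T_GUARD and gen != ch.generation:
            return reject("stale_generation")
        ch.record(seq)   # all checks passed: only now advance the received-record window
        self._finish(ch, seq, plen, ts, "ok")
        return True, "ok", body[HDR.size:]

    def _finish(self, ch, seq, plen, ts, reason):
        # Audit entry with the claim-8 fields; the send result doubles as the error code.
        self.audit.append({"ts": ts, "channel": (ch.src, ch.dst, ch.direction) if ch else None,
                           "hosts": ch.hosts if ch else None, "len": plen, "seq": seq,
                           "auth": "verified" if reason == "ok" else "unverified",
                           "result": 0 if reason == "ok" else reason})
        return reason == "ok", reason, None
```

Two design points worth noting. The anti-replay lookup is read-only and the window is advanced only after the MAC verifies, so an attacker on the first segment cannot burn sequence numbers or poison the window with unauthenticated frames; a tampered frame with sequence number 2 is rejected, and the genuine frame 2 is still accepted afterwards. Claim 6 only enforces the generation check inside the protection window T_guard; a deployment that wants stale configuration rejected at all times can simply drop the `now - ch.changed_at < T_GUARD` condition.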
Description
Cross-network segment data relay transmission method in local area network isolation environment
Technical Field
The invention belongs to the technical field of data transmission, and in particular relates to a cross-network segment data relay transmission method in a local area network isolation environment.
Background
In the local area networks of enterprises, research institutions or production sites, the network is often divided into multiple isolated segments because of security policies or network management requirements. Direct routing between segments is usually forbidden or access is restricted, so hosts in different segments cannot communicate directly. Nevertheless, scenarios such as device linkage, data acquisition, log aggregation and automatic control still require cross-segment data exchange. In such scenarios, the usual choices are to modify network device policies (routing, ACLs, firewall rules and so on), or to use generic port forwarding or a simple proxy. Modifying network device policy suffers from limited authority, a complex approval process, a large impact on the existing network and difficult auditing; port forwarding or simple proxy tools lack long-term operational stability in an isolated scenario and struggle to meet the enterprise operations requirement of being "controllable and auditable". Current data exchange methods in a local area network isolation environment are therefore difficult to operate and have low stability.
Disclosure of Invention
The embodiment of the invention provides a cross-network segment data relay transmission method in a local area network isolation environment that solves the technical problems above.
In a first aspect, an embodiment of the invention provides a cross-network segment data relay transmission method in a local area network isolation environment, applied to a relay host with two network cards, the method comprising: acquiring data to be forwarded from a first host; encapsulating the data to be forwarded to obtain a forwarding frame, the forwarding frame comprising protocol information, message characteristic information, channel information and data information; and transmitting the forwarding frame to the second host through the target network card/sending socket and the data forwarding channel corresponding to the data forwarding direction; wherein the first network segment and the second network segment are in an isolated state, the two network cards of the relay host are connected to the first network segment and the second network segment respectively, the first and second network segments are the local area networks to which the first host and the second host are connected respectively, and the data forwarding channel is uniquely determined by a source port identifier, a target port identifier and a data flow direction.
In a second aspect, an embodiment of the invention provides a relay host with two network cards, comprising: a receiving unit for receiving data to be forwarded sent by a first host; an encapsulation unit for encapsulating the data to be forwarded to obtain a forwarding frame, the forwarding frame comprising protocol information, message characteristic information, channel information and data information; and a sending unit for sending the forwarding frame to a second host through the target network card/sending socket and the data forwarding channel corresponding to the data forwarding direction; wherein the first network segment and the second network segment are in an isolated state, the two network cards of the relay host are connected to the first network segment and the second network segment respectively, the first and second network segments are the local area networks to which the first host and the second host are connected respectively, and the data forwarding channel is uniquely determined by a source port identifier, a target port identifier and a data flow direction.
In a third aspect, an embodiment of the invention provides a computer-readable storage medium storing a computer program which, when executed, performs the method of the first aspect.
Compared with the prior art, the embodiment of the invention has the beneficial effect that encapsulating the data and incorporating protocol information, message characteristic information, channel information and data information standardizes and structures the transmitted data, adapts it to diverse network protocol environments, and the identifiabi