CN109951485A - SDN-based Internet of things access control method - Google Patents

Publication number: CN109951485A
Authority: CN (China)
Legal status: Granted
Application number: CN201910213943.5A
Other languages: Chinese (zh)
Other versions: CN109951485B (en)
Inventors: 魏旻, 聂自闯
Current assignee: Kyland Technology Co Ltd
Original assignee (applicant): Chongqing University of Post and Telecommunications

Abstract

The invention relates to an SDN-based Internet of Things access control method and belongs to the field of the Internet of Things. S1: an IoT device access control architecture based on an SDN network is proposed. S2: the access control process is divided into the following links: S21 token construction; S22 access request; S23 fine-grained access control decision; S24 access control policy enforcement. Within an SDN network architecture the invention reduces the complexity of access control enforcement and policy management, and by introducing SDN concepts it allows access control to be applied at a finer granularity.

Description

An SDN-based Internet of Things access control method
Technical field
The invention belongs to the field of the Internet of Things and relates to an SDN-based Internet of Things access control method.
Background
Access control is a major problem that Internet of Things security needs to solve. IoT access control currently relies mainly on schemes such as discretionary access control and mandatory access control. Access control policies in traditional networks have the following problems: a lack of authorization, a lack of the distributed nature of access control models (authorization needs centralized control), inconsistency between rules and policies, the complexity of managing static rules and policies, and the performance bottleneck and single point of failure of the policy enforcement point. In addition, most access control in current networks is limited to firewalls and access control lists (ACLs) on network devices. Firewalls suffer from single points of failure and static configuration; ACLs are complex to manage and error-prone. When manual configuration is relied upon (ACLs, VLANs, filter rules), the approach is error-prone and misconfiguration easily occurs.
In recent years software-defined networking (SDN) has been introduced into the Internet of Things. SDN separates the control plane of the IoT from the forwarding plane and thereby abstracts the underlying infrastructure.
How to handle the access control problem of the Internet of Things well once SDN has been introduced has always been a research hotspot. The SDN network architecture is therefore introduced as the key to reducing the complexity of access control enforcement and policy management.
Summary of the invention
In view of this, the purpose of the invention is to provide an SDN-based Internet of Things access control method.
To achieve the above objective, the invention provides the following technical scheme:
An SDN-based Internet of Things access control method comprises the following steps:
S1: first, an IoT device access control architecture based on an SDN network is proposed, comprising:
A. Application layer
This layer consists of a group of application programs deployed on the virtualized core network.
B. Control layer
This layer is responsible for managing the network-layer devices. The control layer has the highest security level and is the core of access control management. It can obtain the configuration of all network devices and implements identity authentication and access rules; the SDN controller can detect malicious behaviour or other danger signals and, when they occur, generate and modify new forwarding rules.
C. Network layer
This layer contains two kinds of switches: SDN switches and SDN access switches. Both are managed by the control layer, and the access rules are defined by the control layer. The SDN switch is the basic network device and forwards data; the SDN controller configures the SDN switches with flow tables and connects them with the devices that are allowed to communicate. The SDN access switch includes the functions of the SDN switch and, when an unauthorized data stream exists between IoT devices, filters that stream, so that the SDN access switch controls the data streams.
D. Device layer
This layer consists of a group of heterogeneous devices that hold different data and support different access services. A device can run multiple application programs, each of which accesses different categories of data with different permissions. The layer contains the following devices:
(1) Gateways: two kinds, the Security Manager gateway and the PDP gateway. The Security Manager gateway constructs and issues tokens; the PDP gateway implements the policy decision point (PDP) function of access control and generates access control decisions for access requests.
(2) Subject: the IoT node that initiates an access request.
(3) Object: the IoT node being accessed.
S2: the access control process is divided into the following links:
S21 Token construction
When a subject needs to access an object, it sends an access request message to the Security Manager gateway. The Security Manager gateway obtains the subject and object IDs, the request action and the token context information contained in the access request message, generates a token and issues it to the subject.
S22 Access request
The subject initiates an access request to the object in order to access the data or resources stored in the object. The subject generates an access request with the token attached; the token authenticates the subject to the object and establishes the access control relationship, and the request is not read by any intermediate entity. The access request is forwarded to the object by the SDN switches; after the object IoT device receives the access request it starts the token verification step.
S23 Fine-grained access control decision
When the PDP gateway receives the subject's access request message, it looks up the subject ID corresponding to the subject IP address and the request actions the subject may be authorized for in its association table of subject IP, ID and allowed request actions, and forwards them to the object together with the access request message. After the object IoT device receives the access request it performs token verification, as follows:
1. the object checks whether a token is included;
2. the object checks the validity of the digital signature;
3. the object verifies the spatial context information.
If token verification fails, the access control decision is deny; the object sends the access control decision, the subject and object IDs and the subject's access time <TC1:TC2> to the PDP gateway, which forwards the decision to the SDN controller.
If token verification succeeds, the object sends the subject and object IDs, the request action RA, the context information and the object's permitted access period to the PDP gateway, which then generates the specific fine-grained access control decision.
The PDP gateway judges the subject role R, the device security level DS of subject and object, the device universality level UR and the data sensitivity level PU, generates the access control decision and issues it to the SDN controller.
S24 Access control policy enforcement
Once the SDN control layer has obtained the access control decision, the subject and object IDs and the subject's access time <TC1:TC2>, it converts this information into a flow_mod flow table entry and issues it to the SDN access switch at time TC1. From TC1 the subject starts sending the authorized data stream to the object; this stream may also contain unauthorized data. When the data stream enters the SDN access switch, the switch separates authorized from unauthorized data according to the flow_mod rule it received, filters the unauthorized data stream, and performs the "forward" operation on the authorized data stream.
Then, when the PDP gateway receives a data packet from the subject IP, it looks up the subject ID corresponding to that IP address and the allowed request actions in its association table and forwards them to the object together with the packet. The object matches the allowed request actions against the request action in the data message. If matching fails, the current access ends, and the final state and the subject and object IDs are sent to the SDN controller, which issues an instruction to the SDN access switch to update or delete the flow entry in the specified flow table; the subject must then re-execute steps S21 to S24. If matching succeeds, the object generates a response, executes the request action and returns the response to the subject.
At time TC2 the SDN controller automatically issues an instruction to the SDN access switch to update or delete the flow entry in the specified flow table. If the subject needs to access the object again, it must resend an access control request with a token and run steps S21 to S24 again.
Further, S21 is specifically:
The structure of the capability token is as follows:
ICAP = {S, O, RA, CC}
where the parameters have the following meaning:
S: the subject; the subject ID is used as S during token construction and uniquely identifies the capability token;
O: the object; the object ID is used as O during token construction;
RA: a set of request actions drawn from GET, POST, PUT and DELETE; RA is one or more of <GET>, <POST>, <PUT>, <DELETE>, or <NULL>; if RA = <NULL>, the subject is not authorized for any request action;
CC: a set of token context information, including the time context, the device security level, the device universality level, the digital signature and the public key.
The context information comprises the time context, the spatial context, the device security level, the device universality level and the data sensitivity level:
1. Time context TC: the subject's access time, i.e. TC = <TC1:TC2>, where TC1 is the access start time and TC2 the access end time.
2. Spatial context SC: the IP addresses and IP address ranges from which the object allows access, i.e. SC = <IP1:IP2:IP3:...:IPi>; the spatial context is managed by the object.
3. Device security level DS: the proportion of trusted devices among all devices in the same spatial range as the subject device. If the proportion is low, the subject's device security level is 0, i.e. DSs = 0; if it is high, DSs = 1. The subject's device security level is stored in the Security Manager gateway; the device security level the object permits is determined by the object and stored in the object.
4. Device universality level UR: the proportion of devices of the object's kind among the total number of devices in the same spatial range. If the proportion is low, the object's device universality level is 0, i.e. URo = 0; if it is high, URo = 1. The universality level of the device requested by the subject is determined by the subject and stored in the subject; the object's device universality level is stored in the PDP gateway.
5. Data sensitivity level PU: divided into two levels, general and serious. Data whose access would have less serious consequences are general, PU = 1; data whose access would have more serious consequences are serious, PU = 2. The data sensitivity level is defined by the object itself and stored in the object.
Further, S22 is specifically:
After the subject receives the capability token, it tries to access the object: the subject generates an access request with the token attached and sends it to the object.
Further, S23 is specifically:
When the PDP gateway receives the subject's access request message, it looks up the subject ID corresponding to the subject IP address and the allowed request actions in its association table of subject IP, ID and allowed request actions, and forwards them to the object together with the access request message. After receiving the access request, the object IoT device starts the token verification process. First, the object checks whether the request contains a token, whether the token is valid and whether the signature is valid; second, the object checks whether the spatial context SC in the token context satisfies the verification condition. After the token has been verified, the object sends the subject and object IDs, the context information, the request action RA and the object's permitted access period to the PDP gateway, which checks them against conditions such as the object's device universality level that it maintains and generates the access control decision.
After the object receives the token in the access request it runs the token verification process, with the following steps:
1) The object checks whether a token is included and whether it is valid. When the object device receives the access request it first checks whether the request contains a token. If the request contains a token and the token's issue time lies within the token's validity period, it proceeds to verification step 2). If the request contains no token, or the token's issue time lies outside its validity period, there are two cases:
(a) the object matches the request action in the data message against the request actions the subject is allowed to be authorized for, taken from the association table of subject IP, ID and allowed request actions; if matching fails, the current access ends, and the final state, the subject and object IDs and the subject's access time <TC1:TC2> are sent to the SDN controller, which issues an instruction to the SDN access switch to update or delete the flow entry in the specified flow table, after which the subject must re-execute steps S21 to S24;
(b) if matching succeeds, the object generates a response, executes the request action and returns the response to the subject.
2) The object checks whether the signature is valid. If the signature is invalid, the authorization process stops, the access control decision is deny, and the object sends the access control decision, the subject and object IDs and the subject's access time <TC1:TC2> to the PDP gateway. If the signature is valid, it proceeds to the next verification step.
3) The object checks whether the spatial context information satisfies the verification condition.
If the subject's IP address IPs is present in the spatial context SC, i.e. IPs ∈ SC, it proceeds to the next verification step.
If the subject's IP address is not in the spatial context SC, i.e. IPs ∉ SC, verification fails, the access control decision is deny, and the object sends the access control decision, the subject and object IDs and the subject's access time <TC1:TC2> to the PDP gateway.
If any step of token verification fails, token verification as a whole fails, the access control decision is deny, and the object sends the access control decision, the subject and object IDs and the subject's access time <TC1:TC2> to the PDP gateway. Otherwise token verification is complete: the object sends the subject and object IDs, the request action RA, the context information and the object's permitted access period to the PDP gateway, which uses them to generate the specific fine-grained access control decision.
The PDP gateway judges the subject role R, the device security level DS of subject and object, the device universality level UR and the data sensitivity level PU, generates the access control decision and issues it to the SDN controller:
1) Subject role R
If the PDP gateway finds the subject's request action among the permissions of the subject's role, i.e. RA ∈ R, it proceeds to the next verification step.
If the subject's request action is not among the permissions of the subject's role, i.e. RA ∉ R, request action authorization fails and the access control decision is deny; the PDP gateway sends the access control decision, the subject and object IDs and the subject's access time <TC1:TC2> to the SDN controller.
2) Device security level DS
If the PDP gateway finds that the subject's device security level DSs is greater than or equal to the device security level DSo permitted by the object, i.e. DSs ≥ DSo, it proceeds to the next verification step.
If DSs < DSo, device security level authorization fails and the access control decision is deny.
3) Device universality level UR
If the PDP gateway finds that the universality level URs of the device requested by the subject is less than or equal to the object's device universality level URo, i.e. URs ≤ URo, it proceeds to the next verification step.
If URs > URo, device universality level authorization fails and the access control decision is deny; the PDP gateway sends the access control decision, the subject and object IDs and the subject's access time <TC1:TC2> to the SDN controller.
4) Data sensitivity level PU
The PDP gateway derives the subject's access level AL from its role: a specific role is assigned AL = 2 and a temporary role the lower level AL = 1 (the only assignment under which the comparison with PU ∈ {1, 2} below can fail).
If AL is greater than or equal to the object's data sensitivity level PU, i.e. AL ≥ PU, it proceeds to the next verification step.
If AL < PU, request action authorization fails and the access control decision is deny; the PDP gateway sends the access control decision, the subject and object IDs and the subject's access time <TC1:TC2> to the SDN controller.
5) Time context TC
If the PDP gateway finds that the subject's access time lies within the object's permitted access period <T1:T2>, i.e. T1 ≤ TC1 and TC2 ≤ T2, the access control decision is allow, and the PDP gateway sends the access control decision, the subject and object IDs and the subject's access time <TC1:TC2> to the SDN controller.
If the subject's access time does not lie within <T1:T2>, i.e. TC1 < T1 or TC2 > T2, the access control decision is deny, and the PDP gateway sends the access control decision, the subject and object IDs and the subject's access time <TC1:TC2> to the SDN controller.
In summary, the PDP gateway verifies the request action, the role and the context information one by one and finally determines whether the object authorizes the subject.
At the same time, the PDP gateway associates the subject IP, the subject ID and the allowed request actions and stores the association in the PDP gateway.
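The following Python block is an added example and is not code from the patent or its authors. It models the token of S21 and the checks of S23 in one place: the Security Manager gateway builds and signs an ICAP token, the object runs the three token-verification steps (token present and inside its validity period, signature valid, subject IP in the spatial context SC), and the PDP gateway applies the checks on R, DS, UR, PU and TC in order, denying on the first failure. Assumptions: the patent's public-key digital signature is replaced by an HMAC-SHA256 tag under a key shared by the Security Manager gateway and the object, so the block runs with the standard library alone; the role table, the access levels AL, the sample object, the device IDs and the addresses are constructed for illustration.

```python
"""Added example, not from the patent: ICAP token issue (S21), object-side
token verification and PDP decision (S23).
Assumption: the patent's public-key digital signature is replaced by an
HMAC-SHA256 tag under a key shared by the Security Manager gateway and the
object; role table, access levels and sample data are constructed."""
import hashlib
import hmac
import ipaddress
import json

SHARED_KEY = b"security-manager-gateway-key"   # assumed; stands in for the signing key

# Constructed role-permission table (R) and role kind used for the access level AL
ROLES = {"operator": {"GET", "PUT"}, "viewer": {"GET"}}
ROLE_KIND = {"operator": "specific", "viewer": "temporary"}


def _tag(body):
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(SHARED_KEY, payload, hashlib.sha256).hexdigest()


def issue_token(subject_id, object_id, ra, tc, ds_s, ur_s, issued_at, validity):
    """Security Manager gateway, S21: ICAP = {S, O, RA, CC} plus a tag over it."""
    body = {"S": subject_id, "O": object_id, "RA": sorted(ra),
            "CC": {"TC": list(tc), "DS": ds_s, "UR": ur_s,
                   "issued": issued_at, "validity": validity}}
    return {**body, "sig": _tag(body)}


def verify_token(token, subject_ip, sc, now):
    """Object, S23 steps 1-3. Returns (ok, reason)."""
    if not token:
        return False, "no token"
    cc = token["CC"]
    if not cc["issued"] <= now < cc["issued"] + cc["validity"]:
        return False, "token outside validity period"
    body = {k: v for k, v in token.items() if k != "sig"}
    if not hmac.compare_digest(_tag(body), token["sig"]):
        return False, "bad signature"
    ip = ipaddress.ip_address(subject_ip)
    if not any(ip in ipaddress.ip_network(net) for net in sc):
        return False, "subject IP not in spatial context"
    return True, "token verified"


def pdp_decide(req_action, role, ds_s, ds_o, ur_s, ur_o, pu, tc, t_allowed):
    """PDP gateway, S23: R, DS, UR, PU and TC checked one by one, first failure denies."""
    if req_action not in ROLES.get(role, set()):
        return "deny", "request action not in role permissions"
    if ds_s < ds_o:
        return "deny", "subject device security level below object's"
    if ur_s > ur_o:
        return "deny", "requested device universality level above object's"
    al = 2 if ROLE_KIND.get(role) == "specific" else 1   # assumed AL assignment
    if al < pu:
        return "deny", "access level below data sensitivity level"
    (tc1, tc2), (t1, t2) = tc, t_allowed
    if not (t1 <= tc1 and tc2 <= t2):                    # <TC1:TC2> inside <T1:T2>
        return "deny", "access time outside object's permitted period"
    return "allow", "all checks passed"


def handle_request(token, req_action, subject_ip, obj, role, now):
    """Object verification followed by the PDP decision; returns (decision, reason)."""
    ok, reason = verify_token(token, subject_ip, obj["SC"], now)
    if not ok:
        return "deny", reason
    cc = token["CC"]
    return pdp_decide(req_action, role, cc["DS"], obj["DS"], cc["UR"], obj["UR"],
                      obj["PU"], tuple(cc["TC"]), obj["T"])


# Constructed sample object: trusted, common device holding serious data,
# reachable from 10.0.1.0/24 between t=1000 and t=2000
SAMPLE_OBJECT = {"ID": "sensor-7", "SC": ["10.0.1.0/24"], "DS": 1, "UR": 1,
                 "PU": 2, "T": (1000, 2000)}

if __name__ == "__main__":
    tok = issue_token("node-3", "sensor-7", {"GET", "PUT"}, (1100, 1500), 1, 1, 1000, 600)
    print(handle_request(tok, "GET", "10.0.1.5", SAMPLE_OBJECT, "operator", 1050))
    print(handle_request(tok, "GET", "10.0.2.5", SAMPLE_OBJECT, "operator", 1050))
```

The order of checks matters for what an attacker learns: the object rejects a missing, expired or tampered token before any policy attribute is consulted, and the PDP only sees requests whose token already bound S, O, RA and the context under the issuer's tag.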
Further, S24 is specifically:
The access control policy enforcement steps are as follows:
1) The PDP gateway sends the access policy decision, the subject ID and the object ID directly to the SDN controller, which converts the access policy decision, subject ID and object ID into a flow_mod flow table rule.
2) At time TC1 the SDN controller issues the flow table to the SDN access switch to which the object IoT device is attached. From TC1 the subject can start sending the authorized data stream to the object; this stream may also contain unauthorized data. When the data stream reaches the SDN access switch, the switch filters the packets with the flow entries in its flow table:
a. if the access control decision is "allow", the action is "forward" to the output port towards the PDP gateway;
b. if the access control decision is "deny", the action is "drop" or "redirect" to the SDN controller, which analyses the packet and then drops it.
3) When the PDP gateway receives a data packet, it forwards the subject ID corresponding to the IP in the packet header and the allowed request actions to the object together with the packet, and the object checks whether the packet contains a token:
(a) if the packet contains a token, the subject must re-execute steps S21 to S24;
(b) if the packet contains no token, the object matches the allowed request actions against the request action in the data message:
if matching fails, the object cannot execute the request action; the access ends, the final state and the subject and object IDs are sent to the SDN controller, which issues an instruction to the SDN access switch to update or delete the flow entry in the specified flow table, and the subject must then perform steps S21 to S24 again;
if matching succeeds, the object generates a response, executes the request action and returns the response to the subject.
4) At time TC2 the SDN controller automatically issues an instruction to the SDN access switch to update or delete the flow entry in the specified flow table.
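The following Python block is an added example, not code from the patent, and simulates the enforcement of S24 in software. The controller turns a PDP decision plus the subject and object IPs and the access window <TC1:TC2> into a flow entry, installs it on the access switch at TC1 and removes it at TC2; the switch forwards packets that match an "allow" entry, hands packets that match a "deny" entry to the controller, which records and drops them, and drops everything else on a table miss. Assumptions: a two-field (source IP, destination IP) match, integer timestamps passed explicitly instead of a clock, and constructed sample addresses; real OpenFlow flow_mod messages carry more match fields and actions than this model.

```python
"""Added example, not from the patent: flow_mod-style enforcement of S24.
Assumptions: (src IP, dst IP) match only, explicit integer time, sample
addresses constructed for illustration."""
from dataclasses import dataclass


@dataclass
class FlowEntry:
    src: str            # subject IP
    dst: str            # object IP
    action: str         # "forward" (allow) or "redirect" (deny, sent to controller)
    hard_timeout: int   # TC2: the entry is removed once this time is reached
    priority: int = 10


class AccessSwitch:
    """SDN access switch: a flow table with a drop-on-miss default."""

    def __init__(self):
        self.table = []

    def flow_mod_add(self, entry):
        self.table.append(entry)

    def flow_mod_delete(self, src, dst):
        self.table = [e for e in self.table if (e.src, e.dst) != (src, dst)]

    def expire(self, now):
        self.table = [e for e in self.table if e.hard_timeout > now]

    def process(self, src, dst, now):
        """Return the action applied to one packet of the (src, dst) stream."""
        self.expire(now)
        hits = [e for e in self.table if e.src == src and e.dst == dst]
        if not hits:
            return "drop"                       # table miss: unauthorized stream
        return max(hits, key=lambda e: e.priority).action


class Controller:
    """SDN controller: converts PDP decisions into flow entries timed by <TC1:TC2>."""

    def __init__(self, switch):
        self.switch = switch
        self.pending = []      # (TC1, entry) waiting to be installed
        self.redirected = []   # packets analysed and then dropped

    def on_decision(self, decision, src, dst, tc):
        tc1, tc2 = tc
        action = "forward" if decision == "allow" else "redirect"
        self.pending.append((tc1, FlowEntry(src, dst, action, tc2)))

    def tick(self, now):
        """Install entries whose TC1 has arrived and expire those past TC2."""
        due = [p for p in self.pending if p[0] <= now]
        self.pending = [p for p in self.pending if p[0] > now]
        for _, entry in due:
            self.switch.flow_mod_add(entry)
        self.switch.expire(now)

    def packet_in(self, src, dst, now):
        """Drive the switch for one packet; 'redirect' ends as a drop after analysis."""
        self.tick(now)
        action = self.switch.process(src, dst, now)
        if action == "redirect":
            self.redirected.append((src, dst, now))
            return "drop"
        return action


if __name__ == "__main__":
    sw = AccessSwitch()
    ctl = Controller(sw)
    ctl.on_decision("allow", "10.0.1.5", "10.0.1.50", (1100, 1500))
    for t in (1050, 1100, 1500):
        print(t, ctl.packet_in("10.0.1.5", "10.0.1.50", t))
```

Because the switch drops on a table miss, a subject that never obtained a decision, or whose window has passed, cannot reach the object at all; the controller only ever learns about streams the PDP explicitly denied.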
The beneficial effects of the invention are: within an SDN network architecture the invention reduces the complexity of access control enforcement and policy management, and by introducing SDN-based concepts it allows access control to be applied at a finer granularity.
Other advantages, objectives and features of the invention will be set forth to some extent in the following description and, to some extent, will be apparent to those skilled in the art upon examination of what follows, or may be learned from practice of the invention. The objectives and other advantages of the invention can be realized and obtained through the following specification.
Brief description of the drawings
To make the objectives, technical solutions and advantages of the invention clearer, the invention is described in detail below with reference to the accompanying drawings, in which:
Fig. 1 is the IoT device access control architecture based on an SDN network;
Fig. 2 is the CCAAC flow chart based on an SDN network;
Fig. 3 is the workflow of an OpenFlow-capable SDN switch.
Specific embodiment
The embodiments of the invention are illustrated below by specific examples; those skilled in the art can easily understand other advantages and effects of the invention from the content disclosed in this specification. The invention can also be implemented or applied through other specific embodiments, and the details in this specification can be modified or changed in various ways for different viewpoints and applications without departing from the spirit of the invention. It should be noted that the illustrations provided in the following embodiments only schematically explain the basic concept of the invention, and, where there is no conflict, the features of the following embodiments can be combined with one another.
The drawings are for illustrative purposes only and are schematic rather than pictorial; they should not be construed as limiting the invention. In order to better illustrate the embodiments of the invention, certain components in the drawings may be omitted, enlarged or reduced and do not represent the size of the actual product; those skilled in the art will understand that certain known structures and their descriptions may be omitted from the drawings.
The same or similar reference numerals in the drawings of the embodiments correspond to the same or similar components. In the description of the invention, it should be understood that terms such as "upper", "lower", "left", "right", "front" and "rear", where used to indicate an orientation or positional relationship, refer to the orientation or positional relationship shown in the drawings, serve only to describe the invention conveniently and simplify the description, and do not indicate or imply that the device or element referred to must have a particular orientation or be constructed and operated in a particular orientation; the terms describing positional relationships in the drawings are therefore for illustration only and are not to be construed as limiting the invention. Those of ordinary skill in the art can understand the specific meaning of the above terms according to the specific situation.
I. The SDN-based IoT access control architecture
First, an IoT device access control architecture based on an SDN network is proposed, as shown in Fig. 1.
A. Application layer
This layer consists of a group of application programs deployed on the virtualized core network. These applications are developed by third-party companies and may bring serious security risks. Strict access control is therefore needed, integrated through the core and access systems into the virtualized management and deployment of these applications.
B. Control layer
This layer is responsible for managing the network-layer devices. The control layer has the highest security level and is the core of access control management. Besides obtaining the configuration of all network devices and implementing functions such as identity authentication and access rules, the SDN controller can detect malicious behaviour or other danger signals and, when they occur, generate and modify new forwarding rules.
C. Network layer
This layer contains two kinds of switches: SDN switches and SDN access switches. Both are managed by the control layer, and the access rules are defined by the control layer. The SDN switch is the basic network device and forwards data; the SDN controller configures the SDN switches with flow tables and connects them with the devices that are allowed to communicate. The SDN access switch not only contains the functions of the SDN switch but, when an unauthorized data stream exists between IoT devices, also filters that stream, so that the SDN access switch controls data streams of different security levels.
D. Device layer
This layer consists of a group of heterogeneous devices that hold different data and support different access services. Each group of devices therefore has a certain security level, which depends on the authentication scheme it supports and the programs it runs. A device can run multiple application programs, so each application accesses different categories of data with different permissions. The layer contains the following devices:
(1) Gateways: two kinds, the Security Manager gateway and the PDP gateway. The Security Manager gateway constructs and issues tokens; the PDP gateway implements the policy decision point (PDP) function of access control and generates access control decisions for access requests.
(2) Subject: the IoT node that initiates an access request.
(3) Object: the IoT node being accessed.
The IoT architecture can simplify the connections among entities such as the large number of IoT devices while also sharing information and data, services and the security management of other related private data. A more fine-grained and more flexible access control model and framework are therefore needed.
II. The SDN-based IoT fine-grained access control method
The access control process, shown in Fig. 2, is divided into the following links.
1. Token construction
When a subject needs to access an object, it sends an access request message to the Security Manager gateway. The Security Manager gateway obtains the subject and object IDs, the request action, the token context information and related information contained in the access request message, generates a token and issues it to the subject.
2. Access request
The subject initiates an access request to the object in order to access the data or resources stored in the object. The subject generates an access request with the token attached, and the request is not read by any intermediate entity. The access request is forwarded to the object by the SDN switches; after the object (IoT device) receives the access request it starts the token verification step.
3. Fine-grained access control decision
When the PDP gateway receives the subject's access request message, it looks up the subject ID corresponding to the subject IP address and the allowed request actions in its association table of subject IP, ID and allowed request actions, and forwards them to the object together with the access request message. After the object (IoT device) receives the access request it performs token verification in three steps: (1) the object checks whether the request contains a token; (2) the object checks the validity of the signature; (3) the object verifies the spatial context information.
If token verification fails, the access control decision is deny, and the object sends the access control decision, the subject and object IDs and the subject's access time <TC1:TC2> to the PDP gateway. If token verification succeeds, the object sends the subject and object IDs, the request action RA, the context information and the object's permitted access period to the PDP gateway so that it can generate the specific fine-grained access control decision; the PDP gateway then sends the access control decision, the subject and object IDs and the subject's access time <TC1:TC2> to the SDN controller and records, in the PDP gateway, the association of subject IP, ID and the request actions allowed to be authorized.
4. Access control policy enforcement
After the PDP gateway generates the access control decision it sends the decision, the subject and object IDs and the subject's access time <TC1:TC2> to the SDN controller. Once the SDN control layer has this information, it converts it into a flow_mod flow table entry and issues it to the SDN access switch at time TC1. From TC1 the subject starts sending the authorized data stream to the object (the blue line in Fig. 1), which may also contain unauthorized data (the red line in Fig. 1). When the data stream enters the SDN access switch, the switch separates authorized from unauthorized data according to the flow_mod rule it received, filters the unauthorized data stream, and performs the "forward" operation on the authorized data stream.
Then, when the PDP gateway receives a data packet from the subject IP, it looks up the subject ID corresponding to that IP address and the allowed request actions in its association table and forwards them to the object together with the packet. The object matches the allowed request actions against the request action in the data message. If matching fails, the current access ends, and the final state and the subject and object IDs are sent to the SDN controller, which issues an instruction to the SDN access switch to update or delete the flow entry in the specified flow table; the subject must then re-execute steps (1) to (4). If matching succeeds, the object generates a response, executes the request action and returns the response to the subject; at time TC2 the SDN controller automatically issues an instruction to the SDN access switch to update or delete the flow entry in the specified flow table.
(1) Token structure design
The structure of the capability token is as follows:
ICAP = {S, O, RA, CC}
where the parameters have the following meaning:
S: the subject; the subject ID is used as S when the token is constructed, so that the capability token is unambiguously identified;
O: the object; the object ID is used as O when the token is constructed;
RA: a set of requested actions such as GET, POST, PUT and DELETE, for example <GET>, <POST> or <PUT>; RA may also be <NULL>, in which case the subject is not authorized for any requested action.
CC: a set of token context information, including the time context, the device security grade, the device prevalence grade, the digital signature and the public key.
In this model the context information comprises the following classes: time context, spatial context, device security grade, device prevalence grade and data sensitivity grade.
1. Time context TC: the subject's access time is used as the time context, i.e. TC = <TC1:TC2>, where TC1 is the access start time and TC2 the access end time.
2. Spatial context SC: the IP addresses and IP address ranges from which the object permits access, i.e. SC = <IP1:IP2:IP3:...:IPi>; the spatial context is managed by the object.
3. Device security grade DS: the proportion of trusted devices among the devices in the same spatial range as the subject's device. If the proportion is low, the subject's device security grade is 0, i.e. DSs = 0; if it is high, the grade is 1, i.e. DSs = 1. The subject's device security grade is stored in the Secure Manager gateway; the device security grade the object permits is determined by the object and stored in the object.
4. Device prevalence grade UR: the proportion of object devices among all devices in the same spatial range. If the proportion is low, the object's device prevalence grade is 0, i.e. URo = 0; if it is high, the grade is 1, i.e. URo = 1. The prevalence grade of the device requested by the subject is determined by the subject and stored in the subject; the object's device prevalence grade is stored in the PDP gateway.
5. Data sensitivity grade PU: the severity of the consequences that accessing the data in the object device may cause. Two grades are defined here: data whose access would have low-severity consequences is "general", PU = 1; data whose access would have high-severity consequences is "serious", PU = 2. The data sensitivity grade is defined by the object itself and stored in the object.
(2) Access request design
The access control method of this system is based on distributed capabilities: IoT devices can make fine-grained, context-aware authorization decisions, and this capability is embedded in resource-constrained devices. After the subject receives the capability token it tries to access the object: it generates an access request with the token attached and sends it to the object. When the SDN switch receives the access request and cannot match it against any installed flow-table rule, the switch generates a PACKET_IN message to the controller to obtain a new forwarding rule. The controller sends a packet-out message to the switch for handling that packet and, during route-path computation, issues a flow_mod to install the flow rule in the switch. The SDN switch forwards the access request to the object only after the new flow rule has been installed.
(3) Fine-grained access control decision design
When the PDP gateway receives the subject's access request message, it looks up the subject ID and the authorized request actions corresponding to the subject's IP address in the association table of subject IP, subject ID and authorized request actions, and forwards them together with the access request message to the object; the object (IoT device) starts the token verification process on receiving the access request. First, the object checks whether the request contains a token and whether the token and its signature are valid. Second, the object checks whether the spatial context SC in the token context satisfies the verification condition. Finally, the object checks whether the subject is legitimate. After verifying the token, the object sends the subject and object IDs, the context information, the requested action RA and the object's permitted access period to the PDP gateway; the PDP gateway checks them against conditions such as the received information and the object's device prevalence grade that it maintains, and generates the access control decision.
After the object receives the token in the access request it starts the token verification process, with the following steps:
1) The object checks whether a token is present and whether it is valid. First, when the object device receives the access request it checks whether the request contains a token. If it does, and the token's issue time lies within the token's validity period, the object proceeds to verification step 2). If the access request contains no token, or the token's issue time lies outside its validity period, there are two cases:
(a) The object matches the request action in the data message against the authorized request actions from the association table of subject IP, subject ID and authorized request actions. If the match fails, the current access is terminated, and the final state, the subject and object IDs and the subject's access time <TC1:TC2> are sent to the SDN controller; the SDN controller issues an instruction to the SDN access switch to update or delete the flow entry in the specified flow table, and the subject must re-execute steps S21 to S24.
(b) If the match succeeds, the object generates a response, executes the requested action and returns the response to the subject.
2) The object checks whether the signature is valid. Before the spatial context information is checked against the verification condition, the signature field specified in the token must be verified. For this the object uses the subject's public key generated by the Secure Manager gateway. If the signature is invalid, the authorization process stops, the access control decision is "deny", and the object sends the decision, the subject and object IDs and the subject's access time <TC1:TC2> to the PDP gateway. If the signature is valid, the next verification step is performed.
3) The object checks whether the spatial context information satisfies the verification condition.
If the subject's IP address IPs is present in the spatial context SC, i.e. IPs ∈ SC, the next verification step is entered.
If the subject's IP address is not in the spatial context SC, i.e. IPs ∉ SC, verification fails, the access control decision is "deny", and the object sends the decision, the subject and object IDs and the subject's access time <TC1:TC2> to the PDP gateway.
Table 1 shows the spatial context authorization process:
Table 1 Spatial context authorization process
Subject S | Subject IP | Object O | Spatial context SC | Decision
Device A | IP1 | Device a | <IP1:IP2:IP3:IP4> | Verified
Device B | IP2 | Device b | <IP1:IP3:IP5:IP7> | Deny
Device C | IP1 | Device c | <IP1:IP3:IP5:IP7> | Verified
If any step of the token verification process fails, token verification fails, the access control decision is "deny", and the object sends the decision, the subject and object IDs and the subject's access time <TC1:TC2> to the PDP gateway. Otherwise token verification is complete, and the object sends the subject and object IDs, the requested action RA, the context information and the object's permitted access period to the PDP gateway, which uses the subject and object IDs, the requested action RA, the context information and the object's permitted access period to generate the specific fine-grained access control decision.
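The token structure of design (1) and the object-side verification steps 1) to 3) above, as an added example that is not the patent's own code. It assumes the patent's public-key digital signature is replaced by an HMAC-SHA256 over the canonical token body with a key shared by the Secure Manager gateway and the object (the dependency-free stand-in), a 300-second validity window, and constructed IDs, addresses and spatial-context ranges; SC entries may be single addresses or CIDR ranges, which the text only implies with "IP address range".

```python
import hashlib
import hmac
import ipaddress
import json

# Example code added for illustration; it is not the patent's implementation.
# Assumption: the patent signs the token with the Secure Manager gateway's
# private key and the object verifies it with the public key carried in CC.
# To stay dependency-free this example substitutes HMAC-SHA256 over the token
# body with a key shared by the Secure Manager gateway and the object.
SM_KEY = b"constructed-secure-manager-key"   # constructed, not from the patent
TOKEN_TTL = 300                               # assumed validity window in seconds


def _canonical(token):
    """Serialise every field except the signature deterministically."""
    body = {k: v for k, v in token.items() if k != "sig"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_token(s_id, o_id, ra, tc, ds_s, ur_s, issued_at, key=SM_KEY):
    """Secure Manager gateway side: build ICAP = {S, O, RA, CC} and sign it.

    ra is the set of request actions the subject is authorised for; an empty
    set is encoded as ["NULL"], which the text defines as 'no action allowed'.
    """
    token = {
        "S": s_id,
        "O": o_id,
        "RA": sorted(ra) if ra else ["NULL"],
        "CC": {"TC": list(tc), "DS_s": ds_s, "UR_s": ur_s, "issued_at": issued_at},
    }
    token["sig"] = hmac.new(key, _canonical(token), hashlib.sha256).hexdigest()
    return token


def verify_token(request, subject_ip, sc, now, key=SM_KEY):
    """Object side: the three verification steps from the text, in order.

    request  constructed access request dict, token under key "token"
    sc       spatial context SC: list of permitted IPs and/or CIDR ranges
    Returns ("ok", None) or ("deny", reason); on "deny" the object reports the
    decision, the subject/object IDs and <TC1:TC2> to the PDP gateway.
    """
    token = request.get("token")
    # Step 1: token present and inside its validity window.
    if token is None:
        return ("deny", "no token in request")
    issued = token["CC"]["issued_at"]
    if not (issued <= now <= issued + TOKEN_TTL):
        return ("deny", "token outside validity window")
    # Step 2: signature over S, O, RA and CC must verify (constant-time compare).
    expected = hmac.new(key, _canonical(token), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token.get("sig", "")):
        return ("deny", "invalid signature")
    # Step 3: spatial context, IPs must lie in SC.
    ip = ipaddress.ip_address(subject_ip)
    if not any(ip in ipaddress.ip_network(entry, strict=False) for entry in sc):
        return ("deny", "subject IP not in spatial context")
    return ("ok", None)


def pdp_payload(request, subject_ip, sc, now, allowed_window):
    """What the object hands to the PDP gateway after verification."""
    status, reason = verify_token(request, subject_ip, sc, now)
    tok = request.get("token") or {}
    cc = tok.get("CC", {})
    if status == "deny":
        return {"decision": "deny", "reason": reason,
                "S": tok.get("S"), "O": tok.get("O"), "TC": cc.get("TC")}
    return {"decision": None, "S": tok["S"], "O": tok["O"], "RA": tok["RA"],
            "CC": cc, "T": list(allowed_window)}


# Constructed sample run: device A (subject) asks device a (object) for GET.
SC_DEVICE_A = ["10.0.1.0/24", "10.0.2.7"]      # object-managed SC, constructed
TOKEN = build_token("devA", "deva", {"GET"}, (1000, 1600), 1, 0, issued_at=950)
REQUEST = {"token": TOKEN, "action": "GET"}

if __name__ == "__main__":
    print(verify_token(REQUEST, "10.0.1.25", SC_DEVICE_A, now=1000))
    tampered = dict(TOKEN, RA=["DELETE"])       # RA changed, signature kept
    print(verify_token({"token": tampered}, "10.0.1.25", SC_DEVICE_A, now=1000))
```

The tampered run shows why step 2 must cover RA and CC and not just the IDs: a subject that edits its own RA field keeps the original signature and is rejected before the spatial check runs.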
The PDP gateway evaluates the subject role R, the subject's and the object's device security grade DS, the device prevalence grade UR and the data sensitivity grade PU, generates the access control decision and issues it to the SDN controller.
1) Role R
If the subject's requested action is among the permissions of the subject's role, i.e. RA ∈ R, the next verification step is entered.
If the subject's requested action is not among the permissions of the subject's role, i.e. RA ∉ R, request-action authorization fails and the access control decision is "deny".
Table 2 gives an example of the request-action authorization process:
Table 2 Request-action authorization process
In Table 2, the digit "1" indicates that an action is valid in the permission set and the digit "0" that it is not.
If request-action authorization fails, the access control decision is "deny", and the PDP gateway sends the decision, the subject and object IDs and the subject's access time <TC1:TC2> to the SDN controller.
2) Device security grade DS
If the subject's device security grade DSs is greater than or equal to the device security grade DSo permitted by the object, i.e. DSs ≥ DSo, the next verification step is entered.
If the subject's device security grade DSs is less than the device security grade DSo permitted by the object, i.e. DSs < DSo, device-security-grade authorization fails and the access control decision is "deny".
Table 3 gives an example of the device security grade authorization process:
Table 3 Device security grade authorization process
3) Device prevalence grade UR
If the prevalence grade URs of the device requested by the subject is less than or equal to the object's device prevalence grade URo, i.e. URs ≤ URo, the next verification step is entered.
If the prevalence grade URs of the device requested by the subject is greater than the object's device prevalence grade URo, i.e. URs > URo, device-prevalence-grade authorization fails, the access control decision is "deny", and the PDP gateway sends the decision, the subject and object IDs and the subject's access time <TC1:TC2> to the SDN controller.
Table 4 gives an example of the device prevalence grade authorization process.
Table 4 Device prevalence grade authorization process
4) Data sensitivity grade PU
The subject's access level AL is 2 if the subject's role is a specific role, and 1 if the subject's role is a temporary role.
If the subject's access level AL is greater than or equal to the object's data sensitivity grade PU, i.e. AL ≥ PU, the next verification step is entered.
If the subject's access level is less than the object's data sensitivity grade, i.e. AL < PU, request-action authorization fails, the access control decision is "deny", and the PDP gateway sends the decision, the subject and object IDs and the subject's access time <TC1:TC2> to the SDN controller. Table 5 gives an example of role verification.
Table 5 An example of role verification
5) Time context
If the subject's access time lies within the object's permitted access period <T1:T2>, i.e. T1 ≤ TC1 and TC2 ≤ T2, the access control decision is "allow", and the PDP gateway sends the decision, the subject and object IDs and the subject's access time <TC1:TC2> to the SDN controller.
If the subject's access time does not lie within the object's permitted access period <T1:T2>, i.e. TC1 < T1 or TC2 > T2, the access control decision is "deny", and the PDP gateway sends the decision, the subject and object IDs and the subject's access time <TC1:TC2> to the SDN controller.
The time-context authorization process is shown in Table 6.
Table 6 Time context authorization process
In summary, the requested action, the role and the context information are verified one by one, and the final decision whether the subject is authorized follows from these checks.
At the same time, the PDP gateway generates Table 7, which associates the subject IP and subject ID with the authorized request actions, and stores it in the PDP gateway.
Table 7 Association table of subject IP, subject ID and authorized request actions
Subject IP | Subject ID | Authorized request action
233.54.223.183 | 01-00-5e-36-df-b7 | GET
239.11.20.1 | 01-00-5e-0b-14-01 | PUT
233.54.223.183 | 01-00-5e-36-df-b7 | POST
(4) Access control policy enforcement design
The access control policy enforcement steps are as follows:
1) The PDP gateway sends the access policy decision, the subject ID and the object ID directly to the SDN controller, which converts the access policy decision, the subject ID and the object ID into flow_mod flow-table rules;
2) Then, at time TC1, the SDN controller issues the flow table to the SDN access switch to which the object IoT device is attached. From TC1 the subject can start sending its permitted data flow to the object, which may also contain a data flow for permissions it does not hold; when the data flow reaches the SDN access switch, the switch filters the packets using the flow entries in its flow table:
a. If the access control decision is "allow", the action is "forward" to the output port towards the PDP gateway.
b. If the access control decision is "deny", the action is "drop" and the packet is discarded.
3) When the PDP gateway receives a data packet, it looks up in Table 7 the subject ID and the authorized request actions corresponding to the IP address in the packet header and forwards them together with the packet to the object; the object checks whether the packet contains a token.
(a) If the packet contains a token, the subject must re-execute steps (1), (2), (3) and (4).
(b) If the packet contains no token, the object matches the request action in the data message against the authorized request actions.
a. If the match fails, the object cannot execute the requested action; the access terminates and the final state and the subject and object IDs are sent to the SDN controller, which issues an instruction to the SDN access switch to update or delete the flow entry in the specified flow table; the subject then has to perform steps (1), (2), (3) and (4) again.
b. If the match succeeds, the object generates a response, executes the requested action and returns the response to the subject.
4) At time TC2 the SDN controller automatically issues an instruction to the SDN access switch to update or delete the flow entry in the specified flow table.
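The enforcement steps 1) to 4) above, as an added example that is not the patent's own code: the SDN controller turns a decision into a flow entry, the SDN access switch applies it only between TC1 and TC2, and the object matches each data packet's action against the association-table row the PDP gateway attaches. The flow-entry fields, the "packet_in" result for an unmatched packet (the switch asks the controller, as the access request design describes), and the association rows are assumptions and constructed data.

```python
from dataclasses import dataclass

# Example code added for illustration; not the patent's implementation.
# Field names and the sample association rows are assumptions.


@dataclass
class FlowEntry:
    src_ip: str
    dst_id: str          # object ID (the text converts S/O IDs, not IPs, into flow_mod)
    action: str          # "forward" (towards the PDP gateway port) or "drop"
    tc1: int
    tc2: int


def flow_mod_from_decision(decision, s_ip, o_id, tc):
    """SDN controller: decision + IDs + <TC1:TC2> -> one flow_mod rule."""
    action = "forward" if decision == "allow" else "drop"
    return FlowEntry(s_ip, o_id, action, tc[0], tc[1])


class AccessSwitch:
    """SDN access switch: entries are pushed at TC1 and removed at TC2."""

    def __init__(self):
        self.flow_table = []

    def install(self, entry, now):
        if now >= entry.tc1:             # the controller pushes the rule at TC1
            self.flow_table.append(entry)

    def expire(self, now):
        """TC2 reached: the controller deletes the entry from the flow table."""
        self.flow_table = [e for e in self.flow_table if e.tc2 > now]

    def handle(self, pkt, now):
        """Return the action applied to a packet dict {src, dst, action}."""
        for e in self.flow_table:
            if e.src_ip == pkt["src"] and e.dst_id == pkt["dst"] and e.tc1 <= now < e.tc2:
                return e.action
        return "packet_in"               # no match: ask the controller (OpenFlow PACKET_IN)


def object_handle_packet(pkt, assoc_lookup):
    """Object side, step 3) of policy enforcement.

    assoc_lookup(src_ip) returns (subject ID, authorised actions) or None,
    i.e. the Table 7 row the PDP gateway attaches to the packet.
    """
    if "token" in pkt:
        return "restart S21-S24"         # a data packet carrying a token restarts the flow
    entry = assoc_lookup(pkt["src"])
    if entry is None or pkt["action"] not in entry[1]:
        return "terminate"               # controller then updates/deletes the flow entry
    return "execute"


# Constructed association rows in the shape of Table 7.
ASSOC = {"10.0.1.25": ("devA", frozenset({"GET"}))}


def lookup(src_ip):
    return ASSOC.get(src_ip)


def run_scenario():
    """Full enforcement timeline for one allowed and one denied subject."""
    sw = AccessSwitch()
    sw.install(flow_mod_from_decision("allow", "10.0.1.25", "deva", (1000, 1600)), now=1000)
    sw.install(flow_mod_from_decision("deny", "10.0.1.26", "deva", (1000, 1600)), now=1000)
    results = {
        "allowed_get": sw.handle({"src": "10.0.1.25", "dst": "deva", "action": "GET"}, 1200),
        "denied_subject": sw.handle({"src": "10.0.1.26", "dst": "deva", "action": "GET"}, 1200),
        "unknown_subject": sw.handle({"src": "10.0.9.9", "dst": "deva", "action": "GET"}, 1200),
        "object_get": object_handle_packet({"src": "10.0.1.25", "action": "GET"}, lookup),
        "object_delete": object_handle_packet({"src": "10.0.1.25", "action": "DELETE"}, lookup),
        "object_token": object_handle_packet({"src": "10.0.1.25", "action": "GET", "token": {}}, lookup),
    }
    sw.expire(1600)                      # TC2: controller withdraws the entry
    results["after_tc2"] = sw.handle({"src": "10.0.1.25", "dst": "deva", "action": "GET"}, 1600)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name}: {outcome}")
```

Note the split of responsibilities the text implies: the switch only decides per subject/object pair and time window, so a DELETE from a subject authorized only for GET still reaches the object and is rejected there by the association-table match; the switch entry is then updated or deleted by the controller.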
Fig. 3 shows the workflow of an OpenFlow-capable SDN switch.
Finally, it should be noted that the above embodiments only illustrate the technical solution of the invention and do not limit it. Although the invention has been described in detail with reference to preferred embodiments, those skilled in the art should understand that the technical solution of the invention may be modified or equivalently replaced without departing from the purpose and scope of the technical solution, and that such modifications fall within the scope of the claims of the invention.

Claims (4)

1. An SDN-based Internet of Things access control method, characterized in that the method comprises the following steps:
S1: first, an IoT device access control architecture based on an SDN network is proposed, comprising:
A. Application layer
This layer consists of a set of applications deployed on the virtualized core network;
B. Control layer
This layer is responsible for managing the network-layer devices. The control layer has the highest security level and is the core of access control management; it can obtain the configuration of all network devices and implements authentication and access rules. The SDN controller can detect malicious behaviour, and generates and modifies new forwarding rules when other danger signals occur;
C. Network layer
This layer contains two kinds of switches, the SDN switch and the SDN access switch. Both kinds of switches in this layer are managed by the control layer, and their access rules are defined by the control layer. The SDN switch is the basic network device used to forward data; the SDN controller configures the SDN switch devices with flow tables and connects them with the devices they can communicate with. The SDN access switch includes the functions of the SDN switch; when there is an unpermitted data flow between IoT devices, the SDN access switch filters the unpermitted data flow, so that the SDN access switch controls the different data flows;
D. Device layer
This layer consists of a set of heterogeneous devices with different data that support different access services. A device may run multiple applications, each of which accesses different classes of data with different permissions. The layer contains the following devices:
(1) Gateways: two kinds of gateways, the Secure Manager gateway and the PDP gateway. The Secure Manager gateway constructs and generates tokens; the PDP gateway implements the policy decision point (PDP) function of access control and generates the access control decision for an access request;
(2) Subject: the IoT node that initiates the access request;
(3) Object: the IoT node being accessed;
S2: the access control process is divided into the following stages:
S21 Token construction
When a subject needs to access an object, the subject sends an access request message to the Secure Manager gateway. The Secure Manager gateway extracts the subject and object IDs, the requested action and the token context information carried in the access request message, generates a token from them and issues the token to the subject;
S22 Access request
The subject initiates an access request to the object in order to access the data or resources stored in the object. The subject generates an access request with the token attached; the object uses the token to authenticate the subject and establish the access control relationship, and the request is not read by any intermediate entity. The SDN switch forwards the access request to the object, and once the object IoT device receives it, it starts the token verification steps;
S23 Fine-grained access control decision
When the PDP gateway receives the subject's access request message, it looks up the subject ID and the authorized request actions corresponding to the subject's IP address in the association table of subject IP, subject ID and authorized request actions, and forwards them together with the access request message to the object. Once the object IoT device receives the access request it starts token verification. The token verification steps are as follows:
(1) the object checks whether the request contains a token;
(2) the object checks the validity of the digital signature;
(3) the object verifies the spatial context information;
If token verification fails, the access control decision is "deny", the object sends the decision, the subject and object IDs and the subject's access time <TC1:TC2> to the PDP gateway, and the PDP gateway returns the authentication failure to the subject;
If token verification succeeds, the object sends the subject and object IDs, the requested action RA, the context information and the object's permitted access period to the PDP gateway, so that a specific fine-grained access control decision can be generated;
The PDP gateway evaluates the subject role R, the subject's and the object's device security grade DS, the device prevalence grade UR and the data sensitivity grade PU, generates the access control decision and issues it to the SDN controller;
S24 Access control policy enforcement
Once the SDN control layer has the access control decision, the subject and object IDs and the subject's access time <TC1:TC2>, it converts them into flow_mod flow-table rules and issues them to the SDN access switch at time TC1. From TC1 the subject starts sending its permitted data flow to the object, which may also contain a data flow for permissions it does not hold. When the data flow enters the SDN access switch, the switch separates the permitted data flow from the unpermitted data flow according to the flow_mod rules it received, filters out the unpermitted flow and performs the "forward" action on the permitted flow;
Then, when the PDP gateway receives a data packet from the subject's IP, it looks up the subject ID and the authorized request actions for that IP address in the association table of subject IP, subject ID and authorized request actions and forwards them together with the packet to the object. The object matches the request action in the data message against the authorized request actions. If the match fails, the current access is terminated and the final state and the subject and object IDs are sent to the SDN controller, which issues an instruction to the SDN access switch to update or delete the flow entry in the specified flow table; the subject then has to re-execute steps S21 to S24. If the match succeeds, the object generates a response, executes the requested action and returns the response to the subject;
At time TC2 the SDN controller automatically issues an instruction to the SDN access switch to update or delete the flow entry in the specified flow table;
If the subject needs to access the object again, it must resend an access control request carrying a token and execute the above process S21 to S24.
2. The SDN-based Internet of Things access control method according to claim 1, characterized in that S21 specifically comprises:
The structure of the capability token is as follows:
ICAP = {S, O, RA, CC}
where the parameters have the following meaning:
S: the subject; the subject ID is used as S when the token is constructed, so that the capability token is unambiguously identified;
O: the object; the object ID is used as O when the token is constructed;
RA: a set of requested actions, including GET, POST, PUT and DELETE, for example <GET>, <POST> or <PUT>; RA may also be <NULL>, in which case the subject is not authorized for any requested action;
CC: a set of token context information, including the time context, the device security grade, the device prevalence grade, the digital signature and the public key;
The context information comprises the time context, the spatial context, the device security grade, the device prevalence grade and the data sensitivity grade;
(1) Time context TC: the subject's access time is used as the time context, i.e. TC = <TC1:TC2>, where TC1 is the access start time and TC2 the access end time;
(2) Spatial context SC: the IP addresses and IP address ranges from which the object permits access, i.e. SC = <IP1:IP2:IP3:...:IPi>; the spatial context is managed by the object;
(3) Device security grade DS: the proportion of trusted devices among the devices in the same spatial range as the subject's device. If the proportion is low, the subject's device security grade is 0, i.e. DSs = 0; if it is high, the grade is 1, i.e. DSs = 1. The subject's device security grade is stored in the Secure Manager gateway; the device security grade the object permits is determined by the object and stored in the object;
(4) Device prevalence grade UR: the proportion of object devices among all devices in the same spatial range. If the proportion is low, the object's device prevalence grade is 0, i.e. URo = 0; if it is high, the grade is 1, i.e. URo = 1. The prevalence grade of the device requested by the subject is determined by the subject and stored in the subject; the object's device prevalence grade is stored in the PDP gateway;
(5) Data sensitivity grade PU: the data sensitivity grade is divided into two grades, general and serious. Data whose access would have low-severity consequences is general, PU = 1; otherwise, data whose access would have high-severity consequences is serious, PU = 2. The data sensitivity grade is defined by the object itself and stored in the object.
3. a kind of Internet of Things access control method based on SDN according to claim 1, it is characterised in that: the S23 tool Body are as follows:
Just start to execute token verification process after object IoT equipment receives access request;
Firstly, object is checked whether comprising token, signature validity;Secondly, object detection token context in spatially under Whether literary SC meets verification condition;After verifying token, object is by Subjective and Objective ID, contextual information, request action RA and visitor Body allows access time section to be sent to PDP gateway, and PDP gateway is universal according to the equipment of the information received and the object of maintenance The conditions such as grade are verified again, generate access control decision;
Object, which receives, just to be started to execute token verification process after token in access request, the specific steps are as follows:
1) object check whether comprising token and token it is whether effective;It is asked firstly, object device is checked when receiving access request It whether include token in asking;If including token in access request, and the issuing time of token is within the effective time of token, then 2) verify in next step, if not including the issuing time of token or token in access request not in the effective time of token It is interior, then it is divided into two kinds of situations:
1. request action and datagram that object allows to authorize according to the contingency table of main body IP, ID and the request action for allowing authorization Request action is matched in text, if it fails to match, current accessed is terminated, and final state and Subjective and Objective ID are sent To SDN controller, SDN controller issues update to SDN access switch according to these information received or deletes specified stream Flow entry instruction in table, then needs main body to re-execute the steps S21~S24;
2. object, which generates, to be responded and execute request action if successful match, response is back to main body;
2) object checks whether digital signature is effective in token;If signature is invalid, licensing process stops, access control decision For refusal, object is by the access time of access control decision, Subjective and Objective ID and main body < TC1:TC2> it is sent to PDP gateway;Such as Fruit signature effectively, then carries out verifying in next step 3);
3) object checks whether spatial context information meets verification condition;
If the IP address IP of main bodysIt is present in spatial context SC, is i.e. in IPs ∈ SC, then enters and verify in next step;
If the IP address of main body is not spatially hereafter in SC, i.e.,Then authentication failed, access control decision are to refuse Absolutely, object is by the access time of access control decision, Subjective and Objective ID and main body < TC1:TC2> it is sent to PDP gateway;
If verifying any step authentication failed during token, token authentication failure, then access control decision is Refusal, object is by the access time of access control decision, Subjective and Objective ID and main body < TC1:TC2> it is sent to PDP gateway;Otherwise, Token authentication is completed, then Subjective and Objective ID, request action RA and contextual information and object are allowed access time section to send by object To PDP gateway, PDP gateway allows access time Duan Jinyi according to Subjective and Objective ID, request action RA and contextual information and object Step generates specific fine-granularity access control decision;
PDP gateway is to subject role R, master/object device security level DS, the universal grade UR of equipment, data sensitive grade PU etc. Information is judged, is generated access control decision and is issued SDN controller;
1) subject role R
If the request action of PDP gateway judgement main body is present among role-permission of main body, i.e. RA ∈ R then enters next Step card;
If the request action of PDP gateway judgement main body is not present among role-permission of main body, i.e.,Then request is dynamic Make authorization failure, access control decision is refusal;
If request action authorization failure, access control decision be refusal, PDP gateway by access control decision, Subjective and Objective ID with And the access time of main body < TC1:TC2> it is sent to SDN controller;
2) equipment safety grade DS
If PDP gateway judges that the equipment safety grade DSs of main body is greater than or equal to the permitted equipment safety grade of object DSo, i.e. DSs >=DSo then enter and verify in next step;
If the equipment safety grade DS of PDP gateway judgement main bodysEquipment safety grade DS permitted less than objecto, i.e. DSs< DSo, then equipment safety grade authorization failure, access control decision are refusal;
3) the universal grade UR of equipment
If PDP gateway judges the universal grade UR of the requested equipment of main bodysGrade UR universal less than or equal to the equipment of objecto, That is URs≤URo, then enter and verify in next step;
If PDP gateway judges the universal grade UR of the requested equipment of main bodysGrade UR universal greater than the equipment of objecto, i.e. URs> URo, then equipment safety grade authorization failure, access control decision is refusal, and PDP gateway is by access control decision, Subjective and Objective ID And the access time of main body < TC1:TC2> it is sent to SDN controller;
4) Data sensitivity level PU
The PDP gateway determines the subject access level AL: if the subject's role is a specific role, AL is 2; if the subject's role is a temporary role, AL is 2;
If the PDP gateway determines that the subject's access level AL is greater than or equal to the object's data sensitivity level PU, i.e. AL ≥ PU, it proceeds to the next verification step;
If the PDP gateway determines that the subject's access level is less than the object's data sensitivity level, i.e. AL < PU, request action authorization fails, the access control decision is deny, and the PDP gateway sends the access control decision, the subject and object IDs and the subject's access time <TC1:TC2> to the SDN controller;
5) Time context
If the PDP gateway determines that the subject's access time lies within the object's allowed access time window <T1:T2>, i.e. T1 ≤ TC1 ∩ TC2 ≥ T2, the access control decision is allow, and the PDP gateway sends the access control decision, the subject and object IDs and the subject's access time <TC1:TC2> to the SDN controller;
If the PDP gateway determines that the subject's access time does not lie within the object's allowed access time window <T1:T2>, i.e. T1 ≥ TC1 ∪ TC2 ≤ T2, the access control decision is deny, and the PDP gateway sends the access control decision, the subject and object IDs and the subject's access time <TC1:TC2> to the SDN controller;
In conclusion PDP gateway verifies request action, role and contextual information one by one, last object determines whether Main body is authorized;
At the same time, PDP gateway is associated with the request action authorized is allowed by main body IP, ID and is stored among PDP gateway.
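The decision chain above, as an added Python example that is not part of the patent; the class and field names are assumptions, the five checks run in the order listed and stop at the first failure, and the time-context check implements the "lies within" relation the claim states in words.

```python
from dataclasses import dataclass

# Constructed model of the PDP gateway decision chain (not the patent's code).

@dataclass
class Subject:
    id: str
    ip: str
    role_permissions: frozenset   # R: request actions the subject's role permits
    role_kind: str                # "specific" or "temporary"
    ds: int                       # DSs: subject device security level
    ur: int                       # URs: universal level of the requested equipment
    tc1: int                      # requested access window <TC1:TC2>
    tc2: int

@dataclass
class Obj:
    id: str
    ds: int                       # DSo: device security level permitted by the object
    ur: int                       # URo: universal level of the object's equipment
    pu: int                       # PU: data sensitivity level
    t1: int                       # allowed access window <T1:T2>
    t2: int

class PDPGateway:
    def __init__(self):
        # (subject IP, subject ID) -> set of allowed, authorized request actions
        self.authorized = {}

    @staticmethod
    def access_level(subject):
        # The claim assigns AL = 2 to both the specific and the temporary role.
        return 2

    def decide(self, s, o, ra):
        """Run the checks in order; the first failure fixes the deny reason."""
        checks = [
            (ra in s.role_permissions, "request action not in role permissions"),
            (s.ds >= o.ds, "device security level too low"),
            (s.ur <= o.ur, "universal level too high"),
            (self.access_level(s) >= o.pu, "access level below data sensitivity"),
            (o.t1 <= s.tc1 and s.tc2 <= o.t2, "access time outside allowed window"),
        ]
        decision, reason = "allow", "all checks passed"
        for ok, why in checks:
            if not ok:
                decision, reason = "deny", why
                break
        if decision == "allow":
            self.authorized.setdefault((s.ip, s.id), set()).add(ra)
        # Message handed to the SDN controller: decision, IDs and <TC1:TC2>.
        return {"decision": decision, "subject_id": s.id, "object_id": o.id,
                "tc1": s.tc1, "tc2": s.tc2, "reason": reason}
```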
4. The SDN-based Internet of Things access control method according to claim 1, characterised in that S24 specifically comprises:
The steps of access control policy enforcement are as follows:
1) The PDP gateway transmits the access policy decision, the subject ID and the object ID directly to the SDN controller, and the SDN controller converts the access policy decision, subject ID and object ID into a flow_mod flow table rule;
2) Then, at time TC1, the SDN controller issues the flow table to the SDN access switch to which the object IoT device is attached; at the same time, from TC1 the subject may begin sending the data flow of its lawful permissions to the object, which may also contain data flows of unlawful permissions; when the data flow reaches the SDN access switch, the switch filters the packets against the flow entries in the flow table;
A. If the access control decision is "allow", the action is "forward" to the output PDP gateway;
B. If the access control decision is "deny", the action is "drop" or "redirect" to the SDN controller, and the SDN controller analyses the packet;
If a packet matches no flow entry in the flow table, it is sent to the controller through a secure channel, obtains a new forwarding rule and is forwarded to the PDP gateway;
3) When the PDP gateway receives a packet, it forwards the subject ID corresponding to the IP in the packet header, together with the allowed, authorized request actions, to the object along with the packet; the object determines whether the packet contains a token;
1. If the packet contains a token, the subject must re-execute steps S21~S24;
2. If the packet does not contain a token, the object matches the request action in the data message against the allowed, authorized request actions;
a. If the match fails, the object cannot execute the request action; the access terminates, and the final state and the subject and object IDs are sent to the SDN controller, which, according to the information received, issues to the SDN access switch an instruction to update or delete the flow entry in the specified flow table; the subject must subsequently perform steps S21~S24;
b. If the match succeeds, the object generates a response, executes the request action, and returns the response to the subject;
4) At time TC2, the SDN controller automatically issues to the SDN access switch an instruction to update or delete the flow entry in the specified flow table.
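The enforcement steps S24 above, simulated as an added Python example that is neither the patent's nor any SDN controller's code; the flow-entry layout, the action strings and the switch and object helpers are assumptions modelled on the claim's wording.

```python
# Constructed simulation of policy enforcement: decision -> flow entry -> switch
# filtering -> object-side request-action matching (not the patent's code).

def to_flow_entry(decision_msg):
    """Step 1): the controller turns a PDP decision into a flow_mod-like rule
    keyed on subject ID and object ID; "allow" forwards to the PDP gateway,
    "deny" drops (the claim also permits redirecting to the controller)."""
    action = "forward:pdp_gateway" if decision_msg["decision"] == "allow" else "drop"
    return {"match": (decision_msg["subject_id"], decision_msg["object_id"]),
            "action": action,
            "tc1": decision_msg["tc1"], "tc2": decision_msg["tc2"]}

class AccessSwitch:
    """SDN access switch holding the flow entries issued by the controller."""
    def __init__(self):
        self.flow_table = {}

    def install(self, entry):
        self.flow_table[entry["match"]] = entry

    def filter(self, packet, now):
        # Step 4): at TC2 the controller deletes the entry; modelled as expiry.
        self.flow_table = {k: e for k, e in self.flow_table.items() if now < e["tc2"]}
        entry = self.flow_table.get((packet["subject_id"], packet["object_id"]))
        if entry is None or now < entry["tc1"]:
            # No matching entry (or not yet active at TC1): packet goes to the
            # controller over the secure channel for a new forwarding rule.
            return "to_controller"
        return entry["action"]

def object_handle(packet, allowed_actions):
    """Step 3): a packet carrying a token restarts S21~S24; otherwise the
    request action must match the allowed, authorized actions from the PDP."""
    if packet.get("token") is not None:
        return "restart_S21_S24"
    if packet["request_action"] not in allowed_actions:
        return "match_failed"        # access ends; controller updates the flow table
    return "executed"                # object executes the action and responds
```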
Publications (2)

Publication Number Publication Date
CN109951485A true CN109951485A (en) 2019-06-28
CN109951485B CN109951485B (en) 2021-03-16

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20220519

Address after: 901, 8 / F, building 2, yard 30, Shixing street, Shijingshan District, Beijing

Patentee after: KYLAND TECHNOLOGY Co.,Ltd.

Address before: 400065 Chongqing Nan'an District huangjuezhen pass Chongwen Road No. 2

Patentee before: CHONGQING University OF POSTS AND TELECOMMUNICATIONS