TW202349917A - A remote node controlling management platform - Google Patents
- Publication number: TW202349917A
- Authority: TW (Taiwan)
- Prior art keywords: packet, node, control, data, registration
Description
The present invention relates to a network device packet processing method, and in particular to a remote node control and management platform.
With the rise of the Internet of Things, most devices now offer network connectivity. For cost reasons, most small network devices have no hardware cryptographic support and therefore transmit in cleartext. Enterprise security requirements are becoming stricter, and because cleartext packets are easy to tamper with, devices that transmit in cleartext are increasingly required to use a more secure transport. The mainstream secure transport today is TLS, but on small devices with limited computing power TLS adds transmission latency; the only remedy is more capable hardware, which raises cost and hinders adoption.
The problem addressed here is therefore how to provide a network packet processing method that lets devices with limited computing power transmit data securely, preventing packets from being tampered with or intercepted and replayed; that guarantees data reaches both the device node and the intermediary host without being dropped when the network is unstable; and that, when data is retransmitted after a network fault, ensures the same data is received only once, so that transmission is stable.
One object of the present invention is to provide a remote node control and management platform. Its packet processing method transmits data under a device signing protocol, so that a received packet is guaranteed not to have been tampered with, and the protocol's validity period ensures that a packet is valid only within a given time window. Guaranteed delivery, together with receive-once handling of the same packet, makes transmission secure and stable. In addition, the device node periodically sends heartbeat request packets to the intermediary host, which uses a timeout judgment module to decide whether the node has disconnected and returns heartbeat response packets to the node.
A remote node control and management platform of the present invention comprises an intermediary host and at least one device node.
The device node includes a node-side registration module, a heartbeat module, a node-side data sending module and a node-side data receiving module.
The node-side registration module transmits the device node's registration data to the intermediary host under the device signing protocol. The registration data includes a dynamically generated random token; from this token and the original device private key a new temporary device private key is derived, and from then on both the device node and the intermediary host sign with this temporary key. Even if the temporary key is compromised, the original device private key cannot be recovered from it (a property that depends on the derivation being one-way; the page does not name the derivation function), which considerably improves security. When the device node receives the DATAACK packet returned by the intermediary host, it starts the heartbeat module, the node-side data sending module and the node-side data receiving module. When it receives a DATAERR packet, or no DATAACK packet arrives before the timeout, it retransmits the registration packet.
Once the device node has successfully registered with the intermediary host, its heartbeat module sends heartbeat request packets to the intermediary host at regular intervals.
The node-side data sending module sends control/update packets to the intermediary host. Every control/update item to be sent is appended to the tail of a queue; the head item is then taken, packed into a control/update packet under the device signing protocol and sent to the intermediary host. When the DATAACK packet returned by the host is received, the head item is removed from the queue and the new head item is sent, until the queue is empty. When a DATAERR packet is received, or no DATAACK packet arrives before the timeout, the head item of the queue is retransmitted.
The node-side data receiving module receives the control/update packets sent by the intermediary host and decides whether each is a legitimate control/update packet; if it is, the module returns a DATAACK packet to the host, otherwise it returns a DATAERR packet. For a legitimate packet the module also compares its data ID field with that of the previously received control/update packet: if the values match, the newly received packet is discarded; if they differ, the control/update data it carries is processed.
The intermediary host includes an intermediary-side registration module, a timeout judgment module, an intermediary-side data sending module and an intermediary-side data receiving module.
The intermediary-side registration module receives registration packets from device nodes; when it receives a legitimate registration packet it responds with a DATAACK packet, otherwise with a DATAERR packet.
The timeout judgment module of the intermediary host checks whether the heartbeat request packets from a device node arrive on schedule. When a heartbeat request packet arrives, it returns a heartbeat response packet to the node; if no heartbeat request packet arrives before the timeout, it closes the node's network connection.
The intermediary-side data sending module sends control/update packets to the device node. Every control/update item to be sent is appended to the tail of a queue; the head item is then taken, packed into a control/update packet under the device signing protocol and sent. When the DATAACK packet returned by the device node is received, the head item is removed from the queue and the new head item is sent, until the queue is empty. When a DATAERR packet is received, or no DATAACK packet arrives before the timeout, the head item of the queue is retransmitted.
The intermediary-side data receiving module receives the control/update packets sent by the device node and decides whether each is a legitimate control/update packet; if it is, the module returns a DATAACK packet to the device node, otherwise it returns a DATAERR packet. For a legitimate packet the module also compares its data ID field with that of the previously received control/update packet: if the values match, the newly received packet is discarded; if they differ, the control/update data it carries is processed.
The present invention is a remote node control and management platform. Figure 1 shows the implementation environment and functional modules of an embodiment: a device node 10 connects over the network to an intermediary host 20. The environment comprises an intermediary host 20 and at least one device node 10.
Referring to Figure 1, the device node 10 includes a node-side registration module 100, a heartbeat module 101, a node-side data sending module 102 and a node-side data receiving module 103. The node-side registration module 100 transmits the device node's registration data to the intermediary host under the device signing protocol. In this embodiment the device node 10 and the intermediary host 20 hold the same device private key (a symmetric secret shared by both parties, so the "signature" functions as a message authentication code). Figure 2 shows the registration packet format of the device signing protocol. The node-side registration module 100 produces a device node registration packet P30A; a complete packet P30A consists of a start field P300A, a registration type field P301A, a registration data field P302A and an end field P303A. The registration data field P302A consists of a registration ID field P3020A and a registration content field P3021A. The registration content field P3021A consists of a header field P30210A, a registration carrier field P30211A and a signature field P30212A. The header field P30210A carries the device signature algorithm; the registration carrier field P30211A carries the registration data and a dynamically generated random token, from which, together with the original device private key, a temporary device private key is derived; the signature field P30212A is computed by the signature algorithm over the header field P30210A and the registration carrier field P30211A using the temporary device private key.
Figure 5 is the device node registration/heartbeat flow chart for the node-side registration module 100 and heartbeat module 101 of the device node 10; Figure 6 is the intermediary host registration/timeout judgment flow chart for the intermediary-side registration module 200 and timeout judgment module 201 of the intermediary host 20. To follow how the registration flow between device node 10 and intermediary host 20, the heartbeat flow of the node and the timeout judgment flow of the host fit together, refer to Figures 5 and 6 together. In this embodiment, in step S400 the node-side registration module 100 sends the generated registration packet P30A over the network to the intermediary host 20.
In step S500 the intermediary-side registration module 200 determines whether the received registration packet is legitimate. If it is, step S501 sends the data confirmation packet (DATAACK packet) P30A1 of Figure 2 to the device node; a complete DATAACK packet P30A1 consists of a start field P300A1, a DATAACK field P301A1, a registration ID field P302A1 and an end field P303A1. Otherwise step S502 sends an invalid data packet (DATAERR packet) P30A2; a complete DATAERR packet P30A2 consists of a start field P300A2, a DATAERR field P301A2, a registration ID field P302A2 and an end field P303A2.
In step S503 the intermediary-side registration module 200 sends an intermediary host registration packet containing the timeout value to the device node 10. This packet has the format of the complete registration packet P30A of Figure 2 described above, which is not repeated here.
In step S401 the node-side registration module 100 examines the packet returned by the intermediary host 20. If it receives a DATAERR packet P30A2, or no DATAACK packet P30A1 arrives before the timeout, it executes step S402 and waits for re-registration; when the re-registration wait expires, it re-executes step S400 and resends the registration packet to the intermediary host 20.
When the node-side registration module 100 receives the DATAACK packet P30A1, in step S403 the device node 10 waits for the intermediary host registration packet containing the timeout value sent by the intermediary host 20. In step S404 the heartbeat module 101 uses the received timeout value to send heartbeat request packets to the intermediary host 20 at regular intervals. Referring to Figure 3, a complete heartbeat request packet P30B consists of a start field P300B, a heartbeat request type field P301B and an end field P303B.
In step S504 the timeout judgment module 201 determines whether a heartbeat request packet arrives within the timeout. If it does, step S505 returns a heartbeat response packet P30B1 to the device node; referring to Figure 3, a complete heartbeat response packet P30B1 consists of a start field P300B1, a heartbeat response field P301B1 and an end field P303B1. The module then returns to step S504 to wait for the next heartbeat packet. If no heartbeat request packet arrives before the timeout, step S506 closes the device node's connection.
Figure 7 is the guaranteed-delivery sending flow chart for the node-side data sending module 102 of the device node 10 and the intermediary-side data sending module 202 of the intermediary host 20. Since both modules follow the same flow, the node-side data sending module 102 is used as the example.
In step S600 the node-side data sending module 102 appends the control/update data to be sent to the tail of the queue and increments the data ID by 1. Step S602 then takes the head item from the queue, packs it into a control/update packet under the device signing protocol and sends it to the intermediary host 20. Referring to Figure 4, a complete control/update packet P30C consists of a start field P300C, a data type field P301C, a control/update data field P302C and an end field P303C. The control/update data field P302C consists of a data ID field P3020C and a control/update content field P3021C. The control/update content field P3021C consists of a header field P30210C, a control/update carrier field P30211C and a signature field P30212C. The header field P30210C carries the device signature algorithm and the signature type, the latter indicating whether the content of the control/update carrier field P30211C is encrypted or not; the control/update carrier field P30211C carries the control/update command and its validity period. The signature field P30212C is computed by the signature algorithm over the header field P30210C and the control/update carrier field P30211C using the temporary device private key.
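The device signing protocol as the description lays it out (a device private key shared by node and host, a registration token from which a temporary key is derived, a signature over header plus carrier, and a validity period in the carrier) can be exercised end to end. The following is an added example and not code from the patent or its applicant. The page names no concrete algorithms, so HMAC-SHA256 stands in both for the "device signature algorithm" and for the token-to-temporary-key derivation; JSON dictionaries stand in for the P30A/P30C field layouts; and the key bytes, registration data and commands are constructed test data.

```python
import hashlib
import hmac
import json
import os
import time

# Constructed example key: the "device private key" the page says both the device
# node and the intermediary host hold. Provisioned per device in a real deployment.
DEVICE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
ALG = "HMAC-SHA256"  # assumed value for the header's "device signature algorithm" field


def derive_temp_key(device_key: bytes, token: bytes) -> bytes:
    """Temporary device key from the original key and the registration token.
    The page only says the token 'generates a new temporary key with the original
    device private key'; using HMAC-SHA256 for that derivation is this example's assumption."""
    return hmac.new(device_key, b"temp-device-key" + token, hashlib.sha256).digest()


def _canonical(header: dict, carrier: dict) -> bytes:
    # Both sides must MAC identical bytes, so encode header and carrier canonically.
    return json.dumps([header, carrier], sort_keys=True, separators=(",", ":")).encode()


def sign(header: dict, carrier: dict, key: bytes) -> str:
    return hmac.new(key, _canonical(header, carrier), hashlib.sha256).hexdigest()


def build_registration(device_key: bytes, registration_data: dict, reg_id: int, token=None):
    """P30A: header (algorithm) + carrier (registration data, token) + signature.
    Returns the packet and the temporary key both sides will use from now on."""
    token = token or os.urandom(16)
    temp_key = derive_temp_key(device_key, token)
    header = {"alg": ALG}
    carrier = {"registration": registration_data, "token": token.hex()}
    content = {"header": header, "carrier": carrier, "sig": sign(header, carrier, temp_key)}
    return {"type": "REGISTER", "reg_id": reg_id, "content": content}, temp_key


def host_accept_registration(device_key: bytes, packet: dict):
    """Host side of step S500: recompute the temporary key from the carried token
    and verify the signature. Returns (accepted, temp_key_or_None)."""
    c = packet["content"]
    temp_key = derive_temp_key(device_key, bytes.fromhex(c["carrier"]["token"]))
    ok = hmac.compare_digest(c["sig"], sign(c["header"], c["carrier"], temp_key))
    return ok, (temp_key if ok else None)


def build_control(temp_key: bytes, data_id: int, command: dict, valid_for_s: int,
                  now=None, encrypted=False):
    """P30C: data ID plus content whose header carries algorithm and signature type
    and whose carrier carries the command and its validity period (absolute deadline)."""
    now = time.time() if now is None else now
    header = {"alg": ALG, "sig_type": "encrypted" if encrypted else "plain"}
    carrier = {"command": command, "not_after": int(now) + valid_for_s}
    return {"type": "CONTROL", "data_id": data_id,
            "content": {"header": header, "carrier": carrier,
                        "sig": sign(header, carrier, temp_key)}}


def verify_control(temp_key: bytes, packet: dict, now=None) -> str:
    """Step S702: returns 'ok', 'bad_signature' or 'expired'. Signature first, so a
    forged deadline cannot influence the decision."""
    now = time.time() if now is None else now
    c = packet["content"]
    if not hmac.compare_digest(c["sig"], sign(c["header"], c["carrier"], temp_key)):
        return "bad_signature"
    if now > c["carrier"]["not_after"]:
        return "expired"
    return "ok"
```

Because the token travels in the registration carrier, the host needs nothing beyond the shared device key to rederive the temporary key; a tampered command, a changed deadline or a packet signed under another session's key all fail the signature check, and a captured packet is rejected once its validity period has passed. Within that window, the receive-once handling of steps S703 to S706 is what keeps a retransmitted or replayed copy from being processed twice.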
In step S603 the node-side data sending module 102 checks whether, within the timeout, it has received the DATAACK packet P30C1 of Figure 4 (a complete DATAACK packet P30C1 consists of a start field P300C1, a DATAACK field P301C1, a data ID field P302C1 and an end field P303C1) or the DATAERR packet P30C2 (a complete DATAERR packet P30C2 consists of a start field P300C2, a DATAERR field P301C2, a data ID field P302C2 and an end field P303C2). If neither arrives within the timeout, step S604 re-registers the device node with the intermediary host and waits for re-registration: the node-side data sending module 102 hands over to the node-side registration module 100 to re-register the device node 10, whereas the intermediary-side data sending module 202 hands over to the intermediary-side registration module 200 to wait for the device node 10 to re-register. In step S601 the node-side registration module 100 waits for registration to succeed; once the device node 10 is registered again, step S602 is re-executed and the node-side data sending module 102 resends the head item of the queue.
When in step S605 the node-side data sending module 102 determines that the received packet is a DATAERR packet P30C2, it executes step S602 and resends the head item of the queue. When the received packet is a DATAACK packet P30C1, step S606 removes the head item from the queue.
In step S607 the node-side data sending module 102 checks whether the queue size is greater than 0. If it is, the module re-executes step S602, taking the new head item and sending it, until all queued control/update data has been sent.
Figure 8 is the receive-once flow chart for the node-side data receiving module 103 of the device node 10 and the intermediary-side data receiving module 203 of the intermediary host 20. Since both modules follow the same flow, the node-side data receiving module 103 is used as the example.
In step S700 the node-side data receiving module 103 receives a control/update packet, and in step S701 it checks whether the packet format matches the P30C format of Figure 4. If it does not, step S704 sends a DATAERR packet P30C2.
In step S702 the node-side data receiving module 103 verifies the signature and the validity period of the control/update content (P3021C of Figure 4). If the signature is invalid or the validity period has passed, step S704 sends a DATAERR packet P30C2.
In step S703 the node-side data receiving module 103 examines the data ID field (P3020C of Figure 4). If the received data ID equals that of the previous packet, step S706 sends a DATAACK packet P30C1; the duplicate is acknowledged but not processed again.
If the received data ID differs from that of the previous packet, step S705 sends a DATAACK packet P30C1, and step S707 then processes the control/update data carried by the packet.
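The sending flow of Figure 7 (steps S600 to S607) and the receive-once flow of Figure 8 (steps S700 to S707) together form a stop-and-wait exchange with one outstanding packet. The following added example, which is illustrative code and not the patent's own, simulates both sides over a channel that loses acknowledgements. Packets are plain dictionaries, so only the format check of step S701 is modelled and the signature and validity check of step S702 is left out; the commands and the loss pattern are constructed.

```python
from collections import deque

DATAACK, DATAERR = "DATAACK", "DATAERR"


class Sender:
    """Data sending module (node side or intermediary side), steps S600-S607.
    One packet is outstanding at a time; the queue head is resent until it is acked."""

    def __init__(self):
        self.queue = deque()
        self.data_id = 0

    def enqueue(self, command):
        # S600: append to the tail and bump the data ID by 1
        self.data_id += 1
        self.queue.append({"type": "CONTROL", "data_id": self.data_id, "command": command})

    def head(self):
        # S602: whatever is sent is always the current queue head
        return self.queue[0] if self.queue else None

    def on_response(self, resp):
        """S603/S605/S606. resp is None when nothing arrived before the timeout."""
        head = self.head()
        if head is None:
            return "idle"
        if resp is None:
            return "reregister"          # S604: re-register, then resend the head
        if resp["type"] == DATAACK and resp["data_id"] == head["data_id"]:
            self.queue.popleft()         # S606: delivered, drop the head
            return "acked"
        return "resend"                  # DATAERR (or an ack for the wrong ID)


class Receiver:
    """Data receiving module, steps S700-S707: validate, ack, process at most once."""

    REQUIRED = ("type", "data_id", "command")

    def __init__(self):
        self.last_id = None
        self.processed = []

    def on_packet(self, pkt):
        if pkt.get("type") != "CONTROL" or any(k not in pkt for k in self.REQUIRED):
            return {"type": DATAERR, "data_id": pkt.get("data_id")}      # S701 -> S704
        if pkt["data_id"] == self.last_id:
            # S703 -> S706: same data ID as the previous packet, i.e. a retransmission
            # whose ack was lost. Ack it again (so the sender advances) but do not
            # process it a second time. The page compares only against the previous
            # ID; that is sufficient here because the sender never has two in flight.
            return {"type": DATAACK, "data_id": pkt["data_id"]}
        self.last_id = pkt["data_id"]
        self.processed.append(pkt["command"])                            # S705 -> S707
        return {"type": DATAACK, "data_id": pkt["data_id"]}


def run_exchange(commands, drop_acks_at=()):
    """Drive a Sender and a Receiver over a channel that loses the acknowledgements
    whose 0-based transmission index is in drop_acks_at. Returns the commands the
    receiver actually processed and the number of transmissions it took."""
    sender, receiver = Sender(), Receiver()
    for c in commands:
        sender.enqueue(c)
    tx = 0
    while sender.head() is not None:
        resp = receiver.on_packet(dict(sender.head()))
        if tx in drop_acks_at:
            resp = None                  # ack lost in transit: sender sees a timeout
        tx += 1
        sender.on_response(resp)         # after "reregister" the loop resends the head
    return receiver.processed, tx
```

With the acknowledgement of the second command dropped, the receiver processes the second command once, sees its retransmission carry the same data ID, acknowledges it without reprocessing, and the sender then moves on; three commands take four transmissions. Acknowledging the duplicate rather than returning DATAERR matters, because a DATAERR would make the sender resend the same head item indefinitely.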
The remote node control and management platform of this application therefore provides a network packet processing method that lets network devices with limited computing power transmit data securely, preventing packets from being tampered with or intercepted and replayed; that guarantees data reaches both the device node and the intermediary host without being dropped when the network is unstable; and that, when data is retransmitted after a network fault, ensures the same data is received only once, thereby achieving all of the above objects.
Although the present invention has been disclosed above by way of preferred embodiments, these are not intended to limit it. Anyone skilled in the art may make minor changes and refinements without departing from the spirit and scope of the invention, so the scope of protection is that defined by the appended claims.
10: device node
100: node-side registration module
101: heartbeat module
102: node-side data sending module
103: node-side data receiving module
20: intermediary host
200: intermediary-side registration module
201: timeout judgment module
202: intermediary-side data sending module
203: intermediary-side data receiving module
Figure 1: implementation environment and functional modules of an embodiment of the remote node control and management platform of the present invention.
Figure 2: registration packet format of the embodiment.
Figure 3: heartbeat packet format of the embodiment.
Figure 4: control/update packet format of the embodiment.
Figure 5: device node registration/heartbeat flow chart of the embodiment.
Figure 6: intermediary host registration/timeout judgment flow chart of the embodiment.
Figure 7: guaranteed-delivery sending flow chart of the embodiment.
Figure 8: receive-once flow chart of the embodiment.
Claims (24)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
TW111120482A TWI810957B (en) | 2022-06-01 | 2022-06-01 | A remote node controlling management platform |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
TW111120482A TWI810957B (en) | 2022-06-01 | 2022-06-01 | A remote node controlling management platform |
Publications (2)
Publication Number | Publication Date |
---|---|
TWI810957B TWI810957B (en) | 2023-08-01 |
TW202349917A true TW202349917A (en) | 2023-12-16 |
Family
ID=88585589
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
TW111120482A TWI810957B (en) | 2022-06-01 | 2022-06-01 | A remote node controlling management platform |
Country Status (1)
Country | Link |
---|---|
TW (1) | TWI810957B (en) |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2002207426A (en) * | 2001-01-10 | 2002-07-26 | Sony Corp | System and method for issuing public key certificate, electronic certification device, and program storage medium |
US9253274B2 (en) * | 2007-01-19 | 2016-02-02 | Cisco Technology, Inc. | Service insertion architecture |
CN109995873A (en) * | 2019-04-10 | 2019-07-09 | 阿里巴巴集团控股有限公司 | A kind of management client, equipment monitoring system and method |
- 2022-06-01: TW TW111120482A (TWI810957B), active
Also Published As
Publication number | Publication date |
---|---|
TWI810957B (en) | 2023-08-01 |