WO2023134557A1 - Processing method and apparatus based on industrial internet identifier - Google Patents

Processing method and apparatus based on industrial internet identifier Download PDF

Info

Publication number
WO2023134557A1
WO2023134557A1 PCT/CN2023/070847 CN2023070847W WO2023134557A1 WO 2023134557 A1 WO2023134557 A1 WO 2023134557A1 CN 2023070847 W CN2023070847 W CN 2023070847W WO 2023134557 A1 WO2023134557 A1 WO 2023134557A1
Authority
WO
WIPO (PCT)
Prior art keywords
message
industrial internet
authentication
identifier
identification
Prior art date
Application number
PCT/CN2023/070847
Other languages
French (fr)
Chinese (zh)
Inventor
张镇伟
Original Assignee
华为技术有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 华为技术有限公司 filed Critical 华为技术有限公司
Publication of WO2023134557A1 publication Critical patent/WO2023134557A1/en

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00Network arrangements, protocols or services for addressing or naming
    • H04L61/30Managing network names, e.g. use of aliases or nicknames
    • H04L61/3015Name registration, generation or assignment

Definitions

  • the present application relates to the communication field, and in particular to a processing method and device based on industrial Internet identification.
  • Industrial Internet identifiers refer to identifiers that can uniquely identify physical resources and virtual resources. Physical resources include but are not limited to machines and products, and virtual resources include but not limited to algorithms and processes.
  • the data corresponding to the Industrial Internet logo can be managed in an organized manner through the Industrial Internet logo, so as to realize cross-enterprise, cross-industry, cross-regional, and even cross-country data sharing.
  • the industrial Internet identity can be carried by an active identity carrier, and the active identity carrier can embed the industrial Internet identity of the device into the device.
  • the Industrial Internet logo consists of two parts, namely the logo prefix and the logo suffix. An ID prefix is used to identify a unique business principal, and an ID suffix is used to identify a unique resource.
  • the embodiment of this application provides a processing method based on the Industrial Internet ID, which can write the Industrial Internet ID corresponding to the device into the device.
  • the embodiment of the present application provides a processing method based on an Industrial Internet ID, which can be executed by a first device, and the first device can correspond to a device that needs to write an Industrial Internet ID.
  • the first device may send a first message to the second device, where the first message is used to apply for an Industrial Internet ID for the first device, where the second device is a network manager or a network admission controller.
  • the first device may receive a second message sent by the second device, where the second message indicates a result of applying for an Industrial Internet ID for the first device.
  • the first device may write the target industrial Internet identifier into the first device based on the second message.
  • the second device is a network management or network access controller, so using this solution, there is no need to purchase a private active identification carrier service platform, and there is no risk of being unable to apply for an industrial Internet identification.
  • enterprise nodes also The first device can write the target industrial Internet identifier into the device without managing a very large number of secure access accounts.
  • the first message sent by the first device to the second device may include the target Industrial Internet identifier.
  • the first device may first obtain the target Industrial Internet identifier, then obtain the first message including the target Industrial Internet identifier, and then send the first message to the second device.
  • the first message is used to request to register the target industrial internet identifier for the first device.
  • the first device may send the first message including the target Industrial Internet identifier to the second device when it has an initial Industrial Internet identifier.
  • the first device when it obtains the target industrial Internet identifier, it may first obtain the first prefix during specific implementation, where the first prefix may be, for example, the prefix corresponding to the enterprise that purchased the first device. Then, the first device may obtain the target Industrial Internet identifier based on the first prefix and the initial Industrial Internet identifier of the first device. For example, the prefix in the initial Industrial Internet identifier is replaced with the first prefix, so as to obtain the target Industrial Internet identifier.
  • the first device may obtain the first prefix from extended information of a Dynamic Host Configuration Protocol (Dynamic Host Configuration Protocol, DHCP) option (option). Specifically, the first device may obtain the extended information of the DHCP option when obtaining an Internet Protocol (Internet Protocol, IP) address through a DHCP server, so as to obtain the first prefix.
  • DHCP Dynamic Host Configuration Protocol
  • the first message carries the initial Industrial Internet identifier of the first device.
  • the second device may determine the target Industrial Internet identity based on the initial Industrial Internet identity, and request to register the target Industrial Internet identity.
  • the second device may be pre-configured with a first prefix, and after receiving the first message, the second device may, based on the initial Industrial Internet identifier in the first message and the first prefix , obtain the target Industrial Internet ID, and then request to register the target Industrial Internet ID. After the target Industrial Internet ID is successfully registered, the second device may send a second message carrying the target Industrial Internet ID to the first device.
  • the first message is used to request allocation of an industrial Internet identifier for the first device. For example, if the first device does not have an initial Industrial Internet ID, the first device sends to the second device a first message for requesting allocation of an Industrial Internet ID for the first device.
  • the second message includes the target Industrial Internet identifier
  • the first device may parse the second message to obtain the target Industrial Internet ID, so as to further write the target industrial Internet ID into the first device.
  • the first device does not have an initial Industrial Internet ID
  • the first device sends a first message to the second device requesting to assign an Industrial Internet ID to the first device, and receives the first message The second message carrying the target Industrial Internet identifier sent by the second device.
  • the first device has an initial Industrial Internet ID
  • the second device may be pre-configured with a first prefix
  • the second device may Based on the initial industrial internet identifier in the first message and the first prefix, a target industrial internet identifier is obtained, and then registration of the target industrial internet identifier is requested.
  • the second device may send a second message carrying the target Industrial Internet ID to the first device.
  • the second device when the second device is a network admission controller, when the first device does not write the target Industrial Internet identifier into the first device, the second device may be the The first device determines the corresponding network access right. In this case, before sending the first message to the second device, the first device may also send a first authentication message to the second device, so as to obtain permission to access the network.
  • the first authentication message includes the initial Industrial Internet identifier.
  • the second device determines the network access right of the first device based on the initial industrial Internet identifier.
  • the second device when the second device is a network admission controller, after the first device writes the target Industrial Internet identifier into the first device, the first device may The target Industrial Internet ID performs re-authentication, so as to obtain the network access authority corresponding to the target Industrial Internet ID.
  • the first device after the first device writes the target industrial Internet identifier into the first device, it can send a second authentication message to the second device, and the second authentication message includes the target industrial Internet Internet identifier, so as to obtain the network access authority corresponding to the target industrial Internet identifier.
  • the first device may also obtain indication information, where the indication information is used to indicate to apply for an industrial Internet identifier for the first device. After the first device obtains the indication information, it may trigger the operation of applying for an Industrial Internet ID (that is, send the first message) based on the indication information. In this way, the first device can actively trigger the operation of applying for an Industrial Internet ID based on the indication information without manual configuration.
  • the indication information may be carried in DHCP option extension information.
  • the first device may obtain the extended information of the DHCP option when obtaining the IP address through the DHCP server. Further, the first device can obtain the indication information by parsing the extension information of the DHCP option.
  • the first message is an authentication message.
  • the first message may also be used to apply for an Industrial Internet ID for the first device.
  • the security authentication of the first device may be divided into two stages, and the authentication message mentioned here may be the authentication message of the first stage.
  • the security authentication of the first device is divided into two stages, and after the first stage of security authentication is passed, the first device can apply to the second device (network admission controller) for a second Stage security authentication information, such as the certificate required for the second stage security authentication.
  • the second device may include the target Industrial Internet identifier in the security authentication information and send it to the first device.
  • the aforementioned second message may be security authentication information carrying the target industrial Internet information.
  • the second device may determine the target industrial Internet identifier before carrying the target industrial Internet identifier in the security authentication information and sending it to the first device. There are many ways for the second device to determine the target Industrial Internet ID.
  • the second device may request the third device (corresponding to the enterprise node) to assign an Industrial Internet ID to the first device, so as to obtain the target Industrial Internet ID;
  • the first message may include an initial Industrial Internet ID, and the second device is configured with a first prefix, then the second device may be based on the initial Industrial Internet ID and the first prefix to obtain the target industrial Internet identifier.
  • the second device obtains the target Industrial Internet ID, it also needs to request registration of the target Industrial Internet ID from the third device, and after the target Industrial Internet ID is successfully registered, the target Industrial Internet ID carried in the security authentication information and sent to the first device.
  • the embodiment of the present application provides a processing method based on industrial Internet identification, which is applied to a second device, and the second device is a network manager or a network admission controller.
  • the second device may receive the first message sent by the first device, the first message is used to apply for an Industrial Internet ID for the first device, and then the second device sends a second message to the third device, the The second message is used to apply for an Industrial Internet identifier for the first device, and the second message includes device information of the first device.
  • the second device sends the second message to the third device, it may receive a third message sent by the third device for the second message, and send the third message to the first device.
  • the third message indicates a result of applying for an Industrial Internet ID for the first device.
  • the second device is a network management or network access controller, there is no need to purchase a private active identification carrier service platform, and there is no risk of being unable to apply for an industrial Internet identification.
  • enterprises The node does not need to manage a very large number of secure access accounts, and the first device can write the target industrial Internet identifier into the device.
  • the first message includes the target Industrial Internet identifier.
  • the third message includes the target Industrial Internet identifier.
  • the first device may parse the third message to obtain the target Industrial Internet identifier, so as to further write the target Industrial Internet identifier into the first device.
  • the second device may also receive a first authentication message sent by the first device, and determine the first authentication message according to the first authentication message 1st network access for .
  • the second device may also receive a second authentication message sent by the first device, and the second authentication message Including the target Industrial Internet identifier, and determining the second network access right of the first device according to the second authentication message.
  • the first message carries the initial Industrial Internet identifier of the first device.
  • the first message is an authentication message.
  • the first device may send a first message to the second device to request the allocation of an Industrial Internet ID for the first device
  • the second device may process the first message, for example, add the device information of the first device to the first message to obtain a second message, and the second message is used to request the allocation of an industrial Internet identifier for the first device .
  • the first device has an initial Industrial Internet ID
  • the second device can obtain a second message including the target Industrial Internet ID based on the first message, and send the second message to Send it to the third device, thereby requesting the third device to register the target industrial Internet identifier for the first device.
  • the second device may obtain the second message including the target industrial Internet identifier based on the first message.
  • the second message including the target Industrial Internet identifier is obtained based on the first message.
  • the second device may obtain the pre-configured first prefix and the device information of the first device, and based on the The first prefix and the initial Industrial Internet ID obtain the target Industrial Internet ID, and then, based on the target Industrial Internet ID and the device information, obtain the second IP address including the device information and the target Industrial Internet ID. information.
  • the embodiment of the present application provides a processing device based on industrial Internet identification, which is applied to the first device, and the device includes: a sending unit, configured to send a first message to the second device, and the first message It is used to apply for an industrial Internet identifier for the first device, and the second device is a network manager or a network admission controller; a receiving unit is used to receive a second message sent by the second device, and the second message indicates A result of applying for an Industrial Internet ID for the first device; a processing unit configured to write a target Industrial Internet ID into the first device based on the second message.
  • the sending unit is configured to: send a first message carrying the target industrial Internet identifier to the second device, where the first message is used to request registration of the target industrial Internet Internet logo.
  • the processing unit is further configured to: obtain the first prefix in the extended information of the DHCP option option of the Dynamic Host Configuration Protocol; Internet identifier, to obtain the target industrial Internet identifier.
  • the first message carries the initial Industrial Internet identifier of the first device.
  • the first message is used to request allocation of an industrial internet identifier for the first device.
  • the second message includes the target Industrial Internet identifier.
  • the sending unit is further configured to: before sending the first message, send a first authentication message to the second device, so as to obtain a network access permission.
  • the first authentication message includes the initial Industrial Internet identifier.
  • the sending unit is further configured to: send a second authentication message to the second device, where the second authentication message includes the target industrial Internet identifier.
  • the processing unit is further configured to: acquire indication information, where the indication information is used to instruct to apply for an industrial Internet identifier for the first device.
  • the indication information is carried in DHCP option extension information.
  • the first message is an authentication message.
  • the receiving unit is configured to: receive security authentication information sent by the network admission controller, where the security authentication information includes the target industrial Internet identifier.
  • the embodiment of the present application provides a processing device based on industrial Internet identification, which is applied to a second device, the second device is a network manager or a network admission controller, and the device includes: a receiving unit configured to receiving a first message sent by the first device, the first message is used to apply for an Industrial Internet ID for the first device; a sending unit is used to send the second message to a third device, and the second message uses For applying for an Industrial Internet ID for the first device, the second message includes device information of the first device; the receiving unit is further configured to receive a third message, the third message indicates that the first device is A result of a device applying for an Industrial Internet ID; the sending unit is further configured to send the third message to the first device.
  • the first message includes the target Industrial Internet identifier.
  • the third message includes the target Industrial Internet identifier.
  • the receiving unit is further configured to: receive a first authentication message sent by the first device before receiving the first message; the apparatus further includes a processing unit configured to Determine the first network access right of the first device according to the first authentication message.
  • the receiving unit is further configured to receive a second authentication message sent by the first device, where the second authentication message includes the target Industrial Internet identifier; the device includes The processing unit is configured to determine the second network access right of the first device according to the second authentication message.
  • the first message includes an initial Industrial Internet identifier of the first device.
  • the first message is an authentication message.
  • the second message is used to request to assign an industrial internet identifier to the first device.
  • the second message is used to request to register the target industrial internet identifier for the first device.
  • the second message is obtained based on the following methods: obtaining a pre-configured first prefix and the device information of the first device; based on the first prefix and the initial Industrial Internet identifier , to obtain the target Industrial Internet ID; based on the target Industrial Internet ID and the device information, obtain a second message including the device information and the target Industrial Internet ID, and the second message is used to request for the The first device registers the target industrial Internet identifier.
  • the embodiment of the present application provides a processing system based on Industrial Internet identification, the system includes a first device and a second device; the first device is used to send a first message to the second device, and the The first message is used to apply for an Industrial Internet ID for the first device, and the second device is a network manager or network admission controller; the second device sends a second message to the first device, and the second The message indicates the result of applying for the Industrial Internet ID for the first device; the first device writes the target Industrial Internet ID into the first device according to the second message.
  • the first message includes the target Industrial Internet identifier.
  • the first message includes an initial Industrial Internet identifier of the first device.
  • the second message includes the target Industrial Internet identifier.
  • the first message is an authentication message.
  • the second message is security authentication information including the target Internet identifier.
  • the embodiment of the present application provides a device.
  • the device includes a processor and memory.
  • the memory is used to store instructions or computer programs.
  • the processor is configured to execute the instructions or computer programs in the memory, execute the method described in any one of the above first aspects, or execute the method described in any one of the above second aspects.
  • the embodiment of the present application provides a computer-readable storage medium, including instructions or computer programs, which, when run on a computer, cause the computer to perform the method described in any one of the above first aspects, or to perform the above The method according to any one of the second aspect.
  • the embodiments of the present application provide a computer program product including instructions or computer programs, which, when run on a computer, cause the computer to execute the method described in any one of the above first aspects, or to execute the above second aspect. The method described in any one of the aspects.
  • Figure 1 is a schematic diagram of an Industrial Internet logo
  • FIG. 2 is a schematic diagram of an exemplary application scenario provided by an embodiment of the present application.
  • FIG. 3 is a signaling interaction diagram of a processing method based on industrial Internet identification provided by an embodiment of the present application
  • FIG. 4 is a signaling interaction diagram of a processing method based on industrial Internet identification provided by an embodiment of the present application
  • FIG. 5 is a signaling interaction diagram of a processing method based on industrial Internet identification provided by an embodiment of the present application
  • FIG. 6 is a signaling interaction diagram of a processing method based on industrial Internet identification provided by an embodiment of the present application.
  • Fig. 7 is a schematic flowchart of a processing method based on industrial Internet identification provided by the embodiment of the present application.
  • FIG. 8 is a schematic flowchart of another processing method based on industrial Internet identification provided by the embodiment of the present application.
  • FIG. 9 is a schematic structural diagram of a processing device based on industrial Internet identification provided by an embodiment of the present application.
  • Fig. 10 is a schematic structural diagram of another processing device based on industrial Internet identification provided by the embodiment of the present application.
  • FIG. 11 is a schematic structural diagram of a device provided by an embodiment of the present application.
  • the embodiment of the present application provides a processing method based on the Industrial Internet ID, which can write the Industrial Internet ID corresponding to the enterprise into the device after the enterprise purchases the device.
  • the Industrial Internet logo includes a logo prefix and a logo suffix, and the logo prefix can reflect a unique corporate entity.
  • An identification suffix is used to identify a unique resource (such as a device).
  • the identification prefix can include multiple levels, as shown in Figure 1, the A in the identification prefix is used to identify the country, the A.B in the identification prefix is used to identify the B region of the country A, and the entire identification prefix A.B.C is used to identify a specific An enterprise (that is, an enterprise located in region B in country A).
  • the identification suffix block_data is used to identify unique resources.
  • the device does not have an Industrial Internet logo.
  • the company that purchased the device needs to assign its own Industrial Internet logo to it.
  • the device has an initial Industrial Internet ID
  • the initial Industrial Internet ID may be the Industrial Internet ID corresponding to the enterprise that produced the device.
  • the company that purchased the device needs to replace the logo prefix in the initial Industrial Internet logo with the company's logo prefix to form the device corresponding to the company's Industrial Internet logo.
  • the identification prefix corresponding to equipment manufacturer A is: 88.103.1
  • the industrial Internet identification is written for the equipment when it leaves the factory; then the equipment is purchased by enterprise B, and the identification prefix corresponding to enterprise B is: 88.103.2.
  • the identification prefix in its Industrial Internet identification needs to be changed to 88.103.2.
  • the enterprise node can also store the device information of the device and the device's Industrial Internet ID in the company.
  • the enterprise nodes mentioned here refer to the nodes used by enterprises to deal with matters related to the Industrial Internet.
  • an enterprise that manufactures equipment can develop its own private active identification carrier service platform. After purchasing the equipment, the enterprise that purchases the equipment can also purchase the active identification carrier service platform developed by the equipment manufacturing enterprise, so as to use the active identification
  • the carrier service platform writes the industrial Internet logo corresponding to the enterprise into the device.
  • the active identification carrier may directly apply for an industrial Internet identification from the enterprise node that purchased the device.
  • this approach also has certain drawbacks:
  • the enterprise node that purchases the device will assign an accessible account password or access token to each connected device (such as a terminal, corresponding to an active identification carrier).
  • each connected device such as a terminal, corresponding to an active identification carrier.
  • enterprise nodes are usually deployed in the cloud (public cloud or private cloud).
  • cloud public cloud or private cloud.
  • industrial network devices may be restricted from directly accessing external services. Therefore, the active identification carrier may not be able to directly access the aforementioned enterprise nodes, resulting in the inability to apply for an industrial Internet identification.
  • the active identification carrier cannot automatically know when to apply for an industrial Internet identification from the enterprise node that purchased the device, and manual configuration is required.
  • the embodiment of this application provides a processing method based on industrial Internet identification, which does not need to purchase a private active identification carrier service platform, and there is no risk of being unable to apply for an industrial Internet identification.
  • enterprise nodes do not need to be managed A very large account for secure access.
  • FIG. 2 is a schematic diagram of an exemplary application scenario provided by the embodiment of the present application.
  • the identification agent 200 may run in a necessary network administrator or network admission controller of the enterprise network to which the enterprise node 300 belongs.
  • the identification agent 200 since the identification agent 200 runs in the necessary network management or network admission controller of the enterprise network, the network investment can be reduced. In addition, it can also avoid network security problems that may be caused by direct external interaction of enterprise nodes, and can also greatly simplify the management scale of enterprise nodes 300 for devices that need to apply for industrial Internet identification.
  • this figure is a signaling interaction diagram of a processing method based on industrial Internet identification provided by an embodiment of the present application. in:
  • the active identification device is a device that needs to write the industrial Internet identification into itself, and the active identification device may be, for example, the device 100 shown in FIG. 2 .
  • the identification proxy server is a device that runs the identification proxy.
  • the identification proxy may be the identification proxy 200 described in FIG. 2 , and the identification proxy server may be a network manager or a network admission controller.
  • the identifier resolution node is an identifier resolution node of an enterprise, and the identifier resolution node may be, for example, the enterprise node 300 shown in FIG. 2 .
  • a DHCP server can assign an IP address to an actively identified device.
  • the method 100 shown in FIG. 3 can be applied to a scenario where the active identification device has an initial industrial Internet identification.
  • the method 100 may include, for example, the following S101-S109.
  • the active identification device obtains a DHCP option through a DHCP server, the DHCP option includes an IP address, and the extended information of the DHCP option includes a prefix 1 and an address of an identification proxy server.
  • the prefix 1 is a prefix corresponding to the enterprise to which the identification resolution node belongs.
  • the extended information of the DHCP option further includes indication information, and the indication information is used to instruct the active identification device to apply for an industrial Internet identification. Since the extended information includes indication information, the active identification device can apply for an industrial Internet identification based on the indication information without manual configuration.
  • the information included in the extended information of the DHCP option may be pre-configured on the DHCP server.
  • the active identification device obtains the target Industrial Internet identification based on the initial Industrial Internet identification and the prefix 1.
  • the active identification device may replace the prefix in the initial industrial Internet identification with the prefix 1, so as to obtain the target industrial Internet identification.
  • the active identification device sends a message 1 to the identification proxy server, where the message 1 includes the target Industrial Internet ID, and the message 1 is used to request registration of the target Industrial Internet ID.
  • the active identification device After the active identification device obtains the target industrial Internet identification, it can obtain message 1 based on the target industrial Internet identification, and then send the message 1 to the address of the identification proxy server included in the extension information of the DHCP option. The above identifies the proxy server.
  • the identification proxy server obtains message 2 according to message 1, wherein message 2 includes the target industrial Internet identification and device information of the active identification device.
  • the device information of the active identification device may be configured on the identification proxy server in advance by an administrator.
  • the identification proxy server is a network administrator, the network administrator already has the device information of the active identification device.
  • the device information of the active identification device may include, for example, a media access control (media access control, MAC) address of the active identification device, a name of the active identification device, an initial industrial Internet identification of the active identification device, etc. , not listed here.
  • a media access control media access control, MAC
  • the ID proxy server sends message 2 to the ID resolution node, so as to apply for registration of the target industrial Internet ID with the ID resolution node.
  • S106 The identity resolution node verifies the target industrial Internet identity.
  • the identifier parsing node After the identifier parsing node receives the message 2, it can parse the message 2 to obtain the target industrial Internet identifier included in the message 2. Then, verify the target Industrial Internet ID. In an example, the identity resolution node may determine that the target Industrial Internet identity has passed the verification when the target Industrial Internet identity has not been registered.
  • the identity resolution node sends a message 3 to the identity proxy server when the target industrial Internet identity passes the verification, and the message 3 is used to indicate that the registration of the target industrial Internet identity is successful.
  • the identity resolution node may also save the correspondence between the target industrial Internet identity and the device information of the actively-identified device when the target industrial Internet identity passes the verification.
  • the identification proxy server sends message 3 to the active identification device.
  • the active identification device Based on the message 3, the active identification device writes the target industrial Internet identification into the active identification device.
  • the active identification device After the active identification device receives the message 3, it may determine that the registration of the target industrial Internet identification is successful. Therefore, the active identification device can write the target industrial Internet identification into the active identification device.
  • an active identification device with an initial Industrial Internet identification, it can determine the prefix 1 and the address of the identification proxy server applying for the Industrial Internet identification while obtaining the IP address, so as to use the prefix 1 to obtain the target Industrial Internet ID, and apply for registration of the target Industrial Internet ID through the ID proxy server.
  • the active identification device obtains the target Industrial Internet ID based on the prefix 1 and the initial Industrial Internet ID, and sends message 1 including the target Industrial Internet ID to the ID proxy server.
  • the message 1 may include an initial industrial Internet identifier.
  • the identification proxy server can be configured with a prefix 1, and the identification proxy server can obtain the target industrial Internet identification based on the initial industrial Internet identification and prefix 1 included in the message 1, and then, the identification proxy server can be based on the target The Industrial Internet ID and the device information of the actively identified device obtain the aforementioned message 2, and further execute S105 and subsequent steps.
  • method 100 may also be combined with a network access control (network access control, NAC) solution.
  • NAC network access control
  • a prefix-based authentication and authorization policy may be pre-configured on the network admission controller. For example, configure network authority 1 for prefixes not intended for the enterprise, and configure network authority 2 for prefixes aimed at the enterprise, where network resources accessible by network authority 1 are less than network resources accessible by network authority 2.
  • the active identification device may send an authentication message 1 to the network admission controller, where the authentication message 1 includes an initial industrial Internet identification.
  • the active identification device may send the authentication message 1 to a network authentication device, and the network authentication device forwards the authentication message 1 to a network admission controller.
  • the network admission controller determines the network authority 1 based on the initial industrial Internet identification in the authentication message 1, and sends the network authority 1 to the network authentication device, so that the active identification device obtains the network authority 1. in:
  • the authentication message 1 may be a message based on MAC authentication, or a message based on 802.1X authentication.
  • the authentication message 1 can be obtained by extending an existing protocol message, for example, by extending an existing protocol message, the extended type length value (type length value, TLV) field is used to carry the initial Industrial Internet logo.
  • the existing protocol packets include but are not limited to Link Layer Discovery Protocol (LLDP) packets, Extensible Authentication Protocol (EAP) packets, 802.11 association protocol packets, etc. etc., not listed here.
  • the identification proxy server may send a re-authentication message to the network authentication device.
  • the active identification device may send an authentication message 2 carrying the target Industrial Internet identifier to the network authentication device, and the network authentication device sends the authentication message 2 to the network based on the re-authentication message Admission controller.
  • the network admission controller determines the network authority 2 based on the target industrial Internet identifier in the authentication message 2, and sends the network authority 2 to the network authentication device, so that the active identification device obtains the network authority 2. in:
  • the authentication message 2 may be a message based on MAC authentication, or a message based on 802.1X authentication.
  • the authentication message 2 can be obtained by extending an existing protocol packet, for example, extending an existing protocol packet, and the extended TLV field is used to carry the target industrial Internet identifier.
  • the existing protocol packets include but not limited to LLDP packets, EAP packets, 802.11 associated protocol packets, etc., which are not listed here for description.
  • FIG. 4 this figure is a signaling interaction diagram of another industrial Internet identification-based processing method provided by the embodiment of the present application. in:
  • the active identification device is a device that needs to write the industrial Internet identification into itself, and the active identification device may be, for example, the device 100 shown in FIG. 2 .
  • the network admission controller is a device that runs an identification agent, and the identification agent may be the identification agent 200 described in FIG. 2 .
  • the identifier resolution node is an identifier resolution node of an enterprise, and the identifier resolution node may be, for example, the enterprise node 300 shown in FIG. 2 .
  • the method 200 shown in FIG. 4 may also be applied to a scenario where the active identification device has an initial industrial Internet identification.
  • the method 200 may include, for example, the following S201-S211.
  • the active identification device sends an authentication message 3 to the network admission controller, where the authentication message 3 includes the initial industrial Internet identification of the active identification device.
  • accessing the network by an active identification device may include two-stage authentication, and the authentication message 3 is used to perform the first-stage authentication, and the authentication message 3 may include device information of the active identification device.
  • the authentication at the first stage may be authentication with weak security such as MAC authentication.
  • the authentication message 3 it is similar to the authentication message 1.
  • the authentication at the first stage may be handled by a network admission controller.
  • the network admission controller may authenticate the active identification device based on the authentication message 3 .
  • the first stage of certification may be manually approved. In this case, the administrator may approve the active identification device.
  • the network admission controller can obtain a corresponding authentication result after authenticating the active identification device based on the authentication message 3 . If the authentication in the first stage is manually approved, the network admission controller may obtain the authentication result input by the user.
  • the prefix 1 may be pre-configured on the network admission controller. After the network admission controller receives the authentication message 3 including the initial Industrial Internet ID, it can obtain the target Industrial Internet ID based on the initial Industrial Internet ID and prefix 1.
  • the network admission controller generates a message 4, the message 4 includes the target industrial Internet identity and the device information of the active identification device, and the message 4 is used to request registration of the target industrial Internet identity.
  • the network admission controller sends message 4 to the identity resolution node, so as to apply to the identity resolution node for registration of the target industrial Internet identity.
  • S205 The identity resolution node verifies the target industrial Internet identity.
  • the identity resolution node sends a message 5 to the network admission controller when the target industrial Internet identity passes the verification, and the message 5 is used to indicate that the registration of the target industrial Internet identity is successful.
  • S204-S206 its specific implementation is the same as that of S105-S107, and the identification proxy server in S105-S107 is equivalent to the network admission controller in S204-S206.
  • S204-S206 reference may be made to the description of S105-S107, which will not be repeated here.
  • the network admission controller sends a message 6 to the network authentication device, where the message 6 is used to indicate that the authentication of the active identification device is successful.
  • the network admission controller when it determines that the active identification device has passed the authentication, it can execute the "obtain the target industrial Internet identification based on the initial industrial Internet identification and prefix 1" in S202 and the subsequent S203- S207.
  • S207 may be performed before the "obtain the target Industrial Internet ID based on the initial Industrial Internet ID and prefix 1" in S202 is executed, it may also be performed between S202-S206, and it may also be performed with the step in S202 "Get the target industrial internet identifier based on the initial industrial internet identifier and prefix 1" is executed at the same time, which is not specifically limited in this embodiment of the present application.
  • the active identification device After the active identification device obtains the IP address, it sends a message 7 to the network admission controller, where the message 7 is used to request security authentication information.
  • the actively identified device can obtain an IP address through the DHCP server.
  • the security authentication information is information required for the active identification device to perform the second-stage security authentication.
  • the security authentication information may include an 802.1X authentication certificate.
  • the security authentication information may also include other information, which will not be listed here.
  • the network admission controller sends the security authentication information including the target Industrial Internet ID to the active ID device.
  • the network admission controller After the network admission controller receives the message 5, it can determine that the registration of the target industrial Internet identifier is successful. Therefore, after receiving the message 7, the network admission controller may obtain the target industrial Internet identifier, and send the security authentication information including the target industrial Internet identifier to the active identification device.
  • the active identification device writes the target industrial Internet identification into the active identification device.
  • the active identification device After the active identification device receives the security authentication information, it can analyze the security authentication information to obtain the target industrial Internet identifier, and then write the target industrial Internet identifier into the active identification device.
  • the active identification device sends an authentication message 4 to the network admission controller, where the authentication message 4 includes the security authentication information.
  • the authentication message 4 may be an authentication message corresponding to 802.1X authentication.
  • the network admission controller may perform security authentication on the active identification device based on the security authentication information in the authentication message 4.
  • the security authentication of the active identification terminal can be divided into two stages of authentication.
  • the active identification device with the initial industrial Internet identification it can be successfully authenticated in the first stage and obtain the second authentication.
  • the target Industrial Internet logo is obtained.
  • this figure is a signaling interaction diagram of a processing method based on industrial Internet identification provided by an embodiment of the present application. in:
  • the identification proxy server and the identification resolution node, reference may be made to relevant descriptions in the method 100, and repeated descriptions are not repeated here.
  • the method 300 shown in FIG. 5 can be applied to a scenario where the active identification device does not have an initial industrial Internet identification.
  • the method 300 may include, for example, the following S301-S308.
  • the active identification device obtains a DHCP option through a DHCP server, the DHCP option includes an IP address, and the extended information of the DHCP option includes an address of an identification proxy server.
  • the extended information of the DHCP option further includes indication information, and the indication information is used to instruct the active identification device to apply for an industrial Internet identification.
  • the information included in the extended information of the DHCP option may be pre-configured on the DHCP server.
  • the active identification device sends a message 1' to the identification proxy server, and the message 1' is used to request allocation of an industrial Internet identification.
  • the identification proxy server obtains message 2' according to message 1', wherein message 2' includes the device information of the active identification device.
  • the device information of the active identification device may be configured on the identification proxy server in advance by an administrator.
  • the identification proxy server is a network administrator, the network administrator already has the device information of the active identification device.
  • the identification proxy server can obtain the message 2' based on the message 1' and the device information of the active identification device. For example, the identification proxy server may add the device information to the message 1' to obtain the message 2'.
  • the identification proxy server sends the message 2' to the identification resolution node, so as to request the identification resolution node to allocate an industrial Internet identification for the active identification device.
  • the identity resolution node determines the target industrial Internet identity as the industrial Internet identity allocated to the active identity device.
  • the identification resolution node can obtain the target industrial Internet identification according to certain rules, for example, randomly generate an identification suffix, and if the randomly generated identification suffix is not used, based on the identification suffix and the corresponding identification prefix of the enterprise , to obtain the target Industrial Internet ID.
  • S306 The identity resolution node sends the message 3' carrying the target industrial Internet identity to the identity proxy server.
  • the identification proxy server sends the message 3' to the active identification device.
  • the active identification device writes the target industrial Internet identification into the active identification device based on the message 3'.
  • the active identification device After the active identification device receives the message 3', it can analyze the message 3' to obtain the target industrial Internet identification included in the message 3', so as to write the target industrial Internet identification into the active identification device.
  • an active identification device that does not have an initial Industrial Internet identification, it can determine the address of the identification proxy server that previously applied for an Industrial Internet identification based on the extended information of the DHCP option while obtaining an IP address , so as to request to assign an Industrial Internet ID to itself through the ID proxy server.
  • method 300 may also be combined with a NAC solution. Specifically: when the active identification device does not have an industrial Internet identification, determine the corresponding network access authority for the active identification device. After the active identification device obtains the target Industrial Internet ID, re-authentication is performed based on the target Industrial Internet ID, so as to obtain the network access authority corresponding to the target Industrial Internet ID.
  • a prefix-based authentication and authorization policy may be pre-configured on the network admission controller. For example, configure network authority 1 for no prefix, and configure network authority 2 for the enterprise-specific prefix.
  • the network resources accessible by network authority 1 are less than those accessible by network authority 2.
  • the active identification device may send an authentication message 1' to the network admission controller, and the authentication message 1' does not include the industrial Internet identification.
  • the active identification device may send the authentication message 1' to the network authentication device, and the network authentication device sends the authentication message 1' to the network admission controller.
  • the network admission controller determines the network authority 1 based on the authentication message 1', and sends the network authority 1 to the network authentication device, so that the active identification device obtains the network authority 1. in:
  • the authentication message 1' can also be a message based on MAC authentication, or a message based on 802.1X authentication.
  • the authentication message 1' may be an existing protocol message.
  • the existing protocol packets include but are not limited to Link Layer Discovery Protocol (LLDP) packets, Extensible Authentication Protocol (EAP) packets, 802.11 association protocol packets, etc. Etc., not enumerating and explaining one by one here.
  • the identification proxy server may send a re-authentication message to the network authentication device.
  • the active identification device may send an authentication message 2' carrying the target Industrial Internet identifier to the network authentication device, and the network authentication device sends the authentication message 2' to the network authentication device based on the re-authentication message.
  • the network admission controller described above. The network admission controller determines the network authority 2 based on the target industrial Internet identifier in the authentication message 2', and sends the network authority 2 to the network authentication device, so that the active identification device obtains the network authority 2 . in:
  • the authentication message 2' may be a message based on MAC authentication, or a message based on 802.1X authentication. , which will not be repeated here.
  • FIG. 6 this figure is a signaling interaction diagram of another industrial Internet identification-based processing method provided by the embodiment of the present application. in:
  • the network admission controller and the identification resolution node reference may be made to the description of the method 200 above, and the description will not be repeated here.
  • the method 400 shown in FIG. 6 may also be applied to a scenario where the active identification device does not have an initial industrial Internet identification.
  • the method 400 may include, for example, the following S401-S410.
  • S401 The active identification device sends an authentication message 3' to the network admission controller.
  • actively identifying the device to access the network may include two stages of authentication, the authentication message 3' is used to perform the first stage of authentication, and the authentication message 3' may include the device of the actively identifying device information.
  • the authentication at the first stage may be authentication with weak security such as MAC authentication.
  • the authentication message 3' it is similar to the authentication message 1'.
  • the authentication at the first stage may be handled by a network admission controller, and in this case, the network admission controller may authenticate the active identification device based on the authentication message 3'.
  • the first stage of certification may be manually approved. In this case, the administrator may approve the active identification device.
  • the network admission controller can obtain a corresponding authentication result after authenticating the active identification device based on the authentication message 3'. If the authentication at the first stage is manually approved, the network admission controller can obtain the authentication result input by the user.
  • the network admission controller sends a message 4' to the identity resolution node, so as to request the identity resolution node to allocate an industrial Internet identity for the active identity device.
  • the identity resolution node determines the target industrial Internet identity as the industrial Internet identity assigned to the active identity device based on the message 4'.
  • identification resolution node determining the target Industrial Internet ID as the Industrial Internet ID assigned to the active identification device, reference may be made to relevant descriptions in S305, and repeated descriptions are not repeated here.
  • the identifier resolution node may also store the correspondence between the target industrial Internet identifier and the device information of the active identifier device.
  • the identifier resolution node sends a message 5' to the network admission controller, and the message 5' carries the target industrial Internet identifier.
  • the network admission controller After the network admission controller receives the message 5', it can save the target industrial Internet identifier. As an example, the network admission controller may save the correspondence between the target industrial Internet identifier and the identifier of the active identifier device. Wherein, the identifier of the active identification device may be, for example, the MAC address of the active identification device.
  • S406 The network admission controller sends a message 6' to the network authentication device, where the message 6' is used to indicate that the authentication of the active identification device is successful.
  • the active identification device After the active identification device obtains the IP address, it sends a message 7' to the network admission controller, where the message 7' is used to request security authentication information.
  • the actively identified device can obtain an IP address through the DHCP server.
  • Said message 7' includes the identification of said active identification device.
  • the security authentication information is information required for the active identification device to perform the second-stage security authentication.
  • the security authentication information may include an 802.1X authentication certificate.
  • the security authentication information may also include other information, which will not be listed here.
  • the network admission controller sends security authentication information including the target Industrial Internet ID to the active ID device.
  • the network admission controller may search for the correspondence between the aforementioned target industrial Internet identifier and the identifier of the active identifier device based on the identifier of the active identifier device in the message 7' relationship, so as to obtain the target industrial Internet identity, and then send the security authentication information including the target industrial Internet identity to the active identification device.
  • the active identification device writes the target industrial Internet identification into the active identification device.
  • the active identification device After the active identification device receives the security authentication information, it can analyze the security authentication information to obtain the target industrial Internet identifier, and then write the target industrial Internet identifier into the active identification device.
  • the active identification device sends an authentication message 4' to the network admission controller, where the authentication message 4' includes the security authentication information.
  • the authentication message 4' may be an authentication message corresponding to 802.1X authentication.
  • the network admission controller may perform security authentication on the active identification device based on the security authentication information in the authentication message 4'.
  • the security authentication of the active identification terminal can be divided into two stages of authentication.
  • the target industrial Internet logo is obtained.
  • this figure is a schematic flowchart of a processing method based on industrial Internet identification provided by an embodiment of the present application.
  • the first device is a device that needs to write the industrial Internet identifier into itself, and the first device may be, for example, the device 100 shown in FIG. 2 .
  • the second device is a device running an identification agent.
  • the identification agent may be the identification agent 200 described in FIG. 2
  • the second device may be a network manager or a network admission controller.
  • the method shown in FIG. 7 can be applied to the method 100 , method 200 , method 300 and method 400 provided in the above embodiments.
  • the method 500 shown in FIG. 7 may include, for example, the following S501-S503.
  • the first device sends a first message to a second device, where the first message is used to apply for an Industrial Internet ID for the first device, and the second device is a network manager or a network admission controller.
  • the first device receives a second message sent by the second device, where the second message indicates a result of applying for an Industrial Internet ID for the first device.
  • the first device writes the target Industrial Internet identifier into the first device based on the second message.
  • the first device corresponds to the active identification device in the method 100; the second device corresponds to the identification proxy server in the method 100.
  • the first message corresponds to message 1 in method 100 ; the second message corresponds to message 3 in method 100 .
  • the first device corresponds to the active identification device in the method 200; the second device corresponds to the network admission server in the method 200.
  • the first message corresponds to the authentication message 3 in the method 200; the second message corresponds to the security authentication information in the method 200.
  • the first device corresponds to the active identification device in the method 300; the second device corresponds to the identification proxy server in the method 300.
  • the first message corresponds to message 1' in method 100; the second message corresponds to message 3' in method 100.
  • the first device corresponds to the active identification device in the method 400; the second device corresponds to the network admission server in the method 400.
  • the first message corresponds to the authentication message 3' in the method 400; the second message corresponds to the security authentication information in the method 400.
  • the sending the first message to the second device includes:
  • the method further includes:
  • the first message carries the initial Industrial Internet identifier of the first device.
  • the first message is used to request allocation of an industrial Internet identifier for the first device.
  • the second message includes the target Industrial Internet identifier.
  • the method before sending the first message, the method further includes:
  • the first authentication message in method 500 may correspond to authentication message 1 in the above embodiment, or may correspond to authentication message 1' in the above embodiment.
  • the first authentication message includes the initial Industrial Internet identifier.
  • the method further includes:
  • the second authentication message in method 500 may correspond to authentication message 2 in the above embodiment, or may correspond to authentication message 2' in the above embodiment.
  • the method further includes:
  • the indication information in method 500 may be the indication information mentioned in method 100 or the indication information mentioned in method 300 .
  • the indication information is carried in DHCP option extension information.
  • the first message is an authentication message.
  • the authentication message mentioned here may correspond to the authentication message 3 in the method 200, and may also correspond to the authentication message 3' in the method 400.
  • the receiving the second message sent by the second device includes:
  • the security authentication information mentioned here may correspond to the security authentication information in method 200 , and may also correspond to the security authentication information in method 400 .
  • FIG. 8 this figure is a schematic flow chart of another industrial Internet identification-based processing method provided by the embodiment of the present application.
  • the first device is a device that needs to write the industrial Internet identifier into itself, and the first device may be, for example, the device 100 shown in FIG. 2 .
  • the second device is a device running an identification agent.
  • the identification agent may be the identification agent 200 described in FIG. 2
  • the second device may be a network manager or a network admission controller.
  • the method shown in FIG. 8 may be applied to the method 100 and the method 300 provided in the above embodiments.
  • the method 600 shown in FIG. 8 may include, for example, the following S601-S604.
  • the second device receives a first message sent by the first device, where the first message is used to apply for an Industrial Internet ID for the first device.
  • the first message corresponds to message 1 in method 100 .
  • the first message corresponds to message 1' in method 300.
  • the second device sends the second message to the third device, where the second message is used to apply for an Industrial Internet identifier for the first device, and the second message includes device information of the first device.
  • the second message corresponds to message 2 in method 100 .
  • the second message corresponds to message 2' in method 300.
  • the second device receives a third message sent by the third device, where the third message indicates a result of applying for an Industrial Internet ID for the first device.
  • the third message corresponds to message 3 in method 100 .
  • the third message corresponds to message 3' in method 300.
  • S604 The second device sends the third message to the first device.
  • the first message includes the target Industrial Internet identifier.
  • the third message includes the target Industrial Internet identifier.
  • the method before receiving the first message, further includes: receiving a first authentication message sent by the first device; determining the first authentication message of the first device according to the first authentication message 1st network access for .
  • the first authentication message in method 600 may correspond to authentication message 1 in the above embodiment, or may correspond to authentication message 1' in the above embodiment.
  • the method further includes: receiving a second authentication message sent by the first device, where the second authentication message includes the target Industrial Internet identifier; A second network access right of the first device is determined.
  • the second authentication message in method 600 may correspond to authentication message 2 in the above embodiment, or may correspond to authentication message 2' in the above embodiment.
  • the first message includes an initial Industrial Internet identifier of the first device.
  • the first message is an authentication message.
  • the second message is used to request to assign an industrial Internet identifier to the first device.
  • the second message is used to request to register the target industrial internet identifier for the first device.
  • the second message is obtained based on the following manner: obtaining a pre-configured first prefix and device information of the first device; based on the first prefix and the initial industrial Internet identifier, Obtain the target Industrial Internet ID; based on the target Industrial Internet ID and the device information, obtain a second message including the device information and the target Industrial Internet ID, and the second message is used to request for the The first device registers the target Industrial Internet identifier. in:
  • the embodiment of the present application also provides an Industrial Internet ID-based processing device, see FIG. 9 , which is a schematic structural diagram of an Industrial Internet ID-based processing device provided in the embodiment of the present application.
  • the apparatus 900 shown in FIG. 9 may be applied to the first device, for executing the above method 500 performed by the first device.
  • the apparatus 900 includes: a sending unit 901 , a receiving unit 902 and a processing unit 903 .
  • the sending unit 901 is configured to send a first message to a second device, the first message is used to apply for an Industrial Internet ID for the first device, and the second device is a network manager or a network admission controller; a receiving unit 902 , configured to receive a second message sent by the second device, the second message indicating the result of applying for an Industrial Internet ID for the first device; the processing unit 903 is configured to, based on the second message, assign the target industrial The Internet identifier is written into the first device.
  • the sending unit 901 is configured to: send a first message carrying the target Industrial Internet identifier to the second device, where the first message is used to request registration of the target Industrial internet logo.
  • the processing unit 903 is further configured to: obtain the first prefix in the extended information of the DHCP option option of the Dynamic Host Configuration Protocol; according to the first prefix and the initial Industrial Internet ID, to obtain the target Industrial Internet ID.
  • the first message carries the initial Industrial Internet identifier of the first device.
  • the first message is used to request allocation of an industrial internet identifier for the first device.
  • the second message includes the target Industrial Internet identifier.
  • the sending unit 901 is further configured to: before sending the first message, send a first authentication message to the second device, so as to obtain a network access permission.
  • the first authentication message includes the initial Industrial Internet identifier.
  • the sending unit 901 is further configured to: send a second authentication message to the second device, where the second authentication message includes the target industrial Internet identifier.
  • the processing unit 903 is further configured to: acquire indication information, where the indication information is used to instruct to apply for an industrial Internet identifier for the first device.
  • the indication information is carried in DHCP option extension information.
  • the first message is an authentication message.
  • the receiving unit 903 is configured to: receive security authentication information sent by the network admission controller, where the security authentication information includes the target industrial Internet identifier.
  • the embodiment of the present application also provides an Industrial Internet ID-based processing device, see FIG. 10 , which is a schematic structural diagram of another Industrial Internet ID-based processing device provided in the embodiment of the present application.
  • the apparatus 1000 shown in FIG. 10 may be applied to a second device, for executing the above method 600 performed by the second device.
  • the apparatus 1000 includes: a receiving unit 1001 and a sending unit 1002 .
  • the receiving unit 1001 is configured to receive a first message sent by the first device, and the first message is used to apply for an Industrial Internet ID for the first device; the sending unit 1002 is configured to send the second message to a third device , the second message is used to apply for an Industrial Internet ID for the first device, the second message includes device information of the first device; the receiving unit 1001 is also used to receive a third message, the The third message indicates a result of applying for an Industrial Internet ID for the first device; the sending unit 1002 is further configured to send the third message to the first device.
  • the first message includes the target Industrial Internet identifier.
  • the third message includes the target Industrial Internet identifier.
  • the receiving unit 1001 is further configured to: before receiving the first message, receive a first authentication message sent by the first device; the apparatus further includes a processing unit configured to: Determine the first network access right of the first device according to the first authentication message.
  • the receiving unit 1001 is further configured to receive a second authentication message sent by the first device, where the second authentication message includes the target Industrial Internet identifier; the apparatus includes The processing unit is configured to determine the second network access right of the first device according to the second authentication message.
  • the first message includes an initial Industrial Internet identifier of the first device.
  • the first message is an authentication message.
  • the second message is used to request to assign an industrial internet identifier to the first device.
  • the second message is used to request to register the target industrial internet identifier for the first device.
  • the second message is obtained based on the following methods: obtaining a pre-configured first prefix and the device information of the first device; based on the first prefix and the initial Industrial Internet identifier , to obtain the target Industrial Internet ID; based on the target Industrial Internet ID and the device information, obtain a second message including the device information and the target Industrial Internet ID, and the second message is used to request for the The first device registers the target industrial Internet identifier.
  • obtaining a pre-configured first prefix and the device information of the first device based on the first prefix and the initial Industrial Internet identifier , to obtain the target Industrial Internet ID; based on the target Industrial Internet ID and the device information, obtain a second message including the device information and the target Industrial Internet ID, and the second message is used to request for the
  • the first device registers the target industrial Internet identifier.
  • a device 1100 includes: a processor 1110 , a communication interface 1120 and a memory 1130 .
  • the number of processors 1110 in the device 1100 may be one or more, and one processor is taken as an example in FIG. 11 .
  • the processor 1110, the communication interface 1120, and the memory 1130 may be connected through a bus system or other methods, wherein the connection through the bus system 1140 is taken as an example in FIG. 11 .
  • the processor 1110 may be a central processing unit (central processing unit, CPU), a network processor (network processor, NP) or a combination of CPU and NP.
  • the processor 1110 may further include a hardware chip.
  • the aforementioned hardware chip may be an application-specific integrated circuit (application-specific integrated circuit, ASIC), a programmable logic device (programmable logic device, PLD) or a combination thereof.
  • the aforementioned PLD may be a complex programmable logic device (complex programmable logic device, CPLD), a field-programmable gate array (field-programmable gate array, FPGA), a general array logic (generic array logic, GAL) or any combination thereof.
  • the memory 1130 may include a volatile memory (English: volatile memory), such as a random-access memory (random-access memory, RAM); the memory 1130 may also include a non-volatile memory (English: non-volatile memory), such as a fast Flash memory (English: flash memory), hard disk (hard disk drive, HDD) or solid-state drive (solid-state drive, SSD); the memory 1130 may also include a combination of the above types of memory.
  • the memory 1130 may, for example, store extended information of DHCP options including the first prefix; when the device 1100 corresponds to the processing device 1000 based on the Industrial Internet ID shown in FIG. 10 , The storage 1130 may, for example, store device information of the first device.
  • the memory 1130 stores an operating system and programs, executable modules or data structures, or their subsets, or their extended sets, where the programs may include various operating instructions for implementing various operations.
  • the operating system may include various system programs for implementing various basic services and processing hardware-based tasks.
  • the processor 1110 can read the program in the memory 1130 to implement the processing method based on the Industrial Internet ID provided by the embodiment of the present application (such as the processing method based on the Industrial Internet ID executed by the first device, or the industrial Internet ID-based processing method executed by the second device). treatment of Internet identifiers).
  • the bus system 1140 may be a peripheral component interconnect standard (peripheral component interconnect, PCI) bus or an extended industry standard architecture (extended industry standard architecture, EISA) bus or the like.
  • PCI peripheral component interconnect
  • EISA extended industry standard architecture
  • the bus system 1140 can be divided into address bus, data bus, control bus and so on. For ease of representation, only one thick line is used in FIG. 11 , but it does not mean that there is only one bus or one type of bus.
  • the embodiment of the present application also provides a computer-readable storage medium, including an instruction or a computer program, which, when run on a computer, causes the computer to execute the industrial Internet identification-based processing method provided in the above embodiments.
  • the embodiment of the present application also provides a computer program product including an instruction or a computer program, which, when run on a computer, causes the computer to execute the industrial Internet identification-based processing method provided in the above embodiments.
  • the disclosed system, device and method can be implemented in other ways.
  • the device embodiments described above are only illustrative.
  • the division of units is only a logical business division. In actual implementation, there may be other division methods.
  • multiple units or components can be combined or integrated. to another system, or some features may be ignored, or not implemented.
  • the mutual coupling or direct coupling or communication connection shown or discussed may be through some interfaces, and the indirect coupling or communication connection of devices or units may be in electrical, mechanical or other forms.
  • a unit described as a separate component may or may not be physically separated, and a component displayed as a unit may or may not be a physical unit, that is, it may be located in one place, or may be distributed to multiple network units. Part or all of the units can be selected according to actual needs to achieve the purpose of the solution of this embodiment.
  • each business unit in each embodiment of the present application may be integrated into one processing unit, each unit may exist separately physically, or two or more units may be integrated into one unit.
  • the above-mentioned integrated units can be implemented in the form of hardware or in the form of software business units.
  • the integrated unit is realized in the form of a software business unit and sold or used as an independent product, it can be stored in a computer-readable storage medium.
  • the technical solution of the present application is essentially or part of the contribution to the prior art or all or part of the technical solution can be embodied in the form of a software product, and the computer software product is stored in a storage medium , including several instructions to make a computer device (which may be a personal computer, a server, or a network device, etc.) execute all or part of the steps of the methods in various embodiments of the present application.
  • the aforementioned storage media include: U disk, mobile hard disk, read-only memory (ROM, Read-Only Memory), random access memory (RAM, Random Access Memory), magnetic disk or optical disc, etc., which can store program codes. .
  • the services described in the present invention may be implemented by hardware, software, firmware or any combination thereof.
  • the services may be stored on or transmitted over as one or more instructions or code on a computer-readable medium.
  • Computer-readable media includes both computer storage media and communication media including any medium that facilitates transfer of a computer program from one place to another.
  • a storage media may be any available media that can be accessed by a general purpose or special purpose computer.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Provided in the embodiments of the present application is a processing method based on an industrial Internet identifier. The method comprises: a first device can send a first message to a second device, wherein the first message is used for applying for an industrial Internet identifier for the first device, and the second device is a network administrator or a network access controller; then, the first device can receive a second message, which is sent by the second device, wherein the second message indicates a result of applying for the industrial Internet identifier for the first device; and after receiving the second message, the first device can write a target industrial Internet identifier into the first device on the basis of the second message. Since a second device is a network administrator or a network access controller, by means of the present solution, there is no need to purchase a private active identifier carrier service platform, and there is no risk of it being impossible to obtain an industrial Internet identifier; and in addition, an enterprise node does not need to manage a very large amount of secure access accounts, and a first device can write a target industrial Internet identifier into the first device.

Description

一种基于工业互联网标识的处理方法及装置A processing method and device based on industrial Internet identification
本申请要求于2022年1月13日提交中国国家知识产权局、申请号为202210038368.1、申请名称为“一种基于工业互联网标识的处理方法及装置”的中国专利申请的优先权,其全部内容通过引用结合在本申请中。This application claims the priority of the Chinese patent application filed with the State Intellectual Property Office of China on January 13, 2022, with the application number 202210038368.1 and the application name "A Processing Method and Device Based on Industrial Internet Marks", the entire content of which is passed References are incorporated in this application.
技术领域technical field
本申请涉及通信领域,尤其涉及一种基于工业互联网标识的处理方法及装置。The present application relates to the communication field, and in particular to a processing method and device based on industrial Internet identification.
背景技术Background technique
工业互联网标识是指能够唯一识别物理资源以及虚拟资源的身份标识,其中,物理资源包括但不限于机器以及产品,虚拟资源包括但不限于算法以及工序。通过工业互联网标识可以将工业互联网标识所对应的数据进行有组织的管理,从而实现跨企业、跨行业、跨地区、甚至跨国家的数据共享。Industrial Internet identifiers refer to identifiers that can uniquely identify physical resources and virtual resources. Physical resources include but are not limited to machines and products, and virtual resources include but not limited to algorithms and processes. The data corresponding to the Industrial Internet logo can be managed in an organized manner through the Industrial Internet logo, so as to realize cross-enterprise, cross-industry, cross-regional, and even cross-country data sharing.
在一个示例中,工业互联网标识可以通过主动标识载体承载,主动标识载体可以将设备的工业互联网标识嵌入到设备内部。工业互联网标识包括两部分,分别为标识前缀和标识后缀。标识前缀用于标识唯一的企业主体,标识后缀用于标识唯一的资源。In an example, the industrial Internet identity can be carried by an active identity carrier, and the active identity carrier can embed the industrial Internet identity of the device into the device. The Industrial Internet logo consists of two parts, namely the logo prefix and the logo suffix. An ID prefix is used to identify a unique business principal, and an ID suffix is used to identify a unique resource.
企业在购买设备后,需要将该设备对应本企业的工业互联网标识写入到设备内部。如何将该设备对应本企业的工业互联网标识写入到设备内部,是目前尚待解决的问题。After the enterprise purchases the equipment, it needs to write the industrial Internet logo of the equipment corresponding to the enterprise into the equipment. How to write the device corresponding to the enterprise's industrial Internet logo into the device is a problem that has yet to be solved.
发明内容Contents of the invention
本申请实施例提供了一种基于工业互联网标识的处理方法,可以将设备对应的工业互联网标识写入到设备内部。The embodiment of this application provides a processing method based on the Industrial Internet ID, which can write the Industrial Internet ID corresponding to the device into the device.
第一方面,本申请实施例提供了一种基于工业互联网标识的处理方法,可以由第一设备执行,第一设备可以对应需要写入工业互联网标识的设备。第一设备可以向第二设备发送第一消息,该第一消息用于为所述第一设备申请工业互联网标识,其中,所述第二设备为网管或者网络准入控制器。而后,所述第一设备可以接收所述第二设备发送的第二消息,所述第二消息指示为所述第一设备申请工业互联网标识的结果。第一设备接收第二消息之后,可以基于所述第二消息,将目标工业互联网标识写入到第一设备中。正是由于第二设备为网管或者网络准入控制器,因此,利用本方案,既无需购买私有的主动标识载体服务平台,也不会存在无法申请到工业互联网标识的风险,另外,企业节点也无需管理十分庞大的安全访问的账号,第一设备就可以将目标工业互联网标识写入到设备内部。In the first aspect, the embodiment of the present application provides a processing method based on an Industrial Internet ID, which can be executed by a first device, and the first device can correspond to a device that needs to write an Industrial Internet ID. The first device may send a first message to the second device, where the first message is used to apply for an Industrial Internet ID for the first device, where the second device is a network manager or a network admission controller. Then, the first device may receive a second message sent by the second device, where the second message indicates a result of applying for an Industrial Internet ID for the first device. After receiving the second message, the first device may write the target industrial Internet identifier into the first device based on the second message. It is precisely because the second device is a network management or network access controller, so using this solution, there is no need to purchase a private active identification carrier service platform, and there is no risk of being unable to apply for an industrial Internet identification. In addition, enterprise nodes also The first device can write the target industrial Internet identifier into the device without managing a very large number of secure access accounts.
在一种可能的实现方式中,第一设备发送给第二设备的第一消息中可以包括目标工业互联网标识。例如,所述第一设备可以首先获取目标工业互联网标识,而后,得到包括所述目标工业互联网标识的所述第一消息,再将所述第一消息发送给第二设备。对于这种情况,所述第一消息用于请求为第一设备注册所述目标工业互联网标识。在一个示例中,所述第一设备可以在自身具备初始工业互联网标识的情况下,向所述第二设备发送包括所述目标工业互联网标识的第一消息。In a possible implementation manner, the first message sent by the first device to the second device may include the target Industrial Internet identifier. For example, the first device may first obtain the target Industrial Internet identifier, then obtain the first message including the target Industrial Internet identifier, and then send the first message to the second device. In this case, the first message is used to request to register the target industrial internet identifier for the first device. In an example, the first device may send the first message including the target Industrial Internet identifier to the second device when it has an initial Industrial Internet identifier.
在一种可能的实现方式中,第一设备获取目标工业互联网标识在具体实现时,可以首先获取第一前缀,其中,第一前缀例如可以是购买所述第一设备的企业对应的前缀。而后,所述第一设备可以基于所述第一前缀和所述第一设备的初始工业互联网标识,得到所述目标工业互联网标识。例如,将所述初始工业互联网标识中的前缀替换为所述第一前缀,从 而得到所述目标工业互联网标识。在一个示例中,所述第一设备可以从动态主机配置协议(Dynamic Host Configuration Protocol,DHCP)选项(option)的扩展信息中获得所述第一前缀。具体地,所述第一设备可以在通过DHCP服务器获取因特网协议(Internet Protocol,IP)地址时,获得所述DHCP选项的扩展信息,从而得到所述第一前缀。In a possible implementation manner, when the first device obtains the target industrial Internet identifier, it may first obtain the first prefix during specific implementation, where the first prefix may be, for example, the prefix corresponding to the enterprise that purchased the first device. Then, the first device may obtain the target Industrial Internet identifier based on the first prefix and the initial Industrial Internet identifier of the first device. For example, the prefix in the initial Industrial Internet identifier is replaced with the first prefix, so as to obtain the target Industrial Internet identifier. In an example, the first device may obtain the first prefix from extended information of a Dynamic Host Configuration Protocol (Dynamic Host Configuration Protocol, DHCP) option (option). Specifically, the first device may obtain the extended information of the DHCP option when obtaining an Internet Protocol (Internet Protocol, IP) address through a DHCP server, so as to obtain the first prefix.
在一种实现可能的实现方式中,所述第一消息携带所述第一设备的初始工业互联网标识。对于这种情况,第二设备可以基于所述初始工业互联网标识确定所述目标工业互联网标识,并请求注册所述目标工业互联网标识。在一个示例中,所述第二设备上可以预先配置有第一前缀,第二设备接收到所述第一消息之后,可以基于所述第一消息中的初始工业互联网标识和所述第一前缀,得到目标工业互联网标识,而后,请求注册所述目标工业互联网标识。在所述目标工业互联网标识注册成功之后,所述第二设备可以将携带所述目标工业互联网标识的第二消息发送给第一设备。In a possible implementation manner, the first message carries the initial Industrial Internet identifier of the first device. In this case, the second device may determine the target Industrial Internet identity based on the initial Industrial Internet identity, and request to register the target Industrial Internet identity. In an example, the second device may be pre-configured with a first prefix, and after receiving the first message, the second device may, based on the initial Industrial Internet identifier in the first message and the first prefix , obtain the target Industrial Internet ID, and then request to register the target Industrial Internet ID. After the target Industrial Internet ID is successfully registered, the second device may send a second message carrying the target Industrial Internet ID to the first device.
在一种可能的实现方式中,所述第一消息用于请求为所述第一设备分配工业互联网标识。例如,所述第一设备不具备初始工业互联网标识,则所述第一设备向第二设备发送用于请求为所述第一设备分配工业互联网标识的第一消息。In a possible implementation manner, the first message is used to request allocation of an industrial Internet identifier for the first device. For example, if the first device does not have an initial Industrial Internet ID, the first device sends to the second device a first message for requesting allocation of an Industrial Internet ID for the first device.
在一种可能的实现方式中,所述第二消息包括所述目标工业互联网标识,第一设备接收到所述第二消息之后,可以对所述第二消息进行解析,得到所述目标工业互联网标识,从而进一步将目标工业互联网标识写入到第一设备内部。在一个示例中,所述第一设备不具备初始工业互联网标识,所述第一设备向第二设备发送用于请求为所述第一设备分配工业互联网标识的第一消息,并接收所述第二设备发送的携带所述目标工业互联网标识的所述第二消息。在又一个示例中,所述第一设备具备初始工业互联网标识,所述第二设备上可以预先配置有第一前缀,第二设备接收到包括所述初始工业互联网标识的第一消息之后,可以基于所述第一消息中的初始工业互联网标识和所述第一前缀,得到目标工业互联网标识,而后,请求注册所述目标工业互联网标识。在所述目标工业互联网标识注册成功之后,所述第二设备可以将携带所述目标工业互联网标识的第二消息发送给第一设备。In a possible implementation manner, the second message includes the target Industrial Internet identifier, and after receiving the second message, the first device may parse the second message to obtain the target Industrial Internet ID, so as to further write the target industrial Internet ID into the first device. In an example, the first device does not have an initial Industrial Internet ID, the first device sends a first message to the second device requesting to assign an Industrial Internet ID to the first device, and receives the first message The second message carrying the target Industrial Internet identifier sent by the second device. In yet another example, the first device has an initial Industrial Internet ID, the second device may be pre-configured with a first prefix, and after receiving the first message including the initial Industrial Internet ID, the second device may Based on the initial industrial internet identifier in the first message and the first prefix, a target industrial internet identifier is obtained, and then registration of the target industrial internet identifier is requested. After the target Industrial Internet ID is successfully registered, the second device may send a second message carrying the target Industrial Internet ID to the first device.
在一种可能的实现方式中,当所述第二设备为网络准入控制器时,在所述第一设备未将目标工业互联网标识写入到第一设备中时,第二设备可以为所述第一设备确定对应的网络访问权限。对于这种情况,所述第一设备在向第二设备发送第一消息之前,还可以向所述第二设备发送第一认证消息,以获得接入网络的权限。In a possible implementation manner, when the second device is a network admission controller, when the first device does not write the target Industrial Internet identifier into the first device, the second device may be the The first device determines the corresponding network access right. In this case, before sending the first message to the second device, the first device may also send a first authentication message to the second device, so as to obtain permission to access the network.
在一种可能的实现方式中,所述第一认证消息中包括所述初始工业互联网标识。相应的,第二设备基于所述初始工业互联网标识确定所述第一设备的网络访问权限。In a possible implementation manner, the first authentication message includes the initial Industrial Internet identifier. Correspondingly, the second device determines the network access right of the first device based on the initial industrial Internet identifier.
在一种可能的实现方式中,当所述第二设备为网络准入控制器时,在所述第一设备将目标工业互联网标识写入到第一设备中之后,所述第一设备可以基于所述目标工业互联网标识进行重认证,从而获得与所述目标工业互联网标识对应的网络访问权限。对于这种情况,所述第一设备在将目标工业互联网标识写入到第一设备中之后,可以向所述第二设备发送第二认证消息,所述第二认证消息中包括所述目标工业互联网标识,从而获取与所述目标工业互联网标识对应的网络访问权限。In a possible implementation manner, when the second device is a network admission controller, after the first device writes the target Industrial Internet identifier into the first device, the first device may The target Industrial Internet ID performs re-authentication, so as to obtain the network access authority corresponding to the target Industrial Internet ID. In this case, after the first device writes the target industrial Internet identifier into the first device, it can send a second authentication message to the second device, and the second authentication message includes the target industrial Internet Internet identifier, so as to obtain the network access authority corresponding to the target industrial Internet identifier.
在一种可能的实现方式中,第一设备在向第二设备发送第一消息之前,还可以获取指示信息,所述指示信息用于指示为所述第一设备申请工业互联网标识。第一设备获取所述 指示信息之后,可以基于所述指示信息触发申请工业互联网标识的操作(即发送第一消息)。这样一来,第一设备即可基于所述指示信息主动触发申请工业互联网标识的操作,而无需人为手工配置。In a possible implementation manner, before sending the first message to the second device, the first device may also obtain indication information, where the indication information is used to indicate to apply for an industrial Internet identifier for the first device. After the first device obtains the indication information, it may trigger the operation of applying for an Industrial Internet ID (that is, send the first message) based on the indication information. In this way, the first device can actively trigger the operation of applying for an Industrial Internet ID based on the indication information without manual configuration.
在一种可能的实现方式中,所述指示信息可以携带在DHCP option扩展信息中。具体地,所述第一设备可以在通过DHCP服务器获取IP地址时,获得所述DHCP选项的扩展信息。进一步地,所述第一设备对所述DHCP选项的扩展信息进行解析即可获得所述指示信息。In a possible implementation manner, the indication information may be carried in DHCP option extension information. Specifically, the first device may obtain the extended information of the DHCP option when obtaining the IP address through the DHCP server. Further, the first device can obtain the indication information by parsing the extension information of the DHCP option.
在一种可能的实现方式中,所述第一消息为认证消息。换言之,所述第一消息除了可以用于请求进行安全认证之外,还可以用于为所述第一设备申请工业互联网标识。在一个示例中,可以将第一设备的安全认证划分成两个阶段,此处提及的认证消息,可以是第一阶段的认证消息。In a possible implementation manner, the first message is an authentication message. In other words, in addition to requesting security authentication, the first message may also be used to apply for an Industrial Internet ID for the first device. In an example, the security authentication of the first device may be divided into two stages, and the authentication message mentioned here may be the authentication message of the first stage.
在一种可能的实现方式中,将第一设备的安全认证划分成两个阶段,则在第一阶段安全认证通过之后,第一设备可以向第二设备(网络准入控制器)申请第二阶段的安全认证信息,例如第二阶段安全认证所需的证书。对于这种情况,所述第二设备可以将所述目标工业互联网标识携带在所述安全认证信息中发送给所述第一设备。换言之,对于这种情况,前述第二消息可以是携带所述目标工业互联网信息的安全认证信息。其中,第二设备在将所述目标工业互联网标识携带在所述安全认证信息中发送给所述第一设备之前,可以确定所述目标工业互联网标识。第二设备确定目标工业互联网标识可以有多种实现方式,在一个示例中,所述第二设备可以向第三设备(对应企业节点)请求为第一设备分配工业互联网标识,从而得到所述目标工业互联网标识;在又一个示例中,所述第一消息中可以包括初始工业互联网标识,而所述第二设备上配置有第一前缀,则所述第二设备可以基于所述初始工业互联网标识和所述第一前缀得到所述目标工业互联网标识。当然,所述第二设备得到所述目标工业互联网标识之后,还需要向第三设备请求注册所述目标工业互联网标识,并在所述目标工业互联网标识注册成功之后,将所述目标工业互联网标识携带在所述安全认证信息中发送给所述第一设备。In a possible implementation, the security authentication of the first device is divided into two stages, and after the first stage of security authentication is passed, the first device can apply to the second device (network admission controller) for a second Stage security authentication information, such as the certificate required for the second stage security authentication. In this case, the second device may include the target Industrial Internet identifier in the security authentication information and send it to the first device. In other words, for this case, the aforementioned second message may be security authentication information carrying the target industrial Internet information. Wherein, the second device may determine the target industrial Internet identifier before carrying the target industrial Internet identifier in the security authentication information and sending it to the first device. There are many ways for the second device to determine the target Industrial Internet ID. In one example, the second device may request the third device (corresponding to the enterprise node) to assign an Industrial Internet ID to the first device, so as to obtain the target Industrial Internet ID; in yet another example, the first message may include an initial Industrial Internet ID, and the second device is configured with a first prefix, then the second device may be based on the initial Industrial Internet ID and the first prefix to obtain the target industrial Internet identifier. Of course, after the second device obtains the target Industrial Internet ID, it also needs to request registration of the target Industrial Internet ID from the third device, and after the target Industrial Internet ID is successfully registered, the target Industrial Internet ID carried in the security authentication information and sent to the first device.
第二方面,本申请实施例提供了一种基于工业互联网标识的处理方法,应用于第二设备,所述第二设备为网管或者网络准入控制器。第二设备可以接收第一设备发送的第一消息,所述第一消息用于为所述第一设备申请工业互联网标识,而后,所述第二设备向第三设备发送第二消息,所述第二消息用于为所述第一设备申请工业互联网标识,所述第二消息包括所述第一设备的设备信息。第二设备向所述第三设备发送第二消息之后,可以接收所述第三设备针对所述第二消息发送的第三消息,并将所述第三消息发送给所述第一设备。所述第三消息指示为所述第一设备申请工业互联网标识的结果。由此可见,利用本方案,由于第二设备为网管或者网络准入控制器,因此,既无需购买私有的主动标识载体服务平台,也不会存在无法申请到工业互联网标识的风险,另外,企业节点也无需管理十分庞大的安全访问的账号,第一设备就可以将目标工业互联网标识写入到设备内部。In a second aspect, the embodiment of the present application provides a processing method based on industrial Internet identification, which is applied to a second device, and the second device is a network manager or a network admission controller. The second device may receive the first message sent by the first device, the first message is used to apply for an Industrial Internet ID for the first device, and then the second device sends a second message to the third device, the The second message is used to apply for an Industrial Internet identifier for the first device, and the second message includes device information of the first device. After the second device sends the second message to the third device, it may receive a third message sent by the third device for the second message, and send the third message to the first device. The third message indicates a result of applying for an Industrial Internet ID for the first device. It can be seen that with this solution, since the second device is a network management or network access controller, there is no need to purchase a private active identification carrier service platform, and there is no risk of being unable to apply for an industrial Internet identification. In addition, enterprises The node does not need to manage a very large number of secure access accounts, and the first device can write the target industrial Internet identifier into the device.
在一种可能的实现方式中,所述第一消息包括所述目标工业互联网标识。In a possible implementation manner, the first message includes the target Industrial Internet identifier.
在一种可能的实现方式中,所述第三消息包括所述目标工业互联网标识。第一设备接收到所述第三消息之后,可以对所述第三消息进行解析,得到所述目标工业互联网标识, 从而进一步将目标工业互联网标识写入到第一设备内部。In a possible implementation manner, the third message includes the target Industrial Internet identifier. After receiving the third message, the first device may parse the third message to obtain the target Industrial Internet identifier, so as to further write the target Industrial Internet identifier into the first device.
在一种可能的实现方式中,第二设备在接收所述第一消息之前,还可以接收所述第一设备发送的第一认证消息,并根据所述第一认证消息确定所述第一设备的第一网络访问权限。In a possible implementation manner, before receiving the first message, the second device may also receive a first authentication message sent by the first device, and determine the first authentication message according to the first authentication message 1st network access for .
在一种可能的实现方式中,所述第二设备在将第三消息发送给第一设备之后,第二设备还可以接收所述第一设备发送的第二认证消息,所述第二认证消息中包括所述目标工业互联网标识,并根据所述第二认证消息确定所述第一设备的第二网络访问权限。In a possible implementation manner, after the second device sends the third message to the first device, the second device may also receive a second authentication message sent by the first device, and the second authentication message Including the target Industrial Internet identifier, and determining the second network access right of the first device according to the second authentication message.
在一种实现可能的实现方式中,所述第一消息携带所述第一设备的初始工业互联网标识。In a possible implementation manner, the first message carries the initial Industrial Internet identifier of the first device.
在一种实现可能的实现方式中,所述第一消息为认证消息。In a possible implementation manner, the first message is an authentication message.
在一种实现可能的实现方式中,所述第一设备不具备初始工业互联网标识,则所述第一设备可以向第二设备发送用于请求为第一设备分配工业互联网标识的第一消息,所述第二设备可以对第一消息进行处理,例如将第一设备的设备信息添加到第一消息中,从而得到第二消息,所述第二消息用于请求为第一设备分配工业互联网标识。In a possible implementation manner, if the first device does not have an initial Industrial Internet ID, then the first device may send a first message to the second device to request the allocation of an Industrial Internet ID for the first device, The second device may process the first message, for example, add the device information of the first device to the first message to obtain a second message, and the second message is used to request the allocation of an industrial Internet identifier for the first device .
在一种实现可能的实现方式中,所述第一设备具备初始工业互联网标识,则所述第二设备可以基于所述第一消息得到包括目标工业互联网标识的第二消息,并将第二消息发送给第三设备,从而请求第三设备为第一设备注册目标工业互联网标识。In a possible implementation manner, the first device has an initial Industrial Internet ID, and the second device can obtain a second message including the target Industrial Internet ID based on the first message, and send the second message to Send it to the third device, thereby requesting the third device to register the target industrial Internet identifier for the first device.
在一种实现可能的实现方式中,所述第二设备在将第二消息发送给第三设备之前,可以基于第一消息得到包括目标工业互联网标识的第二消息。其中,基于所述第一消息得到包括目标工业互联网标识的第二消息在具体实现时,所述第二设备可以获取预先配置的第一前缀和所述第一设备的设备信息,并基于所述第一前缀和所述初始工业互联网标识,得到所述目标工业互联网标识,而后,基于所述目标工业互联网标识和所述设备信息,得到包括所述设备信息和所述目标工业互联网标识的第二消息。In a possible implementation manner, before sending the second message to the third device, the second device may obtain the second message including the target industrial Internet identifier based on the first message. Wherein, the second message including the target Industrial Internet identifier is obtained based on the first message. During specific implementation, the second device may obtain the pre-configured first prefix and the device information of the first device, and based on the The first prefix and the initial Industrial Internet ID obtain the target Industrial Internet ID, and then, based on the target Industrial Internet ID and the device information, obtain the second IP address including the device information and the target Industrial Internet ID. information.
第三方面,本申请实施例提供了一种基于工业互联网标识的处理装置,应用于第一设备,所述装置包括:发送单元,用于向第二设备发送第一消息,所述第一消息用于为所述第一设备申请工业互联网标识,所述第二设备为网管或者网络准入控制器;接收单元,用于接收所述第二设备发送的第二消息,所述第二消息指示为所述第一设备申请工业互联网标识的结果;处理单元,用于基于所述第二消息,将目标工业互联网标识写入到所述第一设备中。In the third aspect, the embodiment of the present application provides a processing device based on industrial Internet identification, which is applied to the first device, and the device includes: a sending unit, configured to send a first message to the second device, and the first message It is used to apply for an industrial Internet identifier for the first device, and the second device is a network manager or a network admission controller; a receiving unit is used to receive a second message sent by the second device, and the second message indicates A result of applying for an Industrial Internet ID for the first device; a processing unit configured to write a target Industrial Internet ID into the first device based on the second message.
在一种实现可能的实现方式中,所述发送单元,用于:向所述第二设备发送携带所述目标工业互联网标识的第一消息,所述第一消息用于请求注册所述目标工业互联网标识。In a possible implementation manner, the sending unit is configured to: send a first message carrying the target industrial Internet identifier to the second device, where the first message is used to request registration of the target industrial Internet Internet logo.
在一种实现可能的实现方式中,所述处理单元还用于:获取动态主机配置协议DHCP选项option的扩展信息中的第一前缀;根据所述第一前缀和所述第一设备的初始工业互联网标识,得到所述目标工业互联网标识。In a possible implementation manner, the processing unit is further configured to: obtain the first prefix in the extended information of the DHCP option option of the Dynamic Host Configuration Protocol; Internet identifier, to obtain the target industrial Internet identifier.
在一种实现可能的实现方式中,所述第一消息携带所述第一设备的初始工业互联网标识。In a possible implementation manner, the first message carries the initial Industrial Internet identifier of the first device.
在一种实现可能的实现方式中,所述第一消息用于请求为所述第一设备分配工业互联网标识。In a possible implementation manner, the first message is used to request allocation of an industrial internet identifier for the first device.
在一种实现可能的实现方式中,所述第二消息包括所述目标工业互联网标识。In a possible implementation manner, the second message includes the target Industrial Internet identifier.
在一种实现可能的实现方式中,所述发送单元还用于:在发送所述第一消息之前,向所述第二设备发送第一认证消息,以获得接入网络的权限。In a possible implementation manner, the sending unit is further configured to: before sending the first message, send a first authentication message to the second device, so as to obtain a network access permission.
在一种实现可能的实现方式中,所述第一认证消息包括所述初始工业互联网标识。In a possible implementation manner, the first authentication message includes the initial Industrial Internet identifier.
在一种实现可能的实现方式中,所述发送单元还用于:向所述第二设备发送第二认证消息,所述第二认证消息中包括所述目标工业互联网标识。In a possible implementation manner, the sending unit is further configured to: send a second authentication message to the second device, where the second authentication message includes the target industrial Internet identifier.
在一种实现可能的实现方式中,所述处理单元还用于:获取指示信息,所述指示信息用于指示为所述第一设备申请工业互联网标识。In a possible implementation manner, the processing unit is further configured to: acquire indication information, where the indication information is used to instruct to apply for an industrial Internet identifier for the first device.
在一种实现可能的实现方式中,所述指示信息携带在DHCP option扩展信息中。In a possible implementation manner, the indication information is carried in DHCP option extension information.
在一种实现可能的实现方式中,所述第一消息为认证消息。In a possible implementation manner, the first message is an authentication message.
在一种实现可能的实现方式中,所述接收单元,用于:接收所述网络准入控制器发送的安全认证信息,所述安全认证信息包括所述目标工业互联网标识。In a possible implementation manner, the receiving unit is configured to: receive security authentication information sent by the network admission controller, where the security authentication information includes the target industrial Internet identifier.
第四方面,本申请实施例提供了一种基于工业互联网标识的处理装置,应用于第二设备,所述第二设备为网管或者网络准入控制器,所述装置包括:接收单元,用于接收第一设备发送的第一消息,所述第一消息用于为所述第一设备申请工业互联网标识;发送单元,用于向第三设备发送所述第二消息,所述第二消息用于为所述第一设备申请工业互联网标识,所述第二消息包括所述第一设备的设备信息;所述接收单元,还用于接收第三消息,所述第三消息指示为所述第一设备申请工业互联网标识的结果;所述发送单元,还用于将所述第三消息发送给所述第一设备。In a fourth aspect, the embodiment of the present application provides a processing device based on industrial Internet identification, which is applied to a second device, the second device is a network manager or a network admission controller, and the device includes: a receiving unit configured to receiving a first message sent by the first device, the first message is used to apply for an Industrial Internet ID for the first device; a sending unit is used to send the second message to a third device, and the second message uses For applying for an Industrial Internet ID for the first device, the second message includes device information of the first device; the receiving unit is further configured to receive a third message, the third message indicates that the first device is A result of a device applying for an Industrial Internet ID; the sending unit is further configured to send the third message to the first device.
在一种实现可能的实现方式中,所述第一消息包括所述目标工业互联网标识。In a possible implementation manner, the first message includes the target Industrial Internet identifier.
在一种实现可能的实现方式中,所述第三消息包括所述目标工业互联网标识。In a possible implementation manner, the third message includes the target Industrial Internet identifier.
在一种实现可能的实现方式中,所述接收单元还用于:在接收所述第一消息之前,接收所述第一设备发送的第一认证消息;所述装置还包括处理单元,用于根据所述第一认证消息确定所述第一设备的第一网络访问权限。In a possible implementation manner, the receiving unit is further configured to: receive a first authentication message sent by the first device before receiving the first message; the apparatus further includes a processing unit configured to Determine the first network access right of the first device according to the first authentication message.
在一种实现可能的实现方式中,所述接收单元还用于接收所述第一设备发送的第二认证消息,所述第二认证消息中包括所述目标工业互联网标识;所述装置包括的处理单元用于根据所述第二认证消息确定所述第一设备的第二网络访问权限。In a possible implementation manner, the receiving unit is further configured to receive a second authentication message sent by the first device, where the second authentication message includes the target Industrial Internet identifier; the device includes The processing unit is configured to determine the second network access right of the first device according to the second authentication message.
在一种实现可能的实现方式中,所述第一消息包括所述第一设备的初始工业互联网标识。In a possible implementation manner, the first message includes an initial Industrial Internet identifier of the first device.
在一种实现可能的实现方式中,所述第一消息为认证消息。In a possible implementation manner, the first message is an authentication message.
在一种实现可能的实现方式中,所述第二消息用于请求为第一设备分配工业互联网标识。In a possible implementation manner, the second message is used to request to assign an industrial internet identifier to the first device.
在一种实现可能的实现方式中,所述第二消息用于请求为第一设备注册目标工业互联网标识。In a possible implementation manner, the second message is used to request to register the target industrial internet identifier for the first device.
在一种实现可能的实现方式中,所述第二消息基于如下方式获得:获取预先配置的第一前缀和所述第一设备的设备信息;基于所述第一前缀和所述初始工业互联网标识,得到所述目标工业互联网标识;基于所述目标工业互联网标识和所述设备信息,得到包括所述设备信息和所述目标工业互联网标识的第二消息,所述第二消息用于请求为所述第一设备 注册所述目标工业互联网标识。In a possible implementation manner, the second message is obtained based on the following methods: obtaining a pre-configured first prefix and the device information of the first device; based on the first prefix and the initial Industrial Internet identifier , to obtain the target Industrial Internet ID; based on the target Industrial Internet ID and the device information, obtain a second message including the device information and the target Industrial Internet ID, and the second message is used to request for the The first device registers the target industrial Internet identifier.
第五方面,本申请实施例提供了一种基于工业互联网标识的处理***,所述***包括第一设备和第二设备;所述第一设备用于向第二设备发送第一消息,所述第一消息用于为所述第一设备申请工业互联网标识,所述第二设备为网管或者网络准入控制器;所述第二设备向所述第一设备发送第二消息,所述第二消息指示为所述第一设备申请工业互联网标识的结果;所述第一设备根据所述第二消息,将目标工业互联网标识写入到所述第一设备中。In the fifth aspect, the embodiment of the present application provides a processing system based on Industrial Internet identification, the system includes a first device and a second device; the first device is used to send a first message to the second device, and the The first message is used to apply for an Industrial Internet ID for the first device, and the second device is a network manager or network admission controller; the second device sends a second message to the first device, and the second The message indicates the result of applying for the Industrial Internet ID for the first device; the first device writes the target Industrial Internet ID into the first device according to the second message.
在一种实现可能的实现方式中,所述第一消息包括所述目标工业互联网标识。In a possible implementation manner, the first message includes the target Industrial Internet identifier.
在一种实现可能的实现方式中,所述第一消息包括所述第一设备的初始工业互联网标识。In a possible implementation manner, the first message includes an initial Industrial Internet identifier of the first device.
在一种实现可能的实现方式中,所述第二消息包括所述目标工业互联网标识。In a possible implementation manner, the second message includes the target Industrial Internet identifier.
在一种实现可能的实现方式中,所述第一消息为认证消息。In a possible implementation manner, the first message is an authentication message.
在一种实现可能的实现方式中,所述第二消息为包括所述目标互联网标识的安全认证信息。In a possible implementation manner, the second message is security authentication information including the target Internet identifier.
第六方面,本申请实施例提供了一种设备。所述设备包括处理器和存储器。所述存储器用于存储指令或计算机程序。所述处理器用于执行所述存储器中的所述指令或计算机程序,执行以上第一方面任意一项所述的方法,或者执行以上第二方面任意一项所述的方法。In a sixth aspect, the embodiment of the present application provides a device. The device includes a processor and memory. The memory is used to store instructions or computer programs. The processor is configured to execute the instructions or computer programs in the memory, execute the method described in any one of the above first aspects, or execute the method described in any one of the above second aspects.
第七方面,本申请实施例提供了一种计算机可读存储介质,包括指令或计算机程序,当其在计算机上运行时,使得计算机执行以上第一方面任意一项所述的方法,或者执行以上第二方面任意一项所述的方法。In the seventh aspect, the embodiment of the present application provides a computer-readable storage medium, including instructions or computer programs, which, when run on a computer, cause the computer to perform the method described in any one of the above first aspects, or to perform the above The method according to any one of the second aspect.
第八方面,本申请实施例提供了一种包含指令或计算机程序的计算机程序产品,当其在计算机上运行时,使得计算机执行以上第一方面任意一项所述的方法,或者执行以上第二方面任意一项所述的方法。In the eighth aspect, the embodiments of the present application provide a computer program product including instructions or computer programs, which, when run on a computer, cause the computer to execute the method described in any one of the above first aspects, or to execute the above second aspect. The method described in any one of the aspects.
附图说明Description of drawings
为了更清楚地说明本申请实施例或现有技术中的技术方案,下面将对实施例或现有技术描述中所需要使用的附图作简单地介绍,显而易见地,下面描述中的附图仅仅是本申请中记载的一些实施例,对于本领域普通技术人员来讲,在不付出创造性劳动的前提下,还可以根据这些附图获得其他的附图。In order to more clearly illustrate the technical solutions in the embodiments of the present application or the prior art, the following will briefly introduce the drawings that need to be used in the description of the embodiments or the prior art. Obviously, the accompanying drawings in the following description are only These are some embodiments described in this application. Those skilled in the art can also obtain other drawings based on these drawings without creative work.
图1为一个工业互联网标识的示意图;Figure 1 is a schematic diagram of an Industrial Internet logo;
图2为本申请实施例提供的一个示例性应用场景示意图;FIG. 2 is a schematic diagram of an exemplary application scenario provided by an embodiment of the present application;
图3为本申请实施例提供的一种基于工业互联网标识的处理方法的信令交互图;FIG. 3 is a signaling interaction diagram of a processing method based on industrial Internet identification provided by an embodiment of the present application;
图4为本申请实施例提供的一种基于工业互联网标识的处理方法的信令交互图;FIG. 4 is a signaling interaction diagram of a processing method based on industrial Internet identification provided by an embodiment of the present application;
图5为本申请实施例提供的一种基于工业互联网标识的处理方法的信令交互图;FIG. 5 is a signaling interaction diagram of a processing method based on industrial Internet identification provided by an embodiment of the present application;
图6为本申请实施例提供的一种基于工业互联网标识的处理方法的信令交互图;FIG. 6 is a signaling interaction diagram of a processing method based on industrial Internet identification provided by an embodiment of the present application;
图7为本申请实施例提供的一种基于工业互联网标识的处理方法的流程示意图;Fig. 7 is a schematic flowchart of a processing method based on industrial Internet identification provided by the embodiment of the present application;
图8为本申请实施例提供的又一种基于工业互联网标识的处理方法的流程示意图;FIG. 8 is a schematic flowchart of another processing method based on industrial Internet identification provided by the embodiment of the present application;
图9为本申请实施例提供的一种基于工业互联网标识的处理装置的结构示意图;FIG. 9 is a schematic structural diagram of a processing device based on industrial Internet identification provided by an embodiment of the present application;
图10为本申请实施例提供的又一种基于工业互联网标识的处理装置的结构示意图;Fig. 10 is a schematic structural diagram of another processing device based on industrial Internet identification provided by the embodiment of the present application;
图11为本申请实施例提供的一种设备的结构示意图。FIG. 11 is a schematic structural diagram of a device provided by an embodiment of the present application.
具体实施方式Detailed ways
本申请实施例提供了一种基于工业互联网标识的处理方法,能够在企业购买设备之后,将对应该企业的工业互联网标识写入到设备内部。The embodiment of the present application provides a processing method based on the Industrial Internet ID, which can write the Industrial Internet ID corresponding to the enterprise into the device after the enterprise purchases the device.
为方便理解,首先对工业互联网标识的相关内容进行介绍。For the convenience of understanding, first introduce the relevant content of the Industrial Internet logo.
参见图1,该图为一个工业互联网标识的示意图。如图1所示,工业互联网标识包括标识前缀和标识后缀,标识前缀能够体现唯一的企业主体。标识后缀用于标识唯一的资源(例如设备)。其中:标识前缀可以包括多个层级,如图1所示,标识前缀中的A用于标识国家,标识前缀中的A.B用于标识A国家的B地区,整个标识前缀A.B.C用于标识某一具体的企业(即位于A国家B地区的某一企业)。标识后缀block_data用于标识唯一的资源。See Figure 1, which is a schematic diagram of an Industrial Internet logo. As shown in Figure 1, the Industrial Internet logo includes a logo prefix and a logo suffix, and the logo prefix can reflect a unique corporate entity. An identification suffix is used to identify a unique resource (such as a device). Among them: the identification prefix can include multiple levels, as shown in Figure 1, the A in the identification prefix is used to identify the country, the A.B in the identification prefix is used to identify the B region of the country A, and the entire identification prefix A.B.C is used to identify a specific An enterprise (that is, an enterprise located in region B in country A). The identification suffix block_data is used to identify unique resources.
企业在购买设备后,需要将该设备对应本企业的工业互联网标识写入到设备内部。After the enterprise purchases the equipment, it needs to write the industrial Internet logo of the equipment corresponding to the enterprise into the equipment.
在一个场景中,该设备没有工业互联网标识,此时,购买该设备的企业需要为其分配本企业的工业互联网标识。In one scenario, the device does not have an Industrial Internet logo. At this time, the company that purchased the device needs to assign its own Industrial Internet logo to it.
在另一个场景中,该设备具备一个初始工业互联网标识,该初始工业互联网标识可以是生产该设备的企业对应的工业互联网标识。对于这种情况,购买该设备的企业需要将初始工业互联网标识中的标识前缀更换为本企业的标识前缀,形成该设备对应本企业的工业互联网标识。例如,设备制造商A对应的标识前缀为:88.103.1,在出厂时为设备写入工业互联网标识;而后该设备被企业B购买,企业B对应的标识前缀为:88.103.2。该设备被企业B购买之后,需要将其工业互联网标识中的标识前缀修改为88.103.2。In another scenario, the device has an initial Industrial Internet ID, and the initial Industrial Internet ID may be the Industrial Internet ID corresponding to the enterprise that produced the device. In this case, the company that purchased the device needs to replace the logo prefix in the initial Industrial Internet logo with the company's logo prefix to form the device corresponding to the company's Industrial Internet logo. For example, the identification prefix corresponding to equipment manufacturer A is: 88.103.1, and the industrial Internet identification is written for the equipment when it leaves the factory; then the equipment is purchased by enterprise B, and the identification prefix corresponding to enterprise B is: 88.103.2. After the device is purchased by enterprise B, the identification prefix in its Industrial Internet identification needs to be changed to 88.103.2.
企业节点除了将该设备对应本企业的工业互联网标识写入到设备内部之外,还可以存储该设备的设备信息和该设备在本企业的工业互联网标识。此处提及的企业节点,指的是企业用于处理与工业互联网相关的事项的节点。In addition to writing the device corresponding to the company's Industrial Internet ID into the device, the enterprise node can also store the device information of the device and the device's Industrial Internet ID in the company. The enterprise nodes mentioned here refer to the nodes used by enterprises to deal with matters related to the Industrial Internet.
在一个示例中,制造设备的企业可以开发其私有的主动标识载体服务平台,购买设备的企业在购买设备之后,可以一并购买制造设备的企业开发的主动标识载体服务平台,从而利用该主动标识载体服务平台将对应本企业的工业互联网标识写入到设备内部。In one example, an enterprise that manufactures equipment can develop its own private active identification carrier service platform. After purchasing the equipment, the enterprise that purchases the equipment can also purchase the active identification carrier service platform developed by the equipment manufacturing enterprise, so as to use the active identification The carrier service platform writes the industrial Internet logo corresponding to the enterprise into the device.
但是,对于某一企业而言,其可以购买多个企业制造的设备,若采用上述方案,则需要购买前述多个企业开发的主动标识载体服务平台,成本高昂。因此,该方案的可行性不是很高。However, for a certain enterprise, it can purchase equipment manufactured by multiple enterprises. If the above solution is adopted, it needs to purchase the active identification carrier service platform developed by the above-mentioned multiple enterprises, and the cost is high. Therefore, the feasibility of this scheme is not very high.
在又一个示例中,可以由主动标识载体直接向购买该设备的企业节点申请工业互联网标识。但是,这种方式也有一定的缺陷:In yet another example, the active identification carrier may directly apply for an industrial Internet identification from the enterprise node that purchased the device. However, this approach also has certain drawbacks:
第一、通常情况下,购买该设备的企业节点会为每个对接的设备(例如终端,对应主动标识载体)分配一个可访问的账号密码或者访问令牌,当大批量的终端需要与所述企业节点对接时,则安全访问的账号管理将变得十分庞大,难以维护。First, under normal circumstances, the enterprise node that purchases the device will assign an accessible account password or access token to each connected device (such as a terminal, corresponding to an active identification carrier). When a large number of terminals need to communicate with the When the enterprise nodes are connected, the account management for secure access will become very large and difficult to maintain.
第二、企业节点通常部署在云端(公有云或者私有云),出于工业数据安全方面的考虑,可能会限制工业网络设备直接访问外部服务。因此,主动标识载体可能无法直接访问前述企业节点,从而导致无法申请到工业互联网标识。Second, enterprise nodes are usually deployed in the cloud (public cloud or private cloud). For industrial data security considerations, industrial network devices may be restricted from directly accessing external services. Therefore, the active identification carrier may not be able to directly access the aforementioned enterprise nodes, resulting in the inability to apply for an industrial Internet identification.
第三、主动标识载体不能自动获知向购买该设备的企业节点申请工业互联网标识的时机,需要人为手工配置。Third, the active identification carrier cannot automatically know when to apply for an industrial Internet identification from the enterprise node that purchased the device, and manual configuration is required.
因此,该方案的可行性也不是很高。Therefore, the feasibility of this scheme is not very high.
鉴于此,本申请实施例提供了一种基于工业互联网标识的处理方法,既无需购买私有的主动标识载体服务平台,也不会存在无法申请到工业互联网标识的风险,另外,企业节点也无需管理十分庞大的安全访问的账号。In view of this, the embodiment of this application provides a processing method based on industrial Internet identification, which does not need to purchase a private active identification carrier service platform, and there is no risk of being unable to apply for an industrial Internet identification. In addition, enterprise nodes do not need to be managed A very large account for secure access.
本申请实施例提供的基于工业互联网标识的处理方法,可以应用于图2所示的场景。图2为本申请实施例提供的一个示例性应用场景示意图。The processing method based on the industrial Internet identification provided by the embodiment of this application can be applied to the scenario shown in FIG. 2 . Fig. 2 is a schematic diagram of an exemplary application scenario provided by the embodiment of the present application.
在图2所示的场景中,对于需要将工业互联网标识写入到自身内部的设备100而言,其可以通过标识代理200向企业节点300申请工业互联网标识。其中,标识代理200可以运行在企业节点300所属的企业网络所必须的网管或者网络准入控制器中。一方面,由于标识代理200运行在企业网络所必须的网管或者网络准入控制器中,因此,可以减少网络的投资。另外,也可以避免企业节点直接对外交互可能带来的网络安全问题,还可以大幅简化企业节点300对对需要申请工业互联网标识的设备的管理规模。In the scenario shown in FIG. 2 , for a device 100 that needs to write an Industrial Internet ID into itself, it can apply for an Industrial Internet ID from the enterprise node 300 through the ID proxy 200 . Wherein, the identification agent 200 may run in a necessary network administrator or network admission controller of the enterprise network to which the enterprise node 300 belongs. On the one hand, since the identification agent 200 runs in the necessary network management or network admission controller of the enterprise network, the network investment can be reduced. In addition, it can also avoid network security problems that may be caused by direct external interaction of enterprise nodes, and can also greatly simplify the management scale of enterprise nodes 300 for devices that need to apply for industrial Internet identification.
接下来,结合附图介绍本申请实施例提供的基于工业互联网标识的处理方法。Next, the processing method based on the industrial Internet identification provided by the embodiment of the present application is introduced with reference to the accompanying drawings.
首先介绍主动标识设备具备初始工业互联网标识时,本申请实施例提供的基于工业互联网标识的处理方法。First, when the active identification device has an initial industrial Internet identification, the processing method based on the industrial Internet identification provided by the embodiment of this application is introduced.
参见图3,该图为本申请实施例提供的一种基于工业互联网标识的处理方法的信令交互图。其中:Referring to FIG. 3 , this figure is a signaling interaction diagram of a processing method based on industrial Internet identification provided by an embodiment of the present application. in:
主动标识设备为需要将工业互联网标识写入到自身内部的设备,主动标识设备例如可以是图2所示的设备100。标识代理服务器为运行标识代理的设备,所述标识代理可以是图2所述的标识代理200,标识代理服务器可以是网管或者网络准入控制器。标识解析节点为企业的标识解析节点,标识解析节点例如可以是图2所示的企业节点300。DHCP服务器可以为主动标识设备分配IP地址。The active identification device is a device that needs to write the industrial Internet identification into itself, and the active identification device may be, for example, the device 100 shown in FIG. 2 . The identification proxy server is a device that runs the identification proxy. The identification proxy may be the identification proxy 200 described in FIG. 2 , and the identification proxy server may be a network manager or a network admission controller. The identifier resolution node is an identifier resolution node of an enterprise, and the identifier resolution node may be, for example, the enterprise node 300 shown in FIG. 2 . A DHCP server can assign an IP address to an actively identified device.
图3所示的方法100,可以应用于所述主动标识设备具备初始工业互联网标识的场景。The method 100 shown in FIG. 3 can be applied to a scenario where the active identification device has an initial industrial Internet identification.
所述方法100例如可以包括如下S101-S109。The method 100 may include, for example, the following S101-S109.
S101:主动标识设备通过DHCP服务器获取DHCP选项,所述DHCP选项中包括IP地址,所述DHCP选项的扩展信息中包括前缀1和标识代理服务器的地址。S101: The active identification device obtains a DHCP option through a DHCP server, the DHCP option includes an IP address, and the extended information of the DHCP option includes a prefix 1 and an address of an identification proxy server.
其中,所述前缀1为对应所述标识解析节点所属的企业的前缀。Wherein, the prefix 1 is a prefix corresponding to the enterprise to which the identification resolution node belongs.
在一个示例中,所述DHCP选项的扩展信息中还包括指示信息,该指示信息用于指示所述主动标识设备申请工业互联网标识。由于所述扩展信息中包括指示信息,因此,所述主动标识设备可以基于所述指示信息申请工业互联网标识,而无需人为手工配置。In an example, the extended information of the DHCP option further includes indication information, and the indication information is used to instruct the active identification device to apply for an industrial Internet identification. Since the extended information includes indication information, the active identification device can apply for an industrial Internet identification based on the indication information without manual configuration.
在一个示例中,所述DHCP选项的扩展信息中包括的信息,可以是预先配置在所述DHCP服务器上的。In an example, the information included in the extended information of the DHCP option may be pre-configured on the DHCP server.
S102:主动标识设备基于初始工业互联网标识和所述前缀1,得到目标工业互联网标识。S102: The active identification device obtains the target Industrial Internet identification based on the initial Industrial Internet identification and the prefix 1.
主动标识设备可以将所述初始工业互联网标识中的前缀替换成所述前缀1,从而得到目标工业互联网标识。The active identification device may replace the prefix in the initial industrial Internet identification with the prefix 1, so as to obtain the target industrial Internet identification.
S103:主动标识设备向标识代理服务器发送消息1,所述消息1中包括所述目标工业互联网标识,所述消息1用于请求注册所述目标工业互联网标识。S103: The active identification device sends a message 1 to the identification proxy server, where the message 1 includes the target Industrial Internet ID, and the message 1 is used to request registration of the target Industrial Internet ID.
主动标识设备得到目标工业互联网标识之后,可以基于所述目标工业互联网标识,得到消息1,而后,基于所述DHCP选项的扩展信息中包括的标识代理服务器的地址,将所述消息1发送给所述标识代理服务器。After the active identification device obtains the target industrial Internet identification, it can obtain message 1 based on the target industrial Internet identification, and then send the message 1 to the address of the identification proxy server included in the extension information of the DHCP option. The above identifies the proxy server.
S104:标识代理服务器根据消息1得到消息2,其中,消息2中包括所述目标工业互联网标识和所述主动标识设备的设备信息。S104: The identification proxy server obtains message 2 according to message 1, wherein message 2 includes the target industrial Internet identification and device information of the active identification device.
在一个示例中,所述主动标识设备的设备信息可以是管理员提前配置到所述标识代理服务器上的。在又一个示例中,当所述标识代理服务器是网管时,所述网管中原本就具备所述主动标识设备的设备信息。In an example, the device information of the active identification device may be configured on the identification proxy server in advance by an administrator. In yet another example, when the identification proxy server is a network administrator, the network administrator already has the device information of the active identification device.
所述主动标识设备的设备信息,例如可以包括主动标识设备的媒体接入控制(media access control,MAC)地址、所述主动标识设备的名称、所述主动标识设备的初始工业互联网标识,等等,此处不一一列举说明。The device information of the active identification device may include, for example, a media access control (media access control, MAC) address of the active identification device, a name of the active identification device, an initial industrial Internet identification of the active identification device, etc. , not listed here.
S105:标识代理服务器将消息2发送给标识解析节点,以向所述标识解析节点申请注册所述目标工业互联网标识。S105: The ID proxy server sends message 2 to the ID resolution node, so as to apply for registration of the target industrial Internet ID with the ID resolution node.
S106:标识解析节点对所述目标工业互联网标识进行验证。S106: The identity resolution node verifies the target industrial Internet identity.
标识解析节点接收到消息2之后,可以对消息2进行解析,得到消息2中包括的目标工业互联网标识。而后,对所述目标工业互联网标识进行验证。在一个示例中,标识解析节点可以在所述目标工业互联网标识尚未被注册的情况下,确定所述目标工业互联网标识通过验证。After the identifier parsing node receives the message 2, it can parse the message 2 to obtain the target industrial Internet identifier included in the message 2. Then, verify the target Industrial Internet ID. In an example, the identity resolution node may determine that the target Industrial Internet identity has passed the verification when the target Industrial Internet identity has not been registered.
S107:标识解析节点在所述目标工业互联网标识通过验证的情况下,向所述标识代理服务器发送消息3,消息3用于指示目标工业互联网标识注册成功。S107: The identity resolution node sends a message 3 to the identity proxy server when the target industrial Internet identity passes the verification, and the message 3 is used to indicate that the registration of the target industrial Internet identity is successful.
另外,所述标识解析节点在所述目标工业互联网标识通过验证的情况下,还可以保存所述目标工业互联网标识和所述主动标识设备的设备信息之间的对应关系。In addition, the identity resolution node may also save the correspondence between the target industrial Internet identity and the device information of the actively-identified device when the target industrial Internet identity passes the verification.
S108:标识代理服务器将消息3发送给所述主动标识设备。S108: The identification proxy server sends message 3 to the active identification device.
S109:主动标识设备基于所述消息3,将目标工业互联网标识写入到主动标识设备中。S109: Based on the message 3, the active identification device writes the target industrial Internet identification into the active identification device.
主动标识设备接收到消息3之后,可以确定所述目标工业互联网标识注册成功。因此,所述主动标识设备可以将目标工业互联网标识写入到所述主动标识设备中。After the active identification device receives the message 3, it may determine that the registration of the target industrial Internet identification is successful. Therefore, the active identification device can write the target industrial Internet identification into the active identification device.
通过以上描述可知,对于原本具有初始工业互联网标识的主动标识设备而言,其可以在获取IP地址的同时,确定前缀1以及确定申请工业互联网标识的标识代理服务器的地址,从而利用前缀1得到目标工业互联网标识,并通过所述标识代理服务器申请注册所述目标工业互联网标识。From the above description, it can be seen that for an active identification device with an initial Industrial Internet identification, it can determine the prefix 1 and the address of the identification proxy server applying for the Industrial Internet identification while obtaining the IP address, so as to use the prefix 1 to obtain the target Industrial Internet ID, and apply for registration of the target Industrial Internet ID through the ID proxy server.
在以上方法100中,由主动标识设备基于前缀1和初始工业互联网标识得到目标工业互联网标识,并将包括目标工业互联网标识的消息1发送给标识代理服务器。但是在另一个示例中,所述消息1中可以包括初始工业互联网标识。相应的,所述标识代理服务器上可以配置有前缀1,标识代理服务器可以基于包括消息1中的初始工业互联网标识和前缀1得到目标工业互联网标识,而后,所述标识代理服务器可以基于所述目标工业互联网标识和所述主动标识设备的设备信息,得到前述消息2,并进一步执行S105及后续步骤。In the above method 100, the active identification device obtains the target Industrial Internet ID based on the prefix 1 and the initial Industrial Internet ID, and sends message 1 including the target Industrial Internet ID to the ID proxy server. However, in another example, the message 1 may include an initial industrial Internet identifier. Correspondingly, the identification proxy server can be configured with a prefix 1, and the identification proxy server can obtain the target industrial Internet identification based on the initial industrial Internet identification and prefix 1 included in the message 1, and then, the identification proxy server can be based on the target The Industrial Internet ID and the device information of the actively identified device obtain the aforementioned message 2, and further execute S105 and subsequent steps.
在一个示例中,当方法100中的标识代理服务器为网络准入控制器时,方法100还可以与网络接入控制(network access control,NAC)方案相结合。具体地:在所述主动标识 设备未将初始工业互联网标识更新为目标工业互联网标识时,基于所述初始工业互联网标识确定所述主动标识设备的网络访问权限。当所述主动标识设备将初始工业互联网标识更新为目标工业互联网标识之后,基于所述目标工业互联网标识进行重认证,从而获得与所述目标工业互联网标识对应的网络访问权限。In an example, when the identification proxy server in method 100 is a network admission controller, method 100 may also be combined with a network access control (network access control, NAC) solution. Specifically: when the active identification device does not update the initial Industrial Internet identification to the target Industrial Internet identification, determine the network access authority of the active identification device based on the initial Industrial Internet identification. After the active identification device updates the initial Industrial Internet identification to the target Industrial Internet identification, re-authentication is performed based on the target Industrial Internet identification, so as to obtain the network access authority corresponding to the target Industrial Internet identification.
在一个示例中,可以预先在所述网络准入控制器上配置基于前缀的认证授权策略。例如,对于针对非本企业的前缀,配置网络权限1,对于针对本企业的前缀,配置网络权限2,其中,网络权限1可访问的网络资源,少于网络权限2可访问的网络资源。In an example, a prefix-based authentication and authorization policy may be pre-configured on the network admission controller. For example, configure network authority 1 for prefixes not intended for the enterprise, and configure network authority 2 for prefixes aimed at the enterprise, where network resources accessible by network authority 1 are less than network resources accessible by network authority 2.
对于这种情况,在S101之前,所述主动标识设备可以向所述网络准入控制器发送认证消息1,该认证消息1中包括初始工业互联网标识。作为一个示例,所述主动标识设备可以向网络认证设备发送所述认证消息1,由所述网络认证设备将所述认证消息1转发给网络准入控制器。所述网络准入控制器基于所述认证消息1中的初始工业互联网标识,确定网络权限1,并将网络权限1发送给网络认证设备,从而使得所述主动标识设备获得所述网络权限1。其中:For this case, before S101, the active identification device may send an authentication message 1 to the network admission controller, where the authentication message 1 includes an initial industrial Internet identification. As an example, the active identification device may send the authentication message 1 to a network authentication device, and the network authentication device forwards the authentication message 1 to a network admission controller. The network admission controller determines the network authority 1 based on the initial industrial Internet identification in the authentication message 1, and sends the network authority 1 to the network authentication device, so that the active identification device obtains the network authority 1. in:
所述认证消息1可以是基于MAC认证的消息,也可以是基于802.1X认证的消息。所述认证消息1可以对已有的协议报文进行扩展得到的,例如,对已有的协议报文进行扩展,扩展类型长度值(type length value,TLV)字段用于携带所述初始工业互联网标识。其中,已有的协议报文包括但不限于链路层发现协议(Link Layer Discovery Protocol,LLDP)报文、可扩展身份验证协议(Extensible Authentication Protocol,EAP)报文、802.11关联协议报文,等等,此处不一一列举说明。The authentication message 1 may be a message based on MAC authentication, or a message based on 802.1X authentication. The authentication message 1 can be obtained by extending an existing protocol message, for example, by extending an existing protocol message, the extended type length value (type length value, TLV) field is used to carry the initial Industrial Internet logo. Among them, the existing protocol packets include but are not limited to Link Layer Discovery Protocol (LLDP) packets, Extensible Authentication Protocol (EAP) packets, 802.11 association protocol packets, etc. etc., not listed here.
在S107之后,标识代理服务器可以向网络认证设备发送重认证消息。相应的,在S109之后,所述主动标识设备可以向网络认证设备发送携带目标工业互联网标识的认证消息2,所述网络认证设备基于所述重认证消息将所述认证消息2发送给所述网络准入控制器。所述网络准入控制器基于所述认证消息2中的目标工业互联网标识,确定网络权限2,并将网络权限2发送给网络认证设备,从而使得所述主动标识设备获得所述网络权限2。其中:After S107, the identification proxy server may send a re-authentication message to the network authentication device. Correspondingly, after S109, the active identification device may send an authentication message 2 carrying the target Industrial Internet identifier to the network authentication device, and the network authentication device sends the authentication message 2 to the network based on the re-authentication message Admission controller. The network admission controller determines the network authority 2 based on the target industrial Internet identifier in the authentication message 2, and sends the network authority 2 to the network authentication device, so that the active identification device obtains the network authority 2. in:
与认证消息1类似,所述认证消息2可以是基于MAC认证的消息,也可以是基于802.1X认证的消息。所述认证消息2可以对已有的协议报文进行扩展得到的,例如,对已有的协议报文进行扩展,扩展类TLV字段用于携带所述目标工业互联网标识。其中,已有的协议报文包括但不限于LLDP报文、EAP报文、802.11关联协议报文,等等,此处不一一列举说明。Similar to the authentication message 1, the authentication message 2 may be a message based on MAC authentication, or a message based on 802.1X authentication. The authentication message 2 can be obtained by extending an existing protocol packet, for example, extending an existing protocol packet, and the extended TLV field is used to carry the target industrial Internet identifier. Wherein, the existing protocol packets include but not limited to LLDP packets, EAP packets, 802.11 associated protocol packets, etc., which are not listed here for description.
参见图4,该图为本申请实施例提供的又一种基于工业互联网标识的处理方法的信令交互图。其中:Referring to FIG. 4 , this figure is a signaling interaction diagram of another industrial Internet identification-based processing method provided by the embodiment of the present application. in:
主动标识设备为需要将工业互联网标识写入到自身内部的设备,主动标识设备例如可以是图2所示的设备100。网络准入控制器为运行标识代理的设备,所述标识代理可以是图2所述的标识代理200。标识解析节点为企业的标识解析节点,标识解析节点例如可以是图2所示的企业节点300。The active identification device is a device that needs to write the industrial Internet identification into itself, and the active identification device may be, for example, the device 100 shown in FIG. 2 . The network admission controller is a device that runs an identification agent, and the identification agent may be the identification agent 200 described in FIG. 2 . The identifier resolution node is an identifier resolution node of an enterprise, and the identifier resolution node may be, for example, the enterprise node 300 shown in FIG. 2 .
图4所示的方法200,也可以应用于所述主动标识设备具备初始工业互联网标识的场景。The method 200 shown in FIG. 4 may also be applied to a scenario where the active identification device has an initial industrial Internet identification.
所述方法200例如可以包括如下S201-S211。The method 200 may include, for example, the following S201-S211.
S201:主动标识设备向网络准入控制器发送认证消息3,所述认证消息3中包括所述主动标识设备的初始工业互联网标识。S201: The active identification device sends an authentication message 3 to the network admission controller, where the authentication message 3 includes the initial industrial Internet identification of the active identification device.
在一个示例中,主动标识设备接入网络可以包括两个阶段的认证,所述认证消息3用于进行第一阶段的认证,所述认证消息3中可以包括所述主动标识设备的设备信息。在一个示例中,所述第一阶段的认证可以是安全性偏弱的认证例如MAC认证。关于所述认证消息3,其与认证消息1类似,关于认证消息3可以参考前文对于认证消息1的描述部分,此处不做详述。In an example, accessing the network by an active identification device may include two-stage authentication, and the authentication message 3 is used to perform the first-stage authentication, and the authentication message 3 may include device information of the active identification device. In an example, the authentication at the first stage may be authentication with weak security such as MAC authentication. As for the authentication message 3, it is similar to the authentication message 1. For the authentication message 3, reference may be made to the foregoing description of the authentication message 1, and details are not described here.
关于所述主动标识设备的设备信息,可以参考上文的描述部分,此处不再重复描述。Regarding the device information of the active identification device, reference may be made to the above description, and the description will not be repeated here.
在一个示例中,所述第一阶段的认证可以由网络准入控制器处理,对于这种情况,所述网络准入控制器可以基于所述认证消息3对所述主动标识设备进行认证。在又一个示例中,所述第一阶段的认证可以由人工审批。对于这种情况,可以由管理员对所述主动标识设备进行审批。In an example, the authentication at the first stage may be handled by a network admission controller. In this case, the network admission controller may authenticate the active identification device based on the authentication message 3 . In yet another example, the first stage of certification may be manually approved. In this case, the administrator may approve the active identification device.
S202:网络准入控制器在确定所述主动标识设备通过认证的情况下,基于所述初始工业互联网标识和前缀1,得到目标工业互联网标识。S202: If the network admission controller determines that the active identification device has passed the authentication, based on the initial industrial Internet identification and prefix 1, obtain a target industrial Internet identification.
若所述第一阶段的认证可以由网络准入控制器处理,则所述网络准入控制器基于所述认证消息3对所述主动标识设备进行认证之后,可以得到对应的认证结果。若所述第一阶段的认证由人工审批,则所述网络准入控制器可以获取用户输入的认证结果。If the authentication at the first stage can be processed by the network admission controller, the network admission controller can obtain a corresponding authentication result after authenticating the active identification device based on the authentication message 3 . If the authentication in the first stage is manually approved, the network admission controller may obtain the authentication result input by the user.
在一个示例中,所述前缀1可以预先配置在所述网络准入控制器上。当所述网络准入控制器接收到包括初始工业互联网标识的认证消息3之后,可以基于所述初始工业互联网标识和前缀1,得到目标工业互联网标识。In an example, the prefix 1 may be pre-configured on the network admission controller. After the network admission controller receives the authentication message 3 including the initial Industrial Internet ID, it can obtain the target Industrial Internet ID based on the initial Industrial Internet ID and prefix 1.
S203:网络准入控制器生成消息4,消息4中包括所述目标工业互联网标识和所述主动标识设备的设备信息,消息4用于请求注册所述目标工业互联网标识。S203: The network admission controller generates a message 4, the message 4 includes the target industrial Internet identity and the device information of the active identification device, and the message 4 is used to request registration of the target industrial Internet identity.
S204:网络准入控制器将消息4发送给标识解析节点,以向所述标识解析节点申请注册所述目标工业互联网标识。S204: The network admission controller sends message 4 to the identity resolution node, so as to apply to the identity resolution node for registration of the target industrial Internet identity.
S205:标识解析节点对所述目标工业互联网标识进行验证。S205: The identity resolution node verifies the target industrial Internet identity.
S206:标识解析节点在所述目标工业互联网标识通过验证的情况下,向所述网络准入控制器发送消息5,消息5用于指示目标工业互联网标识注册成功。S206: The identity resolution node sends a message 5 to the network admission controller when the target industrial Internet identity passes the verification, and the message 5 is used to indicate that the registration of the target industrial Internet identity is successful.
关于S204-S206,其具体实现与S105-S107的具体实现相同,S105-S107中的标识代理服务器相当于S204-S206中的网络准入控制器。关于S204-S206的具体实现,可以参考S105-S107的描述部分,此处不做重复描述。Regarding S204-S206, its specific implementation is the same as that of S105-S107, and the identification proxy server in S105-S107 is equivalent to the network admission controller in S204-S206. For the specific implementation of S204-S206, reference may be made to the description of S105-S107, which will not be repeated here.
S207:网络准入控制器向网络认证设备发送消息6,消息6用于指示主动标识设备认证成功。S207: The network admission controller sends a message 6 to the network authentication device, where the message 6 is used to indicate that the authentication of the active identification device is successful.
需要说明的是,网络准入控制器在确定所述主动标识设备通过认证的情况下,可以执行S202中的“基于所述初始工业互联网标识和前缀1,得到目标工业互联网标识”以及后续S203-S207。在一个示例中,S207可以在S202中的“基于所述初始工业互联网标识和前缀1,得到目标工业互联网标识”被执行之前执行,也可在S202-S206之间执行,还可以与S202中的“基于所述初始工业互联网标识和前缀1,得到目标工业互联网标识”同时执行,本申请实施例不做具体限定。It should be noted that, when the network admission controller determines that the active identification device has passed the authentication, it can execute the "obtain the target industrial Internet identification based on the initial industrial Internet identification and prefix 1" in S202 and the subsequent S203- S207. In an example, S207 may be performed before the "obtain the target Industrial Internet ID based on the initial Industrial Internet ID and prefix 1" in S202 is executed, it may also be performed between S202-S206, and it may also be performed with the step in S202 "Get the target industrial internet identifier based on the initial industrial internet identifier and prefix 1" is executed at the same time, which is not specifically limited in this embodiment of the present application.
S208:主动标识设备获取IP地址之后,向网络准入控制器发送消息7,消息7用于请求安全认证信息。S208: After the active identification device obtains the IP address, it sends a message 7 to the network admission controller, where the message 7 is used to request security authentication information.
其中:in:
主动标识设备可以通过DHCP服务器获取IP地址。The actively identified device can obtain an IP address through the DHCP server.
所述安全认证信息为所述主动标识设备进行第二阶段安全认证所需的信息。当所述第二阶段安全认证为802.1X认证时,所述安全认证信息可以包括802.1X认证证书。当然,所述安全认证信息还可以包括其它信息,此处不一一列举说明。The security authentication information is information required for the active identification device to perform the second-stage security authentication. When the second-stage security authentication is 802.1X authentication, the security authentication information may include an 802.1X authentication certificate. Of course, the security authentication information may also include other information, which will not be listed here.
S209:网络准入控制器将包括所述目标工业互联网标识的安全认证信息发送给所述主动标识设备。S209: The network admission controller sends the security authentication information including the target Industrial Internet ID to the active ID device.
网络准入控制器接收到消息5之后,则可以确定目标工业互联网标识注册成功。因此,网络准入控制器接收到消息7之后,可以获取所述目标工业互联网标识,并将包括所述目标工业互联网标识的安全认证信息发送给所述主动标识设备。After the network admission controller receives the message 5, it can determine that the registration of the target industrial Internet identifier is successful. Therefore, after receiving the message 7, the network admission controller may obtain the target industrial Internet identifier, and send the security authentication information including the target industrial Internet identifier to the active identification device.
S210:主动标识设备将所述目标工业互联网标识写入到所述主动标识设备内部。S210: The active identification device writes the target industrial Internet identification into the active identification device.
主动标识设备接收到所述安全认证信息之后,可以对所述安全认证信息进行解析,得到目标工业互联网标识,而后,将所述目标工业互联网标识写入到所述主动标识设备内部。After the active identification device receives the security authentication information, it can analyze the security authentication information to obtain the target industrial Internet identifier, and then write the target industrial Internet identifier into the active identification device.
S211:主动标识设备向网络准入控制器发送认证消息4,所述认证消息4包括所述安全认证信息。S211: The active identification device sends an authentication message 4 to the network admission controller, where the authentication message 4 includes the security authentication information.
在一个示例中,所述认证消息4可以是802.1X认证对应的认证消息。网络准入控制器接收到认证消息4之后,可以基于认证消息4中的安全认证信息,对所述主动标识设备进行安全认证。In an example, the authentication message 4 may be an authentication message corresponding to 802.1X authentication. After receiving the authentication message 4, the network admission controller may perform security authentication on the active identification device based on the security authentication information in the authentication message 4.
通过以上描述可知,利用方法200,可以将主动标识终端的安全认证分成两个阶段的认证,对于原本具有初始工业互联网标识的主动标识设备而言,其可以在第一阶段认证成功、获取第二阶段认证所需要的安全认证信息时,申请得到目标工业互联网标识。It can be seen from the above description that using the method 200, the security authentication of the active identification terminal can be divided into two stages of authentication. For the active identification device with the initial industrial Internet identification, it can be successfully authenticated in the first stage and obtain the second authentication. When applying for the security certification information required for phase certification, the target Industrial Internet logo is obtained.
接下来介绍主动标识设备不具备初始工业互联网标识时,本申请实施例提供的基于工业互联网标识的处理方法。Next, when the active identification device does not have the initial Industrial Internet identification, the processing method based on the Industrial Internet identification provided by the embodiment of this application is introduced.
参见图5,该图为本申请实施例提供的一种基于工业互联网标识的处理方法的信令交互图。其中:Referring to FIG. 5 , this figure is a signaling interaction diagram of a processing method based on industrial Internet identification provided by an embodiment of the present application. in:
关于主动标识设备、标识代理服务器以及标识解析节点,可以参考方法100中的相关描述部分,此处不做重复描述。Regarding the active identification device, the identification proxy server, and the identification resolution node, reference may be made to relevant descriptions in the method 100, and repeated descriptions are not repeated here.
图5所示的方法300,可以应用于所述主动标识设备不具备初始工业互联网标识的场景。The method 300 shown in FIG. 5 can be applied to a scenario where the active identification device does not have an initial industrial Internet identification.
所述方法300例如可以包括如下S301-S308。The method 300 may include, for example, the following S301-S308.
S301:主动标识设备通过DHCP服务器获取DHCP选项,所述DHCP选项中包括IP地址,所述DHCP选项的扩展信息中包括标识代理服务器的地址。S301: The active identification device obtains a DHCP option through a DHCP server, the DHCP option includes an IP address, and the extended information of the DHCP option includes an address of an identification proxy server.
在一个示例中,所述DHCP选项的扩展信息中还包括指示信息,该指示信息用于指示所述主动标识设备申请工业互联网标识。In an example, the extended information of the DHCP option further includes indication information, and the indication information is used to instruct the active identification device to apply for an industrial Internet identification.
在一个示例中,所述DHCP选项的扩展信息中包括的信息,可以是预先配置在所述 DHCP服务器上的。In an example, the information included in the extended information of the DHCP option may be pre-configured on the DHCP server.
S302:主动标识设备向标识代理服务器发送消息1’,所述消息1’用于请求分配工业互联网标识。S302: The active identification device sends a message 1' to the identification proxy server, and the message 1' is used to request allocation of an industrial Internet identification.
S303:标识代理服务器根据消息1’得到消息2’,其中,消息2’中包括所述主动标识设备的设备信息。S303: The identification proxy server obtains message 2' according to message 1', wherein message 2' includes the device information of the active identification device.
在一个示例中,所述主动标识设备的设备信息可以是管理员提前配置到所述标识代理服务器上的。在又一个示例中,当所述标识代理服务器是网管时,所述网管中原本就具备所述主动标识设备的设备信息。In an example, the device information of the active identification device may be configured on the identification proxy server in advance by an administrator. In yet another example, when the identification proxy server is a network administrator, the network administrator already has the device information of the active identification device.
标识代理服务器接收到消息1’之后,可以基于所述消息1’和主动标识设备的设备信息,得到消息2’。例如,所述标识代理服务器可以将所述设备信息添加到所述消息1’中,得到所述消息2’。After receiving the message 1', the identification proxy server can obtain the message 2' based on the message 1' and the device information of the active identification device. For example, the identification proxy server may add the device information to the message 1' to obtain the message 2'.
S304:标识代理服务器将消息2’发送给标识解析节点,以请求所述标识解析节点为所述主动标识设备分配工业互联网标识。S304: The identification proxy server sends the message 2' to the identification resolution node, so as to request the identification resolution node to allocate an industrial Internet identification for the active identification device.
S305:标识解析节点将目标工业互联网标识确定为分配给所述主动标识设备的工业互联网标识。S305: The identity resolution node determines the target industrial Internet identity as the industrial Internet identity allocated to the active identity device.
标识解析节点可以按照一定的规则获得所述目标工业互联网标识,例如,随机生成一个标识后缀,并在该随机生成的标识后缀未被使用的情况下,基于所述标识后缀和企业对应的标识前缀,得到所述目标工业互联网标识。The identification resolution node can obtain the target industrial Internet identification according to certain rules, for example, randomly generate an identification suffix, and if the randomly generated identification suffix is not used, based on the identification suffix and the corresponding identification prefix of the enterprise , to obtain the target Industrial Internet ID.
S306:标识解析节点将携带目标工业互联网标识的消息3’发送给标识代理服务器。S306: The identity resolution node sends the message 3' carrying the target industrial Internet identity to the identity proxy server.
S307:标识代理服务器将消息3’发送给所述主动标识设备。S307: The identification proxy server sends the message 3' to the active identification device.
S308:主动标识设备基于所述消息3’,将目标工业互联网标识写入到主动标识设备中。S308: The active identification device writes the target industrial Internet identification into the active identification device based on the message 3'.
主动标识设备接收到消息3’之后,可以对所述消息3’进行解析,得到消息3’中包括的目标工业互联网标识,从而将所述目标工业互联网标识写入到主动标识设备中。After the active identification device receives the message 3', it can analyze the message 3' to obtain the target industrial Internet identification included in the message 3', so as to write the target industrial Internet identification into the active identification device.
通过以上描述可知,对于原本不具有初始工业互联网标识的主动标识设备而言,其可以在获取IP地址的同时,基于所述DHCP选项的扩展信息,确定前申请工业互联网标识的标识代理服务器的地址,从而并通过所述标识代理服务器请求为自身分配工业互联网标识。From the above description, it can be seen that for an active identification device that does not have an initial Industrial Internet identification, it can determine the address of the identification proxy server that previously applied for an Industrial Internet identification based on the extended information of the DHCP option while obtaining an IP address , so as to request to assign an Industrial Internet ID to itself through the ID proxy server.
在一个示例中,当方法300中的标识代理服务器为网络准入控制器时,方法300还可以与NAC方案相结合。具体地:在所述主动标识设备不具备工业互联网标识时,为所述主动标识设备确定对应的网络访问权限。当所述主动标识设备获得目标工业互联网标识之后,基于所述目标工业互联网标识进行重认证,从而获得与所述目标工业互联网标识对应的网络访问权限。In an example, when the identification proxy server in method 300 is a network admission controller, method 300 may also be combined with a NAC solution. Specifically: when the active identification device does not have an industrial Internet identification, determine the corresponding network access authority for the active identification device. After the active identification device obtains the target Industrial Internet ID, re-authentication is performed based on the target Industrial Internet ID, so as to obtain the network access authority corresponding to the target Industrial Internet ID.
在一个示例中,可以预先在所述网络准入控制器上配置基于前缀的认证授权策略。例如,对于无前缀,配置网络权限1,对于针对本企业的前缀,配置网络权限2,其中,网络权限1可访问的网络资源,少于网络权限2可访问的网络资源。In an example, a prefix-based authentication and authorization policy may be pre-configured on the network admission controller. For example, configure network authority 1 for no prefix, and configure network authority 2 for the enterprise-specific prefix. The network resources accessible by network authority 1 are less than those accessible by network authority 2.
对于这种情况,在S301之前,所述主动标识设备可以向所述网络准入控制器发送认证消息1’,该认证消息1’不包括工业互联网标识。作为一个示例,所述主动标识设备可 以向网络认证设备发送所述认证消息1’,由所述网络认证设备将所述认证消息1’发送给网络准入控制器。所述网络准入控制器基于所述认证消息1’,确定网络权限1,并将网络权限1发送给网络认证设备,从而使得所述主动标识设备获得所述网络权限1。其中:For this case, before S301, the active identification device may send an authentication message 1' to the network admission controller, and the authentication message 1' does not include the industrial Internet identification. As an example, the active identification device may send the authentication message 1' to the network authentication device, and the network authentication device sends the authentication message 1' to the network admission controller. The network admission controller determines the network authority 1 based on the authentication message 1', and sends the network authority 1 to the network authentication device, so that the active identification device obtains the network authority 1. in:
与认证消息1类似,所述认证消息1’也可以是基于MAC认证的消息,也可以是基于802.1X认证的消息。所述认证消息1’可以是已有的协议报文。其中,已有的协议报文包括但不限于链路层发现协议(Link Layer Discovery Protocol,LLDP)报文、可扩展身份验证协议(Extensible Authentication Protocol,EAP)报文、802.11关联协议报文,等等,此处不一一列举说明。Similar to the authentication message 1, the authentication message 1' can also be a message based on MAC authentication, or a message based on 802.1X authentication. The authentication message 1' may be an existing protocol message. Among them, the existing protocol packets include but are not limited to Link Layer Discovery Protocol (LLDP) packets, Extensible Authentication Protocol (EAP) packets, 802.11 association protocol packets, etc. Etc., not enumerating and explaining one by one here.
在S306之后,标识代理服务器可以向网络认证设备发送重认证消息。相应的,在S308之后,所述主动标识设备可以向网络认证设备发送携带目标工业互联网标识的认证消息2’,所述网络认证设备基于所述重认证消息将所述认证消息2’发送给所述网络准入控制器。所述网络准入控制器基于所述认证消息2’中的目标工业互联网标识,确定网络权限2,并将网络权限2发送给网络认证设备,从而使得所述主动标识设备获得所述网络权限2。其中:After S306, the identification proxy server may send a re-authentication message to the network authentication device. Correspondingly, after S308, the active identification device may send an authentication message 2' carrying the target Industrial Internet identifier to the network authentication device, and the network authentication device sends the authentication message 2' to the network authentication device based on the re-authentication message. The network admission controller described above. The network admission controller determines the network authority 2 based on the target industrial Internet identifier in the authentication message 2', and sends the network authority 2 to the network authentication device, so that the active identification device obtains the network authority 2 . in:
与认证消息1’类似,所述认证消息2’可以是基于MAC认证的消息,也可以是基于802.1X认证的消息。,此处不再重复说明。Similar to the authentication message 1', the authentication message 2' may be a message based on MAC authentication, or a message based on 802.1X authentication. , which will not be repeated here.
参见图6,该图为本申请实施例提供的又一种基于工业互联网标识的处理方法的信令交互图。其中:Referring to FIG. 6 , this figure is a signaling interaction diagram of another industrial Internet identification-based processing method provided by the embodiment of the present application. in:
关于主动标识设备、网络准入控制器和标识解析节点,可以参考上文对于方法200的描述部分,此处不再重复描述。Regarding the active identification device, the network admission controller and the identification resolution node, reference may be made to the description of the method 200 above, and the description will not be repeated here.
图6所示的方法400,也可以应用于所述主动标识设备不具备初始工业互联网标识的场景。The method 400 shown in FIG. 6 may also be applied to a scenario where the active identification device does not have an initial industrial Internet identification.
所述方法400例如可以包括如下S401-S410。The method 400 may include, for example, the following S401-S410.
S401:主动标识设备向网络准入控制器发送认证消息3’。S401: The active identification device sends an authentication message 3' to the network admission controller.
在一个示例中,主动标识设备接入网络可以包括两个阶段的认证,所述认证消息3’用于进行第一阶段的认证,所述认证消息3’中可以包括所述主动标识设备的设备信息。在一个示例中,所述第一阶段的认证可以是安全性偏弱的认证例如MAC认证。关于所述认证消息3’,其与认证消息1’类似,关于认证消息3’可以参考前文对于认证消息1’的描述部分,此处不做详述。In an example, actively identifying the device to access the network may include two stages of authentication, the authentication message 3' is used to perform the first stage of authentication, and the authentication message 3' may include the device of the actively identifying device information. In an example, the authentication at the first stage may be authentication with weak security such as MAC authentication. As for the authentication message 3', it is similar to the authentication message 1'. For the authentication message 3', reference may be made to the description of the authentication message 1' above, and details will not be described here.
关于所述主动标识设备的设备信息,可以参考上文的描述部分,此处不再重复描述。Regarding the device information of the active identification device, reference may be made to the above description, and the description will not be repeated here.
在一个示例中,所述第一阶段的认证可以由网络准入控制器处理,对于这种情况,所述网络准入控制器可以基于所述认证消息3’对所述主动标识设备进行认证。在又一个示例中,所述第一阶段的认证可以由人工审批。对于这种情况,可以由管理员对所述主动标识设备进行审批。In an example, the authentication at the first stage may be handled by a network admission controller, and in this case, the network admission controller may authenticate the active identification device based on the authentication message 3'. In yet another example, the first stage of certification may be manually approved. In this case, the administrator may approve the active identification device.
S402:网络准入控制器在确定所述主动标识设备通过认证的情况下,生成消息4’,消息4’中包括所述主动标识设备的设备信息,消息4’用于请求为所述主动标识设备分配工业互联网标识。S402: When the network admission controller determines that the active identification device has passed the authentication, generate a message 4', the message 4' includes the device information of the active identification device, and the message 4' is used to request for the active identification The device is assigned an Industrial Internet ID.
若所述第一阶段的认证可以由网络准入控制器处理,则所述网络准入控制器基于所述认证消息3’对所述主动标识设备进行认证之后,可以得到对应的认证结果。若所述第一阶 段的认证由人工审批,则所述网络准入控制器可以获取用户输入的认证结果。If the authentication at the first stage can be processed by the network admission controller, the network admission controller can obtain a corresponding authentication result after authenticating the active identification device based on the authentication message 3'. If the authentication at the first stage is manually approved, the network admission controller can obtain the authentication result input by the user.
S403:网络准入控制器将消息4’发送给标识解析节点,以请求所述标识解析节点为所述主动标识设备分配工业互联网标识。S403: The network admission controller sends a message 4' to the identity resolution node, so as to request the identity resolution node to allocate an industrial Internet identity for the active identity device.
S404:标识解析节点基于消息4’将目标工业互联网标识确定为分配给所述主动标识设备的工业互联网标识。S404: The identity resolution node determines the target industrial Internet identity as the industrial Internet identity assigned to the active identity device based on the message 4'.
关于标识解析节点将目标工业互联网标识确定为分配给所述主动标识设备的工业互联网标识的具体实现,可以参考S305中的相关描述部分,此处不做重复描述。Regarding the specific implementation of the identification resolution node determining the target Industrial Internet ID as the Industrial Internet ID assigned to the active identification device, reference may be made to relevant descriptions in S305, and repeated descriptions are not repeated here.
标识解析节点还可以保存所述目标工业互联网标识和所述主动标识设备的设备信息之间的对应关系。The identifier resolution node may also store the correspondence between the target industrial Internet identifier and the device information of the active identifier device.
S405:标识解析节点向所述网络准入控制器发送消息5’,消息5’中携带所述目标工业互联网标识。S405: The identifier resolution node sends a message 5' to the network admission controller, and the message 5' carries the target industrial Internet identifier.
网络准入控制器接收到所述消息5’之后,可以保存所述目标工业互联网标识。作为一个示例,所述网络准入控制器可以保存所述目标工业互联网标识和所述主动标识设备的标识之间的对应关系。其中,所述主动标识设备的标识,例如可以是所述主动标识设备的MAC地址。S406:网络准入控制器向网络认证设备发送消息6’,消息6’用于指示主动标识设备认证成功。After the network admission controller receives the message 5', it can save the target industrial Internet identifier. As an example, the network admission controller may save the correspondence between the target industrial Internet identifier and the identifier of the active identifier device. Wherein, the identifier of the active identification device may be, for example, the MAC address of the active identification device. S406: The network admission controller sends a message 6' to the network authentication device, where the message 6' is used to indicate that the authentication of the active identification device is successful.
S407:主动标识设备获取IP地址之后,向网络准入控制器发送消息7’,消息7’用于请求安全认证信息。S407: After the active identification device obtains the IP address, it sends a message 7' to the network admission controller, where the message 7' is used to request security authentication information.
其中:in:
主动标识设备可以通过DHCP服务器获取IP地址。The actively identified device can obtain an IP address through the DHCP server.
所述消息7’包括所述主动标识设备的标识。Said message 7' includes the identification of said active identification device.
所述安全认证信息为所述主动标识设备进行第二阶段安全认证所需的信息。当所述第二阶段安全认证为802.1X认证时,所述安全认证信息可以包括802.1X认证证书。当然,所述安全认证信息还可以包括其它信息,此处不一一列举说明。The security authentication information is information required for the active identification device to perform the second-stage security authentication. When the second-stage security authentication is 802.1X authentication, the security authentication information may include an 802.1X authentication certificate. Of course, the security authentication information may also include other information, which will not be listed here.
S408:网络准入控制器将包括所述目标工业互联网标识的安全认证信息发送给所述主动标识设备。网络准入控制器接收到所述消息7’之后,可以基于所述消息7’中的主动标识设备的标识,查找得到前述所述目标工业互联网标识和所述主动标识设备的标识之间的对应关系,从而得到所述目标工业互联网标识,从而将包括所述目标工业互联网标识的安全认证信息发送给所述主动标识设备。S408: The network admission controller sends security authentication information including the target Industrial Internet ID to the active ID device. After receiving the message 7', the network admission controller may search for the correspondence between the aforementioned target industrial Internet identifier and the identifier of the active identifier device based on the identifier of the active identifier device in the message 7' relationship, so as to obtain the target industrial Internet identity, and then send the security authentication information including the target industrial Internet identity to the active identification device.
S409:主动标识设备将所述目标工业互联网标识写入到所述主动标识设备内部。S409: The active identification device writes the target industrial Internet identification into the active identification device.
主动标识设备接收到所述安全认证信息之后,可以对所述安全认证信息进行解析,得到目标工业互联网标识,而后,将所述目标工业互联网标识写入到所述主动标识设备内部。After the active identification device receives the security authentication information, it can analyze the security authentication information to obtain the target industrial Internet identifier, and then write the target industrial Internet identifier into the active identification device.
S410:主动标识设备向网络准入控制器发送认证消息4’,所述认证消息4’包括所述安全认证信息。S410: The active identification device sends an authentication message 4' to the network admission controller, where the authentication message 4' includes the security authentication information.
在一个示例中,所述认证消息4’可以是802.1X认证对应的认证消息。网络准入控制器接收到认证消息4’之后,可以基于认证消息4’中的安全认证信息,对所述主动标识设备进行安全认证。In an example, the authentication message 4' may be an authentication message corresponding to 802.1X authentication. After receiving the authentication message 4', the network admission controller may perform security authentication on the active identification device based on the security authentication information in the authentication message 4'.
通过以上描述可知,利用方法400,可以将主动标识终端的安全认证分成两个阶段的认 证,对于原本不具有初始工业互联网标识的主动标识设备而言,其可以在第一阶段认证成功、获取第二阶段认证所需要的安全认证信息时,申请得到目标工业互联网标识。From the above description, it can be seen that using method 400, the security authentication of the active identification terminal can be divided into two stages of authentication. When applying for the security certification information required by the second-stage certification, the target industrial Internet logo is obtained.
参见图7,该图为本申请实施例提供的一种基于工业互联网标识的处理方法的流程示意图。Referring to FIG. 7 , this figure is a schematic flowchart of a processing method based on industrial Internet identification provided by an embodiment of the present application.
第一设备为需要将工业互联网标识写入到自身内部的设备,第一设备例如可以是图2所示的设备100。第二设备为运行标识代理的设备,所述标识代理可以是图2所述的标识代理200,第二设备可以是网管或者网络准入控制器。The first device is a device that needs to write the industrial Internet identifier into itself, and the first device may be, for example, the device 100 shown in FIG. 2 . The second device is a device running an identification agent. The identification agent may be the identification agent 200 described in FIG. 2 , and the second device may be a network manager or a network admission controller.
图7所示的方法,可以应用于以上实施例提供的方法100、方法200、方法300以及方法400。图7所示的方法500,例如可以包括如下S501-S503。The method shown in FIG. 7 can be applied to the method 100 , method 200 , method 300 and method 400 provided in the above embodiments. The method 500 shown in FIG. 7 may include, for example, the following S501-S503.
S501:第一设备向第二设备发送第一消息,所述第一消息用于为所述第一设备申请工业互联网标识,所述第二设备为网管或者网络准入控制器。S501: The first device sends a first message to a second device, where the first message is used to apply for an Industrial Internet ID for the first device, and the second device is a network manager or a network admission controller.
S502:第一设备接收所述第二设备发送的第二消息,所述第二消息指示为所述第一设备申请工业互联网标识的结果。S502: The first device receives a second message sent by the second device, where the second message indicates a result of applying for an Industrial Internet ID for the first device.
S503:第一设备基于所述第二消息,将目标工业互联网标识写入到所述第一设备中。S503: The first device writes the target Industrial Internet identifier into the first device based on the second message.
当所述方法500应用于以上方法100时,第一设备对应方法100中的主动标识设备;第二设备对应方法100中的标识代理服务器。所述第一消息对应于方法100中的消息1;所述第二消息对应方法100中的消息3。When the method 500 is applied to the above method 100, the first device corresponds to the active identification device in the method 100; the second device corresponds to the identification proxy server in the method 100. The first message corresponds to message 1 in method 100 ; the second message corresponds to message 3 in method 100 .
当所述方法500应用于以上方法200时,第一设备对应方法200中的主动标识设备;第二设备对应方法200中的网络准入服务器。所述第一消息对应于方法200中的认证消息3;所述第二消息对应方法200中的安全认证信息。When the method 500 is applied to the above method 200, the first device corresponds to the active identification device in the method 200; the second device corresponds to the network admission server in the method 200. The first message corresponds to the authentication message 3 in the method 200; the second message corresponds to the security authentication information in the method 200.
当所述方法500应用于以上方法300时,第一设备对应方法300中的主动标识设备;第二设备对应方法300中的标识代理服务器。所述第一消息对应于方法100中的消息1’;所述第二消息对应方法100中的消息3’。When the method 500 is applied to the above method 300, the first device corresponds to the active identification device in the method 300; the second device corresponds to the identification proxy server in the method 300. The first message corresponds to message 1' in method 100; the second message corresponds to message 3' in method 100.
当所述方法500应用于以上方法400时,第一设备对应方法400中的主动标识设备;第二设备对应方法400中的网络准入服务器。所述第一消息对应于方法400中的认证消息3’;所述第二消息对应方法400中的安全认证信息。When the method 500 is applied to the above method 400, the first device corresponds to the active identification device in the method 400; the second device corresponds to the network admission server in the method 400. The first message corresponds to the authentication message 3' in the method 400; the second message corresponds to the security authentication information in the method 400.
在一种可能的实现方式中,所述向第二设备发送第一消息,包括:In a possible implementation manner, the sending the first message to the second device includes:
向所述第二设备发送携带所述目标工业互联网标识的第一消息,所述第一消息用于请求注册所述目标工业互联网标识。Sending a first message carrying the target Industrial Internet identifier to the second device, where the first message is used to request registration of the target Industrial Internet identifier.
在一种可能的实现方式中,所述方法还包括:In a possible implementation, the method further includes:
获取动态主机配置协议DHCP选项option的扩展信息中的第一前缀;Obtain the first prefix in the extended information of the Dynamic Host Configuration Protocol DHCP option option;
根据所述第一前缀和所述第一设备的初始工业互联网标识,得到所述目标工业互联网标识。Obtain the target Industrial Internet identifier according to the first prefix and the initial Industrial Internet identifier of the first device.
在一种可能的实现方式中,所述第一消息携带所述第一设备的初始工业互联网标识。In a possible implementation manner, the first message carries the initial Industrial Internet identifier of the first device.
在一种可能的实现方式中,所述第一消息用于请求为所述第一设备分配工业互联网标识。In a possible implementation manner, the first message is used to request allocation of an industrial Internet identifier for the first device.
在一种可能的实现方式中,所述第二消息包括所述目标工业互联网标识。In a possible implementation manner, the second message includes the target Industrial Internet identifier.
在一种可能的实现方式中,在发送所述第一消息之前,所述方法还包括:In a possible implementation manner, before sending the first message, the method further includes:
向所述第二设备发送第一认证消息,以获得接入网络的权限。Send a first authentication message to the second device, so as to obtain permission to access the network.
方法500中的第一认证消息,可以对应以上实施例中的认证消息1,也可以对应以上实施例中的认证消息1’。The first authentication message in method 500 may correspond to authentication message 1 in the above embodiment, or may correspond to authentication message 1' in the above embodiment.
在一种可能的实现方式中,所述第一认证消息包括所述初始工业互联网标识。In a possible implementation manner, the first authentication message includes the initial Industrial Internet identifier.
在一种可能的实现方式中,所述方法还包括:In a possible implementation, the method further includes:
向所述第二设备发送第二认证消息,所述第二认证消息中包括所述目标工业互联网标识。Sending a second authentication message to the second device, where the second authentication message includes the target Industrial Internet identifier.
方法500中的第二认证消息,可以对应以上实施例中的认证消息2,也可以对应以上实施例中的认证消息2’。The second authentication message in method 500 may correspond to authentication message 2 in the above embodiment, or may correspond to authentication message 2' in the above embodiment.
在一种可能的实现方式中,所述方法还包括:In a possible implementation, the method further includes:
获取指示信息,所述指示信息用于指示为所述第一设备申请工业互联网标识。Obtain instruction information, where the instruction information is used to instruct to apply for an Industrial Internet ID for the first device.
方法500中的指示信息,可以是方法100中的提及的指示信息,也可以是方法300中提及的指示信息。The indication information in method 500 may be the indication information mentioned in method 100 or the indication information mentioned in method 300 .
在一种可能的实现方式中,所述指示信息携带在DHCP option扩展信息中。In a possible implementation manner, the indication information is carried in DHCP option extension information.
在一种可能的实现方式中,所述第一消息为认证消息。此处提及的所述认证消息可以对应方法200中的认证消息3,也可以对应方法400中的认证消息3’。In a possible implementation manner, the first message is an authentication message. The authentication message mentioned here may correspond to the authentication message 3 in the method 200, and may also correspond to the authentication message 3' in the method 400.
在一种可能的实现方式中,所述接收所述第二设备发送的第二消息,包括:In a possible implementation manner, the receiving the second message sent by the second device includes:
接收所述网络准入控制器发送的安全认证信息,所述安全认证信息包括所述目标工业互联网标识。此处提及的安全认证信息,可以对应方法200中的安全认证信息,也可以对应方法400中的安全认证信息。Receive security authentication information sent by the network admission controller, where the security authentication information includes the target industrial Internet identifier. The security authentication information mentioned here may correspond to the security authentication information in method 200 , and may also correspond to the security authentication information in method 400 .
关于所述方法500的具体实现,可以参考前文对于方法100、方法200、方法300以及方法400的相关描述部分,此处不做详述。Regarding the specific implementation of the method 500, reference may be made to the relevant descriptions of the method 100, the method 200, the method 300, and the method 400 above, and details are not described here.
参见图8,该图为本申请实施例提供的又一种基于工业互联网标识的处理方法的流程示意图。Referring to FIG. 8 , this figure is a schematic flow chart of another industrial Internet identification-based processing method provided by the embodiment of the present application.
第一设备为需要将工业互联网标识写入到自身内部的设备,第一设备例如可以是图2所示的设备100。第二设备为运行标识代理的设备,所述标识代理可以是图2所述的标识代理200,第二设备可以是网管或者网络准入控制器。The first device is a device that needs to write the industrial Internet identifier into itself, and the first device may be, for example, the device 100 shown in FIG. 2 . The second device is a device running an identification agent. The identification agent may be the identification agent 200 described in FIG. 2 , and the second device may be a network manager or a network admission controller.
图8所示的方法,可以应用于以上实施例提供的方法100以及方法300。图8所示的方法600,例如可以包括如下S601-S604。The method shown in FIG. 8 may be applied to the method 100 and the method 300 provided in the above embodiments. The method 600 shown in FIG. 8 may include, for example, the following S601-S604.
S601:第二设备接收第一设备发送的第一消息,所述第一消息用于为所述第一设备申请工业互联网标识。S601: The second device receives a first message sent by the first device, where the first message is used to apply for an Industrial Internet ID for the first device.
当方法600应用于方法100时,所述第一消息对应方法100中的消息1。When method 600 is applied to method 100 , the first message corresponds to message 1 in method 100 .
当方法600应用于方法300时,所述第一消息对应方法300中的消息1’。When method 600 is applied to method 300, the first message corresponds to message 1' in method 300.
S602:第二设备向第三设备发送所述第二消息,所述第二消息用于为所述第一设备申请工业互联网标识,所述第二消息包括所述第一设备的设备信息。S602: The second device sends the second message to the third device, where the second message is used to apply for an Industrial Internet identifier for the first device, and the second message includes device information of the first device.
当方法600应用于方法100时,所述第二消息对应方法100中的消息2。When method 600 is applied to method 100 , the second message corresponds to message 2 in method 100 .
当方法600应用于方法300时,所述第二消息对应方法300中的消息2’。When method 600 is applied to method 300, the second message corresponds to message 2' in method 300.
S603:第二设备接收所述第三设备发送的第三消息,所述第三消息指示为所述第一设备申请工业互联网标识的结果。S603: The second device receives a third message sent by the third device, where the third message indicates a result of applying for an Industrial Internet ID for the first device.
当方法600应用于方法100时,所述第三消息对应方法100中的消息3。When method 600 is applied to method 100 , the third message corresponds to message 3 in method 100 .
当方法600应用于方法300时,所述第三消息对应方法300中的消息3’。When method 600 is applied to method 300, the third message corresponds to message 3' in method 300.
S604:第二设备将所述第三消息发送给所述第一设备。S604: The second device sends the third message to the first device.
在一种可能的实现方式中,所述第一消息包括所述目标工业互联网标识。In a possible implementation manner, the first message includes the target Industrial Internet identifier.
在一种可能的实现方式中,所述第三消息包括所述目标工业互联网标识。In a possible implementation manner, the third message includes the target Industrial Internet identifier.
在一种可能的实现方式中,在接收所述第一消息之前,所述方法还包括:接收所述第一设备发送的第一认证消息;根据所述第一认证消息确定所述第一设备的第一网络访问权限。In a possible implementation manner, before receiving the first message, the method further includes: receiving a first authentication message sent by the first device; determining the first authentication message of the first device according to the first authentication message 1st network access for .
方法600中的第一认证消息,可以对应以上实施例中的认证消息1,也可以对应以上实施例中的认证消息1’。The first authentication message in method 600 may correspond to authentication message 1 in the above embodiment, or may correspond to authentication message 1' in the above embodiment.
在一种可能的实现方式中,所述方法还包括:接收所述第一设备发送的第二认证消息,所述第二认证消息中包括所述目标工业互联网标识;根据所述第二认证消息确定所述第一设备的第二网络访问权限。In a possible implementation manner, the method further includes: receiving a second authentication message sent by the first device, where the second authentication message includes the target Industrial Internet identifier; A second network access right of the first device is determined.
方法600中的第二认证消息,可以对应以上实施例中的认证消息2,也可以对应以上实施例中的认证消息2’。The second authentication message in method 600 may correspond to authentication message 2 in the above embodiment, or may correspond to authentication message 2' in the above embodiment.
在一种可能的实现方式中,所述第一消息包括所述第一设备的初始工业互联网标识。In a possible implementation manner, the first message includes an initial Industrial Internet identifier of the first device.
在一种可能的实现方式中,所述第一消息为认证消息。In a possible implementation manner, the first message is an authentication message.
在一种可能的实现方式中,所述第二消息用于请求为第一设备分配工业互联网标识。In a possible implementation manner, the second message is used to request to assign an industrial Internet identifier to the first device.
在一种可能的实现方式中,所述第二消息用于请求为第一设备注册目标工业互联网标识。In a possible implementation manner, the second message is used to request to register the target industrial internet identifier for the first device.
在一种可能的实现方式中,所述第二消息基于如下方式获得:获取预先配置的第一前缀和所述第一设备的设备信息;基于所述第一前缀和所述初始工业互联网标识,得到所述目标工业互联网标识;基于所述目标工业互联网标识和所述设备信息,得到包括所述设备信息和所述目标工业互联网标识的第二消息,所述第二消息用于请求为所述第一设备注册所述目标工业互联网标识。其中:In a possible implementation manner, the second message is obtained based on the following manner: obtaining a pre-configured first prefix and device information of the first device; based on the first prefix and the initial industrial Internet identifier, Obtain the target Industrial Internet ID; based on the target Industrial Internet ID and the device information, obtain a second message including the device information and the target Industrial Internet ID, and the second message is used to request for the The first device registers the target Industrial Internet identifier. in:
关于所述方法600的具体实现,可以参考前文对于方法100以及方法300的相关描述部分,此处不做详述。Regarding the specific implementation of the method 600, reference may be made to the above relevant descriptions of the method 100 and the method 300, and details are not described here.
本申请实施例还提供了一种基于工业互联网标识的处理装置,参见图9,该图为本申请实施例提供的一种基于工业互联网标识的处理装置的结构示意图。图9所示的装置900可以应用于第一设备,用于执行以上由第一设备执行的方法500。所述装置900包括:发送单元901、接收单元902和处理单元903。The embodiment of the present application also provides an Industrial Internet ID-based processing device, see FIG. 9 , which is a schematic structural diagram of an Industrial Internet ID-based processing device provided in the embodiment of the present application. The apparatus 900 shown in FIG. 9 may be applied to the first device, for executing the above method 500 performed by the first device. The apparatus 900 includes: a sending unit 901 , a receiving unit 902 and a processing unit 903 .
发送单元901,用于向第二设备发送第一消息,所述第一消息用于为所述第一设备申请工业互联网标识,所述第二设备为网管或者网络准入控制器;接收单元902,用于接收所述第二设备发送的第二消息,所述第二消息指示为所述第一设备申请工业互联网标识的结果;处理单元903,用于基于所述第二消息,将目标工业互联网标识写入到所述第一设备中。The sending unit 901 is configured to send a first message to a second device, the first message is used to apply for an Industrial Internet ID for the first device, and the second device is a network manager or a network admission controller; a receiving unit 902 , configured to receive a second message sent by the second device, the second message indicating the result of applying for an Industrial Internet ID for the first device; the processing unit 903 is configured to, based on the second message, assign the target industrial The Internet identifier is written into the first device.
在一种实现可能的实现方式中,所述发送单元901,用于:向所述第二设备发送携带所 述目标工业互联网标识的第一消息,所述第一消息用于请求注册所述目标工业互联网标识。In a possible implementation manner, the sending unit 901 is configured to: send a first message carrying the target Industrial Internet identifier to the second device, where the first message is used to request registration of the target Industrial internet logo.
在一种实现可能的实现方式中,所述处理单元903还用于:获取动态主机配置协议DHCP选项option的扩展信息中的第一前缀;根据所述第一前缀和所述第一设备的初始工业互联网标识,得到所述目标工业互联网标识。In a possible implementation manner, the processing unit 903 is further configured to: obtain the first prefix in the extended information of the DHCP option option of the Dynamic Host Configuration Protocol; according to the first prefix and the initial Industrial Internet ID, to obtain the target Industrial Internet ID.
在一种实现可能的实现方式中,所述第一消息携带所述第一设备的初始工业互联网标识。In a possible implementation manner, the first message carries the initial Industrial Internet identifier of the first device.
在一种实现可能的实现方式中,所述第一消息用于请求为所述第一设备分配工业互联网标识。In a possible implementation manner, the first message is used to request allocation of an industrial internet identifier for the first device.
在一种实现可能的实现方式中,所述第二消息包括所述目标工业互联网标识。In a possible implementation manner, the second message includes the target Industrial Internet identifier.
在一种实现可能的实现方式中,所述发送单元901还用于:在发送所述第一消息之前,向所述第二设备发送第一认证消息,以获得接入网络的权限。In a possible implementation manner, the sending unit 901 is further configured to: before sending the first message, send a first authentication message to the second device, so as to obtain a network access permission.
在一种实现可能的实现方式中,所述第一认证消息包括所述初始工业互联网标识。In a possible implementation manner, the first authentication message includes the initial Industrial Internet identifier.
在一种实现可能的实现方式中,所述发送单元901还用于:向所述第二设备发送第二认证消息,所述第二认证消息中包括所述目标工业互联网标识。In a possible implementation manner, the sending unit 901 is further configured to: send a second authentication message to the second device, where the second authentication message includes the target industrial Internet identifier.
在一种实现可能的实现方式中,所述处理单元903还用于:获取指示信息,所述指示信息用于指示为所述第一设备申请工业互联网标识。In a possible implementation manner, the processing unit 903 is further configured to: acquire indication information, where the indication information is used to instruct to apply for an industrial Internet identifier for the first device.
在一种实现可能的实现方式中,所述指示信息携带在DHCP option扩展信息中。In a possible implementation manner, the indication information is carried in DHCP option extension information.
在一种实现可能的实现方式中,所述第一消息为认证消息。In a possible implementation manner, the first message is an authentication message.
在一种实现可能的实现方式中,所述接收单元903,用于:接收所述网络准入控制器发送的安全认证信息,所述安全认证信息包括所述目标工业互联网标识。In a possible implementation manner, the receiving unit 903 is configured to: receive security authentication information sent by the network admission controller, where the security authentication information includes the target industrial Internet identifier.
关于所述装置900的具体实现,可以参考以上对于方法500的相关描述部分,此处不再重复描述。Regarding the specific implementation of the apparatus 900, reference may be made to the relevant description of the method 500 above, and the description will not be repeated here.
本申请实施例还提供了一种基于工业互联网标识的处理装置,参见图10,该图为本申请实施例提供的又一种基于工业互联网标识的处理装置的结构示意图。图10所示的装置1000可以应用于第二设备,用于执行以上由第二设备执行的方法600。所述装置1000包括:接收单元1001和发送单元1002。The embodiment of the present application also provides an Industrial Internet ID-based processing device, see FIG. 10 , which is a schematic structural diagram of another Industrial Internet ID-based processing device provided in the embodiment of the present application. The apparatus 1000 shown in FIG. 10 may be applied to a second device, for executing the above method 600 performed by the second device. The apparatus 1000 includes: a receiving unit 1001 and a sending unit 1002 .
接收单元1001,用于接收第一设备发送的第一消息,所述第一消息用于为所述第一设备申请工业互联网标识;发送单元1002,用于向第三设备发送所述第二消息,所述第二消息用于为所述第一设备申请工业互联网标识,所述第二消息包括所述第一设备的设备信息;所述接收单元1001,还用于接收第三消息,所述第三消息指示为所述第一设备申请工业互联网标识的结果;所述发送单元1002,还用于将所述第三消息发送给所述第一设备。The receiving unit 1001 is configured to receive a first message sent by the first device, and the first message is used to apply for an Industrial Internet ID for the first device; the sending unit 1002 is configured to send the second message to a third device , the second message is used to apply for an Industrial Internet ID for the first device, the second message includes device information of the first device; the receiving unit 1001 is also used to receive a third message, the The third message indicates a result of applying for an Industrial Internet ID for the first device; the sending unit 1002 is further configured to send the third message to the first device.
在一种实现可能的实现方式中,所述第一消息包括所述目标工业互联网标识。In a possible implementation manner, the first message includes the target Industrial Internet identifier.
在一种实现可能的实现方式中,所述第三消息包括所述目标工业互联网标识。In a possible implementation manner, the third message includes the target Industrial Internet identifier.
在一种实现可能的实现方式中,所述接收单元1001还用于:在接收所述第一消息之前,接收所述第一设备发送的第一认证消息;所述装置还包括处理单元,用于根据所述第一认证消息确定所述第一设备的第一网络访问权限。In a possible implementation manner, the receiving unit 1001 is further configured to: before receiving the first message, receive a first authentication message sent by the first device; the apparatus further includes a processing unit configured to: Determine the first network access right of the first device according to the first authentication message.
在一种实现可能的实现方式中,所述接收单元1001还用于接收所述第一设备发送的第二认证消息,所述第二认证消息中包括所述目标工业互联网标识;所述装置包括的处理单 元用于根据所述第二认证消息确定所述第一设备的第二网络访问权限。In a possible implementation manner, the receiving unit 1001 is further configured to receive a second authentication message sent by the first device, where the second authentication message includes the target Industrial Internet identifier; the apparatus includes The processing unit is configured to determine the second network access right of the first device according to the second authentication message.
在一种实现可能的实现方式中,所述第一消息包括所述第一设备的初始工业互联网标识。In a possible implementation manner, the first message includes an initial Industrial Internet identifier of the first device.
在一种实现可能的实现方式中,所述第一消息为认证消息。In a possible implementation manner, the first message is an authentication message.
在一种实现可能的实现方式中,所述第二消息用于请求为第一设备分配工业互联网标识。In a possible implementation manner, the second message is used to request to assign an industrial internet identifier to the first device.
在一种实现可能的实现方式中,所述第二消息用于请求为第一设备注册目标工业互联网标识。In a possible implementation manner, the second message is used to request to register the target industrial internet identifier for the first device.
在一种实现可能的实现方式中,所述第二消息基于如下方式获得:获取预先配置的第一前缀和所述第一设备的设备信息;基于所述第一前缀和所述初始工业互联网标识,得到所述目标工业互联网标识;基于所述目标工业互联网标识和所述设备信息,得到包括所述设备信息和所述目标工业互联网标识的第二消息,所述第二消息用于请求为所述第一设备注册所述目标工业互联网标识。关于所述装置1000的具体实现,可以参考以上对于方法600的相关描述部分,此处不再重复描述。In a possible implementation manner, the second message is obtained based on the following methods: obtaining a pre-configured first prefix and the device information of the first device; based on the first prefix and the initial Industrial Internet identifier , to obtain the target Industrial Internet ID; based on the target Industrial Internet ID and the device information, obtain a second message including the device information and the target Industrial Internet ID, and the second message is used to request for the The first device registers the target industrial Internet identifier. Regarding the specific implementation of the apparatus 1000, reference may be made to the relevant description of the method 600 above, and the description will not be repeated here.
需要说明的是,前述提及的基于工业互联网标识的处理装置900和基于工业互联网标识的处理装置1000,其硬件结构可以为如图11所示的结构,图11为本申请实施例提供的一种设备的结构示意图。It should be noted that the hardware structure of the above-mentioned Industrial Internet ID-based processing device 900 and Industrial Internet ID-based processing device 1000 can be as shown in FIG. Schematic diagram of the structure of the device.
请参阅图11所示,设备1100包括:处理器1110、通信接口1120和和存储器1130。其中设备1100中的处理器1110的数量可以一个或多个,图11中以一个处理器为例。本申请实施例中,处理器1110、通信接口1120和存储器1130可通过总线***或其它方式连接,其中,图11中以通过总线***1140连接为例。Referring to FIG. 11 , a device 1100 includes: a processor 1110 , a communication interface 1120 and a memory 1130 . The number of processors 1110 in the device 1100 may be one or more, and one processor is taken as an example in FIG. 11 . In the embodiment of the present application, the processor 1110, the communication interface 1120, and the memory 1130 may be connected through a bus system or other methods, wherein the connection through the bus system 1140 is taken as an example in FIG. 11 .
处理器1110可以是中央处理器(central processing unit,CPU),网络处理器(network processor,NP)或者CPU和NP的组合。处理器1110还可以进一步包括硬件芯片。上述硬件芯片可以是专用集成电路(application-specific integrated circuit,ASIC),可编程逻辑器件(programmable logic device,PLD)或其组合。上述PLD可以是复杂可编程逻辑器件(complex programmable logic device,CPLD),现场可编程逻辑门阵列(field-programmable gate array,FPGA),通用阵列逻辑(generic array logic,GAL)或其任意组合。The processor 1110 may be a central processing unit (central processing unit, CPU), a network processor (network processor, NP) or a combination of CPU and NP. The processor 1110 may further include a hardware chip. The aforementioned hardware chip may be an application-specific integrated circuit (application-specific integrated circuit, ASIC), a programmable logic device (programmable logic device, PLD) or a combination thereof. The aforementioned PLD may be a complex programmable logic device (complex programmable logic device, CPLD), a field-programmable gate array (field-programmable gate array, FPGA), a general array logic (generic array logic, GAL) or any combination thereof.
存储器1130可以包括易失性存储器(英文:volatile memory),例如随机存取存储器(random-access memory,RAM);存储器1130也可以包括非易失性存储器(英文:non-volatile memory),例如快闪存储器(英文:flash memory),硬盘(hard disk drive,HDD)或固态硬盘(solid-state drive,SSD);存储器1130还可以包括上述种类的存储器的组合。当设备1100对应前述基于工业互联网标识的处理装置900时,存储器1130例如可以存储包括第一前缀的DHCP选项的扩展信息;当设备1100对应图10所示的基于工业互联网标识的处理装置1000时,存储器1130例如可以存储第一设备的设备信息。The memory 1130 may include a volatile memory (English: volatile memory), such as a random-access memory (random-access memory, RAM); the memory 1130 may also include a non-volatile memory (English: non-volatile memory), such as a fast Flash memory (English: flash memory), hard disk (hard disk drive, HDD) or solid-state drive (solid-state drive, SSD); the memory 1130 may also include a combination of the above types of memory. When the device 1100 corresponds to the aforementioned processing device 900 based on the Industrial Internet ID, the memory 1130 may, for example, store extended information of DHCP options including the first prefix; when the device 1100 corresponds to the processing device 1000 based on the Industrial Internet ID shown in FIG. 10 , The storage 1130 may, for example, store device information of the first device.
可选地,存储器1130存储有操作***和程序、可执行模块或者数据结构,或者它们的子集,或者它们的扩展集,其中,程序可包括各种操作指令,用于实现各种操作。操作***可包括各种***程序,用于实现各种基础业务以及处理基于硬件的任务。处理器1110可以读取存储器1130中的程序,实现本申请实施例提供的基于工业互联网标识的处理方法(例 如第一设备执行的基于工业互联网标识的处理方法,又如第二设备执行的基于工业互联网标识的处理方法)。Optionally, the memory 1130 stores an operating system and programs, executable modules or data structures, or their subsets, or their extended sets, where the programs may include various operating instructions for implementing various operations. The operating system may include various system programs for implementing various basic services and processing hardware-based tasks. The processor 1110 can read the program in the memory 1130 to implement the processing method based on the Industrial Internet ID provided by the embodiment of the present application (such as the processing method based on the Industrial Internet ID executed by the first device, or the industrial Internet ID-based processing method executed by the second device). treatment of Internet identifiers).
总线***1140可以是外设部件互连标准(peripheral component interconnect,PCI)总线或扩展工业标准结构(extended industry standard architecture,EISA)总线等。总线***1140可以分为地址总线、数据总线、控制总线等。为便于表示,图11中仅用一条粗线表示,但并不表示仅有一根总线或一种类型的总线。The bus system 1140 may be a peripheral component interconnect standard (peripheral component interconnect, PCI) bus or an extended industry standard architecture (extended industry standard architecture, EISA) bus or the like. The bus system 1140 can be divided into address bus, data bus, control bus and so on. For ease of representation, only one thick line is used in FIG. 11 , but it does not mean that there is only one bus or one type of bus.
本申请实施例还提供了一种计算机可读存储介质,包括指令或计算机程序,当其在计算机上运行时,使得计算机执行以上实施例提供的基于工业互联网标识的处理方法。The embodiment of the present application also provides a computer-readable storage medium, including an instruction or a computer program, which, when run on a computer, causes the computer to execute the industrial Internet identification-based processing method provided in the above embodiments.
本申请实施例还提供了一种包含指令或计算机程序的计算机程序产品,当其在计算机上运行时,使得计算机执行以上实施例提供的基于工业互联网标识的处理方法。The embodiment of the present application also provides a computer program product including an instruction or a computer program, which, when run on a computer, causes the computer to execute the industrial Internet identification-based processing method provided in the above embodiments.
本申请的说明书和权利要求书及上述附图中的术语“第一”、“第二”、“第三”、“第四”等(如果存在)是用于区别类似的对象,而不必用于描述特定的顺序或先后次序。应该理解这样使用的数据在适当情况下可以互换,以便这里描述的实施例能够以除了在这里图示或描述的内容以外的顺序实施。此外,术语“包括”和“具有”以及他们的任何变形,意图在于覆盖不排他的包含,例如,包含了一系列步骤或单元的过程、方法、***、产品或设备不必限于清楚地列出的那些步骤或单元,而是可包括没有清楚地列出的或对于这些过程、方法、产品或设备固有的其它步骤或单元。The terms "first", "second", "third", "fourth", etc. (if any) in the specification and claims of the present application and the above drawings are used to distinguish similar objects, and not necessarily Used to describe a specific sequence or sequence. It is to be understood that the terms so used are interchangeable under appropriate circumstances such that the embodiments described herein can be practiced in sequences other than those illustrated or described herein. Furthermore, the terms "comprising" and "having", as well as any variations thereof, are intended to cover a non-exclusive inclusion, for example, a process, method, system, product or device comprising a sequence of steps or elements is not necessarily limited to the expressly listed instead, may include other steps or elements not explicitly listed or inherent to the process, method, product or apparatus.
所属领域的技术人员可以清楚地了解到,为描述的方便和简洁,上述描述的***,装置和单元的具体工作过程,可以参考前述方法实施例中的对应过程,在此不再赘述。Those skilled in the art can clearly understand that for the convenience and brevity of the description, the specific working process of the above-described system, device and unit can refer to the corresponding process in the foregoing method embodiment, which will not be repeated here.
在本申请所提供的几个实施例中,应该理解到,所揭露的***,装置和方法,可以通过其它的方式实现。例如,以上所描述的装置实施例仅仅是示意性的,例如,单元的划分,仅仅为一种逻辑业务划分,实际实现时可以有另外的划分方式,例如多个单元或组件可以结合或者可以集成到另一个***,或一些特征可以忽略,或不执行。另一点,所显示或讨论的相互之间的耦合或直接耦合或通信连接可以是通过一些接口,装置或单元的间接耦合或通信连接,可以是电性,机械或其它的形式。In the several embodiments provided in this application, it should be understood that the disclosed system, device and method can be implemented in other ways. For example, the device embodiments described above are only illustrative. For example, the division of units is only a logical business division. In actual implementation, there may be other division methods. For example, multiple units or components can be combined or integrated. to another system, or some features may be ignored, or not implemented. In another point, the mutual coupling or direct coupling or communication connection shown or discussed may be through some interfaces, and the indirect coupling or communication connection of devices or units may be in electrical, mechanical or other forms.
作为分离部件说明的单元可以是或者也可以不是物理上分开的,作为单元显示的部件可以是或者也可以不是物理单元,即可以位于一个地方,或者也可以分布到多个网络单元上。可以根据实际的需要选择其中的部分或者全部单元来实现本实施例方案的目的。A unit described as a separate component may or may not be physically separated, and a component displayed as a unit may or may not be a physical unit, that is, it may be located in one place, or may be distributed to multiple network units. Part or all of the units can be selected according to actual needs to achieve the purpose of the solution of this embodiment.
另外,在本申请各个实施例中的各业务单元可以集成在一个处理单元中,也可以是各个单元单独物理存在,也可以两个或两个以上单元集成在一个单元中。上述集成的单元既可以采用硬件的形式实现,也可以采用软件业务单元的形式实现。In addition, each business unit in each embodiment of the present application may be integrated into one processing unit, each unit may exist separately physically, or two or more units may be integrated into one unit. The above-mentioned integrated units can be implemented in the form of hardware or in the form of software business units.
集成的单元如果以软件业务单元的形式实现并作为独立的产品销售或使用时,可以存储在一个计算机可读取存储介质中。基于这样的理解,本申请的技术方案本质上或者说对现有技术做出贡献的部分或者该技术方案的全部或部分可以以软件产品的形式体现出来,该计算机软件产品存储在一个存储介质中,包括若干指令用以使得一台计算机设备(可以是个人计算机,服务器,或者网络设备等)执行本申请各个实施例方法的全部或部分步骤。 而前述的存储介质包括:U盘、移动硬盘、只读存储器(ROM,Read-Only Memory)、随机存取存储器(RAM,Random Access Memory)、磁碟或者光盘等各种可以存储程序代码的介质。If the integrated unit is realized in the form of a software business unit and sold or used as an independent product, it can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present application is essentially or part of the contribution to the prior art or all or part of the technical solution can be embodied in the form of a software product, and the computer software product is stored in a storage medium , including several instructions to make a computer device (which may be a personal computer, a server, or a network device, etc.) execute all or part of the steps of the methods in various embodiments of the present application. The aforementioned storage media include: U disk, mobile hard disk, read-only memory (ROM, Read-Only Memory), random access memory (RAM, Random Access Memory), magnetic disk or optical disc, etc., which can store program codes. .
本领域技术人员应该可以意识到,在上述一个或多个示例中,本发明所描述的业务可以用硬件、软件、固件或它们的任意组合来实现。当使用软件实现时,可以将这些业务存储在计算机可读介质中或者作为计算机可读介质上的一个或多个指令或代码进行传输。计算机可读介质包括计算机存储介质和通信介质,其中通信介质包括便于从一个地方向另一个地方传送计算机程序的任何介质。存储介质可以是通用或专用计算机能够存取的任何可用介质。Those skilled in the art should be aware that, in one or more examples above, the services described in the present invention may be implemented by hardware, software, firmware or any combination thereof. When implemented in software, the services may be stored on or transmitted over as one or more instructions or code on a computer-readable medium. Computer-readable media includes both computer storage media and communication media including any medium that facilitates transfer of a computer program from one place to another. A storage media may be any available media that can be accessed by a general purpose or special purpose computer.
以上的具体实施方式,对本发明的目的、技术方案和有益效果进行了进一步详细说明,所应理解的是,以上仅为本发明的具体实施方式而已。The above specific implementation manners have further described the purpose, technical solutions and beneficial effects of the present invention in detail. It should be understood that the above are only specific implementation manners of the present invention.
以上,以上实施例仅用以说明本申请的技术方案,而非对其限制;尽管参照前述实施例对本申请进行了详细的说明,本领域的普通技术人员应当理解:其依然可以对前述各实施例所记载的技术方案进行修改,或者对其中部分技术特征进行等同替换;而这些修改或者替换,并不使相应技术方案的本质脱离本申请各实施例技术方案的范围。Above, the above embodiments are only used to illustrate the technical solutions of the present application, rather than to limit them; although the present application has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that: it can still be applied to the foregoing embodiments The technical solutions described in the examples are modified, or some of the technical features are equivalently replaced; and these modifications or replacements do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the application.

Claims (32)

  1. 一种基于工业互联网标识的处理方法,其特征在于,应用于第一设备,所述方法包括:A processing method based on Industrial Internet identification, characterized in that it is applied to the first device, and the method includes:
    向第二设备发送第一消息,所述第一消息用于为所述第一设备申请工业互联网标识,所述第二设备为网管或者网络准入控制器;Sending a first message to a second device, where the first message is used to apply for an Industrial Internet ID for the first device, where the second device is a network manager or a network admission controller;
    接收所述第二设备发送的第二消息,所述第二消息指示为所述第一设备申请工业互联网标识的结果;receiving a second message sent by the second device, where the second message indicates a result of applying for an Industrial Internet ID for the first device;
    基于所述第二消息,将目标工业互联网标识写入到所述第一设备中。Based on the second message, write the target Industrial Internet identifier into the first device.
  2. 根据权利要求1所述的方法,其特征在于,所述向第二设备发送第一消息,包括:The method according to claim 1, wherein the sending the first message to the second device comprises:
    向所述第二设备发送携带所述目标工业互联网标识的第一消息,所述第一消息用于请求注册所述目标工业互联网标识。Sending a first message carrying the target Industrial Internet identifier to the second device, where the first message is used to request registration of the target Industrial Internet identifier.
  3. 根据权利要求2所述的方法,其特征在于,所述方法还包括:The method according to claim 2, further comprising:
    获取动态主机配置协议DHCP选项option的扩展信息中的第一前缀;Obtain the first prefix in the extended information of the Dynamic Host Configuration Protocol DHCP option option;
    根据所述第一前缀和所述第一设备的初始工业互联网标识,得到所述目标工业互联网标识。Obtain the target Industrial Internet identifier according to the first prefix and the initial Industrial Internet identifier of the first device.
  4. 根据权利要求1所述的方法,其特征在于,所述第一消息携带所述第一设备的初始工业互联网标识。The method according to claim 1, wherein the first message carries the initial Industrial Internet identifier of the first device.
  5. 根据权利要求1所述的方法,其特征在于,所述第一消息用于请求为所述第一设备分配工业互联网标识。The method according to claim 1, wherein the first message is used to request to assign an Industrial Internet ID to the first device.
  6. 根据权利要求1或4或5所述的方法,其特征在于,所述第二消息包括所述目标工业互联网标识。The method according to claim 1, 4 or 5, wherein the second message includes the target Industrial Internet identifier.
  7. 根据权利要求1-6任意一项所述的方法,其特征在于,在发送所述第一消息之前,所述方法还包括:The method according to any one of claims 1-6, wherein before sending the first message, the method further comprises:
    向所述第二设备发送第一认证消息,以获得接入网络的权限。Send a first authentication message to the second device, so as to obtain permission to access the network.
  8. 根据权利要求7所述的方法,其特征在于,所述第一认证消息包括所述初始工业互联网标识。The method according to claim 7, wherein the first authentication message includes the initial Industrial Internet ID.
  9. 根据权利要求1-8任意一项所述的方法,其特征在于,所述方法还包括:The method according to any one of claims 1-8, wherein the method further comprises:
    向所述第二设备发送第二认证消息,所述第二认证消息中包括所述目标工业互联网标识。Sending a second authentication message to the second device, where the second authentication message includes the target Industrial Internet identifier.
  10. 根据权利要求1-9任意一项所述的方法,其特征在于,所述方法还包括:The method according to any one of claims 1-9, wherein the method further comprises:
    获取指示信息,所述指示信息用于指示为所述第一设备申请工业互联网标识。Obtain instruction information, where the instruction information is used to instruct to apply for an Industrial Internet ID for the first device.
  11. 根据权利要求10所述的方法,其特征在于,所述指示信息携带在DHCP option扩展信息中。The method according to claim 10, wherein the indication information is carried in DHCP option extension information.
  12. 根据权利要求1或4所述的方法,其特征在于,所述第一消息为认证消息。The method according to claim 1 or 4, wherein the first message is an authentication message.
  13. 根据权利要求1或4或12所述的方法,其特征在于,所述接收所述第二设备发送的第二消息,包括:The method according to claim 1, 4 or 12, wherein the receiving the second message sent by the second device comprises:
    接收所述网络准入控制器发送的安全认证信息,所述安全认证信息包括所述目标工业互联网标识。Receive security authentication information sent by the network admission controller, where the security authentication information includes the target industrial Internet identifier.
  14. 一种基于工业互联网标识的处理方法,其特征在于,应用于第二设备,所述第二设 备为网管或者网络准入控制器,所述方法包括:A processing method based on Industrial Internet identification, characterized in that it is applied to a second device, and the second device is a network manager or a network admission controller, and the method includes:
    接收第一设备发送的第一消息,所述第一消息用于为所述第一设备申请工业互联网标识;receiving a first message sent by the first device, where the first message is used to apply for an Industrial Internet identifier for the first device;
    向第三设备发送所述第二消息,所述第二消息用于为所述第一设备申请工业互联网标识,所述第二消息包括所述第一设备的设备信息;Sending the second message to a third device, the second message is used to apply for an Industrial Internet identifier for the first device, and the second message includes device information of the first device;
    接收第三消息,所述第三消息指示为所述第一设备申请工业互联网标识的结果;receiving a third message, the third message indicating the result of applying for an Industrial Internet ID for the first device;
    将所述第三消息发送给所述第一设备。sending the third message to the first device.
  15. 根据权利要求14所述的方法,其特征在于,所述第一消息包括所述目标工业互联网标识。The method according to claim 14, wherein the first message includes the target Industrial Internet identifier.
  16. 根据权利要求14所述的方法,其特征在于,所述第三消息包括所述目标工业互联网标识。The method according to claim 14, wherein the third message includes the target Industrial Internet identifier.
  17. 根据权利要求14-16任意一项所述的方法,其特征在于,在接收所述第一消息之前,所述方法还包括:The method according to any one of claims 14-16, wherein before receiving the first message, the method further comprises:
    接收所述第一设备发送的第一认证消息;receiving a first authentication message sent by the first device;
    根据所述第一认证消息确定所述第一设备的第一网络访问权限。Determine the first network access right of the first device according to the first authentication message.
  18. 根据权利要求14-17任意一项所述的方法,其特征在于,所述方法还包括:The method according to any one of claims 14-17, wherein the method further comprises:
    接收所述第一设备发送的第二认证消息,所述第二认证消息中包括所述目标工业互联网标识;receiving a second authentication message sent by the first device, where the second authentication message includes the target Industrial Internet identifier;
    根据所述第二认证消息确定所述第一设备的第二网络访问权限。Determine the second network access right of the first device according to the second authentication message.
  19. 根据权利要求14或16所述的方法,其特征在于,所述第一消息包括所述第一设备的初始工业互联网标识。The method according to claim 14 or 16, wherein the first message includes the initial Industrial Internet identifier of the first device.
  20. 根据权利要求14或19所述的方法,其特征在于,所述第一消息为认证消息。The method according to claim 14 or 19, wherein the first message is an authentication message.
  21. 根据权利要求14或16所述的方法,其特征在于,所述第二消息用于请求为第一设备分配工业互联网标识。The method according to claim 14 or 16, wherein the second message is used to request to assign an Industrial Internet ID to the first device.
  22. 根据权利要求14或15所述的方法,其特征在于,所述第二消息用于请求为第一设备注册目标工业互联网标识。The method according to claim 14 or 15, wherein the second message is used to request registration of a target industrial internet identifier for the first device.
  23. 根据权利要求19所述的方法,其特征在于,所述第二消息基于如下方式获得:The method according to claim 19, wherein the second message is obtained based on the following manner:
    获取预先配置的第一前缀和所述第一设备的设备信息;Acquiring a pre-configured first prefix and device information of the first device;
    基于所述第一前缀和所述初始工业互联网标识,得到所述目标工业互联网标识;Obtain the target Industrial Internet identifier based on the first prefix and the initial Industrial Internet identifier;
    基于所述目标工业互联网标识和所述设备信息,得到包括所述设备信息和所述目标工业互联网标识的第二消息,所述第二消息用于请求为所述第一设备注册所述目标工业互联网标识。Based on the target industrial Internet identifier and the device information, obtain a second message including the device information and the target industrial Internet identifier, where the second message is used to request registration of the target industrial Internet for the first device Internet logo.
  24. 一种基于工业互联网标识的处理***,其特征在于,所述***包括第一设备和第二设备;A processing system based on Industrial Internet identification, characterized in that the system includes a first device and a second device;
    所述第一设备用于向第二设备发送第一消息,所述第一消息用于为所述第一设备申请工业互联网标识,所述第二设备为网管或者网络准入控制器;The first device is used to send a first message to a second device, the first message is used to apply for an Industrial Internet ID for the first device, and the second device is a network manager or a network admission controller;
    所述第二设备向所述第一设备发送第二消息,所述第二消息指示为所述第一设备申请工业互联网标识的结果;The second device sends a second message to the first device, and the second message indicates a result of applying for an Industrial Internet ID for the first device;
    所述第一设备根据所述第二消息,将目标工业互联网标识写入到所述第一设备中。The first device writes the target Industrial Internet identifier into the first device according to the second message.
  25. 根据权利要求24所述的***,其特征在于,所述第一消息包括所述目标工业互联网标识。The system according to claim 24, wherein the first message includes the target industrial internet identification.
  26. 根据权利要求24所述的***,其特征在于,所述第一消息包括所述第一设备的初始工业互联网标识。The system according to claim 24, wherein the first message includes an initial Industrial Internet identification of the first device.
  27. 根据权利要求24或26所述的***,其特征在于,所述第二消息包括所述目标工业互联网标识。The system according to claim 24 or 26, wherein the second message includes the target Industrial Internet identifier.
  28. 根据权利要求24或26或27所述的***,其特征在于,所述第一消息为认证消息。The system according to claim 24 or 26 or 27, wherein the first message is an authentication message.
  29. 根据权利要求24或26-28任意一项所述的***,其特征在于,所述第二消息为包括所述目标互联网标识的安全认证信息。The system according to any one of claims 24 or 26-28, wherein the second message is security authentication information including the target Internet ID.
  30. 一种设备,其特征在于,包括:处理器和存储器;A device, characterized in that it includes: a processor and a memory;
    所述存储器,用于存储指令或计算机程序;said memory for storing instructions or computer programs;
    所述处理器,用于执行所述指令或计算机程序,执行权利要求1-23任意一项所述的方法。The processor is configured to execute the instruction or the computer program to perform the method according to any one of claims 1-23.
  31. 一种计算机存储介质,其特征在于,所述计算机可读存储介质中存储有指令,当其在处理器上运行时,实现权利要求1-23任意一项所述的方法。A computer storage medium, characterized in that instructions are stored in the computer-readable storage medium, and when the instructions are run on a processor, the method according to any one of claims 1-23 is implemented.
  32. 一种计算机程序产品,其特征在于,包括程序,当所述程序在处理器上运行时,实现权利要求1-23任意一项所述的方法。A computer program product, characterized in that it includes a program, and when the program is run on a processor, the method according to any one of claims 1-23 is implemented.
PCT/CN2023/070847 2022-01-13 2023-01-06 Processing method and apparatus based on industrial internet identifier WO2023134557A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202210038368.1 2022-01-13
CN202210038368.1A CN116489123A (en) 2022-01-13 2022-01-13 Industrial Internet identification-based processing method and device

Publications (1)

Publication Number Publication Date
WO2023134557A1 true WO2023134557A1 (en) 2023-07-20

Family

ID=87210571

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2023/070847 WO2023134557A1 (en) 2022-01-13 2023-01-06 Processing method and apparatus based on industrial internet identifier

Country Status (2)

Country Link
CN (1) CN116489123A (en)
WO (1) WO2023134557A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117749761A (en) * 2024-02-19 2024-03-22 中国信息通信研究院 Identification analysis method and device based on industrial Internet identification, equipment and medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20190334860A1 (en) * 2018-04-30 2019-10-31 Siemens Aktiengesellschaft Control Component and Method for Registering Device Names Assigned to Industrial Automation Devices or Communication Devices in a Name Service System
CN111767484A (en) * 2020-08-31 2020-10-13 中国信息通信研究院 Industrial Internet identification analysis method and related device
CN113037773A (en) * 2021-03-30 2021-06-25 中国联合网络通信集团有限公司 Active identification carrier, management method thereof and service platform
CN113779605A (en) * 2021-09-14 2021-12-10 码客工场工业科技(北京)有限公司 Industrial internet Handle identification system analysis authentication method based on alliance chain

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20190334860A1 (en) * 2018-04-30 2019-10-31 Siemens Aktiengesellschaft Control Component and Method for Registering Device Names Assigned to Industrial Automation Devices or Communication Devices in a Name Service System
CN111767484A (en) * 2020-08-31 2020-10-13 中国信息通信研究院 Industrial Internet identification analysis method and related device
CN113037773A (en) * 2021-03-30 2021-06-25 中国联合网络通信集团有限公司 Active identification carrier, management method thereof and service platform
CN113779605A (en) * 2021-09-14 2021-12-10 码客工场工业科技(北京)有限公司 Industrial internet Handle identification system analysis authentication method based on alliance chain

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117749761A (en) * 2024-02-19 2024-03-22 中国信息通信研究院 Identification analysis method and device based on industrial Internet identification, equipment and medium
CN117749761B (en) * 2024-02-19 2024-05-14 中国信息通信研究院 Identification analysis method and device based on industrial Internet identification, equipment and medium

Also Published As

Publication number Publication date
CN116489123A (en) 2023-07-25

Similar Documents

Publication Publication Date Title
US8239549B2 (en) Dynamic host configuration protocol
US10776489B2 (en) Methods and systems for providing and controlling cryptographic secure communications terminal operable to provide a plurality of desktop environments
CN110650076B (en) VXLAN implementation method, network equipment and communication system
US8806565B2 (en) Secure network location awareness
JP4879643B2 (en) Network access control system, terminal, address assignment device, terminal system authentication device, network access control method, and computer program
US20090122798A1 (en) Ip network system and its access control method, ip address distributing device, and ip address distributing method
US10595320B2 (en) Delegating policy through manufacturer usage descriptions
US10397047B2 (en) Apparatus, system, and method for secure remote configuration of network devices
US8887237B2 (en) Multimode authentication
US20090025079A1 (en) Communication system for authenticating or relaying network access, relaying apparatus, authentication apparatus, and communication method
WO2013013481A1 (en) Access authentication method, device, server and system
US20190081931A1 (en) Virtual private networks without software requirements
WO2023134557A1 (en) Processing method and apparatus based on industrial internet identifier
US20220417039A1 (en) Manufacturer usage description mud file obtaining method and device
CN113890864B (en) Data packet processing method, device, electronic equipment and storage medium
US20220394009A1 (en) Network security from host and network impersonation
US8087066B2 (en) Method and system for securing a commercial grid network
US20220210192A1 (en) Network configuration security using encrypted transport
JP2009272693A (en) Connection control system, connection control method and connection control program
US20230370453A1 (en) Authentication and enforcement of differentiated policies for a bridge mode virtual machine behind a wireless host in a mac based authentication network
WO2022222524A1 (en) Access control method and related device
US20240187858A1 (en) Enhanced authentication procedure for o-ran network elements
JP7338070B2 (en) Information processing method and related network equipment
WO2021103986A1 (en) Network device management method and apparatus, network management device, and medium
WO2023227057A1 (en) Service authorization method, apparatus, network function, and storage medium

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 23739900

Country of ref document: EP

Kind code of ref document: A1