CN112765203B - Internet code number resource management method and device - Google Patents

Info

Publication number
CN112765203B
Authority
CN
China
Prior art keywords
user
resource
code number
query
authorization relationship
Prior art date
Legal status
Active
Application number
CN202110155904.1A
Other languages
Chinese (zh)
Other versions
CN112765203A (en)
Inventor
李丹丹
黄小红
张沛
谢坤
郭玮琦
魏晓宇
Current Assignee
Beijing University of Posts and Telecommunications
Original Assignee
Beijing University of Posts and Telecommunications
Priority date
Filing date
Publication date
Application filed by Beijing University of Posts and Telecommunications
Priority to CN202110155904.1A
Publication of CN112765203A
Application granted
Publication of CN112765203B

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/24 Querying
    • G06F16/245 Query processing
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/27 Replication, distribution or synchronisation of data between databases or within a distributed database system; Distributed database system architectures therefor
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database

Abstract

The embodiments of the invention provide a method and device for managing Internet code number resources. The method manages Internet code number resources through a hybrid deployment of a blockchain mode and an RPKI mode, and the resource management process includes at least the following: when a resource query request is received from a user whose resources are allocated in the RPKI mode, from a user who neither uses the RPKI mode for resource management nor has joined the blockchain system, or from a user who has joined the blockchain system, the user is verified using the verification mode that corresponds to the user who sent the query request, and the query request is answered once verification passes; and when a resource application request sent by a target user who has joined the blockchain system is received, the resource application request is answered. The scheme enables trusted exchange of resource information among multiple management mechanisms during the evolution from a centralized code number resource management mechanism to a distributed one.

Description

A method and device for managing Internet code number resources

Technical field

The invention belongs to the technical field of the Internet, and in particular relates to a method and device for managing Internet code number resources.

Background

In today's Internet, Internet code number resources are allocated within a hierarchy. At the top is IANA (Internet Assigned Numbers Authority); the layer below IANA consists of the RIRs (Regional Internet Registries). Below the RIRs there are further registries, such as NIRs (National Internet Registries) and LIRs (Local Internet Registries). These registries obtain Internet code number resources from the RIR above them and can either use the resources themselves or allocate them further down, forming a clearly layered tree structure.

To allow an autonomous network to judge the correctness of the routing information it receives, and to prevent malicious attackers from carrying out prefix hijacking by forging BGP (Border Gateway Protocol) information, thereby ensuring data security, the prior art uses the RPKI (Resource Public Key Infrastructure) method on top of the above allocation scheme. The RPKI method is specifically a certificate issuance scheme that corresponds to the above Internet code number resource allocation scheme.

However, because the architecture underlying the RPKI method is centralized, if an organization in the tree structure revokes a certificate, the certificates of all subtrees under that organization become invalid. To address this shortcoming of the RPKI method, the centralized code number resource management mechanism needs to evolve toward a distributed code number resource management mechanism, for example by combining RPKI with a blockchain system to manage code number resources. How to let multiple management mechanisms exchange resource information in a trusted way during the evolution from a centralized to a distributed code number resource management mechanism is therefore a problem that urgently needs to be solved.

Summary of the invention

The purpose of the embodiments of the present invention is to provide a method and device for managing Internet code number resources, so that multiple management mechanisms can exchange resource information in a trusted way during the evolution from a centralized code number resource management mechanism to a distributed one. The specific technical solution is as follows:

An embodiment of the present invention provides a method for managing Internet code number resources, applied to a blockchain system; the method includes:

Obtaining a first query request sent by a first user, where the first user is a user who uses the RPKI method for resource management, and the first query request carries the RPKI resource certificate obtained by the first user and first query requirement information about address authorization relationships;

Authenticating the identity of the first user by determining whether the RPKI resource certificate carried in the first query request is a valid certificate;

If the authentication passes, feeding back to the first user a query result that matches the first query requirement information, based on the target address authorization relationship between IP prefixes and autonomous system numbers (ASNs) recorded by the accounting node of the blockchain system; extracting the address authorization relationship from the RPKI resource certificate carried in the first query request; and updating the target authorization relationship in the accounting node based on the extracted address authorization relationship.

Optionally, the method further includes:

Obtaining a second query request sent by a second user, where the second user is a user who does not use the RPKI method for resource management and has not joined the blockchain system, and the second query request carries the second user's own address authorization relationship and second query requirement information about address authorization relationships;

Authenticating the identity of the second user using the address authorization relationship carried in the second query request;

If the authentication passes, feeding back to the second user a query result that matches the second query requirement information, and updating the target address authorization relationship in the accounting node based on the address authorization relationship carried in the second query request;

Where authenticating the identity of the second user using the address authorization relationship carried in the second query request includes:

If the target address authorization relationship records an authorization relationship whose IP prefix is the same as that of the address authorization relationship carried in the second query request but whose ASN is different, determining that the identity authentication of the second user fails; otherwise, determining that the identity authentication of the second user passes.
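The second-user check described above, worked through as an added example that is not part of the patent text: a claimed (IP prefix, ASN) pair is compared with the recorded relationships, the query is answered, and the claim is merged into the record. The names `Ledger` and `handle_second_query`, the query-by-prefix-or-ASN interface, and the sample data (documentation prefixes and ASNs) are assumptions; rejecting malformed claims and listing overlapping prefixes go beyond the rule as stated.

```python
import ipaddress
from dataclasses import dataclass, field


def normalize(prefix, asn):
    """Parse a claimed (IP prefix, ASN) pair; raise ValueError if malformed."""
    net = ipaddress.ip_network(prefix, strict=True)  # rejects host bits, e.g. 203.0.113.7/24
    if isinstance(asn, bool) or not isinstance(asn, int) or not 0 <= asn <= 0xFFFFFFFF:
        raise ValueError(f"invalid ASN: {asn!r}")
    return net, asn


@dataclass
class Ledger:
    """Hypothetical stand-in for the relationships recorded by the accounting node."""
    records: dict = field(default_factory=dict)  # ip_network -> set of ASNs

    def record(self, prefix, asn):
        net, asn = normalize(prefix, asn)
        self.records.setdefault(net, set()).add(asn)

    def conflicts(self, net, asn):
        """ASNs recorded for exactly this prefix that differ from the claimed ASN."""
        return sorted(a for a in self.records.get(net, ()) if a != asn)

    def overlapping(self, net):
        """Beyond the stated rule: recorded prefixes that overlap `net` without being equal."""
        return sorted(str(n) for n in self.records
                      if n != net and n.version == net.version and n.overlaps(net))

    def query(self, prefix=None, asn=None):
        """Return recorded (prefix, ASN) pairs matching a queried prefix and/or ASN."""
        if prefix is None and asn is None:
            raise ValueError("query needs an IP prefix or an ASN")
        want = ipaddress.ip_network(prefix, strict=True) if prefix is not None else None
        return sorted((str(n), a) for n, asns in self.records.items() for a in asns
                      if (want is None or n == want) and (asn is None or a == asn))


def handle_second_query(ledger, claim_prefix, claim_asn, query_prefix=None, query_asn=None):
    """Authenticate a second user by its claimed relationship, answer, then update."""
    reply = {"authenticated": False, "results": [], "conflicts": [], "overlaps": []}
    try:
        net, asn = normalize(claim_prefix, claim_asn)
    except ValueError as exc:
        reply["error"] = str(exc)  # assumption: a malformed claim is rejected, not recorded
        return reply
    reply["conflicts"] = ledger.conflicts(net, asn)
    reply["overlaps"] = ledger.overlapping(net)  # informational only, does not block
    if reply["conflicts"]:
        return reply  # same prefix, different ASN: authentication fails
    reply["authenticated"] = True
    reply["results"] = ledger.query(query_prefix, query_asn)
    ledger.record(claim_prefix, asn)  # merge the carried relationship into the record
    return reply


def sample_ledger():
    """Constructed sample data using documentation prefixes and ASNs."""
    ledger = Ledger()
    ledger.record("203.0.113.0/24", 64500)
    ledger.record("198.51.100.0/24", 64501)
    ledger.record("2001:db8::/32", 64500)
    return ledger


if __name__ == "__main__":
    led = sample_ledger()
    for claim in [("203.0.113.0/24", 64999), ("192.0.2.0/24", 64502),
                  ("203.0.113.128/25", 64999), ("203.0.113.7/24", 64500)]:
        print(claim, handle_second_query(led, *claim, query_asn=64500))
```

In the constructed data, the claim for 203.0.113.128/25 passes because the stated rule compares identical prefixes only; the `overlaps` field lists the covering /24 so that it can be reviewed.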

Optionally, the method further includes:

Obtaining a third query request sent by a third user, where the third user is a user who has joined the blockchain system, and the third query request carries the key certificate issued by the blockchain system to the third user and third query requirement information about address authorization relationships;

Authenticating the identity of the third user using the key certificate carried in the third query request;

If the authentication passes, feeding back to the third user a query result that matches the third query requirement information carried in the third query request.

Optionally, the method further includes:

When a resource application request sent by a target user who has joined the blockchain system is received, authenticating the identity of the target user based on the key certificate carried in the resource application request, where the key certificate carried in the resource application request is a certificate issued by the blockchain system, and the resource application request also carries resource requirement information;

If the authentication passes, then when the code number resources managed by the blockchain system satisfy the resource requirement information, determining, from the code number resources managed by the blockchain system, target code number resources that match the resource requirement information, as user resources;

Feeding the user resources back to the target user, so that the target user obtains the user resources, establishes its own address authorization relationship for the code number resources among the user resources that the target user itself needs to use, and records the established address authorization relationship in the target address authorization relationship of the accounting node.

Optionally, the code number resources managed by the blockchain system include resources to be allocated that are reported by a fourth user; the fourth user is a user who uses the RPKI method for resource management, and the resources to be allocated are code number resources that the fourth user itself does not use;

Correspondingly, when the target user is a next-level user of the fourth user, the step of determining, when the code number resources managed by the blockchain system satisfy the resource requirement information, target code number resources that match the resource requirement information from the code number resources managed by the blockchain system, as user resources, includes:

When the resources to be allocated reported by the fourth user satisfy the resource requirement information, determining, from the code number resources to be allocated reported by the fourth user, code number resources that match the resource requirement information, as user resources.

In a second aspect, an embodiment of the present invention provides a device for managing Internet code number resources, applied to a blockchain system; the device includes:

A first obtaining module, configured to obtain a first query request sent by a first user, where the first user is a user who uses the RPKI method for resource management, and the first query request carries the RPKI resource certificate obtained by the first user and first query requirement information about address authorization relationships;

A first authentication module, configured to authenticate the identity of the first user by determining whether the RPKI resource certificate carried in the first query request is a valid certificate;

A first processing module, configured to, if the authentication passes, feed back to the first user a query result that matches the first query requirement information, based on the target address authorization relationship between IP prefixes and autonomous system numbers (ASNs) recorded by the accounting node of the blockchain system, extract the address authorization relationship from the RPKI resource certificate carried in the first query request, and update the target authorization relationship in the accounting node based on the extracted address authorization relationship.

Optionally, the device further includes:

A second obtaining module, configured to obtain a second query request sent by a second user, where the second user is a user who does not use the RPKI method for resource management and has not joined the blockchain system, and the second query request carries the second user's own address authorization relationship and second query requirement information about address authorization relationships;

A second authentication module, configured to authenticate the identity of the second user using the address authorization relationship carried in the second query request;

A second processing module, configured to, if the authentication passes, feed back to the second user a query result that matches the second query requirement information, and update the target address authorization relationship in the accounting node based on the address authorization relationship carried in the second query request;

Where authenticating the identity of the second user using the address authorization relationship carried in the second query request includes:

If the target address authorization relationship records an authorization relationship whose IP prefix is the same as that of the address authorization relationship carried in the second query request but whose ASN is different, determining that the identity authentication of the second user fails; otherwise, determining that the identity authentication of the second user passes.

Optionally, the device further includes:

A third obtaining module, configured to obtain a third query request sent by a third user, where the third user is a user who has joined the blockchain system, and the third query request carries the key certificate issued by the blockchain system to the third user and third query requirement information about address authorization relationships;

A third authentication module, configured to authenticate the identity of the third user using the key certificate carried in the third query request;

A third processing module, configured to, if the authentication passes, feed back to the third user a query result that matches the third query requirement information carried in the third query request.

Optionally, the device further includes:

A fourth authentication module, configured to, when a resource application request sent by a target user who has joined the blockchain system is received, authenticate the identity of the target user based on the key certificate carried in the resource application request, where the key certificate carried in the resource application request is a certificate issued by the blockchain system, and the resource application request also carries resource requirement information;

A fourth processing module, configured to, if the authentication passes, then when the code number resources managed by the blockchain system satisfy the resource requirement information, determine, from the code number resources managed by the blockchain system, target code number resources that match the resource requirement information, as user resources;

An information feedback module, configured to feed the user resources back to the target user, so that the target user obtains the user resources, establishes its own address authorization relationship for the code number resources among the user resources that the target user itself needs to use, and records the established address authorization relationship in the target address authorization relationship of the accounting node.

Optionally, the code number resources managed by the blockchain system include resources to be allocated that are reported by a fourth user; the fourth user is a user who uses the RPKI method for resource management, and the resources to be allocated are code number resources that the fourth user itself does not use;

Correspondingly, when the target user is a next-level user of the fourth user, the fourth processing module determining, when the code number resources managed by the blockchain system satisfy the resource requirement information, target code number resources that match the resource requirement information from the code number resources managed by the blockchain system, as user resources, includes:

When the resources to be allocated reported by the fourth user satisfy the resource requirement information, determining, from the code number resources to be allocated reported by the fourth user, code number resources that match the resource requirement information, as user resources.

Beneficial effects of the embodiments of the present invention:

This solution manages Internet code number resources through a hybrid deployment of the blockchain method and the RPKI method. During resource management, a user whose resources are allocated through the RPKI method can, after being verified by the blockchain system, query resources through the blockchain. Because, under a hybrid deployment of the blockchain method and the RPKI method, users whose resources are allocated through the RPKI method can perform trusted resource queries through the blockchain, this solution allows multiple management mechanisms to exchange resource information in a trusted way during the evolution from a centralized code number resource management mechanism to a distributed one.

Of course, a product or method implementing the present invention does not necessarily need to achieve all of the advantages described above at the same time.

Description of the drawings

To explain the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.

FIG. 1 is a schematic flowchart of a method for managing Internet code number resources provided by an embodiment of the present invention;

FIG. 2 is a schematic diagram of how the blockchain system provided by an embodiment of the present invention performs resource management;

FIG. 3 is a schematic structural diagram of a device for managing Internet code number resources provided by an embodiment of the present invention.

具体实施方式Detailed ways

下面将结合本发明实施例中的附图,对本发明实施例中的技术方案进行清楚、完整地描述,显然,所描述的实施例仅仅是本发明一部分实施例,而不是全部的实施例。基于本发明中的实施例,本领域普通技术人员在没有做出创造性劳动前提下所获得的所有其他实施例,都属于本发明保护的范围。The following will clearly and completely describe the technical solutions in the embodiments of the present invention with reference to the accompanying drawings in the embodiments of the present invention. Obviously, the described embodiments are only some, not all, embodiments of the present invention. Based on the embodiments of the present invention, all other embodiments obtained by persons of ordinary skill in the art without making creative efforts belong to the protection scope of the present invention.

为了实现在集中式码号资源管理机制向分布式码号资源管理机制演进部署中,多种管理机制可信交互资源信息,本发明实施例提供了一种互联网码号资源管理方法及装置。In order to realize the trusted exchange of resource information of multiple management mechanisms during the evolution and deployment of the centralized code number resource management mechanism to the distributed code number resource management mechanism, the embodiment of the present invention provides an Internet code number resource management method and device.

其中,本发明实施例所提供的一种互联网码号资源管理方法,应用于区块链系统,该区块链系统中加入有各个RIR,以及各个RIR所负责的各级机构;其中,RIR所负责的各级机构可以包括:NIR、ISP(Internet Service Provider,互联网服务提供商)等。可以理解的是,区块链技术是利用块链式数据结构来验证与存储数据、利用分布式节点共识算法来生成和更新数据、利用密码学的方式保证数据传输和访问的安全、利用由自动化脚本代码组成的智能合约来编程和操作数据的一种全新的分布式基础架构与计算方式。本发明实施例的区块链系统为采用区块链技术的系统,该区块链系统中包括三类节点:背书节点、记账节点和排序节点,其中,背书节点是用于执行智能合约的节点,通过执行智能合约,背书节点可以处理区块链系统所接收到的各类请求;排序节点是用于进行操作排序的节点;而记账节点是用于实现数据存储的节点;其中,所谓智能合约是部署于背书节点的计算机程序,其基于一些可信的不可篡改的数据,自动化地执行一些预先定义好的规则和条款。Among them, the Internet code number resource management method provided by the embodiment of the present invention is applied to the block chain system, and each RIR is added to the block chain system, as well as the organizations at all levels responsible for each RIR; wherein, the RIR Responsible institutions at all levels may include: NIR, ISP (Internet Service Provider, Internet Service Provider), etc. It can be understood that blockchain technology uses block chain data structure to verify and store data, uses distributed node consensus algorithm to generate and update data, uses cryptography to ensure the security of data transmission and access, and utilizes automated A new distributed infrastructure and computing method that uses smart contracts composed of script code to program and manipulate data. The block chain system of the embodiment of the present invention is a system using block chain technology. The block chain system includes three types of nodes: endorsement nodes, bookkeeping nodes, and ordering nodes. Among them, the endorsement nodes are used to execute smart contracts. 
Nodes, through the execution of smart contracts, endorsement nodes can process various requests received by the blockchain system; sorting nodes are nodes used to sort operations; accounting nodes are nodes used to implement data storage; among them, the so-called A smart contract is a computer program deployed on an endorsement node, which automatically executes some pre-defined rules and terms based on some credible and non-tamperable data.

本发明实施例中,任意RIR为联盟链的一个联盟,这样,该区块链系统是一个由多联盟构成的区块链系统,联盟的数量与加入该区块链系统的RIR的数量相同。另外,由于现有的RIR的分布形式中包括5个地区互联网注册管理机构,因此,在5个地区互联网注册管理机构的RIR均加入区块链系统时,该区块链系统由5个联盟组成,对应5个RIR,每个联盟下有区块链节点,通过所有的区块链节点共同构成区块链系统。In the embodiment of the present invention, any RIR is an alliance of the alliance chain. In this way, the blockchain system is a blockchain system composed of multiple alliances, and the number of alliances is the same as the number of RIRs joining the blockchain system. In addition, since the distribution of the existing RIRs includes five regional Internet registries, when the RIRs of the five regional Internet registries are all added to the blockchain system, the blockchain system consists of five alliances , corresponding to 5 RIRs, each alliance has blockchain nodes, and all blockchain nodes form a blockchain system.

其中,5个地区互联网注册管理机构,对互联网Internet的IP前缀和AS(自治系统,Autonomous System)号码分配是分级进行的;并且,5个地区互联网注册管理机构可以包括:RIPE(Reseaux IP Europeans,欧洲IP地址注册中心)、LACNIC(Lation American andCaribbean Internet Address Registry,拉丁美洲和加勒比海Internet地址注册中心),ARIN(American Registry for Internet Numvers,美国Internet编号注册中心),AFRINIC(Africa Network Information Centre,非洲网络信息中心),以及APNIC(Asia PacificNetwork Information Centre,亚太地址网络信息中心)。Among them, the five regional Internet registries assign IP prefixes and AS (Autonomous System, Autonomous System) numbers to the Internet in a hierarchical manner; and, the five regional Internet registries can include: RIPE (Reseaux IP Europeans, European IP Address Registration Center), LACNIC (Lation American and Caribbean Internet Address Registry, Latin American and Caribbean Internet Address Registration Center), ARIN (American Registry for Internet Numvers, American Internet Number Registration Center), AFRINIC (Africa Network Information Centre, Africa Network Information Center), and APNIC (Asia Pacific Network Information Centre, Asia Pacific Address Network Information Center).

另外,当任一用户,如ISP用户或Enduser用户(终端用户)等等,期望加入区块链系统时,该用户可以向区块链系统进行认证,认证通过后,获得准入资格,此时,通过记账节点内记录有该用户的身份信息,该身份信息可以包括:标识信息、网络地址、已获得的互联网码号资源、已分配的网络互联网码号资源、准入资格的凭证等。并且,加入区块链系统的任一用户,可以获取到作为准入资格的凭证的证书:区块链系统下发的用于身份认证的密钥证书,以及用于通信认证的通信证书,从而使得区块链系统可以对各个用户进行身份认证的管理,以及通信安全的管理,其中,该用于通信认证的通信证书可以为TLS(TransportLayer Security,安全传输层协议)证书。可以理解的是,本发明实施例中,用于身份认证的密钥证书,以及用于通信认证的通信证书与现有技术中加入到任一区块链中的用户所获取到的证书形式相同。In addition, when any user, such as an ISP user or an Enduser user (end user), etc., wishes to join the blockchain system, the user can authenticate to the blockchain system, and obtain access qualifications after passing the authentication. , the identity information of the user is recorded in the accounting node, and the identity information may include: identification information, network address, obtained Internet number resources, allocated network Internet number resources, access qualification certificates, etc. Moreover, any user who joins the blockchain system can obtain a certificate as a certificate of admission qualification: the key certificate issued by the blockchain system for identity authentication, and the communication certificate for communication authentication, so that This allows the blockchain system to manage identity authentication and communication security for each user, wherein the communication certificate used for communication authentication can be a TLS (TransportLayer Security, Transport Layer Security) certificate. It can be understood that in the embodiment of the present invention, the key certificate used for identity authentication and the communication certificate used for communication authentication are in the same form as the certificates obtained by users who join any blockchain in the prior art .

Moreover, when the blockchain system is deployed, a blockchain node may or may not be deployed for an RIR that joins the blockchain system, and blockchain nodes may or may not be deployed for the institutions at each level under an RIR. The blockchain system as a whole comprises several blockchain nodes, and each blockchain node may be a node deployed for an RIR or a node deployed for a lower-level institution that an RIR is responsible for.

As shown in Figure 1, a method for managing Internet code number resources provided by an embodiment of the present invention may include the following steps:

S101, obtaining a first query request sent by a first user; wherein the first user is a user who uses the RPKI method for resource management, and the first query request carries the RPKI resource certificate obtained by the first user and first query requirement information about address authorization relationships;

Users who obtain Internet code number resources through RPKI, such as ISP users and Enduser users, may need to run queries. The blockchain system can therefore provide a blockchain-based query interface to such users, who are off-chain nodes that obtain their Internet code number resources through RPKI.

Moreover, a user who is an off-chain node and obtains network resources through RPKI receives an RPKI resource certificate when resources are allocated, and this certificate can be used to verify that the user's identity is legitimate. In this embodiment, therefore, when the first user (a user who is an off-chain node and obtains network resources through RPKI) needs to query an address authorization relationship, the first user can send a first query request to the blockchain system. The first query request carries the RPKI resource certificate obtained by the first user and first query requirement information about address authorization relationships. The first query requirement information is the information to be queried; for example, it may include an IP prefix to be queried or an ASN to be queried.

S102, authenticating the identity of the first user by determining whether the RPKI resource certificate carried in the first query request is a legitimate certificate;

The blockchain system can use an existing method for validating RPKI resource certificates to determine whether the RPKI resource certificate carried in the first query request is a legitimate certificate, and authenticates the identity of the first user according to the result. When the RPKI resource certificate carried in the first query request is a legitimate certificate, the identity authentication of the first user is determined to have passed; when it is not a legitimate certificate, the identity authentication of the first user is determined to have failed.

S103, if authentication passes, feeding back to the first user, based on the target address authorization relationship between IP prefixes and autonomous system numbers (ASNs) recorded by the accounting node of the blockchain system, a query result matching the first query requirement information; extracting an address authorization relationship from the RPKI resource certificate carried in the first query request; and updating the target address authorization relationship in the accounting node based on the extracted address authorization relationship.

If authentication passes, the blockchain system can, based on the target address authorization relationship between IP prefixes and ASNs recorded by its accounting node, feed back to the first user a query result matching the first query requirement information carried in the first query request. It also extracts the address authorization relationship from the RPKI resource certificate carried in the first query request and updates the target address authorization relationship in the accounting node accordingly, that is, it records the extracted address authorization relationship in the target address authorization relationship of the accounting node in the blockchain system. The first query requirement information may include an IP prefix to be queried or an ASN to be queried; in that case the blockchain system can return the address authorization relationships that contain the queried IP prefix or the queried ASN.

The target address authorization relationship can be represented in IP-ASN form. The target address authorization relationship held in the accounting node makes it easy to track and query code number resources that have already been allocated.

The way in which the address authorization relationship is extracted from the RPKI resource certificate carried in the first query request may follow the prior art and is not limited by the embodiments of the present invention.

To make the scheme easier to understand, Figure 2 shows a schematic diagram of resource management by the blockchain system. Specifically: any user can join the blockchain system through identity registration, and on joining, the blockchain system can issue that user a key certificate for identity authentication. Using this key certificate, the user can apply to the blockchain system for resources, query data, and so on. Alternatively, any user can obtain network resources through RPKI, in which case the user can query data from the RPKI database; when such a user wants to query data in the blockchain system, the user can use the RPKI resource certificate to do so.

This scheme manages Internet code number resources through a mixed deployment of the blockchain method and the RPKI method. During resource management, a user whose resources are allocated through RPKI can, after being verified by the blockchain system, query resources through the blockchain. Because users whose resources are allocated through RPKI can run trusted resource queries through the blockchain under this mixed deployment, the scheme allows multiple management mechanisms to exchange resource information in a trusted way while a centralized code number resource management mechanism evolves toward a distributed one.

Users who obtain network resources by means other than RPKI and the blockchain system may also need to run queries, so the blockchain system can provide a query interface to such users as well. On the basis of the above embodiment, in another embodiment of the present invention, the Internet code number resource management method may further include steps A1-A3:

Step A1, obtaining a second query request sent by a second user; the second user is a user who does not use the RPKI method for resource management and has not joined the blockchain system, and the second query request carries the second user's own address authorization relationship and second query requirement information about address authorization relationships;

Because the second user neither uses the RPKI method for resource management nor has joined the blockchain system, the second user holds neither an RPKI resource certificate nor a key certificate issued by the blockchain system. For data security, the identity of the second user can therefore be authenticated based on the second user's own address authorization relationship, and the second user's query is answered only when authentication passes. The second user's own address authorization relationship is the authorization relationship between the IP prefix that the second user itself uses and an ASN.

Step A2, authenticating the identity of the second user using the address authorization relationship carried in the second query request;

Authenticating the identity of the second user using the address authorization relationship carried in the second query request includes:

If the target address authorization relationship records an authorization relationship whose IP prefix is the same as that of the address authorization relationship carried in the second query request but whose ASN is different, determining that the identity authentication of the second user has failed; otherwise, determining that the identity authentication of the second user has passed.

If the target address authorization relationship between IP prefixes and ASNs recorded by the accounting node of the blockchain system contains an authorization relationship with the same IP prefix as the second user's address authorization relationship but a different ASN, the second user's address authorization relationship contradicts the one recorded in the blockchain system. In that case the identity authentication of the second user is determined to have failed, that is, the second user's identity is not legitimate.

Step A3, if authentication passes, feeding back to the second user a query result matching the second query requirement information, and updating the target address authorization relationship in the accounting node based on the address authorization relationship carried in the second query request;

To further enrich the address authorization relationships recorded by the accounting node in the blockchain system, if authentication passes, the blockchain system can feed back to the second user a query result matching the second query requirement information carried in the second query request, and record the second user's address authorization relationship in the target address authorization relationship of the accounting node. Note that if neither the IP prefix nor the ASN in the second user's address authorization relationship appears in any address authorization relationship in the blockchain system, the second user is judged to have passed identity authentication. To guard against the case where the IP prefix and ASN in the second user's address authorization relationship do not in fact form a legitimate authorization relationship, the second user's address authorization relationship recorded in the accounting node can be annotated with a credibility level, and the level assigned is a lower one.
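The following added example (not code from the patent) models steps A1-A3 in Python: the exact-prefix conflict check of step A2 and the low-credibility recording of step A3. The class names, the `HIGH`/`LOW` labels, the `source` field and the sample prefixes and ASNs (documentation ranges) are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Credibility labels are this example's own names; the description only says
# that self-declared relationships are marked with a lower credibility.
HIGH, LOW = "high", "low"


def normalize(prefix):
    """Canonical text form of an IPv4/IPv6 prefix; raises ValueError if malformed."""
    return str(ipaddress.ip_network(prefix))


@dataclass(frozen=True)
class Relation:
    prefix: str        # canonical IP prefix
    asn: int           # autonomous system number
    credibility: str   # HIGH or LOW
    source: str        # where the relationship came from (hypothetical field)


class Ledger:
    """Stand-in for the target address authorization relationship in the accounting node."""

    def __init__(self):
        self.relations = []

    def record(self, prefix, asn, credibility, source):
        rel = Relation(normalize(prefix), int(asn), credibility, source)
        known = any(r.prefix == rel.prefix and r.asn == rel.asn for r in self.relations)
        if not known:
            self.relations.append(rel)
        return rel

    def conflicts(self, prefix, asn):
        # Step A2: same IP prefix, different ASN. The comparison is exact-prefix
        # equality, as the description states; covering or more-specific
        # prefixes are not compared.
        p = normalize(prefix)
        return [r for r in self.relations if r.prefix == p and r.asn != int(asn)]

    def query(self, prefix=None, asn=None):
        # Query requirement information: an IP prefix or an ASN to look up.
        p = normalize(prefix) if prefix is not None else None
        return [r for r in self.relations
                if (p is None or r.prefix == p) and (asn is None or r.asn == asn)]

    def handle_second_user(self, claimed_prefix, claimed_asn, wanted):
        """Steps A1-A3 for a user with neither an RPKI nor a blockchain certificate."""
        if self.conflicts(claimed_prefix, claimed_asn):
            return {"authenticated": False, "results": []}
        results = self.query(**wanted)
        # Step A3: the claim is unverified, so it is stored with low credibility.
        self.record(claimed_prefix, claimed_asn, LOW, "self-declared")
        return {"authenticated": True, "results": results}


def build_demo_ledger():
    """Constructed sample state: one relationship taken from an RPKI certificate."""
    ledger = Ledger()
    ledger.record("192.0.2.0/24", 64500, HIGH, "rpki-certificate")
    return ledger


if __name__ == "__main__":
    ledger = build_demo_ledger()
    # Contradicts the recorded 192.0.2.0/24 -> AS64500: authentication fails.
    print(ledger.handle_second_user("192.0.2.0/24", 64501, {"asn": 64500}))
    # Unknown prefix: passes, is answered, and is recorded with low credibility.
    print(ledger.handle_second_user("198.51.100.0/24", 64502, {"prefix": "192.0.2.0/24"}))
    print(ledger.query(asn=64502))
```

A consumer of the ledger can filter on the credibility field to keep self-declared relationships apart from those extracted from validated certificates.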

In this scheme, under a mixed deployment of the blockchain method and the RPKI method, both users whose resources are allocated through RPKI and users who obtain network resources by means other than RPKI and the blockchain system can run trusted resource queries through the blockchain. The scheme therefore allows multiple management mechanisms to exchange resource information in a trusted way while a centralized code number resource management mechanism evolves toward a distributed one. Because the scheme covers many kinds of management mechanism, it is applicable to a wide range of resource management scenarios.

On the basis of any of the above embodiments, in another embodiment of the present invention, the Internet code number resource management method may further include steps B1-B3:

Step B1, obtaining a third query request sent by a third user; the third user is a user who has joined the blockchain system, and the third query request carries the key certificate issued to the third user by the blockchain system and third query requirement information about address authorization relationships;

A third user who has obtained admission credentials in advance can send a third query request to the blockchain system when it needs to check whether certain address authorization relationships are legitimate. The third query request carries the information used for identity authentication and the information to be queried.

In addition, when the first user and the second user query resources, the blockchain system updates the target address authorization relationship in the accounting node based on the address authorization relationship in the first user's RPKI resource certificate and the address authorization relationship carried in the second query request sent by the second user. The target address authorization relationship thus comes to include the address authorization relationships of the first user and the second user and is enriched accordingly. The third user can then look up the address authorization relationships of all these kinds of user in the target address authorization relationship.

Step B2, authenticating the identity of the third user using the key certificate carried in the third query request;

Step B3, if authentication passes, feeding back to the third user a query result matching the third query requirement information carried in the third query request.

The specific way in which the blockchain system authenticates the identity of the third user using the key certificate carried in the third query request may follow the identity authentication method of any blockchain-based network system in the prior art, and is not limited by the embodiments of the present invention.

Passing identity authentication indicates that the third user has query permission. The blockchain system can then, based on the target address authorization relationship recorded in the accounting node, feed back to the third user a query result matching the third query requirement information carried in the third query request. The third query requirement information may include an IP prefix to be queried or an ASN to be queried; in that case the blockchain system can return the address authorization relationships that contain the queried IP prefix or the queried ASN.

In this scheme, under a mixed deployment of the blockchain method and the RPKI method, both users whose resources are allocated through RPKI and users who obtain network resources by means other than the blockchain system can run trusted resource queries through the blockchain. The scheme therefore allows multiple management mechanisms to exchange resource information in a trusted way while a centralized code number resource management mechanism evolves toward a distributed one.

In another embodiment of the present invention, the Internet code number resource management method may further include steps C1-C3:

Step C1, when a resource application request sent by a target user who has joined the blockchain system is received, authenticating the identity of the target user based on the key certificate carried in the resource application request; wherein the key certificate carried in the resource application request is a certificate issued by the blockchain system, and the resource application request also carries resource requirement information;

When a target user who has joined the blockchain system requests resources, the resources can be allocated through the blockchain method, and the resources allocated in this way are code number resources managed by the blockchain system. For example, in a specific application the target user may be an ISP user or an Enduser user (end user), and so on.

The target user can request Internet code number resources through a resource application request, and the Internet code number resources obtained can be used by the target user itself or allocated to other users. For example, user1 applies for the address prefix 2f00:0000::/32 and at the same time applies for and obtains AS number 12345; user1 then allocates 2f00:0000:0001::/48 to user2, and uses AS number 12345 and 2f00:0000:0002::/48 to create a correspondence.

In addition, the Internet code number resources requested by a resource application request may include IP prefixes and ASNs (Autonomous System Numbers), or IP prefixes only. The resource requirement information may include the resource quantity and the resource type, or the resource type only. Those skilled in the art will understand that the resource requirement information may also include a usage time limit. For example, a resource application request may ask for N1 IP prefixes with a usage time limit of 1 year and N2 ASNs with a usage time limit of 2 years.

In the Internet, an AS is the whole set of IP networks and routers under the control of one or more entities that apply a common routing policy toward the Internet. ASNs are assigned in blocks by the Internet address assignment authority to the regional Internet registries, each of which then assigns an ASN from its block to each entity. An entity that wants an ASN must apply through the procedure laid down by the regional registry it belongs to, and is assigned an ASN only after the application is approved.

When a resource application request is received, the blockchain system can authenticate the identity of the target user based on the key certificate carried in the request, using an authentication method from the prior art, that is, it verifies whether the target user is a user who has been admitted. The resource application request may also carry a communication certificate, which is used to authenticate communication security.

If authentication passes, the blockchain system can perform step C2. If authentication fails, the process can end, or a prompt indicating that authentication failed can be returned to the target user.

Step C2, if authentication passes, then when the code number resources managed by the blockchain system satisfy the resource requirement information, determining, from the code number resources managed by the blockchain system, target code number resources that match the resource requirement information, as the user resources;

Once the identity authentication of the target user has passed, and when the code number resources managed by the blockchain system satisfy the resource requirement information, the blockchain system can determine, from the code number resources it manages, target code number resources that match the resource requirement information, as the user resources. If the resource requirement information includes only the resource type, the code number resources managed by the blockchain system satisfy the resource requirement information when the resource types they cover include the requested resource type. If the resource requirement information includes both the resource type and the resource quantity, the code number resources managed by the blockchain system satisfy the resource requirement information when the resource types they cover include the requested resource type and the quantity of managed code number resources of that type is greater than the quantity requested in the resource requirement information.

If the resource requirement information includes only the resource type, determining the target code number resources that match the resource requirement information means determining, from the code number resources managed by the blockchain system, network resources of the requested resource type. Similarly, if the resource requirement information includes the resource type and the resource quantity, it means determining, from the code number resources managed by the blockchain system, target code number resources of the requested resource type in the requested quantity. The resource allocation method used to select the matching target code number resources from the code number resources managed by the blockchain system can be set in advance and is not limited by the embodiments of the present invention.

For example, if the code number resources managed by the blockchain system comprise 300 IP prefixes and 200 ASNs, and the resource requirement information asks for 10 IP prefixes and 20 AS numbers, then 10 IP prefixes and 20 ASNs out of the 300 IP prefixes and 200 ASNs are allocated to the target user.

Step C3, feeding the user resources back to the target user so that the target user obtains the user resources, establishing the target user's own address authorization relationship for those code number resources among the user resources that the target user itself needs to use, and recording the established address authorization relationship in the target address authorization relationship of the accounting node.

If the target user is an ISP user and the user resources obtained include code number resources that the target user itself needs to use, an address authorization relationship can be established for those code number resources. Because an ISP node can act as a resource distributor for the next-level institutions, the target user can treat the obtained user resources other than the code number resources it needs for itself as code number resources to be allocated, and allocate Internet code number resources to the next-level institutions from them.

If the target user is an Enduser user (end user), the target user does not act as a distributor of Internet code number resources. After obtaining the user resources, the target user therefore treats them as the code number resources it needs to use itself, and can establish an address authorization relationship for them.

After the blockchain system allocates user resources to the target user, the state of those user resources as stored in the blockchain system is changed to one indicating that they are occupied, so that the blockchain system can accurately determine the remaining, currently available target code number resources for the next allocation.

When allocating user resources to the target user, the blockchain system can also set on the user resources the usage time limit given in the resource requirement information. This makes it possible to reclaim allocated user resources once they expire, or to remind the target user ahead of expiry so that the target user can prepare in advance to renew or to give the resources up.
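As an added illustration of steps C2 and C3 (not code from the patent), the Python sketch below models the managed pool: the satisfaction test, marking resources occupied, usage time limits with expiry reminder and reclaim, and recording a relationship for self-used resources. The `Pool` class, holder names, dates and the 2001:db8::/32 and private-ASN sample values are constructed; the check in `bind` that a holder was allocated both resources is this example's assumption.

```python
import ipaddress
from datetime import date
from itertools import islice


def add_years(d, years):
    try:
        return d.replace(year=d.year + years)
    except ValueError:                      # 29 February, non-leap target year
        return d.replace(year=d.year + years, day=28)


class Pool:
    """Code number resources managed by the blockchain system (simplified model)."""

    def __init__(self, prefixes, asns):
        self.free = {"prefix": list(prefixes), "asn": list(asns)}
        self.occupied = {}      # resource -> (holder, expiry date)
        self.relations = []     # recorded (prefix, asn, holder) relationships

    def satisfies(self, demand):
        # demand: {resource type: (quantity, usage limit in years)}.
        # The description requires the managed quantity of the requested type
        # to be greater than the requested quantity, hence the strict ">".
        return all(kind in self.free and len(self.free[kind]) > count
                   for kind, (count, _years) in demand.items())

    def allocate(self, holder, demand, today):
        """Step C2: pick matching resources and mark them occupied with an expiry."""
        if not self.satisfies(demand):
            return None
        granted = {}
        for kind, (count, years) in demand.items():
            granted[kind] = self.free[kind][:count]
            self.free[kind] = self.free[kind][count:]
            for res in granted[kind]:
                self.occupied[res] = (holder, add_years(today, years))
        return granted

    def holds(self, holder, res):
        return res in self.occupied and self.occupied[res][0] == holder

    def bind(self, holder, prefix, asn):
        """Step C3: record the holder's own prefix-ASN authorization relationship."""
        if not (self.holds(holder, prefix) and self.holds(holder, asn)):
            raise PermissionError("holder was not allocated both resources")
        self.relations.append((prefix, asn, holder))

    def expiring(self, today, within_days):
        """Resources whose usage limit ends within the reminder window."""
        return sorted((res for res, (_h, exp) in self.occupied.items()
                       if 0 <= (exp - today).days <= within_days), key=str)

    def reclaim(self, today):
        """Return expired resources to the free pool. What happens to recorded
        relationships for them is not specified in the description, so they
        are left untouched here."""
        expired = [res for res, (_h, exp) in self.occupied.items() if exp < today]
        for res in expired:
            del self.occupied[res]
            self.free["asn" if isinstance(res, int) else "prefix"].append(res)
        return expired


def build_demo_pool():
    """Constructed pool mirroring the text's example: 300 prefixes and 200 ASNs."""
    block = ipaddress.ip_network("2001:db8::/32")
    prefixes = [str(n) for n in islice(block.subnets(new_prefix=48), 300)]
    return Pool(prefixes, range(64512, 64712))


if __name__ == "__main__":
    pool = build_demo_pool()
    got = pool.allocate("isp-1", {"prefix": (10, 1), "asn": (20, 2)}, date(2021, 2, 4))
    pool.bind("isp-1", got["prefix"][0], got["asn"][0])
    print(pool.relations, len(pool.free["prefix"]), len(pool.free["asn"]))
    print(len(pool.expiring(date(2022, 1, 20), 30)), len(pool.reclaim(date(2022, 2, 5))))
```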

Note that the code number resources managed by the blockchain system comprise code number resources configured manually in the blockchain system in advance, together with resources to be allocated that are reported by users who use the RPKI method for resource management; the resources to be allocated are code number resources that such a user has obtained but does not use itself. When the blockchain system is first set up, the code number resources it manages may consist only of those configured manually in advance. Users who use the RPKI method for resource management can later report code number resources, so that the code number resources managed by the blockchain system include both the manually provided ones and those reported by users. For example, in one implementation, the code number resources managed by the blockchain system include resources to be allocated reported by a fourth user, where the fourth user is a user who uses the RPKI method for resource management and the resources to be allocated are code number resources that the fourth user does not use itself. In this implementation, the fourth user can allocate resources to its next-level users through the blockchain method. Correspondingly, when the target user is a next-level user of the fourth user, determining, when the code number resources managed by the blockchain system satisfy the resource requirement information, target code number resources that match the resource requirement information from the code number resources managed by the blockchain system, as the user resources, includes:

when the to-be-allocated resources reported by the fourth user satisfy the resource requirement information, determining, from the to-be-allocated code number resources reported by the fourth user, a code number resource that matches the resource requirement information, as the user resource.

It can be understood that, in one implementation, the fourth user may report the to-be-allocated resources to the blockchain system when sending a query request to it; exemplarily, the to-be-allocated resources may be carried in the RPKI resource certificate, although this is not the only option. In another implementation, when to-be-allocated resources need to be reported, the fourth user can send the blockchain system a resource allocation request carrying the to-be-allocated resources and an RPKI resource certificate, so that the blockchain system saves the to-be-allocated resources from the request after the fourth user's identity has been authenticated using the RPKI resource certificate in that request.
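The allocation path described above (serving a next-level user from the fourth user's reported pool, and attaching the usage time limit so the resource can be reminded about and reclaimed) can be sketched as follows. This is an added example, not code from the patent; the class and method names, the best-fit splitting strategy, the demand format (an IPv4 prefix length plus a number of days) and the sample prefix are all assumptions.

```python
import ipaddress
from datetime import date, timedelta


class ReportedPool:
    """Constructed model of the to-be-allocated prefixes reported by one
    RPKI-managed (fourth) user. Names and demand format are assumptions."""

    def __init__(self, reporter, prefixes):
        self.reporter = reporter
        self.free = [ipaddress.ip_network(p, strict=True) for p in prefixes]
        self.leases = []  # (block, user, expires_on)

    def allocate(self, user, parent, prefixlen, days, today):
        """Return (block, expires_on), or None when the pool cannot serve
        the request. Only next-level users of the reporter are served."""
        if parent != self.reporter or days <= 0 or not 0 <= prefixlen <= 32:
            return None
        fits = [n for n in self.free
                if n.version == 4 and n.prefixlen <= prefixlen]
        if not fits:
            return None  # reported resources do not satisfy the demand
        # Best fit: take the smallest free block that still holds the demand.
        block = max(fits, key=lambda n: n.prefixlen)
        self.free.remove(block)
        # Split down to the requested size, returning the spare halves.
        while block.prefixlen < prefixlen:
            block, spare = block.subnets(prefixlen_diff=1)
            self.free.append(spare)
        expires = today + timedelta(days=days)
        self.leases.append((block, user, expires))
        return block, expires

    def sweep(self, today, remind_within_days):
        """Reclaim expired leases and list those close to expiry."""
        remind, reclaimed, active = [], [], []
        for block, user, expires in self.leases:
            if expires <= today:
                self.free.append(block)
                reclaimed.append((user, block))
            else:
                active.append((block, user, expires))
                if (expires - today).days <= remind_within_days:
                    remind.append((user, block, expires))
        self.leases = active
        return remind, reclaimed


if __name__ == "__main__":
    # 203.0.113.0/24 is a documentation prefix used as constructed input.
    pool = ReportedPool("fourth-user", ["203.0.113.0/24"])
    print(pool.allocate("user-a", "fourth-user", 26, 30, date(2021, 2, 4)))
    print(pool.sweep(date(2021, 3, 1), remind_within_days=7))
```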

It can be seen that this solution allows multiple management mechanisms to exchange resource information in a trusted way while deployment evolves from a centralized code number resource management mechanism to a distributed one; moreover, the solution enables effective resource allocation based on the blockchain system.

Corresponding to the above method embodiment, an embodiment of the present invention also provides an Internet code number resource management device; as shown in Figure 3, the device includes:

a first acquisition module 310, configured to acquire a first query request sent by a first user; the first user is a user who uses the RPKI mode for resource management, and the first query request carries the RPKI resource certificate obtained by the first user and first query requirement information about an address authorization relationship;

a first authentication module 320, configured to authenticate the identity of the first user by judging whether the RPKI resource certificate carried in the first query request is a legitimate certificate;

a first processing module 330, configured to, if the authentication is passed, feed back to the first user a query result matching the first query requirement information, based on the target address authorization relationship between IP prefixes and autonomous system numbers (ASNs) recorded by the accounting node of the blockchain system, and to extract an address authorization relationship from the RPKI resource certificate carried in the first query request and update the target address authorization relationship in the accounting node based on the extracted address authorization relationship.

This solution manages Internet code number resources through a mixed deployment of the blockchain mode and the RPKI mode. During resource management, a user who allocates resources in the RPKI mode can, after being verified by the blockchain system, query resources through the blockchain. Because users who allocate resources in the RPKI mode can perform trusted resource queries through the blockchain under this mixed deployment, the solution allows multiple management mechanisms to exchange resource information in a trusted way while deployment evolves from a centralized code number resource management mechanism to a distributed one.

In an embodiment of the present invention, the device provided by the embodiment of the present invention may further include:

a second acquisition module, configured to acquire a second query request sent by a second user; the second user is a user who neither uses the RPKI mode for resource management nor has joined the blockchain system, and the second query request carries the second user's own address authorization relationship and second query requirement information about an address authorization relationship;

a second authentication module, configured to authenticate the identity of the second user by using the address authorization relationship carried in the second query request;

a second processing module, configured to, if the authentication is passed, feed back to the second user a query result matching the second query requirement information, and update the target address authorization relationship in the accounting node based on the address authorization relationship carried in the second query request;

wherein authenticating the identity of the second user by using the address authorization relationship carried in the second query request includes:

if the target address authorization relationship records an authorization relationship whose IP prefix is the same as that of the address authorization relationship carried in the second query request but whose ASN is different, determining that the identity authentication of the second user has not passed; otherwise, determining that the identity authentication of the second user has passed.
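The second-user rule above can be exercised with a small ledger model: a claim passes unless the ledger already holds the same prefix with a different ASN, and a passing claim is then written back, so the first claim for an unrecorded prefix decides what later claims are checked against. This is an added example, not code from the patent; the class and method names, the exact-equality prefix comparison, the rejection of malformed input and the sample prefixes and ASNs are assumptions.

```python
import ipaddress


class AuthorizationLedger:
    """Constructed stand-in for the target address authorization
    relationship (IP prefix -> ASN) recorded by the accounting node."""

    def __init__(self, records=()):
        self._asns_by_prefix = {}
        for prefix, asn in records:
            self.record(prefix, asn)

    @staticmethod
    def _normalize(prefix):
        # strict=True rejects prefixes with host bits set (192.0.2.1/24).
        return ipaddress.ip_network(prefix, strict=True)

    def record(self, prefix, asn):
        key = self._normalize(prefix)
        self._asns_by_prefix.setdefault(key, set()).add(int(asn))

    def asns_for(self, prefix):
        key = self._normalize(prefix)
        return frozenset(self._asns_by_prefix.get(key, ()))

    def second_user_passes(self, prefix, asn):
        """Fail when a record has the same prefix and a different ASN.

        Assumption: 'same IP prefix' is read as exact equality of the
        normalized prefix; the rule as stated says nothing about
        overlapping (covering or more-specific) prefixes.
        """
        return all(recorded == int(asn) for recorded in self.asns_for(prefix))

    def handle_second_query(self, claimed, wanted_prefix):
        """Authenticate the claim, answer the query, then update the ledger.

        Malformed input is treated as failed authentication (assumption).
        """
        try:
            prefix, asn = claimed
            asn = int(asn)
            passed = self.second_user_passes(prefix, asn)
            answer = sorted(self.asns_for(wanted_prefix)) if passed else None
        except (TypeError, ValueError):
            return {"authenticated": False, "result": None}
        if passed:
            self.record(prefix, asn)
        return {"authenticated": passed, "result": answer}


if __name__ == "__main__":
    # Documentation prefixes and ASNs, used as constructed sample data.
    ledger = AuthorizationLedger([("192.0.2.0/24", 64500)])
    for claim in [("192.0.2.0/24", 64501),      # same prefix, other ASN
                  ("192.0.2.0/24", 64500),      # matches the record
                  ("198.51.100.0/24", 64501),   # prefix not yet recorded
                  ("198.51.100.0/24", 64502)]:  # conflicts with the new record
        print(claim, ledger.handle_second_query(claim, "192.0.2.0/24"))
```

Because a passing claim for an unrecorded prefix is written to the ledger without further evidence, the record is only as trustworthy as that first claim.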

In an embodiment of the present invention, the device provided by the embodiment of the present invention may further include:

a third acquisition module, configured to acquire a third query request sent by a third user; the third user is a user who has joined the blockchain system, and the third query request carries the key certificate issued to the third user by the blockchain system and third query requirement information about an address authorization relationship;

a third authentication module, configured to authenticate the identity of the third user by using the key certificate carried in the third query request;

a third processing module, configured to, if the authentication is passed, feed back to the third user a query result matching the third query requirement information carried in the third query request.

In an embodiment of the present invention, the device further includes:

a fourth authentication module, configured to, when a resource application request sent by a target user who has joined the blockchain system is received, authenticate the identity of the target user based on the key certificate carried in the resource application request; the key certificate carried in the resource application request is a certificate issued by the blockchain system, and the resource application request also carries resource requirement information;

a fourth processing module, configured to, if the authentication is passed and the code number resources managed by the blockchain system satisfy the resource requirement information, determine, from the code number resources managed by the blockchain system, a target code number resource matching the resource requirement information, as the user resource;

an information feedback module, configured to feed back the user resource to the target user, so that the target user obtains the user resource, establishes its own address authorization relationship for the code number resources within the user resource that it needs to use itself, and records the established address authorization relationship in the target address authorization relationship of the accounting node.

In an embodiment of the present invention, the code number resources managed by the blockchain system include to-be-allocated resources reported by a fourth user; the fourth user is a user who uses the RPKI mode for resource management, and the to-be-allocated resources are code number resources that the fourth user does not use itself;

correspondingly, when the target user is a next-level user of the fourth user, the fourth processing module determining, when the code number resources managed by the blockchain system satisfy the resource requirement information, a target code number resource matching the resource requirement information from the code number resources managed by the blockchain system as the user resource includes:

when the to-be-allocated resources reported by the fourth user satisfy the resource requirement information, determining, from the to-be-allocated code number resources reported by the fourth user, a code number resource that matches the resource requirement information, as the user resource.

It should be noted that, in this document, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between these entities or operations. Furthermore, the terms "include", "comprise" and any other variants are intended to cover a non-exclusive inclusion, so that a process, method, article or device comprising a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional identical elements in the process, method, article or device comprising that element.

The embodiments in this specification are described in a related manner; for parts that are the same or similar across embodiments, the embodiments may be referred to one another, and each embodiment focuses on its differences from the others. In particular, because the system embodiment is basically similar to the method embodiment, its description is relatively brief; for the relevant parts, refer to the description of the method embodiment.

The above are only preferred embodiments of the present invention and are not intended to limit its scope of protection. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention falls within the scope of protection of the present invention.

Claims (8)

1. An Internet code number resource management method, characterized in that it is applied to a blockchain system; the method comprises the following steps:
acquiring a first query request sent by a first user; the first user is a user performing resource management in an RPKI mode, and the first query request carries an RPKI resource certificate acquired by the first user and first query requirement information about an address authorization relationship;
authenticating the identity of the first user by judging whether the RPKI resource certificate carried by the first query request is a legal certificate or not;
if the authentication is passed, feeding back a query result matched with the first query requirement information to the first user based on a target address authorization relationship recorded by an accounting node of the blockchain system and related to an IP prefix and an ASN (autonomous system number), extracting an address authorization relationship from the RPKI resource certificate carried by the first query request, and updating the target address authorization relationship in the accounting node based on the extracted address authorization relationship;
acquiring a second query request sent by a second user; the second user is a user which does not use the RPKI mode to carry out resource management and does not join the blockchain system, and the second query request carries the address authorization relationship of the second user and second query requirement information about the address authorization relationship;
authenticating the identity of the second user by using the address authorization relationship carried by the second query request;
if the authentication is passed, feeding back a query result matched with the second query requirement information to the second user, and updating the target address authorization relationship in the accounting node based on the address authorization relationship carried in the second query request;
wherein the step of authenticating the identity of the second user by using the address authorization relationship carried by the second query request includes:
if the target address authorization relationship records an authorization relationship whose IP prefix is the same as that of the address authorization relationship carried by the second query request and whose ASN is different, judging that the identity authentication of the second user is not passed; otherwise, judging that the identity authentication of the second user passes.
2. The method according to claim 1, wherein the method further comprises:
acquiring a third query request sent by a third user; the third user is a user joining the blockchain system, and the third query request carries a key certificate issued to the third user by the blockchain system and third query requirement information about an address authorization relationship;
authenticating the identity of the third user by using the key certificate carried in the third query request;
and if the authentication is passed, feeding back a query result matched with the third query requirement information carried by the third query request to the third user.
3. The method according to claim 1 or 2, characterized in that the method further comprises:
when a resource application request sent by a target user joining the blockchain system is received, authenticating the identity of the target user based on a key certificate carried in the resource application request; the key certificate carried in the resource application request is a certificate issued by the blockchain system, and the resource application request also carries resource demand information;
if the authentication is passed, when the code number resource managed by the blockchain system meets the resource demand information, determining a target code number resource matched with the resource demand information from the code number resource managed by the blockchain system as a user resource;
and feeding back the user resource to the target user so that the target user obtains the user resource, establishing an address authorization relationship of the target user according to the code number resource required to be used by the target user in the user resource, and recording the established address authorization relationship in the target address authorization relationship of the accounting node.
4. The method of claim 3, wherein the code number resources managed by the blockchain system include resources to be allocated reported by a fourth user; the fourth user is a user who performs resource management by using the RPKI mode, and the resource to be allocated is a code number resource which is not used by the fourth user;
correspondingly, when the target user is a next-level user of the fourth user, the step of determining, when the code number resource managed by the blockchain system meets the resource requirement information, the target code number resource matched with the resource requirement information from the code number resource managed by the blockchain system as the user resource comprises:
and when the resources to be allocated, which are reported by the fourth user, meet the resource demand information, determining the code number resources matched with the resource demand information from the code number resources to be allocated, which are reported by the fourth user, as user resources.
5. An Internet code number resource management device, characterized in that it is applied to a blockchain system; the device comprises:
the first acquisition module is used for acquiring a first query request sent by a first user; the first user is a user performing resource management in an RPKI mode, and the first query request carries an RPKI resource certificate acquired by the first user and first query requirement information about an address authorization relationship;
the first authentication module is used for authenticating the identity of the first user by judging whether the RPKI resource certificate carried by the first query request is a legal certificate or not;
the first processing module is used for feeding back a query result matched with the first query requirement information to the first user based on a target address authorization relationship recorded by an accounting node of the blockchain system and related to an IP prefix and an ASN (autonomous system number) if authentication is passed, extracting an address authorization relationship from the RPKI resource certificate carried by the first query request, and updating the target address authorization relationship in the accounting node based on the extracted address authorization relationship;
the second acquisition module is used for acquiring a second query request sent by a second user; the second user is a user which does not use the RPKI mode to carry out resource management and does not join the blockchain system, and the second query request carries the address authorization relationship of the second user and second query requirement information about the address authorization relationship;
the second authentication module is used for authenticating the identity of the second user by utilizing the address authorization relationship carried by the second query request;
the second processing module is used for feeding back a query result matched with the second query requirement information to the second user if the authentication is passed, and updating the target address authorization relationship in the accounting node based on the address authorization relationship carried in the second query request;
wherein the step of authenticating the identity of the second user by using the address authorization relationship carried by the second query request includes:
if the target address authorization relationship records an authorization relationship whose IP prefix is the same as that of the address authorization relationship carried by the second query request and whose ASN is different, judging that the identity authentication of the second user is not passed; otherwise, judging that the identity authentication of the second user passes.
6. The apparatus of claim 5, wherein the apparatus further comprises:
the third acquisition module is used for acquiring a third query request sent by a third user; the third user is a user joining the blockchain system, and the third query request carries a key certificate issued to the third user by the blockchain system and third query requirement information about an address authorization relationship;
the third authentication module is used for authenticating the identity of the third user by utilizing the key certificate carried in the third query request;
and the third processing module is used for feeding back a query result matched with the third query requirement information carried by the third query request to the third user if the authentication is passed.
7. The apparatus according to claim 5 or 6, further comprising:
the fourth authentication module is used for authenticating the identity of the target user based on a key certificate carried in a resource application request when the resource application request sent by the target user joining the blockchain system is received; the key certificate carried in the resource application request is a certificate issued by the blockchain system, and the resource application request also carries resource demand information;
a fourth processing module, configured to determine, if authentication is passed, a target code number resource that matches the resource requirement information from among code number resources managed by the blockchain system as a user resource when the code number resource managed by the blockchain system satisfies the resource requirement information;
and the information feedback module is used for feeding back the user resource to the target user so that the target user obtains the user resource, establishes an address authorization relationship of the target user for the code number resource required to be used by the target user in the user resource, and records the established address authorization relationship in the target address authorization relationship of the accounting node.
8. The apparatus of claim 7, wherein the code number resources managed by the blockchain system include resources to be allocated reported by a fourth user; the fourth user is a user who performs resource management by using the RPKI mode, and the resource to be allocated is a code number resource which is not used by the fourth user;
correspondingly, when the target user is a next-level user of the fourth user, the fourth processing module determines, as the user resource, a target code number resource matched with the resource requirement information from the code number resources managed by the blockchain system when the code number resources managed by the blockchain system meet the resource requirement information, including:
and when the resources to be allocated, which are reported by the fourth user, meet the resource demand information, determining the code number resources matched with the resource demand information from the code number resources to be allocated, which are reported by the fourth user, as user resources.
CN202110155904.1A 2021-02-04 2021-02-04 Internet code number resource management method and device Active CN112765203B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110155904.1A CN112765203B (en) 2021-02-04 2021-02-04 Internet code number resource management method and device


Publications (2)

Publication Number Publication Date
CN112765203A CN112765203A (en) 2021-05-07
CN112765203B true CN112765203B (en) 2023-06-30

Family

ID=75704999

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110155904.1A Active CN112765203B (en) 2021-02-04 2021-02-04 Internet code number resource management method and device

Country Status (1)

Country Link
CN (1) CN112765203B (en)


Also Published As

Publication number Publication date
CN112765203A (en) 2021-05-07


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant