CN1300721C - Method for realizing peer-to-peer network system architecture - Google Patents

Info

Publication number: CN1300721C
Authority: CN (China)
Prior art keywords: entity, peer, entities, online, network
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Expired - Fee Related
Application number: CNB021134928A
Other languages: Chinese (zh)
Other versions: CN1447256A (en)
Inventor: 鄢萍, 刘飞, 贺德强
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.): CHONGQING HAITEKE SYSTEM INTEGRATION Co Ltd, Chongqing University
Original Assignee: CHONGQING HAITEKE SYSTEM INTEGRATION Co Ltd, Chongqing University
Application filed by: CHONGQING HAITEKE SYSTEM INTEGRATION Co Ltd, Chongqing University
Priority to: CNB021134928A
Publication of: CN1447256A
Application granted
Publication of: CN1300721C

Abstract

A method for implementing a peer-to-peer network architecture. The peer-to-peer network in this architecture is built on top of the TCP/IP protocol: abstract peer entities form a logical network with no hierarchy, in which all entities have completely equal status. Each entity acts both as a server providing services to other entities and as a client using the services that other entities provide. An entity is realized concretely as a specific software instance running on a computer or as a dedicated information terminal device. The method achieves a lightly loaded peer-to-peer network structure with no central switch or central server, both in ordinary networks and in networks with firewalls or NAT routers. Once any entity of this type connects to the network and passes authentication, it can immediately learn whether other related entities are online and notify the entities already online that it is now online.

Figure 02113492

Description

A Method for Implementing a Peer-to-Peer Network Architecture

1. Technical Field

The invention relates to the field of network and communication technology, and in particular to a method for implementing a peer-to-peer network architecture.

2. Background Art

A peer-to-peer network (P2P, peer-to-peer) is a technology for exchanging data or services directly between different PC users without going through a server. It allows Internet users to use each other's resources directly or to communicate directly. Each networked user can connect directly to other users' computers and exchange data, without first connecting to a server to browse and download. Because the intermediate step is eliminated, peer-to-peer technology makes communication over the network faster and more direct.

Software that currently implements peer-to-peer technology includes Napstere and ICQ abroad, and OICQ and Ezpeer in China. Ezpeer works as follows. First, every user who has installed the Ezpeer software logs in to the Ezpeer server, so the server knows which files each computer stores. When a user connects to the Internet, that user can see all other connected users running the software and the information they share. When the user enters a search keyword, the Ezpeer server looks up the other computers that store matching files and shows them in the user's search results, and the user can then download the required data directly from those users' computers. The data itself is transferred only between the users' computers and does not pass through the Ezpeer server, but the connection between users is not direct: a central server is needed to coordinate it.

Some related inventions already exist, but they differ fundamentally from the present invention. For example, the invention patent "System and method for secure peer-to-peer communication between downloaded programs" (publication number: 1163433) is a system and method for establishing a peer-to-peer communication link between computer programs that come from the same security domain but run on a first and a second computer. The link is established as follows: the first computer program, running on the first computer, sends a message to the second computer requesting a peer-to-peer communication link. When the second computer receives the message, it determines whether a second computer program that meets the predetermined conditions for establishing the link is running on it; if so, the second computer sends the first computer a reply accepting the request. When the first computer receives the reply, the requested peer-to-peer communication link between the first and second computer programs is established. In practice, the peer-to-peer software and methods described above are implemented either in ASP fashion through a telecommunications company's P2P server, or by the enterprise setting up its own P2P server in the telecommunications company's IDC. They are therefore not fully peer-to-peer: they only reduce the load on the server and cannot do without it entirely, they cannot traverse firewalls and NAT routers, and they also have trust and security problems.

3. Summary of the Invention

To address the above shortcomings of the prior art, the invention proposes a method for implementing a peer-to-peer network architecture. The technical solution adopted to solve the technical problem is as follows:

The peer-to-peer network in this architecture is built on top of the TCP/IP protocol: abstract peer entities form a logical network with no hierarchy, in which all entities have completely equal status. Each entity acts both as a server providing services to other entities and as a client using the services that other entities provide. An entity is realized concretely as a specific software instance running on a computer or as a dedicated information terminal device.

The steps for establishing a peer-to-peer network between entities are as follows:
(1) Entity A, newly connected to the network, sends through a UDP port a notification that entity A is online to entity B, one of the entities in A's own list of online entities.
(2) Entity B, on receiving the notification, returns a response to entity A confirming receipt, and at the same time sends it a data packet containing the names of all online entities that entity B knows of.
(3) Entity A adds the received list to its own list of online entities.
(4) Entity B adds entity A to its own list of online entities.
(5) Entity A selects the next online entity from its list of online entities and repeats the above four steps, until it has completed this exchange with all online entities.

The steps for communication between network entities are as follows:
(1) When entity A needs to communicate with entity B, entity A sends entity B a communication request.
(2) Entity B, on receiving the request, returns a response to entity A confirming receipt.
(3) Entity A and entity B negotiate which of them acts as the server and which as the client. The selection rule is: if entity A and entity B are in the same transparent network environment with no firewall separating them, entity B acts as the server and entity A as the client; if one and only one of the entities is behind a firewall, the entity not behind a firewall acts as the server and the entity behind the firewall acts as the client; if both are behind firewalls and belong to different firewalls, an entity C that is not behind a firewall is requested to act as a service proxy, entity B acts as the server with its service proxied by entity C, and entity A acts as the client.
(4) Entity B and entity A communicate in server and client fashion.
(5) When the content has been transferred, entity A initiates a request to tear down the service, entity B responds, and the communication ends.

The method achieves a lightly loaded peer-to-peer network structure with no central switch or central server, both in ordinary networks and in networks with firewalls or NAT routers. Once any entity of this type connects to the network and passes authentication, it can immediately learn whether other related entities are online and notify the entities already online that it is now online. Networked enterprises and users can thus exchange information and share resources securely.

The invention creates a secure peer-to-peer network architecture by combining three elements: authentication, authorization and encryption. Authentication involves peers in a network (such as the Internet) authenticating themselves to other peers. Authorization involves granting an authenticated entity permission to perform certain actions or access certain resources; in a P2P application, a peer may be authenticated as being allowed to access only part of another peer's resources. Encryption involves converting intelligible information into a form that is unintelligible to unauthorized individuals and systems, and decryption is the reverse of this process. Encryption protects information flowing between peers over an insecure network (such as the Internet); combined with secure authentication of each peer, it ensures that exchanged data cannot be eavesdropped on in transit. If the information is digitally signed or has a MAC (message authentication code) added to it, both parties can also be sure that it has not been modified.

4. Description of the Drawings

The invention is further described below with reference to the drawings and an embodiment.

Fig. 1 is a schematic diagram of establishing a peer-to-peer network between network entities in the invention.

Fig. 2 is a flow chart of end-to-end communication based on the proprietary protocol in the invention.

Fig. 3 is a flow chart of the communication process between network entities behind different firewalls in the invention.

5. Detailed Description of the Embodiments

The steps for establishing a peer-to-peer network between entities (peers) are shown in Fig. 1:
(1) Entity A, newly connected to the network, sends through a UDP port a notification that entity A is online to entity B, one of the entities in its list of online entities.
(2) Entity B, on receiving the notification, returns a response to entity A confirming receipt and asking entity A to authenticate entity B, and at the same time sends it a data packet containing the names of all online entities that entity B knows of. During authentication, entity A and entity B both use a shared key to exchange secret information.
(3) After entity A has authenticated entity B, it adds the received list to entity A's list of online entities and asks entity B to authenticate entity A.
(4) After entity B has authenticated entity A, it adds entity A to its own list of online entities and authorizes entity A to access certain resources by assigning privileges to entity A.
(5) Before any further communication takes place, the two peers can negotiate encryption of the channel between them. Entity A then selects the next online entity from its list of online entities and repeats the above four steps, until it has completed the peer-to-peer network connection with all online entities.
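The join procedure above, as an added example that is not part of the patent: an in-memory simulation (function calls stand in for the UDP messages) in which each side proves possession of the shared key with an HMAC over the other side's fresh nonce, and a peer's list is merged only after that peer has authenticated. The HMAC construction, the `Entity` class, the privilege string and the sample peers are assumptions made for illustration; the patent does not specify them.

```python
import hashlib
import hmac
import secrets


def proof(key: bytes, nonce: bytes, prover: str, verifier: str) -> bytes:
    """HMAC over the verifier's fresh nonce, bound to both names so a
    proof cannot be replayed in the opposite direction."""
    msg = nonce + b"|" + prover.encode() + b">" + verifier.encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class Entity:
    def __init__(self, name, key, online=()):
        self.name, self.key = name, key
        self.online = set(online)   # the "list of online entities"
        self.privileges = {}        # peer -> resources granted in step (4)
        self._pending = {}          # peer -> nonce we challenged it with

    def on_notify(self, peer, peer_nonce):
        """Step (2): acknowledge, prove ourselves, send our list and a challenge."""
        self._pending[peer] = secrets.token_bytes(16)
        return {"proof": proof(self.key, peer_nonce, self.name, peer),
                "online": sorted(self.online),
                "nonce": self._pending[peer]}

    def on_proof(self, peer, tag):
        """Step (4): authenticate the newcomer before listing or authorizing it."""
        nonce = self._pending.pop(peer, None)
        if nonce is None:
            return False
        if not hmac.compare_digest(proof(self.key, nonce, peer, self.name), tag):
            return False
        self.online.add(peer)
        self.privileges[peer] = {"shared-folder:read"}   # hypothetical privilege
        return True


def handshake(a, b):
    """Steps (1)-(4) between joining entity a and online entity b."""
    nonce_a = secrets.token_bytes(16)                # step (1): "A is online"
    reply = b.on_notify(a.name, nonce_a)             # step (2)
    expected = proof(a.key, nonce_a, b.name, a.name)
    if not hmac.compare_digest(expected, reply["proof"]):
        return False                                 # B not authenticated: discard its list
    a.online |= set(reply["online"]) - {a.name}      # step (3)
    return b.on_proof(a.name, proof(a.key, reply["nonce"], a.name, b.name))


def join(a, network):
    """Step (5): repeat the handshake with every entity A learns about."""
    contacted, rejected = set(), set()
    while True:
        todo = a.online - contacted - rejected - {a.name}
        if not todo:
            break
        name = min(todo)                             # deterministic order for the demo
        peer = network.get(name)                     # None models an unreachable peer
        if peer is not None and handshake(a, peer):
            contacted.add(name)
        else:
            rejected.add(name)
    a.online -= rejected
    return contacted, rejected


def demo():
    # Constructed sample network; E does not hold the network's shared key.
    key, other_key = b"constructed-shared-key", b"some-other-key"
    net = {"B": Entity("B", key, {"C"}),
           "C": Entity("C", key, {"B", "D", "E"}),
           "D": Entity("D", key, {"C"}),
           "E": Entity("E", other_key, {"Z"})}
    a = Entity("A", key, {"B"})
    contacted, rejected = join(a, net)
    return a, net, contacted, rejected


if __name__ == "__main__":
    a, net, contacted, rejected = demo()
    print(sorted(contacted), sorted(rejected), sorted(a.online))
```

Starting from a list containing only B, entity A reaches C and D transitively, while the list advertised by E is never merged because E fails authentication.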

Content exchanged between peer entities is verified with a mechanism based on digital signatures. The process is: (1) as shown in Fig. 1, entity A and entity B establish a secure connection; (2) once the channel is established, entity A requests a piece of content from entity B. If entity B created the content, it digitally signs it before sending it; if entity B is only publishing content created elsewhere, the content has already been signed; (3) after entity A receives the content, it verifies the digital signature attached to it.

The proprietary protocol built on TCP/IP that the invention proposes (Firewall Special Protocol, FSP) allows entities behind a firewall to run all kinds of end-to-end applications without restriction. Its core technique is the re-encapsulation of TCP/IP packets. The end-to-end communication process based on this protocol is as follows. As shown in Fig. 2, an application on entity A, located outside the firewall, first sends a network request to entity B, located inside the firewall. After passing through the network layer, the packet is processed by the local FSP software, which encodes and encapsulates it as an HTTP packet and sends it into the HTTP/TCP/IP channel, where it passes through the firewall on port 80 and reaches entity B. At entity B, the packet is first delivered through the HTTP/TCP/IP channel to the FSP software, which decodes it and inserts it into the entity's network protocol stack; it finally reaches entity B's application just as if it had not passed through a firewall. In FSP, every TCP/IP packet takes the form of an HTTP GET request or of a response to a GET request, so passing through the firewall causes no compatibility problems. The IP packet is MIME-encoded to become the HTTP message body, and the TCP header information is parsed and encoded into the HTTP header information. A packet is defined as a bundle of arbitrary size consisting of an envelope and a body. The envelope has a standard format, which includes: a header, source endpoint information (in URI format), destination endpoint information (in URI format) and a message digest (for security purposes). The message body is of arbitrary length and contains an optional credential (for security purposes) and the content.
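One way the encapsulation and envelope check described above could look, as an added example rather than the patent's own wire format: a raw packet is wrapped in an HTTP GET, and the receiver validates the envelope before handing the packet on. The `X-FSP-*` header names, the `/fsp` path, the `fsp://` URIs, SHA-256 as the digest and the sample packet are all assumptions.

```python
import base64
import binascii
import hashlib
from urllib.parse import urlsplit

# Envelope fields the receiver insists on (header names are hypothetical).
REQUIRED = ("x-fsp-source", "x-fsp-destination", "x-fsp-digest", "content-length")
PREFIX = "x-fsp-tcp-"


class FSPError(ValueError):
    """Raised when a message is not a well-formed, intact envelope."""


def _clean(value) -> str:
    text = str(value)
    if "\r" in text or "\n" in text:
        raise FSPError("CR/LF in header value")   # would smuggle extra headers
    return text


def encapsulate(packet: bytes, src_uri: str, dst_uri: str, tcp: dict) -> bytes:
    """Wrap one raw packet as an HTTP GET: envelope in headers, packet in body."""
    body = base64.b64encode(packet)               # MIME-style body encoding
    headers = [
        ("Host", urlsplit(dst_uri).netloc),
        ("X-FSP-Source", src_uri),
        ("X-FSP-Destination", dst_uri),
        ("X-FSP-Digest", hashlib.sha256(packet).hexdigest()),
        *[(f"X-FSP-TCP-{k}", v) for k, v in tcp.items()],
        ("Content-Transfer-Encoding", "base64"),
        ("Content-Length", len(body)),
    ]
    head = "GET /fsp HTTP/1.1\r\n" + "".join(
        f"{_clean(k)}: {_clean(v)}\r\n" for k, v in headers)
    return head.encode("ascii") + b"\r\n" + body


def decapsulate(message: bytes):
    """Validate the envelope, then return (packet, source, destination, tcp fields)."""
    head, sep, body = message.partition(b"\r\n\r\n")
    if not sep:
        raise FSPError("no header/body separator")
    request_line, *header_lines = head.decode("ascii", "replace").split("\r\n")
    if not request_line.startswith("GET "):
        raise FSPError("not a GET request")
    fields = {}
    for line in header_lines:
        name, colon, value = line.partition(":")
        if not colon:
            raise FSPError(f"malformed header line: {line!r}")
        fields[name.strip().lower()] = value.strip()
    missing = [h for h in REQUIRED if h not in fields]
    if missing:
        raise FSPError(f"missing envelope fields: {missing}")
    if fields["content-length"] != str(len(body)):
        raise FSPError("Content-Length does not match body")
    try:
        packet = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise FSPError("body is not valid base64") from exc
    if hashlib.sha256(packet).hexdigest() != fields["x-fsp-digest"]:
        raise FSPError("digest mismatch: packet altered in transit")
    tcp = {k[len(PREFIX):]: v for k, v in fields.items() if k.startswith(PREFIX)}
    return packet, fields["x-fsp-source"], fields["x-fsp-destination"], tcp


def rejects(fn, *args) -> bool:
    """True when fn(*args) is refused with FSPError."""
    try:
        fn(*args)
    except FSPError:
        return True
    return False


def demo() -> dict:
    packet = bytes(range(48))                     # constructed stand-in for a raw packet
    msg = encapsulate(packet, "fsp://a.example/app", "fsp://b.example:80/app",
                      {"Sport": 40000, "Dport": 7000, "Seq": 1})
    out, src, dst, tcp = decapsulate(msg)
    head, _, _ = msg.partition(b"\r\n\r\n")
    altered = head + b"\r\n\r\n" + base64.b64encode(bytes(48))  # same length, new content
    bad_uri = "fsp://a.example/app\r\nX-FSP-Digest: 0"
    return {"roundtrip": out == packet, "src": src, "dst": dst, "tcp": tcp,
            "altered_rejected": rejects(decapsulate, altered),
            "crlf_rejected": rejects(encapsulate, packet, bad_uri, dst, {})}


if __name__ == "__main__":
    print(demo())
```

An unkeyed digest only detects corruption: whoever can rewrite the body can also recompute it, which is why the description pairs integrity with a MAC or a digital signature.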

The specific embodiment of the invention is an application in networked collaborative product development. As shown in Fig. 3, enterprise 1 and enterprise 2 have each set up their own local area network, connected to the external wide area network through a firewall. Computer A and computer B, on which application software implementing the FSP protocol is installed, belong to LAN 1 and LAN 2 respectively. Computer A and computer B establish the peer-to-peer network architecture according to the method of the invention: because both are behind firewalls and belong to different firewalls, computer A requests a networked computer C that is not behind a firewall to act as a service proxy; computer B acts as the server, with its service proxied by computer C, and computer A acts as the client. Computer B and computer A then carry out peer-to-peer communication in server and client fashion. Once the communication between computer A and computer B is established, the users on both sides only need to save or drag their design documents into the local shared folder during collaborative product design, and the other party can access those files; the users on both sides can also communicate online in real time. The departments and business partners of enterprise 1 and enterprise 2 can all establish peer-to-peer network relationships by the above method and directly share and transfer data, files, information, code or multimedia information without going through a server.

Claims (1)

1. A method for implementing a peer-to-peer network architecture, in which the peer-to-peer network is built on top of the TCP/IP protocol; abstract peer entities form a logical network with no hierarchy, in which all entities have completely equal status; each entity acts both as a server providing services to other entities and as a client using the services that other entities provide; and an entity is realized concretely as a specific software instance running on a computer or as a dedicated information terminal device; characterized in that:

I. The steps for establishing a peer-to-peer network between entities are as follows:
(1) Entity A, newly connected to the network, sends through a UDP port a notification that entity A is online to entity B, one of the entities in its own list of online entities;
(2) Entity B, on receiving the notification, returns a response to entity A confirming receipt, and at the same time sends it a data packet containing the names of all online entities that entity B knows of;
(3) Entity A adds the received list to its own list of online entities;
(4) Entity B adds entity A to its own list of online entities;
(5) Entity A selects the next online entity from its list of online entities and repeats the above four steps, until it has completed this exchange with all online entities;

II. The steps for communication between network entities are as follows:
(1) When entity A needs to communicate with entity B, entity A sends entity B a communication request;
(2) Entity B, on receiving the request, returns a response to entity A confirming receipt;
(3) Entity A and entity B negotiate which of them acts as the server and which as the client, the selection rule being: if entity A and entity B are in the same transparent network environment with no firewall separating them, entity B acts as the server and entity A as the client; if one and only one of the entities is behind a firewall, the entity not behind a firewall acts as the server and the entity behind the firewall acts as the client; if both are behind firewalls and belong to different firewalls, an entity C that is not behind a firewall is requested to act as a service proxy, entity B acts as the server with its service proxied by entity C, and entity A acts as the client;
(4) Entity B and entity A communicate in server and client fashion;
(5) When the content has been transferred, entity A initiates a request to tear down the service, entity B responds, and the communication ends.
CNB021134928A 2002-03-21 2002-03-21 Method for realizing peer-to-peer network system architecture Expired - Fee Related CN1300721C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB021134928A CN1300721C (en) 2002-03-21 2002-03-21 Method for realizing peer-to-peer network system architecture

Publications (2)

Publication Number Publication Date
CN1447256A CN1447256A (en) 2003-10-08
CN1300721C true CN1300721C (en) 2007-02-14

Family

ID=28048578

Country Status (1)

Country Link
CN (1) CN1300721C (en)


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20070214

Termination date: 20130321