Interpretation | How to build an access layer for Alibaba Cloud IoT devices - Alibaba Cloud Developer Community

From: HaaS technology, 2021-08-24

Introduction: there are many kinds of "things", with different application scenarios and costs. For example, a water meter is usually installed outdoors and powered by batteries, so this kind of device has very strict requirements on energy consumption; the backup power supply of a base-station tower is generally installed in the wilderness, so this kind of device has very strict network requirements; a switch has very strict requirements on storage, memory and CPU. Different TSL features lead to different IoT access layers. Let's take a look at what the IoT access layer needs to do.
SOURCE | HaaS Technical Community

1. Preface

Different access layers

Internet products basically all need to solve the problem of terminal access. Each access layer has its own design features, shaped by factors such as the number of terminals, terminal capabilities, and the network environment. For example, Taobao needs to handle massive numbers of short connections, WeChat needs to handle massive numbers of long connections, and both need to cope with mobile networks. What does the Alibaba Cloud IoT access layer need to solve? Before answering this question, let's take a look at the features of the Internet of Things.

Different properties

There are many kinds of "things", with different application scenarios and costs. For example, a water meter is usually installed outdoors and powered by batteries, so this kind of device has very strict requirements on energy consumption; the backup power supply of a base-station tower is generally installed in the wilderness, so this kind of device has very strict network requirements; a switch has very strict requirements on storage, memory and CPU. Different TSL features lead to different IoT access layers. Let's take a look at what the IoT access layer needs to do.

2. What problems does the IoT access layer need to solve?

2.1 Key issues of access layer

  • Protocol selection: HTTP, protobuf, MQTT, CoAP, and private protocols.

  • Network problems: nearby and fast access, tuning of system and TCP/IP kernel parameters, and so on.

How should the IoT access layer handle these device characteristics?

2.2 different solutions for the same problem

  • Security: once all kinds of devices are connected to the Internet, they become more deeply rooted in our lives, which brings greater security challenges. For example, if cars, door locks, or pacemakers come under attack, users' privacy, property and even lives are seriously threatened. In IoT scenarios, many devices are constrained in storage, memory, CPU and network. Therefore, security design cannot simply rely on stronger encryption: constrained devices perform complex encryption and decryption slowly and then cannot transmit data securely in real time. The IoT access layer must consider both security and the compromises that constrained devices require. How can the two needs be balanced?

  • Protocol selection: generally, an access layer selects only one protocol (for example, Taobao's HTTP, DingTalk's lwp, and WeChat's private protocol). IoT, however, needs to support multiple protocols to cover different business scenarios. For example, a business may already have a large number of existing devices that use a private protocol to connect to a self-built platform, but now wants to connect to the Alibaba Cloud IoT platform and use its capabilities (data analysis, monitoring, ecosystem, and so on). In that case Generic Access is a reasonable approach: the private protocol is converted to the standard protocol through a generic protocol adapter, the devices do not need to change, and only an adaptation layer is added on the self-built platform.

3. How to solve these problems? What are the advantages of Alibaba Cloud?

3.1 Security Design

For system design, security is the foundation, but security must not degrade the user experience; a balance between security and experience has to be found. At the same time, low-power devices need their own security considerations. So how does the Alibaba Cloud IoT access layer work?

Core idea: ensure device security through a three-layer protection mechanism and a cloud-side security risk control model.

Three-layer protection mechanism

Layer 1: DDoS protection system

Based on Alibaba Cloud's powerful and professional anti-DDoS protection system, this layer prevents significant economic losses and data leakage in IoT services. For more information, see Anti-DDoS protection.

Layer 2: Channel security

Supports TLS, DTLS, X.509, and ID2 to resolve channel security issues. It also optimizes low-power devices in multiple dimensions.

Note: ID2 is a TLS-like protocol implemented by the Alibaba Cloud security team. Its capability is equivalent to X.509 two-way TLS. In addition to two-way authentication, ID2 reduces the transmission of device certificates, so it is applicable to scenarios that demand a high security level and are sensitive to device traffic.

Layer 3: Device authentication and authorization

The device identity on the Alibaba Cloud IoT platform is called the triple. The identity information is authorized and issued by the platform, and each device is globally unique. When a device connects, it signs its device information with the DeviceSecret; the platform then verifies the signature, lets the device log on to the IoT platform, and thereby ensures the security of the device.

The triple is the combination of ProductKey, DeviceName, and DeviceSecret.

  • ProductKey: a globally unique identifier issued by the IoT platform.

  • DeviceName: the device name, customized or generated by the system when you register a device. It is unique within the product.

  • DeviceSecret: the device key issued by the IoT platform to the device. It is issued as a pair with the DeviceName.

Cloud-integrated security risk control system

To further improve the security level of devices, Alibaba Cloud IoT establishes a security risk control model that issues early warnings and quickly blocks device brute-force authentication and malicious connections, protecting device security. For example, a device keeps authenticating, every attempt fails signature verification, and the signature it uploads differs each time; from these three conditions it can basically be concluded that the device is brute-forcing authentication.
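The following is an added example, not code from the article or from the Alibaba Cloud IoT platform, that puts the two mechanisms above side by side: the device signs its identity with the DeviceSecret (so the secret itself is never sent), and the platform side verifies the signature in constant time and applies the three-condition brute-force rule. The triple values are constructed, and the exact parameter layout fed into HMAC-SHA256 is an assumption for illustration; the platform's documented signing format may differ.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample triple for the example; not real credentials.
SAMPLE_TRIPLE = {
    "productKey": "a1ExampleKey",
    "deviceName": "sensor-001",
    "deviceSecret": "0123456789abcdef0123456789abcdef",
}


def sign_params(params, device_secret):
    """HMAC-SHA256 over the parameters in sorted key order, keyed by DeviceSecret.

    The concatenation layout is an assumption for this example; the principle is a
    MAC keyed by the secret that covers the device identity and a timestamp.
    """
    content = "".join(f"{key}{params[key]}" for key in sorted(params))
    return hmac.new(device_secret.encode(), content.encode(), hashlib.sha256).hexdigest()


def build_auth_request(product_key, device_name, device_secret, timestamp):
    """Device side: send identity plus a signature; DeviceSecret never leaves the device."""
    params = {
        "productKey": product_key,
        "deviceName": device_name,
        "clientId": f"{product_key}.{device_name}",
        "timestamp": str(timestamp),
    }
    return {**params, "sign": sign_params(params, device_secret)}


class AuthServer:
    """Platform side: verify signatures and apply the brute-force rule from the text."""

    def __init__(self, registry, max_failures=3):
        self.registry = registry            # (productKey, deviceName) -> deviceSecret
        self.max_failures = max_failures
        self.failed_signatures = defaultdict(list)
        self.blocked = set()

    def authenticate(self, request):
        key = (request["productKey"], request["deviceName"])
        if key in self.blocked:
            return "blocked"
        secret = self.registry.get(key)
        if secret is None:
            return "unknown-device"
        params = {k: v for k, v in request.items() if k != "sign"}
        expected = sign_params(params, secret)
        # Constant-time comparison so timing does not reveal how much of the MAC matched.
        if hmac.compare_digest(expected, request["sign"]):
            self.failed_signatures.pop(key, None)
            return "ok"
        sigs = self.failed_signatures[key]
        sigs.append(request["sign"])
        # Risk-control rule: the device keeps authenticating, every attempt fails
        # signature verification, and each uploaded signature differs -> brute force.
        if len(sigs) >= self.max_failures and len(set(sigs)) == len(sigs):
            self.blocked.add(key)
            return "blocked"
        return "bad-signature"


def demo():
    t = SAMPLE_TRIPLE
    server = AuthServer({(t["productKey"], t["deviceName"]): t["deviceSecret"]})
    good = build_auth_request(t["productKey"], t["deviceName"], t["deviceSecret"], 1629763200)
    results = [server.authenticate(good)]
    # Constructed bogus signatures standing in for values that do not verify.
    for bogus in ("00deadbeef", "00cafebabe", "000badf00d"):
        results.append(server.authenticate({**good, "sign": bogus}))
    results.append(server.authenticate(good))   # even a valid login is refused once blocked
    return results


if __name__ == "__main__":
    print(demo())
```

The `demo()` run yields `["ok", "bad-signature", "bad-signature", "blocked", "blocked"]`: the third distinct failing signature trips the rule, and the block also covers a subsequent valid login, which is what "fast blocking" implies for a device whose secret may be under attack.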

3.2 Network Optimization

Direct-connection network

Different communication modules and different deployment environments (elevators, underground garages, wilderness) produce all kinds of network differences, which put the connection stability of devices at risk. How does Alibaba Cloud IoT solve these problems? Core idea: connect the device to the nearest access point and provide a stable, high-speed network environment. The Alibaba Cloud IoT access layer is deployed in multiple regions (as shown in the figure in the original article) to give users nearest-point access, and provides a stable and high-speed network environment for devices through BGP networks.

What are the advantages of BGP networks?

  • Remove barriers to north-south access. BGP can "merge" the lines of China Unicom, China Telecom, China Mobile and other operators, making barrier-free communication between North and South China possible. For the access layer, the difference between "China Unicom and China Telecom" disappears, and a site's resources can even be reached nationwide without restriction; no VPN or remote acceleration station is needed to achieve remote reachability.

  • High-speed interconnection. It used to take many routing hops for one line to reach another line; after BGP is implemented, it is like entering the expressway.

Nearest access

First, how does a device reach its nearest access point? There are two cases:

  • The region the device will be used in is known: when the manufacturer builds the device, it already knows where the device will be sold. In this case the nearest region's access address is written directly into the device.

  • The region of the device is not known: at production time it is not clear where the device will be used, so an access address cannot simply be hard-coded. The first thing to resolve is which region the device belongs to. There are two ways to do this. One is to let the user specify the device's location, which is fairly common; for example, Apple products, whether iPhone or iPad, require you to set a location during device initialization. The other is to determine the region from the device's IP address, which can be fully automated without manual intervention. However, because IP inventory data contains some errors, this automation will also sometimes get the location wrong.

What optimizations has Alibaba Cloud IoT made for these two cases?

  • User-specified home location: the location can be set on the device during network configuration, or preset for the device on the Alibaba Cloud IoT platform in advance. Before connecting to the IoT platform, the device only needs to ask the device guide service for the nearest access point address. That looks perfect, but one question remains: where does the device obtain the access point address from? Alibaba Cloud IoT deploys only one center for this, and uses a global device guide service center, acceleration channels, and smart domain names to solve the problem.

  • Automatically determined device location: to reduce errors caused by IP-based determination, Alibaba Cloud IoT lets a product be assigned multiple regions. For example, you can specify that devices may be used in Singapore, Shanghai, and US East; the device's location is then determined dynamically from the IP address plus the configured region set, which significantly improves accuracy.
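As an added example (not code from the article or from the Alibaba Cloud device guide service), the following models the region decision described above: a preset location wins, otherwise the device IP is geolocated but the answer is only accepted if it falls inside the product's configured region set, and anything else falls back to the product's default region. The prefix table, region names, endpoint hostname format and the precedence order are assumptions constructed for the example; the IP blocks are documentation ranges, not real address plans.

```python
import ipaddress

# Constructed IP-to-region table (RFC 5737 documentation ranges, not real inventory).
REGION_PREFIXES = {
    "cn-shanghai": [ipaddress.ip_network("203.0.113.0/25")],
    "eu-central-1": [ipaddress.ip_network("203.0.113.128/25")],
    "ap-southeast-1": [ipaddress.ip_network("198.51.100.0/24")],
    "us-east-1": [ipaddress.ip_network("192.0.2.0/24")],
}

# Assumed endpoint naming scheme for the example; not the platform's real format.
ENDPOINT_TEMPLATE = "{product_key}.iot.{region}.example.invalid"

# Constructed product: allowed to be used in three regions, defaulting to Shanghai.
SAMPLE_PRODUCT = {
    "product_key": "a1ExampleKey",
    "allowed_regions": {"cn-shanghai", "ap-southeast-1", "us-east-1"},
    "default_region": "cn-shanghai",
}


def region_from_ip(ip, prefixes=REGION_PREFIXES):
    """Return the region whose address block contains the IP, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for region, networks in prefixes.items():
        if any(addr in net for net in networks):
            return region
    return None


def resolve_access_point(product, preset_region=None, device_ip=None):
    """Decide which region a device should connect to and why.

    Precedence (an assumption modelled on the text): a user/platform preset location,
    then IP geolocation restricted to the product's allowed region set, then the
    product default. Returns (endpoint, region, reason).
    """
    allowed = product["allowed_regions"]
    default = product["default_region"]
    if preset_region is not None:
        if preset_region in allowed:
            region, reason = preset_region, "user-preset"
        else:
            region, reason = default, "preset-not-allowed"
    elif device_ip is not None:
        guessed = region_from_ip(device_ip)
        if guessed in allowed:
            region, reason = guessed, "ip-in-allowed-set"
        else:
            # IP inventory can be wrong; never route a device to a region the product
            # was not configured for. Fall back to the default instead.
            region, reason = default, "ip-unresolved-or-not-allowed"
    else:
        region, reason = default, "default"
    endpoint = ENDPOINT_TEMPLATE.format(product_key=product["product_key"], region=region)
    return endpoint, region, reason


if __name__ == "__main__":
    print(resolve_access_point(SAMPLE_PRODUCT, preset_region="us-east-1"))
    print(resolve_access_point(SAMPLE_PRODUCT, device_ip="198.51.100.7"))
    print(resolve_access_point(SAMPLE_PRODUCT, device_ip="203.0.113.200"))
```

The third call is the interesting one: the IP resolves to a region that exists but that the product was never set up for, and the resolver treats that the same as an unknown IP rather than trusting the geolocation blindly.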

Network optimization for areas not covered by a region

  • Alibaba Cloud IoT deploys multiple regions so that devices can connect to the nearest one. However, the number of regions is limited (deploying a region is expensive), which leaves network problems in some remote areas unsolved. IoT access addresses this by deploying front nodes and intelligent dynamic routing. For example, a front access point of IoT (not a whole region) is deployed in the data center nearest to the remote area; devices log on to the specified region through the proxy at the front access point, and an acceleration channel between the front access point and the specified region solves the network problems of devices in these remote areas.

Edge Gateway

What problems arise when a gateway device has many sub-devices?

  • There are 10 thousand sub-devices under the gateway, and each sub-device reports data regularly. What should be done?

  • The 100,000 (10W) sub-devices under the gateway have to disconnect and reconnect because the gateway went offline. How can the sub-devices be brought back online quickly?

Solution for massive data reporting

Core technical points of the Alibaba Cloud IoT gateway:

  • Multi-channel: a gateway has multiple physical TCP connections, and each physical connection is equivalent. The gateway can send or receive data over any of them.

  • Sub-device virtual connection: the gateway logs the sub-device on by proxy, and each sub-device corresponds to a virtual connection session.

  • Sub-devices treated the same as directly connected devices: the server treats a sub-device and a directly connected device alike; the only difference is that a directly connected device has its own channel while a sub-device shares a physical channel. This design simplifies all kinds of O&M operations on devices.

The multi-channel solution solves the problem of massive data reporting and channel hotspot of the Gateway, and also solves the problem of channel disaster recovery.

Virtual connection solves the problem of sub-device Channel reuse, and does not need to establish a TCP connection for each sub-device.

By treating sub-devices the same as directly connected devices, the various O&M complexities are resolved: a sub-device is equivalent to a directly connected device.

Solution to slow logon of sub-devices

Core idea: optimize login speed, reduce the number of offline events, delay the offline decision, and use an incremental synchronization strategy.

Business scenario: different policies can be adopted for different numbers of sub-devices. For example, if there are fewer than 1,000 sub-devices, it is enough to just increase the login speed. If there are more than 100,000 sub-devices, we recommend combining several policies, defined according to how sensitive the service is to device status. For example, if it does not matter to the service that all sub-devices go offline, we recommend that the gateway handle it simply; either serial or parallel batch logon is acceptable.

Optimization policy:

  • Improved logon speed: batch logon is used.

  • Fewer gateway offline events: the gateway offline condition must be defined precisely. The gateway is considered disconnected only when all of its channels are disconnected, so the multi-channel mode reduces the number of times the gateway goes offline.

  • Delayed offline time + incremental synchronization policy: the server disconnects all sub-devices only after the gateway has been offline for a period of time. If the gateway logs in again within that period, it only needs to log on or off the sub-devices whose state changed during that period.
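To make the three policies concrete, here is an added example (not code from the article or from the Alibaba Cloud IoT platform) of the server-side session state for one gateway: the gateway counts as offline only when its last physical channel drops, sub-device sessions survive a grace window, and a reconnecting gateway synchronizes only the delta. The class name, grace period, event times and sub-device ids are all constructed for the example; time is passed in explicitly so the scenario is deterministic.

```python
class GatewaySession:
    """Server-side view of one gateway: its physical channels and sub-device sessions."""

    def __init__(self, gateway_id, grace_seconds=30):
        self.gateway_id = gateway_id
        self.grace_seconds = grace_seconds
        self.channels = set()       # live physical TCP connections of this gateway
        self.subdevices = set()     # sub-devices with an open virtual session
        self.offline_since = None   # time the last physical channel dropped, if any

    @property
    def online(self):
        return bool(self.channels)

    def channel_up(self, channel_id, now):
        """A physical channel connected. Returns 'resumed' if within the grace window."""
        self.channels.add(channel_id)
        if self.offline_since is None:
            return "connected"
        within_grace = now - self.offline_since <= self.grace_seconds
        self.offline_since = None
        if within_grace:
            return "resumed"        # sub-device sessions were kept; only a delta is needed
        self.subdevices.clear()     # grace expired before tick() ran: treat as a cold start
        return "connected"

    def channel_down(self, channel_id, now):
        """A physical channel dropped. The gateway is offline only when none remain."""
        self.channels.discard(channel_id)
        if not self.channels and self.offline_since is None:
            self.offline_since = now
        return self.online

    def tick(self, now):
        """Periodic sweep: once the grace period has passed, drop every sub-device session."""
        if self.offline_since is None or now - self.offline_since <= self.grace_seconds:
            return 0
        dropped = len(self.subdevices)
        self.subdevices.clear()
        self.offline_since = None
        return dropped

    def sync(self, reported_online):
        """Incremental synchronization: log on/off only sub-devices whose state changed."""
        reported = set(reported_online)
        to_login = reported - self.subdevices
        to_logout = self.subdevices - reported
        self.subdevices |= to_login
        self.subdevices -= to_logout
        return len(to_login), len(to_logout)


def demo():
    """Constructed scenario: two channels, five sub-devices, one short and one long outage."""
    gw = GatewaySession("gw-001", grace_seconds=30)
    gw.channel_up("ch-A", now=0)
    gw.channel_up("ch-B", now=0)
    initial = gw.sync({f"sub-{i}" for i in range(5)})        # proxy logon of 5 sub-devices
    still_online = gw.channel_down("ch-A", now=50)          # ch-B still carries traffic
    gw.channel_down("ch-B", now=100)                        # now the gateway is really offline
    state = gw.channel_up("ch-A", now=110)                  # back after 10 s, inside the grace window
    kept = len(gw.subdevices)
    delta = gw.sync({"sub-0", "sub-1", "sub-2", "sub-3", "sub-9"})  # one left, one arrived
    gw.channel_down("ch-A", now=200)
    dropped = gw.tick(now=240)                              # 40 s > grace: sessions torn down
    gw.channel_up("ch-B", now=250)
    fresh = gw.sync({f"sub-{i}" for i in range(5)})         # cold start: everything logs on again
    return {"initial": initial, "still_online": still_online, "state": state,
            "kept": kept, "delta": delta, "dropped": dropped, "fresh": fresh}


if __name__ == "__main__":
    print(demo())
```

In the short outage the gateway reconnects after 10 seconds and only one logon and one logoff are needed instead of five of each; in the long outage the sweep tears everything down and the next connection is a full batch logon, which is the serial-or-parallel batch case the text describes.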

Other optimization points

The Alibaba Cloud IoT access layer has made many targeted optimizations at the application layer, as well as to the system kernel, CPU, NIC, and TCP memory parameters; intermediate network devices such as routers have also been specially optimized.

3.3 Architecture Design

For protocol selection, Alibaba Cloud IoT adopts a standardization strategy: standards solve the communication problem between devices and lower the cost of understanding the device access platform. Standards have many advantages, which will not be listed one by one here. This section describes how the access layer adapts to the various standard protocols, how a system release can be made imperceptible to devices, and how each device achieves high availability at the connection layer and the protocol layer.

Protocol layer and access layer adaptation

Core idea: separate the access layer from the protocol layer, so that the access layer stays purer and the protocol layer can support more capabilities. What does "purer" mean for the access layer, and what are the extra capabilities of the protocol layer?

  • The access layer is purer: it supports only access, including basic network optimization, intelligent routing, TLS offloading, certificate management, and rate limiting; no business features. Without business features, the access layer changes less often, and with fewer changes it is more stable.

  • The standard protocol layer supports more capabilities: these are the various business features at the protocol layer, including the extensibility of the protocol itself. Business features include logical isolation of instances, limits on instance specifications, and protocol extensions.

The two-layer separation mechanism enables more stable access and faster iterative business development.

3.4 Connection high availability

Common high-availability policies: replicas, isolation, and failover. Replicas are the most commonly used method; for a connection, a replica means establishing multiple channels for each device, which applies when the same device has multiple communication modules (such as 4G + Wi-Fi). What is the current strategy of Alibaba Cloud IoT? Isolation + failover:

  • Physical isolation of connection instances: a connection-type instance is provided, allowing devices to have physical resources to themselves and physically isolating the instance's connections.

  • Device retry (failover): SDKs are provided that support fast reconnection of devices, with exponential backoff for reconnection attempts, so that continuous reconnection caused by a service problem does not exhaust the device's resources.

  • One dedicated channel per device (isolation + failover): device <--> access layer <--> protocol layer correspond one to one. The purpose is that the connections of different devices do not affect each other, and all messages in a connection channel are isolated from one another. Failover is also supported between the access layer and the protocol layer: for example, when an application is published at the protocol layer, the access layer automatically re-establishes the one-to-one channel to another protocol-layer instance, and the device notices nothing.
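The reconnection policy in the second bullet is easy to get wrong (a fixed retry interval turns a service hiccup into a self-inflicted flood), so here is an added example, not code from the article or from any Alibaba Cloud SDK, of a reconnect loop with a capped exponential backoff and optional full jitter. The base delay, cap, factor and attempt limit are constructed values; `connect` is a caller-supplied callable and `sleep` is injectable so the loop can be exercised without waiting.

```python
import random
import time


def backoff_schedule(attempts, base=1.0, cap=120.0, factor=2.0, rng=None):
    """Delay before each retry: base * factor**n, capped, with optional full jitter.

    With an rng, each delay is drawn uniformly from [0, ceiling] so that a fleet of
    devices that lost the same gateway does not reconnect in lockstep (constructed
    defaults; a real SDK would tune base/cap to the device's power budget).
    """
    delays = []
    for n in range(attempts):
        ceiling = min(cap, base * factor ** n)
        delays.append(rng.uniform(0, ceiling) if rng is not None else ceiling)
    return delays


def reconnect(connect, max_attempts=6, rng=None, sleep=time.sleep):
    """Call connect() until it returns True, backing off between attempts.

    Returns (succeeded, attempts_used, total_wait_seconds).
    """
    delays = backoff_schedule(max_attempts - 1, rng=rng)  # no wait after the final attempt
    total_wait = 0.0
    for attempt in range(1, max_attempts + 1):
        if connect():
            return True, attempt, total_wait
        if attempt < max_attempts:
            delay = delays[attempt - 1]
            sleep(delay)
            total_wait += delay
    return False, max_attempts, total_wait


def flaky_connect(succeed_on):
    """Constructed stand-in for an SDK connect(): fails until call number `succeed_on`."""
    calls = {"n": 0}

    def connect():
        calls["n"] += 1
        return calls["n"] >= succeed_on

    return connect


def demo():
    no_sleep = lambda seconds: None
    recovered = reconnect(flaky_connect(succeed_on=4), sleep=no_sleep)
    gave_up = reconnect(flaky_connect(succeed_on=99), sleep=no_sleep)
    jittered = reconnect(flaky_connect(succeed_on=4), rng=random.Random(7), sleep=no_sleep)
    return recovered, gave_up, jittered


if __name__ == "__main__":
    print(demo())
```

Without jitter the waits before attempts 2, 3 and 4 are 1, 2 and 4 seconds (7 seconds total); giving up after six attempts costs 1+2+4+8+16 = 31 seconds of waiting, and the cap keeps later attempts from growing without bound. With jitter the total varies but never exceeds the un-jittered schedule.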

4. End

The IoT access layer involves many technical points; the above is a brief introduction to the three core issues. The key points will be covered in future articles: for example, how is the device SDK designed? What are the technical details of the unified access layer? How is the high availability of the entire access layer guaranteed?
