WO2011041963A1 - Method, apparatus and system for controlling user to access network - Google Patents


Info

Publication number
WO2011041963A1
Authority
WO
WIPO (PCT)
Prior art keywords
node
network
user
data packet
access
Prior art date
Application number
PCT/CN2010/075908
Other languages
French (fr)
Chinese (zh)
Inventor
张世伟
符涛
许志军
Original Assignee
中兴通讯股份有限公司
Priority date
Filing date
Publication date
Application filed by 中兴通讯股份有限公司
Publication of WO2011041963A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/08 Access security
    • H04W 12/084 Access security using delegated authorisation, e.g. open authorisation [OAuth] protocol

Definitions

  • the present invention relates to the field of communication technologies, and in particular to a method and system for controlling a user's access to a network node in an identity identification and location separation network, under the framework of such networks.
  • the IP address in the Transmission Control Protocol/Internet Protocol (TCP/IP) suite widely used in the existing Internet has a dual function: it serves as the location identifier of the communicating host's network-layer interface in the network topology, and also as the identity of the host's network interface at the transport layer.
  • host mobility was not considered when the TCP/IP protocol was designed. As host mobility becomes more prevalent, the defects of this semantic overload of IP addresses become increasingly apparent.
  • when the IP address of a host changes, not only the route changes but also the identity of the communicating host. This makes the routing load heavier and heavier, and the change of the host identity causes applications and connections to be interrupted.
  • the purpose of identity and location separation is to solve the problems of IP address semantic overload, heavy routing load, security and so on by separating the dual functions of the IP address, so as to support mobility, multi-homing and dynamic reallocation of IP addresses, to mitigate the routing load, and to support mutual access between different network areas in the next generation Internet.
  • ZTE proposes an identity and location separation network architecture.
  • the user identity and location separation network is simply referred to as SILSN (Subscriber Identifier & Locator Separation Network).
  • SILSN Subscriber Identifier & Locator Separation Network
  • LIN legacy Internet Network
  • the SILSN is composed of an Access Service Node (ASN), a User Equipment (UE), an Identity & Location Register (ILR), an Inter-working Service Node (ISN) and other components, where:
  • ASN Access Service Node
  • UE User Equipment
  • ILR Identity & Location Register
  • ISN Inter-working Service Node
  • the ASN is used to implement the access of the user terminal and bear the functions of charging and switching.
  • the ILR is responsible for the location registration and identity of the user.
  • the ISN is used to communicate with the traditional Internet.
  • the ISN and the ASN can also be deployed on the same physical node.
  • UE1 is a traditional Internet user and UE2 is a user of SILSN.
  • the network composed of network nodes such as ASN, ILR, and ISN is called the core network of SILSN (also called backbone network).
  • the LIN network and the SILSN core network coexist in the communication system.
  • when a user in the LIN network sends data to an external network, the data packets sent by the user terminal UE1 in the LIN can be divided into the following two types according to their final destination:
  • the first type is a LIN user accessing a SILSN user, such as UE1->UE2, which is the most common access mode;
  • this type of packet is sent to a SILSN user, that is, its final destination is outside the SILSN core network.
  • for this type of packet, the network nodes in the core network only encapsulate and forward, and do not analyze the actual content of the data packets. Therefore, the first type of data packet has no significant impact on the performance or the security of the SILSN core network nodes;
  • the second type is a traditional Internet LIN user accessing a network node within the SILSN core network, that is, the final destination is a network node within the SILSN core network, such as UE1->ASN2.
  • This method is mainly for the remote management and diagnosis of the SILSN network.
  • the administrator of the SILSN may not be within the coverage area of the SILSN; for example, the administrator may be away on vacation. If the SILSN then fails, the SILSN core network node must be accessible via the LIN;
  • since the final destination of the data packet sent by the SILSN administrator is a network node in the core network, that network node not only needs to parse the packet's content but also performs corresponding processing according to it, such as modifying configuration, fault diagnosis, testing and control. These operations have a great impact on the normal operation of the SILSN network. Once a malicious user in the LIN impersonates the SILSN administrator and takes control, the SILSN network is seriously affected. Therefore, the LIN user must be strictly authenticated, and the user's behaviour must be limited according to the user's permissions.
  • the SILSN administrator is referred to as the administrator below. That is to say, the administrators mentioned in this document are administrators of SILSN, and do not include administrators of other networks such as LIN.
  • in order to protect the security of the SILSN core network, the SILSN only provides interworking between SILSN users and LIN users, and prohibits LIN users from accessing network nodes in the core network such as the ASN, ILR and ISN; however, there is currently no method for preventing LIN users from accessing network nodes in the SILSN core network.
  • Summary of the invention
  • Embodiments of the present invention provide a method, apparatus, and system for controlling user access to a network, which can protect the security of the identity identification and the location separation network.
  • the present invention provides a method of controlling user access to a network, which includes:
  • the node for access control receives a data packet with which a user accesses a network node in the identity identification and location separation network;
  • the destination address and the destination port of the data packet are obtained; if the destination address and the destination port belong to the address and port of a destination network element that is subject to access control, the source address and the source port of the data packet are obtained;
  • the node for access control looks up the access rights of the obtained source address and source port of the data packet in the recorded correspondence information between source address, source port and the right to access the network node; and
  • the access control node controls communication between the user and the network node according to the permission.
  • the method can also have features:
  • the address and port of the destination network element subject to access control are: the address and port of one or more configured core network management node (CNMP) nodes, and/or the configured address and port of a network node in the identity identification and location separation network.
  • CNMP core network management node
  • the method further includes:
  • if the source address and the source port of the data packet are not found in the recorded correspondence information, the node for access control determines whether the format of the data packet conforms to the format of a predetermined network management request data packet;
  • the method further includes the node for access control dropping the data packet in any of the following cases:
  • the node for access control finds the source address and the source port of the data packet in the recorded correspondence information, and the access rights corresponding to the source address and the source port are not open;
  • the node for access control determines that the format of the data packet does not conform to a format of a predetermined network management request data packet
  • the node for access control determines that the format of the data packet conforms to a format of a predetermined network management request data packet, but the verification determines that the user is not a network administrator.
  • the method further includes:
  • if the source address and the source port of the data packet are not found in the recorded correspondence information, the node for access control determines whether the format of the data packet conforms to the format of a predetermined network management request data packet, and if so verifies whether the user is a network administrator;
  • when the verification determines that the user is a network administrator, the node for access control determines, according to the configured information on the network nodes accessible by the network administrator, whether the user has the right to access the network node;
  • if the user has the right to access the network node, the user is allowed to communicate with the network node; otherwise the data packet is discarded.
  • the method can also have features:
  • the step of the node for access control controlling the communication between the user and the network node according to the access rights includes: allowing the user to communicate with the network node when the access right is open, and otherwise discarding the packet.
  • the method further includes:
  • after the node for access control receives a data packet whose source address and source port have a corresponding access right of masked, it drops the packet directly.
  • the method may also have the following features:
  • the step of verifying whether the user is a network administrator includes:
  • the node for access control sends an administrator identity request to the identity location register, carrying the user identity of the user;
  • the node for access control receives an administrator identity authentication response, which includes the result of the identity location register authenticating the user identity against the configured network administrator identity; and
  • the method can also have features:
  • the network management request packet includes an administrator identifier.
  • the step of the node for access control sending an administrator identity request carrying the user identity of the user to the identity location register includes: the node for access control extracts the administrator identifier from the network management request packet and sends it to the identity location register;
  • the administrator identity authentication response is the result of the identity location register authenticating the user identity based on the configured administrator identifier and the received administrator identifier.
  • the method further includes:
  • the node for access control further adds a source address and a source port of the data packet to the open state table, and configures the access authority corresponding to the source address and the source port to be frozen.
  • the method further includes:
  • the node for access control further modifies the source address of the data packet in the open state table and the access permission corresponding to the source port to be open.
  • the method further includes:
  • the record containing the source address and source port of the packet is deleted from the open state table.
  • the method may further have the following feature: the step of allowing the user to communicate with the network node includes:
  • establishing the communication between the network node and the user by using an encryption method.
  • the method may also have the following features: the node used for access control is a combination of an interworking gateway and a core network management node, or the node used for access control is an interworking gateway.
  • the node for access control in a network system includes: a receiving module configured to: receive a data packet with which a user in the traditional Internet accesses a network node in the identity identification and location separation network;
  • an obtaining module configured to: obtain the destination address and destination port of the data packet received by the receiving module, determine whether they belong to the address and port of a destination network element that is subject to access control, and if so obtain the source address and source port of the data packet;
  • a search module configured to: search for the source address and the source port of the data packet in the recorded correspondence between source address, source port and the right to access the network node;
  • a control module configured to: allow the user to communicate with the network node when the search module finds the source address and the source port of the data packet and the access right corresponding to the source address and the source port is open.
  • the node further includes:
  • a first determining module configured to: when the source address and the source port of the data packet are not found in the open state table, determine whether the format of the data packet conforms to the format of a predetermined network management request data packet;
  • a first verification module configured to: when the first determining module determines that the format of the data packet conforms to a format of a predetermined network management request data packet, verify whether the user is a network administrator;
  • the control module is further configured to: allow the user to communicate with the network node when the first verification module verifies that it is a network administrator.
  • the node further includes:
  • a second determining module configured to: when the source address and the source port of the data packet are not found in the open state table, determine whether the format of the data packet conforms to the format of a predetermined network management request data packet;
  • a second verification module configured to: when the second determining module determines that the format of the data packet conforms to the format of a predetermined network management request data packet, verify whether the user is a network administrator, and when the verification determines that the user is a network administrator, determine, according to the configured information on the network nodes accessible by the network administrator, whether the user has the right to access the network node;
  • the control module is further configured to: allow the user to communicate with the network node when the second verification module determines that the user has permission to access the network node.
  • the node may also have characteristics:
  • the control module is further configured to discard the data packet in any of the following cases:
  • the node further includes:
  • a fourth configuration module configured to: when the total number of times the control module discards data packets having the same source address and source port exceeds a preset threshold, add the source address and the source port of those data packets to the open state table and configure the access right corresponding to the source address and the source port to be masked;
  • a discarding module configured to: directly discard a received data packet whose source address and source port have a corresponding access right of masked.
  • the node may also have the following feature:
  • the second verification module includes:
  • a sending unit configured to: send an administrator identity request to the identity location register, and carry the user identity of the user;
  • a receiving unit configured to: receive an administrator identity authentication response, where the administrator identity authentication response includes the result of the identity location register authenticating the user identity according to the configured identity of the network administrator; and
  • a determining unit configured to: determine, according to the authentication result in the administrator identity authentication response, whether the user is a network administrator.
  • the node further includes:
  • a first configuration module configured to: when the first determining module determines that the format of the data packet conforms to the format of a predetermined network management request data packet, add the source address and the source port of the data packet to the open state table and configure the access right corresponding to the source address and the source port to be frozen.
  • the node further includes:
  • a second configuration module configured to: when the first verification module determines that the user is a network administrator, modify the access right corresponding to the source address and source port of the data packet in the open state table to be open.
  • the node further includes:
  • a third configuration module configured to: when the verification module determines that the user is not a network administrator, delete the record that includes the source address and the source port of the data packet in the open state table.
  • the node may also have the following feature: the control module further includes an acquiring unit configured to: acquire an encryption mode; and
  • an establishing unit configured to: establish communication between the network node and the user by using the encryption mode acquired by the acquiring unit.
  • the system can also have features:
  • the address and port of the destination network element subject to access control are: the address and port of one or more configured core network management node (CNMP) nodes, and/or the configured address and port of a network node in the identity identification and location separation network.
  • CNMP core network management node
  • the present invention also provides an identity identification and location separation network system that includes the nodes described above for access control.
  • the problem of how a network management user located in the LIN accesses an SILSN core network element is solved, and the security of the core network is ensured.
  • an ordinary user in the LIN cannot access the SILSN core network element node.
  • the attack from the ordinary user in the LIN on the CNMP can also be prevented; and the encrypted transmission of the network management flow between the UE1 and the CNMP can be implemented.
  • all core network nodes only accept management packets from CNMP, which helps the security of core network element management.
  • FIG. 1 is a schematic diagram of a network diagram of two types of data packets that a LIN user accesses a SILSN in a SILSN network architecture in the prior art;
  • FIG. 2 is a schematic diagram of a network accessing a SILSN core network element by an administrator of a SILSN located in a LIN according to an embodiment of the present invention
  • FIG. 3 is a schematic diagram of a network architecture based on CNMP further refinement according to an embodiment of the present invention
  • FIG. 4 is a timing diagram of a method for controlling a user access identity and a network node in a location separation network in Embodiment 1;
  • FIG. 5 is a flowchart of a method for controlling a user access identity and a network node in a location separation network in Embodiment 2;
  • FIG. 6 is a schematic structural diagram of a node for access control in an identity identification and location separation network system according to an embodiment of the present invention
  • FIG. 7 is another schematic structural diagram of a node for access control in the embodiment shown in FIG. 6.
  • FIG. 8 is a schematic structural diagram of a risk module in the embodiment shown in FIG.
  • FIG. 9 is another schematic structural diagram of a node for access control in the embodiment shown in FIG. 7;
  • FIG. 10 is another schematic structural diagram of a node for access control in the embodiment shown in FIG. 9.
  • FIG. 11 is a schematic structural diagram of a control module in the embodiment shown in FIG. 6.
  • the ISN plays the role of the SILSN network and the LIN network interworking.
  • the SILSN intranet addressing mode and the LIN addressing mode are different.
  • the ISN is responsible for converting the data format and the addressing space of the two parties, wherein the addressing space is a user identity (AID, also referred to as an access identifier) space and a public network IP address space.
  • AID also referred to as an access identifier
  • the ISN maps the data packets of user equipment in the SILSN, which are identified by AID, to data packets identified by one or more public network IP addresses and port numbers of the LIN network; the address space formed by these public network IP addresses is denoted S1. Therefore, for users in the SILSN, no matter how their identity AID changes, when their data packets are converted by the ISN and sent to the LIN, every user's AID is mapped to an IP address and port number in S1. For users in the LIN network, the SILSN users they see are therefore all in the S1 space, so when a LIN user accesses a user in the SILSN network, it actually only accesses an address in the S1 space.
  • in order to protect the security of the network elements in the SILSN core network, the ISN cannot allow a LIN user to directly access the network element addresses of the SILSN core network, and only allows access to SILSN users. That is, a user in the LIN can only access the address space within the S1 range.
  • the data traffic for network management in the SILSN is generally much smaller than the data traffic for services, and most network management measures (such as remote diagnosis, testing and control) are initiated from within the SILSN, that is, most network management traffic in the SILSN comes from inside the SILSN.
  • the network management traffic for managing SILSN network elements from the LIN is very small and only supplements remote management. It is used in emergency situations that require equipment manufacturer support, or when the administrator with the experience needed in an emergency is not in the network management office. Such situations are usually rare, so the data traffic is generally small and does not need much processing capacity.
  • centralized management is implemented through a core network management node (Core Network Management Proxy, CNMP).
  • CNMP Core Network Management Proxy
  • the ISN is configured to receive a data packet sent by a user in the LIN and determine whether the data packet is sent to the CNMP; if so, it forwards the data packet to the CNMP; otherwise, it determines whether the destination address is in the S1 range. If so, the ISN converts the data packet, the destination address is converted to the AID, and the packet is forwarded to the ASN and then sent to the destination user in the SILSN. If the address is not in the S1 range, the packet is directly discarded. Since LIN users normally access users in the SILSN but not network nodes in the core network, the ISN needs to distinguish between the two types of data packets.
  • the embodiment preferably adopts the following security restriction measures:
  • the address of the CNMP is an IP address, which may be an IPv4 or IPv6 address.
  • in order to further prevent users in the LIN network from attacking the SILSN network, the ISN only accepts data packets whose destination address is in the S1 space or is the CNMP address, and discards all other data packets.
  • the ISN decides whether to submit a packet to the CNMP for processing based on the source address of the packet and the open state of the port.
  • when the destination address of the data packet initiated by the user equipment is the address of the CNMP, the packet is regarded as the second type of data packet; when the destination address of the data packet is not the CNMP address, it is processed as the first type of data packet: the location of the destination user is queried, the packet is re-encapsulated, and it is forwarded to the ASN with which the destination user is currently registered.
  • the CNMP identifies the identity of the initiator, and the initiator can be identified by interacting with the ILR.
  • when the CNMP judges that the initiator of the data packet is the administrator of the SILSN, the CNMP forwards the data packet to the managed core network element.
  • the CNMP may further perform identity authentication on the initiator by interacting with the ILR. After the identity authentication of the initiator passes, a secure tunnel is established between the initiator and the CNMP. Through the secure tunnel, the CNMP can forward the messages sent by the initiator to the managed NE to the corresponding managed NE.
  • FIG. 3 is a schematic diagram of a network architecture based on CNMP further refinement in the embodiment of the present invention.
  • the ISN1 checks the format of the network management request packet, and when the source address and port do not belong to the restricted range, hands the packet to CNMP1 for processing; after receiving the packet, the CNMP extracts the user identity from the data packet and sends this identity to the ILR, which identifies the identity of user UE1, determines whether UE1 has the administrator user identity of the SILSN, and notifies the CNMP of the result.
  • when the CNMP determines that the initiator of the data packet is the administrator of the SILSN and forwards the data packet to the managed core network element, the following steps may also be included:
  • the CNMP notifies the ISN1 to open the source address and port corresponding to the data packet sent by UE1, and then further lets the ILR authenticate the identity of UE1 through message interaction with UE1 via the CNMP; the ILR then notifies the CNMP of the result of the identity authentication. Afterwards, the CNMP forwards the data packets subsequently sent by UE1 to the CNMP to the managed core network element, such as ASN2.
  • after the ILR authenticates the identity of UE1, the ILR can further check whether UE1 has the right to manage the managed core network element, such as ASN2. If the ILR does not pass the identity authentication of UE1, or the ILR finds that UE1 does not have the authority to manage the managed core network element, the CNMP notifies the ISN to perform anti-attack processing, such as "closing" or "masking" the opened source address of UE1 and the corresponding port. If the CNMP finds that a LIN user repeatedly initiates network management requests to the CNMP but identity authentication fails multiple times, the CNMP can notify the ISN to change the status of the source address and port number of the data packets sent by that user to "masked" once the number of failures exceeds a preset threshold;
  • the ISN will no longer forward any packets from this user to CNMP.
  • the source address and source port of the data packets sent by the administrator user may be saved on the ISN.
  • these states can be saved in an Open State Table (OPT) on the ISN, which manages the source address and source port of SILSN administrator users located in the LIN; the ISN checks whether the user's source address is in the OPT.
  • OPT Open State Table
  • if the status is "open", the packet is forwarded to the CNMP; if the status is "frozen", the packet is discarded; if the status is "masked", the packet is discarded and an alarm is raised;
  • subsequently the ISN can change the state of the user's source address/source port in the OPT according to the CNMP's instruction, such as changing "frozen" to "open" or "masked".
  • the ISN forwarding the data packet to the CNMP includes the following scenarios:
  • the ISN forwards only the first packet sent by a source address/source port to the CNMP, puts the source address/source port into the OPT, and sets its state to "frozen".
  • the functions of the core network management node and the interworking gateway may also be set on one node in the SILSN network, such as the interworking gateway in the network architecture of the present invention, communicating through an internal logical interface; the method and process are the same as for a separate core network management node and interworking gateway, and the description is omitted here.
  • the node implementing access control in either of the above two cases is referred to as the node for access control.
  • Embodiment 1 is described as shown in FIG. 4:
  • Step 401 The user UE1 located in the LIN needs to access the core network node in the SILSN network, and sends a network management request message to the ISN, where the network management request message may be encapsulated in an IP data packet, and the destination address is the address of the CNMP.
  • the ISN receives the network management request message, and if it detects that the receiver of the message is the CNMP, step 402 is performed;
  • the CNMP should pre-specify the format of this network management request message.
  • if the ISN finds that the source address/source port of the data packet from the LIN is not in the OPT, the data packet is checked against this message format; if it does not conform, it is discarded. If it conforms, the source address and port are extracted and used as the index to generate a record in the OPT whose status is set to "frozen"; other messages sent by user UE1 are then no longer accepted until the port-open command from the CNMP is received, so as to avoid user-initiated denial of service attacks.
  • Step 402 The ISN receives the network management request message, and sends the message to the CNMP.
  • Step 403 The CNMP directly extracts the access identifier of the user in the network management request message.
  • Step 404 The ILR determines, according to the AID, whether the user UE1 has an administrator identity, and returns an "identify administrator identity response" to the CNMP. If the AID is not an administrator identity, the ILR notifies the CNMP of the failure in the identify administrator identity response; if the AID is an administrator identifier, the ILR notifies the CNMP that the AID has been verified and the service can continue;
  • Step 405 After receiving the identify administrator identity response, the CNMP notifies the ISN through a "port control" message to open the source address and port corresponding to user UE1, or, if the identification failed, notifies the ISN to close them.
  • Step 406 After the ISN receives the port control message, if the CNMP requests that the port be closed abnormally, the ISN counts the number of times the source address has been closed abnormally and determines according to a preset threshold whether the source address is to be masked; it then deletes the source address and source port number from the "source address temporary mask entry", saves the source address in the temporary mask table space, and the process ends;
  • otherwise, the ISN opens the corresponding source port and destination port, allowing the ISN to forward the messages sent by user UE1 to the CNMP, and step 407 is performed;
  • Step 407 The CNMP authenticates the user UE1 by interacting with the ILR, and checks whether the core network element address that user UE1 wants to manage matches the core network element address pre-configured for the user in the ILR. If the authentication passes and the managed NE addresses match, step 408 is performed for UE1;
  • otherwise the CNMP sends a "port control" message to the ISN requiring the ISN to close the source address and source port, and the process ends;
  • Step 408 After authentication passes, UE1 sends specific network management messages to the corresponding network element, such as the ASN, via the CNMP; the CNMP forwards the messages to the ASN and also relays the ASN's messages to UE1.
  • the messages sent by UE1 to the ASN may also be sent to the CNMP in encrypted form, and the CNMP may likewise encrypt the data sent by the ASN.
  • the authentication in step 407 may use an authentication method of the prior art.
  • Step 409 The CNMP forwards the messages sent by UE1 to the corresponding network element, such as an ASN, and the ASN sends its corresponding messages back to the CNMP.
  • Step 410 After the network management process is completed, the managed network element, such as the ASN, sends a "process end" message to the CNMP, and the corresponding network management process in the CNMP is terminated.
  • Step 411 After receiving the "process end" message, the CNMP sends a "port control" message to the ISN, requesting the ISN to close the port normally.
  • after receiving the message, the ISN closes the corresponding port and no longer receives or forwards to the CNMP any messages other than those in the XI format.
  • the method provided in this embodiment controls the access of the traditional network user that initiates the access request, controls the access rights to network nodes in the SILSN core network according to the result of identity verification, protects the security of the core network, and achieves the purpose that ordinary users in the LIN cannot access SILSN core network element nodes.
  • port control in the ISN is used to prevent attacks on the CNMP from ordinary users in the LIN.
  • transmission security is improved by encrypting the network management flow between the UE and the CNMP.
  • This embodiment is described by an application example initiated by a common user of a LIN network, as shown in FIG. 5:
  • Step 501 The ISN receives a data packet of the LIN and extracts its destination address.
  • Step 502 The ISN determines whether the destination address of the data packet is a CNMP address. If yes, step 503 is performed; otherwise, step 507 is performed.
  • Step 503 When the destination address is a CNMP address, extract a source address and a source port number of the data packet.
  • Step 504 Determine whether the source address and the port number are in the OPT. If yes, execute step 505. Otherwise, go to step 508.
  • Step 505 Further determine whether the status is "open"; if it is "open", execute step 506, and if not, execute step 510.
  • Step 506 If it is open, forward the data packet to CNMP.
  • Step 507 When the destination address is not the CNMP address, the first type of data packet is processed, and details are not described herein again.
  • Step 508 If the source address of the data packet is not in the OPT, determine whether it is a network management request message, if yes, execute step 509, otherwise perform step 510.
  • Step 509 When it is determined to be a network management request message, the ISN puts the source address and port into the OPT, sets the status to "frozen", and sends the data packet to the CNMP.
  • Step 510 Discard the data packet.
  • the destination address of all data passing through the ISN from the LIN network can only be an address in the S1 space or a CNMP address;
  • the CNMP handles access, authentication and encryption for network management users from the LIN. Only network management users that pass CNMP and ILR authentication can access SILSN core network elements; ordinary users from the LIN can only access S1 space addresses.
  • the ISN opens and closes the source address port from the LIN user according to the instruction sent by the CNMP;
  • the ISN freezes the source address and port of UE1, and the ASN then does not receive other data packets whose source address is user UE1 until the CNMP "port control" message to open the port is received;
  • the CNMP and ILR should compare the manageable NE addresses of network management users, and do not allow users to access core network addresses for which they have no administrator rights.
  • only when the CNMP believes that the identity is that of an administrator does the CNMP forward the user data packet to the ILR for user authentication.
  • CNMP forwards the user data packet to the corresponding core network element.
  • the CNMP can selectively encrypt and decrypt the data exchanged between UE1 and the CNMP.
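The ISN's open port table handling of steps 501-510, together with the CNMP-driven port control of steps 404-407 and 411, as an added Python model that is not part of the patent: the `Packet`, `ILR`, `ISN` and `CNMP` classes, the threshold value and the sample addresses are constructed for illustration, and the mask decision of step 406 is modelled as counting abnormal closes per source address and marking the (source address, source port) entry as mask once the count exceeds the threshold, which is one reading of that step.

```python
# Added example (not from the patent): a minimal model of the ISN open port table
# (OPT) and CNMP port control. Names, addresses and the threshold are constructed.
from dataclasses import dataclass
from enum import Enum

class State(Enum):
    FROZEN = "frozen"   # request seen, waiting for the CNMP verdict (step 509)
    OPEN = "open"       # administrator verified, packets are forwarded (step 506)
    MASK = "mask"       # blacklisted source, packets are dropped directly (step 406)

@dataclass(frozen=True)
class Packet:
    src: str                        # source address of the LIN user
    sport: int                      # source port
    dst: str                        # destination address
    is_mgmt_request: bool = False   # has the predefined network-management request format
    aid: str = ""                   # access identifier carried by a management request
    target_ne: str = ""             # core network element the user wants to manage

class ILR:
    """Identity location register: administrator AIDs and the NE addresses each may manage."""
    def __init__(self, admins):
        self.admins = admins            # {aid: set of manageable NE addresses}
    def is_admin(self, aid):            # step 404: identify administrator identity
        return aid in self.admins
    def may_manage(self, aid, ne):      # step 407: compare manageable NE addresses
        return ne in self.admins.get(aid, set())

class ISN:
    """Interworking node: keeps the OPT and applies CNMP port control messages."""
    def __init__(self, cnmp_addr, mask_threshold=3):
        self.cnmp_addr = cnmp_addr
        self.mask_threshold = mask_threshold    # constructed value
        self.opt = {}                           # (src, sport) -> State
        self.abnormal_closes = {}               # src -> number of abnormal closes

    def handle_lin_packet(self, pkt):
        """Steps 501-510. Returns 'forward_cnmp', 'first_type' or 'discard'."""
        if pkt.dst != self.cnmp_addr:
            return "first_type"                 # step 507: ordinary LIN->SILSN traffic
        key = (pkt.src, pkt.sport)              # step 503
        state = self.opt.get(key)               # step 504
        if state is not None:
            # steps 505/506/510: only an open entry is forwarded; frozen and
            # masked entries are dropped without consulting the CNMP
            return "forward_cnmp" if state is State.OPEN else "discard"
        if pkt.is_mgmt_request:                 # step 508
            self.opt[key] = State.FROZEN        # step 509
            return "forward_cnmp"
        return "discard"                        # step 510

    def port_control(self, src, sport, action):
        """Steps 405/406/411; returns the OPT state left for (src, sport), or None."""
        key = (src, sport)
        if action == "open":
            self.opt[key] = State.OPEN
        elif action == "close":                 # step 411: normal close
            self.opt.pop(key, None)
        elif action == "close_abnormal":        # step 406: count, then delete or blacklist
            count = self.abnormal_closes.get(src, 0) + 1
            self.abnormal_closes[src] = count
            if count > self.mask_threshold:
                self.opt[key] = State.MASK
            else:
                self.opt.pop(key, None)
        else:
            raise ValueError("unknown port control action: %s" % action)
        return self.opt.get(key)

class CNMP:
    """Core network management node: checks the requester with the ILR, drives the ISN."""
    def __init__(self, isn, ilr):
        self.isn, self.ilr = isn, ilr
    def handle_mgmt_request(self, pkt):
        """Steps 403-407. Returns the OPT state the ISN ends up with."""
        ok = self.ilr.is_admin(pkt.aid) and self.ilr.may_manage(pkt.aid, pkt.target_ne)
        return self.isn.port_control(pkt.src, pkt.sport, "open" if ok else "close_abnormal")

def run_scenario():
    """Constructed traffic: one administrator session, then an ordinary LIN
    user that keeps sending management requests until its source is masked."""
    ilr = ILR({"admin-aid-1": {"asn2"}})
    isn = ISN(cnmp_addr="cnmp")
    cnmp = CNMP(isn, ilr)
    r = {}
    admin = Packet("10.0.0.1", 40000, "cnmp", True, "admin-aid-1", "asn2")
    r["admin_request"] = isn.handle_lin_packet(admin)        # frozen, forwarded
    r["admin_state"] = cnmp.handle_mgmt_request(admin)        # State.OPEN
    r["admin_data"] = isn.handle_lin_packet(Packet("10.0.0.1", 40000, "cnmp"))
    isn.port_control("10.0.0.1", 40000, "close")              # step 411
    r["admin_after_close"] = isn.handle_lin_packet(Packet("10.0.0.1", 40000, "cnmp"))
    other = Packet("10.0.0.2", 40001, "cnmp", True, "user-aid", "asn2")
    for _ in range(isn.mask_threshold + 1):                   # repeated rejected requests
        isn.handle_lin_packet(other)
        r["other_state"] = cnmp.handle_mgmt_request(other)
    r["other_masked"] = isn.handle_lin_packet(other)          # dropped directly
    r["s1_traffic"] = isn.handle_lin_packet(Packet("10.0.0.2", 40001, "s1-user"))
    return r
```

After the normal close in step 411 the administrator's source entry is gone, so a further non-request packet from it is discarded, exactly as the ISN behaviour after step 411 describes.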
  • the present invention is described by taking the identity identification and location separation network architecture proposed by ZTE as an example, but is not limited thereto, and is applicable to other network architectures in which identity and location are separated, such as HIP, LISP and the architecture proposed by Beijing Jiaotong University, which also belongs to the identity identification and location separation networks. Because the implementation methods are similar, they are not described here.
  • the method provided in this embodiment controls the access of the traditional network user that initiates the access request, controls the access rights to network nodes in the SILSN core network according to the result of identity verification, protects the security of the core network, and achieves the purpose that ordinary users in the LIN cannot access SILSN core network element nodes.
  • an embodiment of the present invention provides an identity identification and location separation network system, including a node for access control, where the node for access control includes:
  • the receiving module 601 is configured to receive a data packet from a user in the traditional Internet accessing a network node in the identity identification and location separation network;
  • the obtaining module 602 is configured to obtain the source address and source port of the data packet received by the receiving module; the searching module 603 is configured to search for the source address and source port of the data packet in the recorded correspondence between source addresses, source ports and the authority to access the network node;
  • the control module 604 is configured to allow the user to communicate with the network node when the searching module 603 finds the source address and source port of the data packet and the access rights corresponding to them are open.
  • the node for access control may further include: a first determining module 701, configured to determine, when the source address and source port of the data packet are not found in the open state table, whether the data packet is a predetermined network management request data packet;
  • the first verification module 702 is configured to verify, when the determining module 701 determines that the data packet is a predetermined network management request data packet, whether the user is a network administrator;
  • the control module 604 is further configured to allow the user to communicate with the network node when the verification module verifies that the user is a network administrator. Further, the node for access control may also include:
  • a second determining module, configured to determine, if the source address and source port of the data packet are not found in the open state table, whether the data packet is a predetermined network management request data packet;
  • a second verification module, configured to verify, if so, whether the user is a network administrator, and, when the verification determines that the user is a network administrator, to determine according to the configured information on the network nodes accessible to that network administrator whether the user has the right to access the network node;
  • the control module is further configured to allow the user to communicate with the network node when the verification module determines that the user has the right to access the network node.
  • the control module 604 is further configured to discard the data packet in any of the following situations: the source address and source port of the data packet are found in the recorded correspondence information, but the access rights corresponding to the source address and source port are not open;
  • the format of the data packet is determined to be that of a predetermined network management request data packet, but verification determines that the user is not a network administrator;
  • the data packet is determined to be a predetermined network management request data packet and verification determines that the user is a network administrator, but it is determined that the user does not have the right to access the network node.
  • the node for access control further includes: a fourth configuration module, configured to add, when the total number of times the control module discards data packets having the same source address and source port exceeds a preset threshold, the source address and source port of the data packet to the open state table and to configure the access rights corresponding to them as mask; and a discarding module, configured to directly discard received data packets whose source address and source port have the corresponding access right mask.
  • the verification module 702 may further include: a sending unit 7021, configured to send an administrator identity request to the identity location register, carrying the user identity of the user;
  • the receiving unit 7022 is configured to receive an administrator identity authentication response, where the administrator identity authentication response includes the result of the identity location register authenticating the user identity according to the configured identity of the network administrator.
  • the determining unit 7023 is configured to determine, according to the authentication result in the administrator identity authentication response, whether the user is a network administrator.
  • the node used for access control may further include:
  • the first configuration module 901 is configured to: when the first determining module determines that the data packet conforms to the format of a predetermined network management request data packet, add the source address and source port of the data packet to the open state table and configure the access rights corresponding to them as frozen.
  • the node for access control may further include: a second configuration module 1001, configured to modify, when the first verification module determines that the user is a network administrator, the access rights corresponding to the source address and source port of the data packet in the open state table to open.
  • the third configuration module 1002 is configured to delete, when the verification module determines that the user is not a network administrator, the record in the open state table that contains the source address and source port of the data packet.
  • the control module 604 may further include: an acquiring unit 6041, configured to acquire the encryption method for communication between the network node and the user; and
  • the establishing unit 6042, configured to establish communication between the network node and the user using the encryption method obtained by the acquiring unit 6041.
  • the system provided by this embodiment controls the access of the traditional Internet user that initiates the access request, controls the access rights to network nodes in the SILSN core network according to the result of identity verification, protects the security of the core network, and achieves the purpose that ordinary users in the LIN cannot access SILSN core network element nodes.
  • port control in the ISN is used to prevent attacks on the CNMP from ordinary users in the LIN.
  • transmission security is improved by encrypting the network management flow between the UE and the CNMP.
  • each functional unit in each embodiment of the present invention may be implemented in the form of hardware, or may be implemented in the form of a software functional module.
  • the integrated modules, if implemented in the form of software functional modules and sold or used as separate products, may also be stored in a computer readable storage medium.
  • the above-mentioned storage medium may be a read only memory, a magnetic disk or an optical disk or the like.
  • the above are only specific embodiments of the present invention, but the scope of the present invention is not limited thereto; any changes or substitutions that a person skilled in the art can easily think of within the technical scope of the present invention should be covered by the scope of the present invention. Therefore, the scope of the invention should be determined by the scope of the claims.
  • the method and system of the present invention solve the problem of network management users located in the LIN accessing SILSN core network elements, thereby ensuring the security of the core network.
  • attacks on the CNMP from ordinary users in the LIN can also be prevented (through port control in the ISN), and encrypted transmission of the network management flow between UE1 and the CNMP can be implemented.
  • all core network nodes accept management packets only from the CNMP, which improves the security of core network element management.

Abstract

The present invention discloses a method, apparatus and system for controlling a user to access a network. The method includes: a node used for access control receives a data packet of a user accessing a network node in an identifier and locator separation network; the destination address and destination port of the data packet are obtained, and if the destination address and destination port belong to the addresses and ports of destination network elements on which access control must be performed, the source address and source port of the data packet are obtained; the node used for access control searches for the access authority corresponding to the source address and source port according to the obtained source address and source port of the data packet and the recorded correspondence information between source address, source port and the authority for accessing the network node; if the corresponding access authority of the source address and source port is found, the node used for access control controls the communication from the user to the network node according to that authority. The present invention solves the problem of a network management user in a Legacy Internet Network (LIN) accessing a Subscriber Identifier and Locator Separation Network (SILSN) core network element, and guarantees the security of the core network.

Description

Method, device and system for controlling user access to a network
Technical field
The present invention relates to the field of communication technologies, and in particular to a method and system, under the identity identification and location separation network framework, for controlling user access to network nodes in an identity identification and location separation network.
Background art
In the Transmission Control Protocol/Internet Protocol (TCP/IP) suite widely used in the existing Internet, the IP address has a dual function: it serves both as the location identifier, in the network topology, of the network interface of a communication terminal host at the network layer, and as the identity identifier of the host network interface at the transport layer. Host mobility was not considered when the TCP/IP protocol was designed. However, as host mobility becomes more and more common, this semantic overload of the IP address becomes increasingly apparent. When the IP address of a host changes, not only does the routing change, but the identity of the communication terminal host also changes; this makes the routing load heavier and heavier, and the change of host identity causes applications and connections to be interrupted. The identity and location separation problem was raised in order to solve the semantic overload of IP addresses, heavy routing load, security and other problems by separating the dual functions of the IP address, so as to support mobility, multi-homing, dynamic reallocation of IP addresses, reduction of routing load, and mutual access between different network areas in the next generation Internet.
At present, a variety of network architectures separating identity from location have been proposed, including HIP, LISP and the architecture proposed by Beijing Jiaotong University, all of which belong to identity identification and location separation networks. This document uses an identity identification and location separation network architecture as an example for description.
To solve the above problems, ZTE has proposed an identity identification and location separation network architecture, as shown in FIG. 1. For convenience of description, this subscriber identifier and locator separation network is referred to below as SILSN (Subscriber Identifier & Locator Separation Network), and the traditional Internet is referred to as LIN (Legacy Internet Network).
In FIG. 1, the SILSN consists of an Access Service Node (ASN), User Equipment (UE), an Identification & Location Register (ILR), an Inter-working Service Node (ISN) and so on. The ASN implements access for user terminals and undertakes functions such as charging and handover; the ILR undertakes location registration and identity identification for users; the ISN interworks with the traditional Internet; the ISN and the ASN may also be physically combined. UE1 is a traditional Internet user and UE2 is a SILSN user. In this document, the network composed of network nodes such as the ASN, ILR and ISN is called the SILSN core network (also called the backbone network).
As shown in FIG. 1, the LIN network and the SILSN core network coexist in the communication system. When a user in the LIN network sends data to an external network, the data packets sent by user terminal UE1 in the LIN can be divided into the following two types according to their final destination:
The first type is a LIN user accessing a SILSN user, e.g. UE1->UE2, which is the most common access mode;
Data packets of this type are sent to SILSN users, that is, their final destination is outside the SILSN core network. In this case the network nodes in the core network only encapsulate and forward them and do not parse the actual content of the packets; therefore, apart from affecting the performance of the SILSN core network, the first type of packet has no obvious impact on the security of core network nodes;
The second type is a traditional Internet LIN user accessing a network node within the SILSN core network, that is, the final destination is a network node within the SILSN core network, e.g. UE1->ASN2. This mode is mainly intended to facilitate remote management and diagnosis of the SILSN network. In the early stage of SILSN network construction, the SILSN administrator may not be within the coverage area of the SILSN itself, for example the SILSN administrator is on holiday elsewhere; if the SILSN fails at that time and needs remote diagnosis, testing and control, it must be possible to access the SILSN core network nodes through the LIN;
Since the final destination of the data packets sent by a SILSN administrator user is a network node within the core network, the network node in the core network must not only parse their content but also perform corresponding processing according to that content, such as modifying configuration, fault diagnosis, testing and control. These operations have a great impact on the normal operation of the SILSN network; once a malicious user in the LIN impersonates a SILSN administrator to maliciously control the network, the SILSN network will be seriously affected. Therefore, LIN users must be strictly authenticated, and the user's behaviour must be restricted according to the user's authority.
For convenience of description, the SILSN administrator is referred to below simply as the administrator; that is, the administrators mentioned in this document are all SILSN administrators and do not include administrators of other networks such as the LIN. To protect the security of the SILSN core network, the SILSN only provides interworking between SILSN users and LIN users, and forbids LIN users from accessing network nodes within the core network, such as the ASN, ILR and ISN; however, there is currently no method for preventing LIN users from accessing network nodes within the SILSN core network.
Summary of the invention
Embodiments of the present invention provide a method, apparatus and system for controlling user access to a network, which can protect the security of an identity identification and location separation network.
To solve the above problems, the present invention provides a method for controlling user access to a network, which includes:
a node for access control receives a data packet of a user accessing a network node in an identity identification and location separation network;
the destination address and destination port of the data packet are obtained, and if the destination address and destination port belong to the address and port of a destination network element that requires access control, the source address and source port of the data packet are then obtained;
the node for access control searches for the access authority corresponding to the source address and source port according to the obtained source address and source port of the data packet and the recorded correspondence information between source addresses, source ports and the authority to access the network node; and
if the access authority corresponding to the source address and source port is found, the node for access control controls the communication between the user and the network node according to that authority.
The method may further have the following feature:
the address and port requiring access control refer to: the configured address and port of one or more core network management node (CNMP) nodes, and/or the configured address and port of a network node in the identity identification and location separation network.
The method further includes:
if the source address and source port of the data packet are not found in the open state table, the node for access control further determines whether the format of the data packet conforms to the format of a predetermined network management request data packet;
if it conforms, verifying whether the user is a network administrator; and if the user is a network administrator, allowing the user to communicate with the network node.
The method further includes: the node for access control discards the data packet in any of the following cases:
the node for access control finds the source address and source port of the data packet in the recorded correspondence information, but the access authority corresponding to the source address and source port is not open;
the node for access control determines that the format of the data packet does not conform to the format of a predetermined network management request data packet;
the node for access control determines that the format of the data packet conforms to the format of a predetermined network management request data packet, but verification determines that the user is not a network administrator.
The method further includes:
if the source address and source port of the data packet are not found in the open state table, the node for access control further determines whether the format of the data packet conforms to the format of a predetermined network management request data packet;
if it conforms, verifying whether the user is a network administrator, and when verification determines that the user is a network administrator, the node for access control further determines, according to the configured information on the network nodes accessible to that network administrator, whether the user has the authority to access the network node;
if the user has the authority to access the network node, allowing the user to communicate with the network node, otherwise discarding the data packet.
The method may further have the following feature:
the step of the node for access control controlling the communication between the user and the network node according to the authority includes: when the authority is open, allowing the user to communicate with the network node; otherwise, discarding the data packet.
The method further includes:
when the total number of times the node for access control discards data packets having the same source address and source port exceeds a preset threshold number, adding the source address and source port of the data packet to the open state table, and configuring the access authority corresponding to the source address and source port as masked;
the node for access control directly discards data packets received with a source address and source port whose corresponding access authority is masked.
The method may further have the following feature: the step of verifying whether the user is a network administrator includes:
the node for access control sends an administrator identity identification request to the identity location register, carrying the user identity identifier of the user;
receiving an administrator identity authentication identification response, which includes the result of the identity location register authenticating the user identity identifier according to the configured identity identifier of the network administrator; and
determining, according to the authentication result in the administrator identity authentication identification response, whether the user is a network administrator.
The method may further have the following feature:
the network management request data packet contains an administrator identifier;
the step of the node for access control sending an administrator identity identification request to the identity location register carrying the user identity identifier of the user includes: the node for access control extracts the administrator identifier from the network management request data packet and sends it to the identity location register;
the administrator identity authentication identification response is the result of the identity location register authenticating the user identity identifier according to the configured administrator identifier and the received administrator identifier.
The method further includes:
…, the node for access control further adds the source address and source port of the data packet to the open state table, and configures the access authority corresponding to the source address and source port as frozen.
The method further includes:
if it is determined that the user is a network administrator, the node for access control further modifies the access authority corresponding to the source address and source port of the data packet in the open state table to open.
The method further includes:
if it is determined that the user is not a network administrator, the node for access control deletes the record in the open state table that contains the source address and source port of the data packet.
The method may further have the following feature: the step of allowing the user to communicate with the network node includes:
… the encryption method for the communication; and
establishing the communication between the network node and the user using that encryption method.
The method may further have the following feature: the node for access control is a combination of an interworking gateway and a core network management node, or the node for access control is an interworking gateway.
Correspondingly, the present invention provides a node for access control in a network system, including: a receiving module, configured to receive a data packet in which a user in the legacy Internet accesses a network node in the identity and location separation network;
an obtaining module, configured to obtain the destination address and destination port of the data packet and, if the destination address and destination port are determined to belong to the address and port of a destination network element subject to access control, to further obtain the source address and source port of the data packet received by the receiving module;
a lookup module, configured to look up the source address and source port of the data packet in recorded correspondence information between source addresses, source ports and the authority to access the network node; and
a control module, configured to allow the user to communicate with the network node when the lookup module finds the source address and source port of the data packet and the access authority corresponding to the source address and source port is open.
The node further includes:
a first judging module, configured to judge, when the source address and source port of the data packet are not found in the open state table, whether the format of the data packet conforms to the format of the predetermined network management request data packet; and
a first verification module, configured to verify whether the user is a network administrator when the first judging module determines that the format of the data packet conforms to the format of the predetermined network management request data packet; the control module is further configured to allow the user to communicate with the network node when the first verification module verifies that the user is a network administrator.
The node further includes:
a second judging module, configured to judge, if the source address and source port of the data packet are not found in the open state table, whether the format of the data packet conforms to the format of the predetermined network management request data packet;
a second verification module, configured to verify whether the user is a network administrator if the second judging module determines that the format of the data packet conforms to the format of the predetermined network management request data packet, and, when the user is verified to be a network administrator, to further judge, according to the configured information on the network nodes that the network administrator may access, whether the user has the authority to access the network node;
the control module is further configured to allow the user to communicate with the network node when the second verification module determines that the user has the authority to access the network node.
The node may further have the following feature: the control module is further configured to discard the data packet in any of the following cases:
the source address and source port of the data packet are found in the recorded correspondence information, but the access authority corresponding to the source address and source port is not open;
the format of the data packet is judged to conform to the format of the predetermined network management request data packet, but verification determines that the user is not a network administrator;
the format of the data packet is judged to conform to the format of the predetermined network management request data packet and verification determines that the user is a network administrator, but the user is judged not to have the authority to access the network node.
The node further includes:
a fourth configuration module, configured to add the source address and source port of the data packet to the open state table and configure the access authority corresponding to the source address and source port as masked when the total number of times the control module has discarded data packets with the same source address and source port exceeds a preset threshold; and
a discarding module, configured to directly discard data packets received from a source address and source port whose corresponding access authority is masked.
The node may further have the following feature: the second verification module includes:
a sending unit, configured to send an administrator identity identification request to the identity location register, carrying the user identity of the user;
a receiving unit, configured to receive an administrator identity authentication identification response, which includes the result of the identity location register authenticating the user identity according to the configured identity of the network administrator; and
a determining unit, configured to determine whether the user is a network administrator according to the authentication result in the administrator identity authentication identification response.
The node further includes:
a first configuration module, configured to add the source address and source port of the data packet to the open state table and configure the access authority corresponding to the source address and source port as frozen when the first judging module determines that the format of the data packet conforms to the format of the predetermined network management request data packet.
The node further includes:
a second configuration module, configured to modify the access authority corresponding to the source address and source port of the data packet in the open state table to open when the first verification module determines that the user is a network administrator.
The node further includes:
a third configuration module, configured to delete the record containing the source address and source port of the data packet from the open state table when the verification module determines that the user is not a network administrator.
The node may further have the following feature: the control module further includes: an obtaining unit, configured to obtain the encryption mode of the communication between the network node and the user;
an establishing unit, configured to establish the communication between the network node and the user using the encryption mode obtained by the obtaining unit.
The system may further have the following feature: the address and port of the destination network element subject to access control are: the configured address and port of one or more core network management node (CNMP) nodes, and/or the configured address and port of a network node in the identity and location separation network.
The present invention also provides an identity and location separation network system, which includes the node for access control described above.
With the above method, apparatus and system, the problem of a network management user located in the LIN accessing SILSN core network elements is solved, and the security of the core network is ensured. In one embodiment, ordinary users located in the LIN are also prevented from accessing SILSN core network element nodes. In one embodiment, attacks on the CNMP by ordinary users in the LIN are also prevented (through port control in the ISN), and the network management traffic between UE1 and the CNMP can be transmitted encrypted. In addition, all core network nodes accept management data packets only from the CNMP, which contributes to the security of core network element management.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a network diagram of the two types of data packets by which a LIN user accesses the SILSN under the SILSN network architecture in the prior art;
FIG. 2 is a network diagram of a SILSN administrator located in the LIN accessing SILSN core network elements according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of the network architecture further refined on the basis of the CNMP according to an embodiment of the present invention;
FIG. 4 is a sequence diagram of the method for controlling a user's access to a network node in the identity and location separation network in Embodiment 1;
FIG. 5 is a flowchart of the method for controlling a user's access to a network node in the identity and location separation network in Embodiment 2;
FIG. 6 is a schematic structural diagram of a node for access control in an identity and location separation network system according to an embodiment of the present invention;
FIG. 7 is another schematic structural diagram of the node for access control in the embodiment shown in FIG. 6;
FIG. 8 is a schematic structural diagram of the verification module in the embodiment shown in FIG. 6;
FIG. 9 is another schematic structural diagram of the node for access control in the embodiment shown in FIG. 7;
FIG. 10 is another schematic structural diagram of the node for access control in the embodiment shown in FIG. 9;
FIG. 11 is a schematic structural diagram of the control module in the embodiment shown in FIG. 6.
PREFERRED EMBODIMENTS OF THE INVENTION
Specific embodiments of the present invention are described in detail below with reference to the accompanying drawings.
In the SILSN network, the ISN interworks the SILSN network and the LIN network. When users in the LIN network and users in the SILSN core network access each other, the addressing used inside the SILSN differs from the addressing used by the LIN, so the ISN must convert the data formats and addressing spaces of the two sides, where the addressing spaces are the user identity (AID, also called access identifier) space and the public network IP address space.
The ISN maps data packets of user equipment inside the SILSN, which are identified by AIDs, to data packets identified by one or more segments of public network IP addresses and port numbers of the LIN network; the address space formed by these one or more segments of public IP addresses is denoted S1. Therefore, for users inside the SILSN, no matter how their identity AID changes, once a data packet has been converted by the ISN and finally sent to the LIN, every user's AID is mapped to some IP address and port number within S1. Consequently, the users in the LIN network see all SILSN users as lying in the S1 space, and a LIN user accessing a user inside the SILSN is in fact only accessing an address in the S1 space.
To protect the security of network elements inside the SILSN core network, the ISN must not let LIN users access the network element addresses of the SILSN core network directly; it only allows them to access SILSN users. In other words, users inside the LIN can only access the address space within the S1 range.
As described above, in order to allow a SILSN administrator to operate SILSN core network elements in an emergency, the SILSN administrator must be given the ability to access core network elements from the LIN network. While ensuring that the SILSN administrator can manage the SILSN from the LIN, ordinary users inside the LIN must also be prevented from accessing the core network elements.
The data traffic used for network management in the SILSN is generally much smaller than the data traffic used for services, and most network management measures (such as remote diagnosis, testing and control) are initiated from inside the SILSN; that is, most network management traffic in the SILSN originates inside the SILSN. The network management traffic for managing SILSN network elements from the LIN is very small and only supplements remote management: it is mostly used in emergencies that require equipment vendor support, or when, in an emergency, an experienced administrator is not at the network management site. Such occasions are usually rare, so this kind of traffic is generally small and does not require much processing capacity. To facilitate unified control and management of this traffic and achieve centralized management, this embodiment introduces a core network management node (Core Network Management Proxy, CNMP), and uses the CNMP to implement management of the SILSN network by an administrator located in the LIN, as shown in FIG. 2:
The core network management node (Core Network Management Proxy, CNMP) is used for processing
The ISN is used to receive data packets sent by users in the LIN and to judge whether a data packet is destined for the CNMP; if so, it forwards the data packet to the CNMP; otherwise, it judges whether the destination address lies within the S1 range. If it lies within the S1 range, the ISN converts the data packet, translates the destination address into an AID, and forwards the packet to the ASN, which delivers it to the destination user in the SILSN; if the address does not lie within the S1 range, the packet is discarded directly. Ordinary LIN users may normally access users inside the SILSN but may not access network nodes inside the core network, so the ISN must distinguish the two types of data packets by identifying whether a data packet sent by UE1 is of type one or type two. This embodiment preferably does so under security restriction measures, such as a specific message format and control over the first data packet sent from a given source address, and has the ISN identify whether the destination address of the data packet is the CNMP address in order to distinguish whether the packet is network management traffic for the SILSN coming from the LIN network. In the present invention, the address of the CNMP is an IP address, which may be an IPv4 or IPv6 address.
Of course, other implementations are also possible; for example, different data packet formats may be used, or an agreed identifier may let the ISN identify whether a data packet is destined for the CNMP.
Optionally, to further prevent users inside the LIN network from attacking the SILSN network, the ISN accepts only data packets whose destination address lies in the S1 space or whose destination address is the CNMP address, and discards all other data packets. The ISN decides whether to hand a packet to the CNMP for processing according to the open state information of the packet's source address and port.
If the packet is not handed to the CNMP: when the destination address in the data packet initiated by the user equipment is judged to be the CNMP address, it is regarded as a data packet of the second type; when the destination address of the data packet is not the CNMP address but lies in the S1 space, it is regarded as a data packet of the first type and is processed as such: the location of the destination user is queried, the packet is re-encapsulated, and it is forwarded to the ASN with which the destination user is currently registered.
If the packet is handed to the CNMP for processing, the CNMP identifies the initiator, which it may do by interacting with the ILR. When the CNMP judges that the initiator of the data packet is a SILSN administrator, the CNMP forwards the data packet to the managed core network element.
Optionally, after the ISN sends the data packet to the CNMP, the CNMP may further authenticate the initiator by interacting with the ILR. After the initiator's identity authentication passes, a secure tunnel is established between the initiator and the CNMP, and through this secure tunnel the CNMP forwards the messages the initiator sends to a managed network element to that managed network element.
FIG. 3 is a schematic diagram of the network architecture further refined on the basis of the CNMP in an embodiment of the present invention. After a type-two data packet is sent from UE1, ISN1 judges that its format is the network management request packet format and that its source address and port do not fall within the restricted range, and hands it to the CNMP for processing. On receiving the data packet, the CNMP extracts the user identity from it and sends this identity to the ILR; the ILR identifies the identity of user UE1, determines whether UE1 holds a SILSN administrator user identity, and notifies the CNMP of the identification result.
To prevent an ordinary user inside the LIN from gaining access as a SILSN administrator, after the CNMP judges that the initiator of the data packet is a SILSN administrator and before it forwards the packet to the managed core network element, the following steps may also be included:
the CNMP notifies ISN1 to open the source address and port corresponding to the data packet sent by UE1; then, further via the CNMP, the ILR may authenticate the identity of UE1 through a message exchange with UE1, after which the ILR notifies the CNMP of the authentication result. Once authentication has passed, the CNMP hands the subsequent data packets UE1 sends to the CNMP over to the managed core network element, such as ASN2, for processing.
After the ILR's identity authentication of UE1 passes, the ILR may further check whether UE1 has the authority to manage the managed core network element, for example the authority over ASN2. If the ILR's identity authentication of UE1 fails, or the ILR finds that UE1 lacks the authority to manage the managed core network element, the CNMP notifies the ISN to perform anti-attack processing, for example to "close" or "mask" the already opened source address and corresponding port of UE1. Furthermore, if the CNMP finds that a LIN user repeatedly initiates network management requests to the CNMP but identity authentication fails repeatedly, then once the number of failures exceeds a threshold the CNMP may notify the ISN to change the state of the source address and port number of that user's data packets to "masked".
For a user in the "masked" state, the ISN no longer forwards any of that user's data packets to the CNMP. Further, to prevent users inside the LIN from launching denial of service attacks (such as DoS attacks) against the CNMP by sending data packets frequently, the ISN may also keep the open state of the source address and source port of data packets sent from an administrator user's source address. These states may be kept in an Open State Table (OPT), which the SILSN administrator in the LIN uses to manage the open state of users' source addresses and source ports; the ISN checks whether the user's source address is in the OPT. When the ISN receives a data packet from a LIN user, it extracts the source address of the packet and then checks the open state of that source address and source port in the OPT:
if the state is "open", the user's data is forwarded directly to the CNMP; if the state is "frozen", the data packet is discarded; if the state is "masked", the data packet is discarded and an alarm is raised;
if the user's source address is not in the OPT, the source address/source port number carried in the data packet is placed in the OPT and its state is set to "frozen";
subsequently, the ISN may change the state of a user's source address/source port in the OPT according to instructions from the CNMP, for example from "frozen" to "open" or "masked".
In summary, in this embodiment, to prevent ordinary users from the LIN from attacking core network elements, the ISN's forwarding of data packets to the CNMP covers the following scenarios:
1. A data packet whose destination address is not the CNMP address is never forwarded to the CNMP;
2. For a data packet whose destination address is the CNMP address and whose source address/source port is in the OPT with state "open", the packet is forwarded unconditionally to the corresponding managed network element;
3. For a data packet whose destination address is the CNMP address and whose source address/source port is in the OPT with state "masked", the user's behaviour is logged, the packet is discarded, and an alarm is raised depending on the configured conditions;
4. For a data packet whose destination address is the CNMP address and whose source address/source port is in the OPT with state "frozen", the packet is discarded;
5. For a data packet whose destination address is the CNMP address and whose source address/source port is not in the OPT, the ISN forwards only the first data packet sent from that source address/source port to the CNMP, places the source address/source port in the OPT, and sets its state to "frozen".
It should be noted that in practical application the functions of the core network management node and the interworking gateway may be deployed on a single node in the SILSN network, such as the interworking gateway in the network architecture of the present invention, communicating through an internal logical interface; the method and procedure are the same as when the core network management node and the interworking gateway are deployed separately and are not repeated here. For ease of description, the node that implements access control in either of these two cases is referred to in the present invention simply as the node for access control.
To help those skilled in the art understand the technical solution provided by the present invention more clearly, specific application scenarios are described below as examples:
Embodiment 1
Description, as shown in FIG. 4:
Step 401: User UE1 located in the LIN needs to access a core network node in the SILSN network and sends a network management request message to the ISN. The network management request message may be encapsulated in an IP data packet whose destination address is the CNMP address. After receiving the network management request message, the ISN checks that the recipient of the message is the CNMP and, if so, performs step 402;
It should be noted that the CNMP should specify the format of this network management request message in advance. When the ISN finds that the source address/source port of a data packet from the LIN is not in the OPT, it checks whether the data is in this message format and discards it if not. If it is, the ISN extracts the source address and port, generates a record in the OPT indexed by this source address and port, and sets its state to "frozen"; until a port-open command is received from the CNMP, no further messages sent by user UE1 are accepted, so as to avoid a user-initiated denial of service attack.
Step 402: The ISN receives the network management request message and sends it to the CNMP;
Step 403: The CNMP extracts the user's access identifier AID directly from the network management request message and sends it to the ILR in an "identify administrator identity request";
Step 404: The ILR judges from the AID whether user UE1 holds an administrator identity and returns an "identify administrator identity response" to the CNMP. If the AID is not an administrator identifier, the identify administrator identity response notifies the CNMP of failure; if the AID is an administrator identifier, the verify AID response notifies the CNMP that the service may continue;
Step 405: After receiving the identify administrator identity response, if the service may continue, the CNMP notifies the ISN through a "port control message" to open the source address and port corresponding to user UE1; if it is a failure, the CNMP notifies the ISN to close the source port and destination port corresponding to user UE1;
Step 406: After receiving the port control message, if the CNMP requires the port to be closed abnormally, the ISN counts the number of times this source address has been closed abnormally and decides, according to a preset threshold, whether to place the source address on a blacklist for longer-term masking; it then deletes the source address and source port number from the "source address temporary masking table" to save space in that table, and the procedure ends;
If the CNMP requires the ISN to open the port normally, the ISN opens the corresponding source port and destination port, allowing the ISN to forward the messages user UE1 subsequently sends to the CNMP, and step 407 is performed;
Step 407: The CNMP authenticates user UE1 by interacting with the ILR and at the same time checks whether the core network element address that user UE1 currently wishes to manage is consistent with the manageable core network element address preset for that user in the ILR. If authentication passes and the managed network element addresses are consistent, the procedure continues;
If authentication passes, UE1 proceeds to step 408;
If authentication fails, or the core network element UE1 asks to manage is inconsistent with the manageable network element address set for UE1 in the ILR, the CNMP sends a "port control" message to the ISN requesting it to close the source address and source port, and the procedure ends;
Step 408: After authentication passes normally, UE1 sends specific network management messages via the CNMP to the corresponding network element, such as the ASN; the CNMP forwards these messages to the ASN and also sends the messages received from the ASN to UE1;
Optionally, if an encryption key was negotiated during the authentication in step 407, then in this step the messages UE1 sends to the ASN may also be sent to the CNMP encrypted, and the CNMP may likewise encrypt the data sent by the ASN before sending it to UE1;
The authentication in step 407 may use an authentication method of the prior art;
Step 409: The CNMP forwards the messages sent by UE1 to the corresponding network element, such as the ASN, and the ASN sends its corresponding messages to the CNMP;
Step 410: When the network management procedure, i.e. step 409, has finished, the managed core network element, such as the ASN, sends a "procedure end" message to the CNMP, notifying the CNMP that the corresponding network management procedure has ended;
Step 411: After receiving the "procedure end" message, the CNMP sends a "port control" message to the ISN requesting it to close the port normally.
ISN收到此消息后,将对应端口关闭, 不再接收和转发除了 XI格式外的 其他消息到 SNM。  After receiving the message, the ISN closes the corresponding port and no longer receives and forwards other messages except the XI format to the SNM.
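The CNMP-side control flow of steps 404 through 411, as an added example that is not part of the patent text. The ILR is modelled as an in-memory table of administrator AIDs, their manageable network element addresses and a pre-shared key; the authentication of step 407, which the text leaves to existing methods, is assumed here to be an HMAC-SHA256 challenge-response over that key. All AIDs, keys, addresses and the action names carried in the port control messages are constructed for the example.

```python
import hashlib
import hmac
import os


class ILR:
    """Identity location register: who is an administrator and what they may manage.

    The table contents are constructed for this example; the pre-shared key is
    part of the assumed authentication method, not something the patent specifies.
    """

    def __init__(self, admins):
        # aid -> {"key": pre-shared key, "manageable": set of NE addresses}
        self.admins = admins

    def identify_admin(self, aid):
        # Step 404: is this AID an administrator identifier?
        return aid in self.admins

    def manageable_nes(self, aid):
        return self.admins[aid]["manageable"]

    def verify(self, aid, nonce, tag):
        # Step 407 authentication, assumed here to be HMAC-SHA256 over a fresh nonce.
        expected = hmac.new(self.admins[aid]["key"], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


class CNMP:
    """Core network management node: admits a UE and drives the ISN port control."""

    def __init__(self, ilr):
        self.ilr = ilr
        self.port_control_log = []   # "port control" messages that would go to the ISN
        self.sessions = {}           # (src_addr, src_port) -> (aid, target NE)

    def _port_control(self, src, sport, action):
        # In the real system this is a message to the ISN; here it is only recorded.
        self.port_control_log.append((src, sport, action))

    def handle_request(self, src, sport, aid, target_ne, prove):
        """Admit or reject one network management request.

        prove(nonce) -> tag is the UE's half of the assumed challenge-response.
        Returns a decision string; port control messages are appended to the log.
        """
        if not self.ilr.identify_admin(aid):
            # Steps 404-405, failure branch: the ISN closes the source port abnormally.
            self._port_control(src, sport, "abnormal_close")
            return "rejected: not an administrator"
        # Step 405, success branch: the ISN opens the port so the dialogue can continue.
        self._port_control(src, sport, "open")
        nonce = os.urandom(16)
        if not self.ilr.verify(aid, nonce, prove(nonce)):
            # Step 407: authentication failed, ask the ISN to close the port again.
            self._port_control(src, sport, "close")
            return "rejected: authentication failed"
        if target_ne not in self.ilr.manageable_nes(aid):
            # Step 407: requested NE is outside the administrator's configured scope.
            self._port_control(src, sport, "close")
            return "rejected: network element not manageable by this administrator"
        self.sessions[(src, sport)] = (aid, target_ne)
        return "admitted"

    def end_session(self, src, sport):
        # Steps 410-411: the NE reports "procedure end", the CNMP asks for a normal close.
        self.sessions.pop((src, sport), None)
        self._port_control(src, sport, "normal_close")


def make_prover(key):
    """UE side of the assumed challenge-response: sign the CNMP's nonce with the PSK."""
    return lambda nonce: hmac.new(key, nonce, hashlib.sha256).digest()


if __name__ == "__main__":
    ilr = ILR({"admin-01": {"key": b"psk-admin-01", "manageable": {"10.0.1.1"}}})
    cnmp = CNMP(ilr)
    print(cnmp.handle_request("203.0.113.5", 40000, "admin-01", "10.0.1.1", make_prover(b"psk-admin-01")))
    print(cnmp.handle_request("203.0.113.5", 40001, "admin-01", "10.0.2.2", make_prover(b"psk-admin-01")))
    print(cnmp.handle_request("203.0.113.9", 40002, "user-77", "10.0.1.1", make_prover(b"x")))
    print(cnmp.port_control_log)
```

Note the ordering the text imposes: the port is opened as soon as the ILR confirms the AID is an administrator identifier (step 405), before the user has actually authenticated (step 407). Only the subsequent "close" on authentication failure or scope mismatch limits what an attacker holding a valid administrator AID but no key can do through the open port, so the window between the two steps is worth keeping short in a real deployment.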
The method of this embodiment authenticates the traditional Internet user that initiates an access request and, according to the authentication result, controls that user's permission to access network nodes in the SILSN core network. This protects the core network and ensures that ordinary users in the LIN cannot reach SILSN core network element nodes; the port control in the ISN also prevents attacks on the CNMP by ordinary LIN users, and encrypted transmission of the network management flow between the UE and the CNMP improves transmission security.
Embodiment 2
This embodiment is described with an application example in which an ordinary user of the LIN network initiates access, as shown in Figure 5:
Step 501: The ISN receives a data packet from the LIN and extracts its destination address.
Step 502: The ISN checks whether the destination address of the packet is the CNMP address. If so, step 503 is performed; otherwise, step 507.
Step 503: When the destination address is the CNMP address, the source address and source port number of the packet are extracted.
Step 504: Check whether the source address and port number are in the OPT. If so, step 505 is performed; otherwise, step 508.
Step 505: Further check whether the state is "open". If it is "open", step 506 is performed; if not, step 510.
Step 506: If open, forward the packet to the CNMP.
Step 507: When the destination address is not the CNMP address, the packet is processed as the first kind of packet, which is not described again here.
Step 508: When the source address of the packet is not in the OPT, determine whether the packet is a network management request message. If so, step 509 is performed; otherwise, step 510.
Step 509: When it is a network management request message, the ISN puts the source address and port into the OPT with state "frozen" and sends the packet to the CNMP.
Step 510: Discard the packet.
In the application example above, the ISN only allows data from the LIN network to have as destination an address in the S1 space or the CNMP address;
The CNMP handles access, authentication and encryption for network management users from the LIN. Only network management users who pass CNMP and ILR authentication may access SILSN core network elements; ordinary users from the LIN may only access S1 space addresses;
The ISN opens and closes the source address ports of LIN users according to the instructions sent by the CNMP;
After the ISN receives the first packet UE1 sends to the CNMP, it freezes UE1's source address and port; until it receives a CNMP "port control" message opening the port, the ISN accepts no further packets whose source address is that of user UE1;
The CNMP and the ILR compare the network element addresses a management user may manage, and do not allow a user to access core network addresses outside that user's administrator rights;
Only when the CNMP considers the identity to be an administrator does it forward the user's packet to the ILR for user authentication.
Only for a management user who passes ILR authentication and is entitled to manage the corresponding core network element address does the CNMP forward the user's packet to that core network element.
The CNMP may optionally encrypt and decrypt the data exchanged between UE1 and the CNMP.
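The ISN-side data-plane logic of steps 501 through 510, together with its handling of the CNMP port control messages from steps 406 and 411 and the blacklist threshold of claim 7, as an added example that is not part of the patent text. The CNMP address, the S1 prefix, the threshold and the marker used to recognise a network management request are all assumed; the text does not define the request format. Repeated rejections are counted per (source address, source port) pair as in claim 7, whereas the text of step 406 counts per source address.

```python
from collections import defaultdict

CNMP_ADDR = "10.0.0.100"             # assumed address of the CNMP
S1_PREFIX = "198.51.100."            # assumed prefix of the S1 address space
NM_REQUEST_MARKER = b"NMREQ "        # assumed leading marker of a network management request
ABNORMAL_CLOSE_THRESHOLD = 3         # assumed threshold of step 406 / claim 7

FROZEN, OPEN, MASKED = "frozen", "open", "masked"


class ISN:
    """Interworking service node: the data-plane half of the access control."""

    def __init__(self):
        self.opt = {}                              # (src_addr, src_port) -> OPT state
        self.abnormal_closes = defaultdict(int)    # (src_addr, src_port) -> rejection count
        self.forwarded_to_cnmp = []

    def handle_packet(self, pkt):
        """Classify one packet arriving from the LIN (steps 501-510).

        pkt is a dict with "src", "sport", "dst" and "payload".
        Returns "forward_cnmp", "forward_s1" or "drop".
        """
        if pkt["dst"] != CNMP_ADDR:
            # Step 507: not for the CNMP; the LIN may only reach the S1 space.
            return "forward_s1" if pkt["dst"].startswith(S1_PREFIX) else "drop"
        key = (pkt["src"], pkt["sport"])           # step 503
        state = self.opt.get(key)
        if state is not None:                      # steps 504-505
            if state == OPEN:
                self.forwarded_to_cnmp.append(pkt)
                return "forward_cnmp"              # step 506
            return "drop"                          # frozen or masked: step 510
        if not pkt["payload"].startswith(NM_REQUEST_MARKER):
            return "drop"                          # step 508 -> step 510
        # Step 509: first request from this source; freeze it until the CNMP decides.
        self.opt[key] = FROZEN
        self.forwarded_to_cnmp.append(pkt)
        return "forward_cnmp"

    def port_control(self, src, sport, action):
        """Apply a CNMP "port control" message; returns the resulting OPT state."""
        key = (src, sport)
        if action == "open":                       # step 406, normal open
            if self.opt.get(key) != MASKED:        # added precaution: never lift a blacklist entry here
                self.opt[key] = OPEN
        elif action == "normal_close":             # step 411: management session finished
            self.opt.pop(key, None)
        elif action == "abnormal_close":           # step 406: request rejected by the CNMP
            self.abnormal_closes[key] += 1
            if self.abnormal_closes[key] >= ABNORMAL_CLOSE_THRESHOLD:
                self.opt[key] = MASKED             # long-term block (claim 7)
            else:
                self.opt.pop(key, None)            # temporary entry removed
        else:
            raise ValueError("unknown port control action: %r" % (action,))
        return self.opt.get(key)


if __name__ == "__main__":
    isn = ISN()
    ue = {"src": "203.0.113.5", "sport": 40000, "dst": CNMP_ADDR, "payload": b"NMREQ aid=admin-01"}
    print(isn.handle_packet(ue), isn.opt)            # forwarded, entry frozen
    print(isn.handle_packet(ue))                      # dropped while frozen
    print(isn.port_control("203.0.113.5", 40000, "open"), isn.handle_packet(ue))
```

Because the frozen state admits exactly one packet per (address, port) pair until the CNMP answers, an attacker who cannot pass the administrator check can only get one request through per source port; the abnormal-close counter then converts repeated attempts into a masked entry that costs the ISN nothing more than a table lookup.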
It should be noted that the invention is described using the identity identification and location separation network architecture proposed by ZTE as an example, but it is not limited to that architecture; it applies equally to other network architectures that separate identity and location, such as HIP, LISP and the architecture proposed by Beijing Jiaotong University, whose implementation is similar and is not described again here.
The method of this embodiment authenticates the traditional Internet user that initiates an access request and, according to the authentication result, controls that user's permission to access network nodes in the SILSN core network, protecting the core network and ensuring that ordinary users in the LIN cannot reach SILSN core network element nodes.
As shown in Figure 6, an embodiment of the invention provides an identity identification and location separation network system including a node for access control. The node for user access control includes:
a receiving module 601, for receiving data packets with which users in the traditional Internet access network nodes in the identity identification and location separation network;
an obtaining module 602, for obtaining the source address and source port of a data packet received by the receiving module;
a lookup module 603, for looking up the source address and source port of the packet in the recorded correspondence between source addresses, source ports and permissions to access the network node;
a control module 604, for allowing the user to communicate with the network node when the lookup module 603 finds the source address and source port of the packet and the access permission corresponding to them is open.
Optionally, as shown in Figure 7, the node for access control may further include:
a first determining module 701, for determining, when the source address and source port of the packet are not found in the open state table, whether the packet is a predefined network management request packet;
a first verification module 702, for verifying whether the user is a network administrator when the determining module 701 determines that the packet is a predefined network management request packet;
the control module 604 is further used to allow the user to communicate with the network node when the verification module verifies that the user is a network administrator.
Further, the node for access control also includes:
a second determining module, for determining, if the source address and source port of the packet are not found in the open state table, whether the packet is a predefined network management request packet;
a second verification module, for verifying, if it is, whether the user is a network administrator and, when the user is verified to be a network administrator, determining from the configured information on the network nodes this administrator may access whether the user has permission to access the network node;
the control module is further used to allow the user to communicate with the network node when the verification module determines that the user has permission to access it.
Further, the control module 604 is also used to discard the packet in any of the following cases:
the source address and source port of the packet are found in the recorded correspondence information but the access permission corresponding to them is not open;
the packet is determined not to be a predefined network management request packet;
the format of the packet is determined to be that of a predefined network management request packet, but verification determines that the user is not a network administrator;
the packet is determined to be a predefined network management request packet and verification determines that the user is a network administrator, but the user is determined not to have permission to access the network node.
Optionally, the node for access control further includes:
a fourth configuration module, for adding the source address and source port of the packet to the open state table and configuring the access permission corresponding to them as blocked, when the total number of times the control module has discarded packets with the same source address and source port exceeds a preset threshold;
a discarding module, for directly discarding any packet whose source address and source port have a corresponding access permission of blocked.
Further, as shown in Figure 8, the verification module 702 may include:
a sending unit 7021, for sending to the identity location register an administrator identification request carrying the user's identity;
a receiving unit 7022, for receiving an administrator identity authentication response, which contains the result of the identity location register authenticating the user identity against the configured identities of network administrators;
a determining unit 7023, for determining, from the authentication result in the administrator identity authentication response, whether the user is a network administrator.
Optionally, as shown in Figure 9, the node for access control may further include:
a first configuration module 901, for adding the source address and source port of the packet to the open state table and configuring the access permission corresponding to them as frozen, when the first determining module determines that the packet conforms to a predefined network management request packet.
Optionally, as shown in Figure 10, the node for access control may further include:
a second configuration module 1001, for changing the access permission corresponding to the source address and source port of the packet in the open state table to open when the first verification module determines that the user is a network administrator;
a third configuration module 1002, for deleting the record containing the source address and source port of the packet from the open state table when the verification module determines that the user is not a network administrator.
Further, as shown in Figure 11, the control module 604 may include:
an acquiring unit 6041, for obtaining the encryption method (the description of this unit is truncated in the source);
an establishing unit 6042, for establishing communication between the network node and the user using the encryption method obtained by the acquiring unit 6041.
The system of this embodiment authenticates the traditional Internet user that initiates an access request and, according to the authentication result, controls that user's permission to access network nodes in the SILSN core network. This protects the core network and ensures that ordinary users in the LIN cannot reach SILSN core network element nodes; the port control in the ISN also prevents attacks on the CNMP by ordinary LIN users, and encrypted transmission of the network management flow between the UE and the CNMP improves transmission security.
Those of ordinary skill in the art will understand that all or part of the steps of the method embodiments above may be performed by a program instructing the related hardware. The program may be stored in a computer readable storage medium and, when executed, performs one of the steps of the method embodiments or a combination of them.
In addition, the functional units in the embodiments of the invention may be implemented in hardware or in the form of software functional modules. When an integrated module is implemented as a software functional module and sold or used as an independent product, it may also be stored in a computer readable storage medium.
The storage medium mentioned above may be a read-only memory, a magnetic disk, an optical disk or the like. The above are only specific embodiments of the invention; its scope of protection is not limited to them, and any change or substitution that a person skilled in the art could readily conceive within the technical scope disclosed here falls within that scope. The scope of protection of the invention is therefore defined by the claims.
Industrial applicability
The method and system of the invention provide a way for network management users located in the LIN to access SILSN core network elements while keeping the core network secure. In one embodiment, ordinary users in the LIN are also prevented from reaching SILSN core network element nodes. In one embodiment, attacks on the CNMP from ordinary LIN users are prevented (through port control in the ISN), and the network management flow between UE1 and the CNMP may be transmitted encrypted. In addition, all core network nodes accept management packets only from the CNMP, which helps secure the management of core network elements.

Claims
1、 一种控制用户访问网络的方法, 其包括: A method of controlling user access to a network, comprising:
用于访问控制的节点接收用户访问身份标识和位置分离网络中网络节点 的数据包;  The node for access control receives the user access identity and the data packet of the network node in the location separation network;
获取所述数据包的目的地址和目的端口, 如果目的地址和目的端口属于 需进行访问控制的目的网元的地址和端口, 再获取所述数据包的源地址和源 端口;  Obtaining the destination address and the destination port of the data packet. If the destination address and the destination port belong to the address and port of the destination network element to be accessed, the source address and the source port of the data packet are obtained.
用于访问控制的节点根据所述获取的所述数据包的源地址和源端口以及 记录的源地址、 源端口与访问所述网络节点权限的对应关系信息, 查找所述 源地址和源端口对应的访问权限; 以及  The node for access control searches for the source address and the source port according to the obtained source address and source port of the data packet and the source address of the record, the source port, and the corresponding relationship information of accessing the network node authority. Access rights; and
如果查找到所述源地址和源端口对应的访问权限, 所述访问控制的节点 根据所述权限控制所述用户对所述网络节点的通信。  If the access authority corresponding to the source address and the source port is found, the node of the access control controls the communication of the user to the network node according to the authority.
2、 根据权利要求 1所述的方法, 其中, 2. The method according to claim 1, wherein
所述需进行访问控制的地址和端口是指: 配置的一个或多个核心网管理 节点 (CNMP )节点的地址和端口, 和 /或, 配置的身份标识和位置分离网络 中网络节点的地址和端口。  The address and port to be controlled by the access means: the address and port of one or more core network management node (CNMP) nodes configured, and/or the configured identity and the address of the network node in the location separated network port.
3、 根据权利要求 1所述的方法, 该方法还包括: 3. The method of claim 1 further comprising:
如果在所述开放状态表中没有查找到所述数据包的源地址和源端口, 所 述用于访问控制的节点再判断所述数据包的格式是否符合预先规定的网络管 理请求数据包的格式;  If the source address and the source port of the data packet are not found in the open state table, the node for access control determines whether the format of the data packet conforms to a format of a predetermined network management request data packet. ;
如果符合, 验证所述用户是否为网络管理员; 以及  If yes, verify that the user is a network administrator;
如果是网络管理员, 允许所述用户与所述网络节点进行通信。  If it is a network administrator, the user is allowed to communicate with the network node.
4、 根据权利要求 3所述的方法, 该方法还包括: 所述用于访问控制 的节点在以下任一情况下丟弃所述数据包: 4. The method of claim 3, the method further comprising: the node for access control discarding the data packet in any of the following cases:
所述用于访问控制的节点如果在记录的对应关系信息中查找到所述数据 包的源地址和源端口且所述源地址和源端口对应的访问权限不为开放; 所述用于访问控制的节点判断所述数据包的格式不符合预先规定的网络 管理请求数据包的格式; The node for access control finds the source address and the source port of the data packet in the recorded correspondence information, and the access rights corresponding to the source address and the source port are not open; The node for access control determines that the format of the data packet does not conform to a format of a predetermined network management request data packet;
所述用于访问控制的节点判断所述数据包的格式符合预先规定的网络管 理请求数据包的格式, 但验证确定所述用户非网络管理员。  The node for access control determines that the format of the data packet conforms to a format of a predetermined network management request data packet, but the verification determines that the user is not a network administrator.
5、 根据权利要求 1所述的方法, 该方法还包括: 5. The method of claim 1 further comprising:
如果在所述开放状态表中没有查找到所述数据包的源地址和源端口, 所 述用于访问控制的节点再判断所述数据包的格式是否符合预先规定的网络管 理请求数据包的格式;  If the source address and the source port of the data packet are not found in the open state table, the node for access control determines whether the format of the data packet conforms to a format of a predetermined network management request data packet. ;
如果符合, 验证所述用户是否为网络管理员, 当验证确定所述用户为网 络管理员时, 所述用于访问控制的节点再才艮据配置的该网络管理员可访问的 网络节点信息判断所述用户是否具有访问所述网络节点的权限; 如果具有访问所述网络节点的权限,允许所述用户与所述网络节点进行 通信, 否则丟弃所述数据包。  If the user is a network administrator, if the user determines that the user is a network administrator, the node for access control is determined according to the configured network node information accessible by the network administrator. Whether the user has the right to access the network node; if there is permission to access the network node, the user is allowed to communicate with the network node, otherwise the data packet is discarded.
6、 根据权利要求 1所述的方法, 其中 6. The method of claim 1 wherein
所述用于访问控制的节点才艮据所述权限控制所述用户对所述网络节点的 通信的步骤包括: 在所述权限为开放时, 允许所述用户与所述网络节点进行 通信, 否则, 丟弃所述数据包。  The step of the node for access control controlling the communication of the user to the network node according to the permission includes: allowing the user to communicate with the network node when the permission is open, otherwise , discard the packet.
7、 根据权利要求 4或 5所述的方法, 该方法还包括: 7. The method of claim 4 or 5, further comprising:
当所述用于访问控制的节点丟弃具有同一源地址和源端口的数据包的总 次数超过预先设置的次数阔值时, 将所述数据包的源地址和源端口添加到开 放状态表, 并配置所述源地址和源端口对应的访问权限为屏蔽;  Adding a source address and a source port of the data packet to an open state table when the total number of times the node for access control discards the data packet having the same source address and the source port exceeds a preset threshold value, And configuring the access authority corresponding to the source address and the source port as a mask;
所述用于访问控制的节点收到具有对应访问权限为屏蔽的源地址和源端 口的数据包后直接丟弃。  The node for access control directly discards the data packet with the source address and the source port with the corresponding access rights as masked.
8、 根据权利要求 3或 5所述的方法, 其中, 所述验证所述用户是否 为网络管理员的步骤包括: The method according to claim 3 or 5, wherein the step of verifying whether the user is a network administrator comprises:
所述用于访问控制的节点向身份位置寄存器发送管理员身份识别请求, 携带所述用户的用户身份标识; The node for access control sends an administrator identity request to the identity location register, Carrying the user identity of the user;
接收管理员身份认证识别响应, 所述管理员身份认证识别响应中包括所 述身份位置寄存器根据配置的网络管理员的身份标识对所述用户身份标识进 行认证的结果; 以及  Receiving an administrator identity authentication response, the administrator identity authentication response including a result of the identity location register authenticating the user identity according to the configured network administrator identity;
根据所述管理员身份认证识别响应中的认证结果, 确定所述用户是否为 网络管理员。  Determining whether the user is a network administrator according to the authentication result in the administrator identity authentication response.
9、 根据权利要求 8所述的方法, 其中, 9. The method according to claim 8, wherein
所述网络管理请求数据包中包含有管理员标识符,  The network management request packet includes an administrator identifier.
所述用于访问控制的节点向身份位置寄存器发送管理员身份识别请求, 携带所述用户的用户身份标识的步骤包括: 所述用于访问控制的节点从所述 网络管理请求数据包提取出其中的管理员标识符, 发送到所述身份位置寄存 器;  The node for access control sends an administrator identity request to the identity location register, and the step of carrying the user identity of the user includes: the node for access control extracting the packet from the network management request packet Admin identifier, sent to the identity location register;
所述管理员身份认证识别响应是身份位置寄存器根据配置的管理员标识 符与收到的管理员标识符来对所述用户身份标识进行认证的结果。  The administrator identity authentication response is a result of the identity location register authenticating the user identity based on the configured administrator identifier and the received administrator identifier.
10、 根据权利要求 5所述的方法, 该方法还包括: 10. The method of claim 5, further comprising:
时, 所述用于访问控制的节点还将所述数据包的源地址和源端口添加到所述 开放状态表, 并配置所述源地址和源端口对应的访问权限为冻结。 The node for access control further adds a source address and a source port of the data packet to the open state table, and configures the access authority corresponding to the source address and the source port to be frozen.
11、 根据权利要求 10所述的方法, 该方法还包括: 11. The method of claim 10, further comprising:
如确定所述用户为网络管理员, 所述用于访问控制的节点还将所述开放 状态表中所述数据包的源地址和源端口对应的访问权限修改为开放。  If it is determined that the user is a network administrator, the node for access control further modifies the source address of the data packet in the open state table and the access permission corresponding to the source port to be open.
12、 根据权利要求 10所述的方法, 该方法还包括: 12. The method of claim 10, further comprising:
如确定所述用户非网络管理员, 所述用于访问控制的节点将所述开放状 态表中包含所述数据包的源地址和源端口的记录删除。  If it is determined that the user is not a network administrator, the node for access control deletes the record in the open state table that includes the source address and the source port of the data packet.
13、 根据权利要求 6所述的方法, 其中, 所述允许所述用户与所述网 络节点进行通信的步骤包括: 信的加密方式; 以及 13. The method according to claim 6, wherein the step of allowing the user to communicate with the network node comprises: The encryption method of the letter;
釆用所述加密方式建立所述网络节点与所述用户的通信。  The communication between the network node and the user is established by using the encryption method.
14、 根据权利要求 1所述的方法, 其中, 所述用于访问控制的节点为 互通网关和核心网管理节点的组合,或者所述用于访问控制的节点为互通网 关。 The method according to claim 1, wherein the node for access control is a combination of an interworking gateway and a core network management node, or the node for access control is an interworking gateway.
15、 一种网络系统中用于访问控制的节点, 该节点包括: 15. A node for access control in a network system, the node comprising:
接收模块, 其设置为: 接收传统因特网中用户访问身份标识和位置分离 网络中网络节点的数据包;  a receiving module, configured to: receive a data packet of a network node in a user access identity and a location separation network in a traditional Internet;
获取模块, 其设置为: 获取所述数据包的目的地址和目的端口, 如判断 目的地址和目的端口属于需进行访问控制的目的网元的地址和端口, 再获取 所述接收模块接收的数据包的源地址和源端口;  The obtaining module is configured to: obtain a destination address and a destination port of the data packet, and determine, by determining an address and a port of the destination network element that needs to perform access control, and obtain a data packet received by the receiving module. Source address and source port;
查找模块, 其设置为: 在记录的源地址、 源端口与访问所述网络节点权 限的对应关系信息中查找所述数据包的源地址和源端口; 以及  And a search module, configured to: search for a source address and a source port of the data packet in a correspondence between the source address of the record, the source port, and the access authority of the network node; and
控制模块, 其设置为: 在所述查找模块查找到所述数据包的源地址和源 端口且所述源地址和源端口对应的访问权限为开放, 允许所述用户与所述网 络节点进行通信。  a control module, configured to: find, by the lookup module, a source address and a source port of the data packet, and an access right corresponding to the source address and the source port is open, allowing the user to communicate with the network node .
16、 根据权利要求 15所述的节点, 该节点还包括: 16. The node of claim 15, the node further comprising:
第一判断模块, 其设置为: 在所述开放状态表中没有查找到所述数据包 的源地址和源端口时, 再判断所述数据包的格式是否符合预先规定的网络管 理请求数据包的是个; 以及  a first determining module, configured to: when the source address and the source port of the data packet are not found in the open state table, determine whether the format of the data packet meets a predetermined network management request data packet. Is a; and
第一验证模块, 其设置为: 在所述第一判断模块确定所述数据包的格式 符合预先规定的网络管理请求数据包的格式时, 验证所述用户是否为网络管 理员;  a first verification module, configured to: when the first determining module determines that the format of the data packet conforms to a format of a predetermined network management request data packet, verify whether the user is a network administrator;
所述控制模块还设置为: 在所述第一验证模块验证所述用户是网络管理 员时, 允许所述用户与所述网络节点进行通信。 The control module is further configured to: when the first verification module verifies that the user is a network administrator, allow the user to communicate with the network node.
17、 根据权利要求 15所述的节点, 该节点还包括: 17. The node of claim 15, the node further comprising:
第二判断模块, 其设置为: 如果在所述开放状态表中没有查找到所述数 据包的源地址和源端口, 所述用于访问控制的节点再判断所述数据包的格式 是否符合预先规定的网络管理请求数据包的格式; 以及  a second determining module, configured to: if the source address and the source port of the data packet are not found in the open state table, the node for access control determines whether the format of the data packet meets a pre-determination The format of the specified network management request packet;
第二验证模块, 其设置为: 如果所述第二判断模块判断所述数据包的格 式符合预先规定的网络管理请求数据包的格式, 验证所述用户是否为网络管 理员, 当验证确定所述用户为网络管理员时, 再根据配置的该网络管理员可 访问的网络节点信息判断所述用户是否具有访问所述网络节点的权限; 所述控制模块还设置为:在所述第二验证模块确定所述用户具有访问所 述网络节点的权限时, 允许所述用户与所述网络节点进行通信。  a second verification module, configured to: if the second determining module determines that the format of the data packet conforms to a format of a predetermined network management request data packet, and verifies whether the user is a network administrator, when the verification determines that When the user is a network administrator, it is determined whether the user has the right to access the network node according to the configured network node information that the network administrator can access; the control module is further configured to: in the second verification module The user is allowed to communicate with the network node when the user is determined to have access to the network node.
18. The node according to claim 17, wherein
the control module is further configured to discard the data packet in any of the following cases:
the source address and source port of the data packet are found in the recorded correspondence information, but the access right corresponding to the source address and source port is not open;
the format of the data packet is determined to conform to the format of the predetermined network management request data packet, but the verification determines that the user is not a network administrator;
the format of the data packet is determined to conform to the format of the predetermined network management request data packet, and the verification determines that the user is a network administrator, but the user is determined not to have the right to access the network node.
19. The node according to claim 18, further comprising: a fourth configuration module, configured to: when the total number of times the control module has discarded data packets having the same source address and source port exceeds a preset threshold, add the source address and source port of the data packet to the open state table and configure the access right corresponding to the source address and source port as blocked; and a discarding module, configured to: directly discard a received data packet whose source address and source port have the corresponding access right configured as blocked.
20. The node according to claim 17, wherein the second verification module comprises: a sending unit, configured to: send an administrator identity identification request to the identity location register, carrying the user identity of the user;
a receiving unit, configured to: receive an administrator identity authentication response, the administrator identity authentication response including the result of the identity location register authenticating the user identity against the configured identity of the network administrator; and
a determining unit, configured to: determine, according to the authentication result in the administrator identity authentication response, whether the user is a network administrator.
21. The node according to claim 16, further comprising:
a first configuration module, configured to: when the first determining module determines that the format of the data packet conforms to the format of the predetermined network management request data packet, add the source address and source port of the data packet to the open state table and configure the access right corresponding to the source address and source port as frozen.
22. The node according to claim 21, further comprising:
a second configuration module, configured to: when the first verification module determines that the user is a network administrator, modify the access right corresponding to the source address and source port of the data packet in the open state table to open.
23. The node according to claim 21, further comprising: a third configuration module, configured to: when the verification module determines that the user is not a network administrator, delete the record containing the source address and source port of the data packet from the open state table.
24. The node according to claim 15 or 16, wherein the control module further comprises: [acquiring unit text missing on the page] encryption method;
an establishing unit, configured to: establish the communication between the network node and the user using the encryption method acquired by the acquiring unit.
25. The node according to claim 15, wherein the address and port of the destination network element that requires access control are: the address and port of one or more configured core network management (CNMP) nodes, and/or the configured address and port of a network node in the identity and location separation network.
26. An identity and location separation network system, comprising the node for access control according to any one of claims 15 to 25.
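The access-control flow that claims 16 to 23 describe (open state table lookup, management-request format check, administrator check against the identity location register, per-administrator node scope, and the discard threshold of claim 19), as an added Python simulation that is not part of the patent. The Packet fields, the in-memory set standing in for the identity location register, and the handling of an unknown source that is not a management request are assumptions.

```python
from dataclasses import dataclass, field

OPEN, FROZEN, SHIELD = "open", "frozen", "blocked"   # access rights in the open state table

@dataclass
class Packet:                  # constructed stand-in for a received data packet (assumption)
    src_addr: str
    src_port: int
    dst_addr: str
    dst_port: int
    user_id: str               # user identity carried in a management request
    is_mgmt_request: bool      # True if the payload matches the management request format

@dataclass
class AccessControlNode:
    managed: set               # (addr, port) of destinations needing access control (claim 25)
    ilr_admins: set            # identities the identity location register accepts (claim 20)
    admin_scope: dict          # admin id -> set of (addr, port) that admin may access (claim 17)
    threshold: int = 3         # discard-count threshold of claim 19
    state_table: dict = field(default_factory=dict)   # (src_addr, src_port) -> access right
    discards: dict = field(default_factory=dict)      # (src_addr, src_port) -> discard count

    def _discard(self, key):
        """Count the discard; past the threshold the source is blocked (claim 19)."""
        self.discards[key] = self.discards.get(key, 0) + 1
        if self.discards[key] > self.threshold:
            self.state_table[key] = SHIELD
        return "discard"

    def handle(self, pkt):
        if (pkt.dst_addr, pkt.dst_port) not in self.managed:
            return "forward"   # not a controlled destination: pass through (assumption)
        key = (pkt.src_addr, pkt.src_port)
        right = self.state_table.get(key)
        if right == SHIELD:
            return "discard"   # claim 19: dropped directly, no further checks
        if right is not None:  # known source: only an open right lets it through (claim 18)
            return "forward" if right == OPEN else self._discard(key)
        if not pkt.is_mgmt_request:
            return self._discard(key)   # unknown source, not a management request (assumption)
        self.state_table[key] = FROZEN  # claim 21: record the source as frozen while checking
        if pkt.user_id not in self.ilr_admins:  # claims 20 and 23: not an administrator
            del self.state_table[key]
            return self._discard(key)
        if (pkt.dst_addr, pkt.dst_port) not in self.admin_scope.get(pkt.user_id, set()):
            return self._discard(key)   # claim 18, third case; the record stays frozen
        self.state_table[key] = OPEN    # claim 22: administrator with the access right
        return "forward"
```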
PCT/CN2010/075908 2009-10-10 2010-08-11 Method, apparatus and system for controlling user to access network WO2011041963A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200910205326.7 2009-10-10
CN200910205326.7A CN102045313B (en) 2009-10-10 2009-10-10 Method and system for controlling SILSN (Subscriber Identifier & Locator Separation Network)

Publications (1)

Publication Number Publication Date
WO2011041963A1 true WO2011041963A1 (en) 2011-04-14

Family

ID=43856369

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2010/075908 WO2011041963A1 (en) 2009-10-10 2010-08-11 Method, apparatus and system for controlling user to access network

Country Status (2)

Country Link
CN (1) CN102045313B (en)
WO (1) WO2011041963A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102752266A (en) * 2011-04-20 2012-10-24 中国移动通信集团公司 Access control method and equipment thereof

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111193727A (en) * 2019-12-23 2020-05-22 成都烽创科技有限公司 Operation monitoring system and operation monitoring method

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040160975A1 (en) * 2003-01-21 2004-08-19 Charles Frank Multicast communication protocols, systems and methods
CN1801764A (en) * 2006-01-23 2006-07-12 北京交通大学 Internet access method based on identity and location separation

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1310467C (en) * 2003-06-24 2007-04-11 华为技术有限公司 Port based network access control method

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102752266A (en) * 2011-04-20 2012-10-24 中国移动通信集团公司 Access control method and equipment thereof
CN102752266B (en) * 2011-04-20 2015-11-25 中国移动通信集团公司 Access control method and equipment thereof

Also Published As

Publication number Publication date
CN102045313A (en) 2011-05-04
CN102045313B (en) 2014-03-12

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 10821572

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 10821572

Country of ref document: EP

Kind code of ref document: A1