CN107682473A - A kind of IP address distribution method and device - Google Patents


Info

Publication number
CN107682473A
Authority
CN
China
Prior art keywords
client
address
customer waiting
access customer
priority
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201711043047.6A
Other languages
Chinese (zh)
Inventor
董瑶
王国利
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
New H3C Security Technologies Co Ltd
Original Assignee
New H3C Security Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/50 Address allocation
    • H04L61/5007 Internet protocol [IP] addresses
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/50 Address allocation
    • H04L61/5007 Internet protocol [IP] addresses
    • H04L61/503 Internet protocol [IP] addresses using an authentication, authorisation and accounting [AAA] protocol, e.g. remote authentication dial-in user service [RADIUS] or Diameter
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/50 Address allocation
    • H04L61/5061 Pools of addresses
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/105 Multiple levels of security
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/50 Network services
    • H04L67/60 Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources
    • H04L67/61 Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources taking into account QoS or priority requirements
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/16 Implementing security features at a particular protocol layer
    • H04L63/168 Implementing security features at a particular protocol layer above the transport layer

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • Accounting & Taxation (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention provides an IP address allocation method and device, applied to SSL VPN gateway equipment. The method includes: when an authentication request message sent by a user awaiting access through a first client is received, obtaining the authority information of that user; if the number of unallocated IP addresses in the IP address pool is less than a preset address-count threshold, determining the priority of the user based on the authority information; and if the priority of the user is higher than a preset user priority, allocating an IP address to the first client. The invention can preferentially guarantee access for high-priority users when IP address resources are insufficient.

Description

A kind of IP address distribution method and device
Technical field
The present invention relates to the field of network communication technology, and in particular to an IP address allocation method and device.
Background technology
SSL VPN is a VPN (Virtual Private Network) technology based on SSL (Secure Sockets Layer). SSL VPN makes full use of the certificate-based authentication, data encryption and message integrity verification mechanisms of the SSL protocol, and can establish a secure connection between application-layer endpoints.
In SSL VPN with IP-mode access, the SSL VPN gateway equipment and the SSL VPN client used by the user interact through the SSL VPN protocol to complete user authentication, application authorization, and operations such as allocating an IP address to the SSL VPN client of an authenticated user.
The SSL VPN gateway equipment allocates IP addresses to the SSL VPN clients of authenticated users in the order in which they authenticate. Once the IP address resources are exhausted, no IP address can be allocated to the SSL VPN client of any subsequently authenticated user, so such users cannot access the network.
Summary of the invention
The object of the present invention is to provide an IP address allocation method and device that preferentially guarantee access for high-priority users when IP address resources are insufficient.
To achieve the above object, the invention provides the following technical solutions:
In one aspect, the present invention provides an IP address allocation method, applied to SSL VPN gateway equipment, the method including:
when an authentication request message sent by a user awaiting access through a first client is received, obtaining the authority information of the user awaiting access;
if the number of unallocated IP addresses in the IP address pool is less than a preset address-count threshold, determining the priority of the user awaiting access based on that user's authority information;
if the priority of the user awaiting access is higher than a preset user priority, allocating an IP address to the first client.
In another aspect, the present invention provides an IP address allocation device, applied to SSL VPN gateway equipment, the device including:
an acquiring unit, for obtaining the authority information of a user awaiting access when an authentication request message sent by that user through a first client is received;
a determining unit, for determining the priority of the user awaiting access based on that user's authority information if the number of unallocated IP addresses in the IP address pool is less than a preset address-count threshold;
an allocation unit, for allocating an IP address to the first client if the priority of the user awaiting access is higher than a preset user priority.
As can be seen from the above description, the present invention determines the priority of a user awaiting access from that user's authority information. When IP address resources are insufficient, an IP address is allocated to the SSL VPN client of a user awaiting access whose priority is higher than the preset user priority, and allocation is refused to the SSL VPN client of a user awaiting access whose priority is lower than the preset user priority, thereby guaranteeing priority access for high-priority users.
Brief description of the drawings
In order to explain the technical solutions in the embodiments of the present invention more clearly, the drawings needed for describing the embodiments are briefly introduced below. Obviously, the drawings in the following description are only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from these without creative effort.
Fig. 1 is a flow chart of an IP address allocation method shown in an embodiment of the present invention;
Fig. 2 is a networking diagram shown in an embodiment of the present invention;
Fig. 3 is a schematic structural diagram of the SSL VPN gateway equipment shown in an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of an IP address allocation device shown in an embodiment of the present invention.
Detailed description
Exemplary embodiments will be described in detail here, with examples shown in the accompanying drawings. Where the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with the present invention; rather, they are merely examples of apparatus and methods consistent with some aspects of the invention as detailed in the appended claims.
The terminology used in the present invention is only for the purpose of describing particular embodiments and is not intended to limit the invention. The singular forms "a", "said" and "the" used in the present invention and the appended claims are also intended to include the plural forms, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in the present invention to describe various information, this information should not be limited by these terms. These terms are only used to distinguish information of the same type from each other. For example, without departing from the scope of the invention, first information may also be called second information, and similarly second information may also be called first information. Depending on the context, the word "if" as used herein may be interpreted as "when" or "upon" or "in response to determining".
An embodiment of the present invention proposes an IP address allocation method in which the SSL VPN gateway equipment (hereinafter referred to as the gateway device) determines the priority of a user awaiting access based on that user's authority information, so that when IP address resources are insufficient, an IP address is allocated to the SSL VPN client (hereinafter referred to as the client) of a user awaiting access whose priority is higher than the preset user priority.
Referring to Fig. 1, which is a flow chart of one embodiment of the IP address allocation method of the present invention, the embodiment describes the IP address allocation process from the gateway device side.
Step 101: when an authentication request message sent by a user awaiting access through a first client is received, obtain the authority information of the user awaiting access.
The gateway device and the client interact through the SSL VPN protocol to complete user authentication, application authorization, and operations such as allocating an IP address to the client of an authenticated user. In this step the gateway device obtains the authority information of the user awaiting access during the authentication phase of the SSL VPN protocol, which may be done in at least the following two ways:
In one implementation, the user authority information can be obtained by remote authentication. Specifically, the gateway device forwards the authentication request message sent by the user awaiting access through the client (denoted the first client) to an authentication server. The authentication request message carries the user name, password and other information of the user awaiting access. The authentication server authenticates the user based on pre-configured user information and, if the user passes authentication, returns an authentication response message to the gateway device to notify it that the identity of the user awaiting access is legitimate. In the present invention, the authentication response message returned by the authentication server carries the authority information of the user awaiting access (the authority information is part of the user information that the authentication server pre-configures for each legitimate user). For example, the authority information may be the user group to which the user belongs (users in the same user group generally have the same authority), or the authority rules of the user awaiting access. By receiving the authentication response message returned by the authentication server, the gateway device obtains the authority information of the user carried in that message.
In another implementation, the user authority information can be obtained by local authentication. Specifically, local user information (including user name, password, authority information, etc.) is pre-configured on the gateway device. After receiving the authentication request message sent by the user awaiting access through the first client, the gateway device authenticates locally and, if the identity of the user awaiting access is legitimate, obtains the authority information pre-configured for that user.
Step 102: if the number of unallocated IP addresses in the IP address pool is less than the preset address-count threshold, determine the priority of the user awaiting access based on that user's authority information.
The gateway device is pre-configured with the range of IP addresses available for allocation (the IP address pool). When a user accesses the network through a client, the gateway device allocates an IP address from the IP address pool to the client the user is using.
The present invention presets a threshold on the number of IP addresses (the address-count threshold for short). If the number of unallocated IP addresses in the IP address pool is less than the preset address-count threshold, few IP addresses remain available for allocation, that is, IP address resources are insufficient. In that case the gateway device looks up the priority corresponding to the authority information of the user awaiting access in a locally stored mapping between authority information and priority. The higher a user's authority, the higher the priority it represents. For example, a network administrator generally has authorities such as create and delete, while an ordinary user has only access authority, so the priority of a network administrator is generally higher than that of an ordinary user.
Step 103: if the priority of the user awaiting access is higher than the preset user priority, allocate an IP address to the first client.
The present invention presets a user priority. If the priority of the user awaiting access determined in step 102 is higher than the preset user priority, the priority of the current user awaiting access is considered high. For example, with a priority range of 1 to 7 in which a larger value represents a lower priority, if the preset user priority is 4 and the priority of the user awaiting access is 2, the current user awaiting access has a high priority. In that case an IP address needs to be allocated to the first client used by this higher-priority user; that is, when IP address resources are insufficient, allocation of IP addresses to the clients used by high-priority users is guaranteed preferentially.
The specific allocation process is as follows. If unallocated IP addresses exist in the IP address pool, an IP address is allocated from the unallocated IP addresses to the first client used by the user awaiting access whose priority is higher than the preset user priority. If no unallocated IP address exists in the IP address pool, a target client is selected from the second clients used by the currently online users, the IP address of the target client is reclaimed, and it is allocated to the first client used by the user awaiting access whose priority is higher than the preset user priority.
The process of selecting the target client is as follows. For each second client used by an online user, count its online time and its total traffic within that online time, where the online time is the length of time the client has been online since it accessed the network, and the total traffic is the service traffic generated by the client accessing intranet servers through the SSL VPN tunnel with the gateway device during its online time. Based on the online time and total traffic of each second client, determine the average traffic of that second client. If there are third clients among the second clients whose average traffic is less than a preset flow threshold (clients carrying little service traffic), select the target client from the third clients, that is, from the clients carrying little service traffic.
Further, selecting the target client from the third clients may specifically include: counting the total number of connections of each third client within its online time, where the total number of connections is the number of connections the client made to intranet servers through the SSL VPN tunnel during its online time; determining the average number of connections of each third client based on its online time and total number of connections; and, if there are fourth clients among the third clients whose average number of connections is less than a preset connection-count threshold (clients carrying few service types), selecting the target client from the fourth clients, that is, from the clients that carry little service traffic and few service types. If no third client has an average number of connections less than the preset connection-count threshold, that is, the carried service traffic is small but the number of service types is large, then any client is selected as the target client from the third clients carrying little service traffic.
The present invention reclaims the IP address of the target client determined in the above manner and allocates the reclaimed IP address to the first client of the higher-priority user awaiting access.
Of course, if there is no third client among the second clients used by the online users whose average traffic is less than the preset flow threshold, that is, no client carrying little service traffic, then no target client exists and IP address reclamation cannot be performed.
Through IP address reclamation, the present invention can allocate some IP addresses with low utilization to the clients used by higher-priority users, further guaranteeing priority access for high-priority users. For attacks that consume the IP address resources of the gateway device without generating real service traffic, the IP address reclamation strategy of the present invention can effectively prevent attacking users from occupying IP address resources, thereby reducing the impact of such network attacks on the gateway device.
As can be seen from the above description, when IP address resources are insufficient, the present invention determines the priority of a user awaiting access based on that user's authority information, so as to allocate IP addresses to the clients used by higher-priority users awaiting access, guaranteeing priority access for high-priority users.
The IP address allocation process is now described in detail, taking the network shown in Fig. 2 as an example.
The network shown in Fig. 2 includes terminal devices PC1 to PC13 (PC2 to PC7 are not shown in the figure), SSL VPN gateway equipment GW, authentication server AAA, and resource servers Server1 to ServerN (Server2 to ServerN-1 are not shown in the figure). Each user (User) can establish an SSL VPN tunnel with GW through the SSL VPN client (Client) started on the corresponding terminal device PC and access the resource servers.
Assume that the address range of the IP address pool pre-configured on GW is IP1 to IP10 and that the preset address-count threshold is 3. The currently online users are User1 to User8 (User2 to User7 are not shown in the figure), who access the resource servers through SSL VPN tunnels established with GW by the SSL VPN clients (Client1 to Client8) started on the corresponding terminal devices PC1 to PC8. GW has allocated IP addresses IP1 to IP8 to Client1 to Client8 respectively.
When user User9 sends an authentication request message carrying User9's user name and password through Client9 started on PC9, GW forwards the authentication request message to the authentication server AAA. After verifying, based on the user name, password and other information, that User9 is a legitimate user, AAA returns an authentication response message to GW. The authentication response message carries User9's authority information, for example the user group Group5 to which User9 belongs, and GW obtains User9's authority information from the authentication response message.
Since the number of currently remaining unallocated IP addresses in the IP address pool is 2 (the unallocated IP addresses are IP9 and IP10), which is less than the preset address-count threshold 3, IP address resources are currently insufficient, so GW needs to determine User9's priority based on User9's authority information.
Table 1 shows the correspondence between authority information and priority stored in advance on GW.
Authority information (user group)   Priority
Group1                               1
Group2                               2
Group3                               3
Group4                               4
Group5                               5
Table 1
A smaller value represents a higher priority. GW looks up Table 1 and finds that the priority corresponding to User9's user group Group5 is 5. Assuming the user priority preset on GW is 4, User9's priority is lower than the preset user priority, so allocation of an IP address to Client9 used by User9 is refused and User9 cannot use the network.
When user User10 sends an authentication request message carrying User10's user name and password through Client10 started on PC10, GW forwards the authentication request message to the authentication server AAA. After verifying, based on the user name, password and other information, that User10 is a legitimate user, AAA returns an authentication response message to GW. The authentication response message carries User10's authority information, for example the user group Group1 to which User10 belongs, and GW obtains User10's authority information from the authentication response message.
The number of remaining unallocated IP addresses in the IP address pool is currently 2 (the unallocated IP addresses are IP9 and IP10), which is less than the preset address-count threshold 3, so IP address resources are insufficient and GW needs to determine User10's priority. From Table 1, the priority corresponding to User10's user group Group1 is 1, which is higher than the preset user priority, so an IP address needs to be allocated to Client10 used by User10. Since unallocated IP addresses still exist in the IP address pool, GW selects one IP address from the unallocated IP addresses for Client10, for example allocating IP9 to Client10.
When user User11 sends an authentication request message carrying User11's user name and password through Client11 started on PC11, GW forwards the authentication request message to the authentication server AAA. After verifying, based on the user name, password and other information, that User11 is a legitimate user, AAA returns an authentication response message to GW. The authentication response message carries User11's authority information, for example the user group Group2 to which User11 belongs, and GW obtains User11's authority information from the authentication response message.
The number of remaining unallocated IP addresses in the IP address pool is currently 1 (the unallocated IP address is IP10), which is less than the preset address-count threshold 3, so IP address resources are insufficient and GW needs to determine User11's priority. From Table 1, the priority corresponding to User11's user group Group2 is 2, which is higher than the preset user priority, so an IP address needs to be allocated to Client11 used by User11. Since an unallocated IP address (IP10) still exists in the IP address pool, IP10 is allocated to Client11.
When user User12 sends an authentication request message carrying User12's user name and password through Client12 started on PC12, GW forwards the authentication request message to the authentication server AAA. After verifying, based on the user name, password and other information, that User12 is a legitimate user, AAA returns an authentication response message to GW. The authentication response message carries User12's authority information, for example the user group Group3 to which User12 belongs, and GW obtains User12's authority information from the authentication response message.
There are no unallocated IP addresses in the IP address pool, so IP address resources are insufficient and GW needs to determine User12's priority. From Table 1, the priority corresponding to User12's user group Group3 is 3, which is higher than the preset user priority, so an IP address needs to be allocated to Client12 used by User12.
Because there are no unallocated IP addresses in the IP address pool, GW needs to check whether any of the IP addresses currently in use can be reclaimed. Specifically:
GW counts the online time, total traffic and total number of connections of Client1 to Client8 (corresponding to IP1 to IP8) of online users User1 to User8, Client10 (corresponding to IP9) of User10, and Client11 (corresponding to IP10) of User11, as shown in Table 2.
User name   IP address   Online time (minutes)   Total traffic (bytes)   Total connections (times)
User1       IP1          10                      1000                    40
User2       IP2          9                       810                     45
User3       IP3          8                       640                     48
User4       IP4          7                       105                     28
User5       IP5          6                       420                     18
User6       IP6          5                       50                      5
User7       IP7          4                       360                     16
User8       IP8          3                       300                     12
User10      IP9          2                       180                     10
User11      IP10         1                       80                      6
Table 2
The average traffic (total traffic / online time) of each client in Table 2 is calculated. For example, the average traffic of Client1 (corresponding to IP1) is 1000/10 = 100. Similarly, the average traffic of Client2 to Client8, Client10 and Client11 is obtained, as shown in Table 3.
IP address   Average traffic (bytes)
IP1          100
IP2          90
IP3          80
IP4          15
IP5          70
IP6          10
IP7          90
IP8          100
IP9          90
IP10         80
Table 3
Each IP address represents its corresponding client. Assuming the preset flow threshold is 20, Table 3 shows that the average traffic of Client4 (corresponding to IP4) is 15, less than the preset flow threshold 20, and the average traffic of Client6 (corresponding to IP6) is 10, also less than the preset flow threshold 20; that is, the service traffic of Client4 and Client6 is small. The average traffic of the other clients is greater than the preset flow threshold 20, so their service traffic is large.
Further, the average number of connections (total connections / online time) of Client4 and Client6 is determined. From Table 2, the average number of connections of Client4 is 28/7 = 4 and that of Client6 is 5/5 = 1. Assuming the preset connection-count threshold is 3, the average number of connections of Client6, 1, is less than the preset connection-count threshold 3. Therefore IP6, allocated to Client6, is reclaimed, that is, Client6 is forced offline, and IP6 is allocated to Client12 used by User12.
When user User13 sends an authentication request message carrying User13's user name and password through Client13 started on PC13, GW forwards the authentication request message to the authentication server AAA. After verifying, based on the user name, password and other information, that User13 is a legitimate user, AAA returns an authentication response message to GW. The authentication response message carries User13's authority information, for example the user group Group1 to which User13 belongs, and GW obtains User13's authority information from the authentication response message.
There are no unallocated IP addresses in the IP address pool, so IP address resources are insufficient and GW needs to determine User13's priority. From Table 1, the priority corresponding to User13's user group Group1 is 1, which is higher than the preset user priority, so an IP address needs to be allocated to Client13 used by User13.
GW needs to check whether any of the IP addresses currently in use can be reclaimed. Specifically, GW counts the online time, total traffic and total number of connections of Client1 to Client5 (corresponding to IP1 to IP5) of online users User1 to User5, Client7 (corresponding to IP7) of User7, Client8 (corresponding to IP8) of User8, and Client10 to Client12 (corresponding to IP9, IP10 and IP6) of User10 to User12, as shown in Table 4.
User name   IP address   Online time (minutes)   Total traffic (bytes)   Total connections (times)
User1       IP1          11                      1100                    44
User2       IP2          10                      900                     50
User3       IP3          9                       720                     54
User4       IP4          8                       120                     32
User5       IP5          7                       490                     21
User7       IP7          5                       450                     20
User8       IP8          4                       400                     16
User10      IP9          3                       270                     15
User11      IP10         2                       160                     12
User12      IP6          1                       80                      6
Table 4
The average traffic of each client in Table 4 (total traffic divided by online duration) is computed as shown in Table 5.
IP address   Average traffic (bytes per minute)
IP1          100
IP2          90
IP3          80
IP4          15
IP5          70
IP7          90
IP8          100
IP9          90
IP10         80
IP6          80
Table 5
As Table 5 shows, the average traffic of Client4 (corresponding to IP4) is 15, below the preset flow threshold of 20, i.e. Client4's service traffic is small; the average traffic of every other client exceeds the preset flow threshold of 20, i.e. their service traffic is large.
Although Table 4 shows that Client4's average connection count is 32/8 = 4, which is not below the preset connection-count threshold of 3, there is no client in the current network whose traffic is small and whose connection count is also small. Therefore, judging on traffic alone, IP4 of Client4, whose average traffic is below the preset flow threshold, is reclaimed, that is, Client4 is forced offline and IP4 is allocated to Client13, used by User13.
Corresponding to the embodiments of the IP address allocation method above, the present invention also provides embodiments of an IP address allocation apparatus.
The IP address allocation apparatus embodiment of the present invention can be applied in an SSL VPN gateway device. The apparatus embodiment can be implemented in software, or in hardware or a combination of hardware and software. Taking software implementation as an example, the apparatus in the logical sense is formed by the processor of the device it resides in reading the corresponding computer program instructions from memory and running them. In hardware terms, Fig. 3 is a hardware structure diagram of the device on which the IP address allocation apparatus of the present invention resides; besides the processor and non-volatile memory shown in Fig. 3, the device in the embodiment generally also includes other hardware according to its actual function, which is not described further here.
Referring to Fig. 4, which is a structural diagram of the IP address allocation apparatus in one embodiment of the present invention, the IP address allocation apparatus includes an acquiring unit 401, a determining unit 402 and an allocation unit 403, where:
the acquiring unit 401 is configured to obtain the authority information of a user to be accessed when an authentication request message sent by the user to be accessed using a first client is received;
the determining unit 402 is configured to determine the priority of the user to be accessed based on the authority information of the user to be accessed if the number of unallocated IP addresses in the IP address pool is below a preset address-count threshold;
the allocation unit 403 is configured to allocate an IP address to the first client if the priority of the user to be accessed is higher than the default user priority.
Further,
the acquiring unit 401 is specifically configured to forward the authentication request message to an authentication server; receive the authentication response message, carrying the authority information of the user to be accessed, that the authentication server returns after confirming that the user to be accessed passes authentication; and obtain the authority information of the user to be accessed from the authentication response message.
Further,
the determining unit 402 is specifically configured to look up, in a locally stored correspondence between authority information and priority, the priority corresponding to the authority information of the user to be accessed.
Further,
the allocation unit 403 is specifically configured to: if unallocated IP addresses exist in the IP address pool, allocate an IP address to the first client from the unallocated IP addresses; if no unallocated IP address exists in the IP address pool, select a target client from the second clients used by current online users and reclaim the IP address of the target client; and allocate the reclaimed IP address to the first client.
Further, the allocation unit 403 selecting a target client from the second clients used by current online users includes:
counting the online duration of the second client used by each online user and the total traffic within that online duration; determining the average traffic of each second client based on its online duration and total traffic; and, if there are third clients among the second clients whose average traffic is below the preset flow threshold, selecting the target client from the third clients.
Further, the allocation unit 403 selecting the target client from the third clients includes:
counting the total connection count of each third client within its online duration; determining the average connection count of each third client based on its online duration and total connection count; and, if there are fourth clients among the third clients whose average connection count is below the preset connection-count threshold, selecting the target client from the fourth clients.
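The following is an added example, not code from the patent or from its assignee, that models the gateway-side selection logic described in the worked example above (Tables 4 and 5, where IP4 is reclaimed for Client13) and in the description of the allocation unit 403 (the third-client/fourth-client filtering). The flow threshold of 20, the connection-count threshold of 3 and the Table 4 rows come from the description; the group-to-priority mapping, the default user priority, the address-count threshold, the tie-break between several candidate clients, and all function and variable names are assumptions made for this example. The second data set is constructed to mirror the Client4/Client6 numbers quoted earlier (28/7 = 4 and 5/5 = 1) so that the connection-count step is exercised too.

```python
"""Added example (not the patent's own code): a model of the SSL VPN gateway's
address allocation decision, with priority check, reclaim selection by average
traffic, and the connection-count tie-break described for the allocation unit."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class OnlineClient:
    """One row of the gateway's online-user statistics (the columns of Table 4)."""
    user: str
    ip: str
    online_minutes: int
    total_bytes: int
    total_connections: int

    @property
    def avg_flow(self) -> float:
        # average traffic: total bytes per minute of online time (Table 5)
        return self.total_bytes / self.online_minutes

    @property
    def avg_connections(self) -> float:
        # average connection count: total connections per minute of online time
        return self.total_connections / self.online_minutes


# Table 4 from the description: user, IP, minutes online, total bytes, total connections.
TABLE_4: List[OnlineClient] = [
    OnlineClient("User1", "IP1", 11, 1100, 44),
    OnlineClient("User2", "IP2", 10, 900, 50),
    OnlineClient("User3", "IP3", 9, 720, 54),
    OnlineClient("User4", "IP4", 8, 120, 32),
    OnlineClient("User5", "IP5", 7, 490, 21),
    OnlineClient("User7", "IP7", 5, 450, 20),
    OnlineClient("User8", "IP8", 4, 400, 16),
    OnlineClient("User10", "IP9", 3, 270, 15),
    OnlineClient("User11", "IP10", 2, 160, 12),
    OnlineClient("User12", "IP6", 1, 80, 6),
]

# Constructed data set (not from the page) mirroring the Client4/Client6 numbers
# quoted in the description: one low-traffic client with 28/7 = 4 connections per
# minute and one with 5/5 = 1, plus a busy client that must never be reclaimed.
CONSTRUCTED_SET: List[OnlineClient] = [
    OnlineClient("UserA", "IPa", 7, 100, 28),
    OnlineClient("UserB", "IPb", 5, 50, 5),
    OnlineClient("UserC", "IPc", 10, 1000, 40),
]

FLOW_THRESHOLD = 20         # preset flow threshold from the description
CONN_THRESHOLD = 3          # preset connection-count threshold from the description
DEFAULT_USER_PRIORITY = 0   # assumption: ordinary users sit at priority 0
GROUP_PRIORITY: Dict[str, int] = {"Group1": 1}  # assumed excerpt of Table 1


def user_priority(group: str) -> int:
    """Look up the priority for the user's group; unknown groups get the default."""
    return GROUP_PRIORITY.get(group, DEFAULT_USER_PRIORITY)


def select_target_client(clients: List[OnlineClient]) -> Optional[OnlineClient]:
    """Choose the online client whose address will be reclaimed.

    Step 1 (third clients): average traffic below the flow threshold.
    Step 2 (fourth clients): among those, average connections below the
    connection threshold.  If step 2 yields nobody, the decision is made on
    traffic alone, as the description does for Client4.
    """
    low_flow = [c for c in clients if c.avg_flow < FLOW_THRESHOLD]
    if not low_flow:
        return None  # every online client carries real traffic: nothing to reclaim
    low_conn = [c for c in low_flow if c.avg_connections < CONN_THRESHOLD]
    candidates = low_conn or low_flow
    # Tie-break (assumption; the description leaves it open): lowest average traffic.
    return min(candidates, key=lambda c: (c.avg_flow, c.avg_connections))


def allocate_address(group: str, free_pool: List[str], online: List[OnlineClient],
                     addr_threshold: int = 1) -> Optional[str]:
    """Return the IP address allocated to the newly authenticated client, or None."""
    if len(free_pool) >= addr_threshold:
        return free_pool.pop(0)          # enough addresses: no priority check needed
    if user_priority(group) <= DEFAULT_USER_PRIORITY:
        return None                      # resources short and user not privileged
    if free_pool:
        return free_pool.pop(0)          # short but not exhausted: use a free one
    target = select_target_client(online)
    if target is None:
        return None
    online.remove(target)                # force the target client offline
    return target.ip                     # hand its address to the new client


if __name__ == "__main__":
    online = list(TABLE_4)
    print(allocate_address("Group1", [], online))   # IP4, as in the description
```

Running the block reproduces the outcome of the worked example: with the pool empty and User13 in Group1, the only client under the flow threshold is Client4 (IP4, 15 bytes per minute), so IP4 is reclaimed even though its connection count is not under the connection threshold. With the constructed set, both low-traffic clients pass step 1 and the connection-count step picks IPb, the analogue of Client6.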
For the implementation process of the functions and effects of the units in the apparatus above, refer to the implementation process of the corresponding steps in the method above, which is not repeated here.
Since the apparatus embodiments essentially correspond to the method embodiments, refer to the description of the method embodiments for the related parts. The apparatus embodiments described above are merely illustrative: units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units, i.e. they may be located in one place or distributed over multiple network elements. Some or all of the modules may be selected according to actual need to achieve the purpose of the present invention. Those of ordinary skill in the art can understand and implement it without creative effort.
The foregoing describes only preferred embodiments of the present invention and is not intended to limit it; any modification, equivalent substitution or improvement made within the spirit and principles of the present invention shall be included within its scope of protection.

Claims (12)

1. An Internet Protocol (IP) address allocation method, applied to a Secure Sockets Layer (SSL) VPN gateway device, characterized in that the method includes:
when an authentication request message sent by a user to be accessed using a first client is received, obtaining authority information of the user to be accessed;
if the number of unallocated IP addresses in an IP address pool is below a preset address-count threshold, determining the priority of the user to be accessed based on the authority information of the user to be accessed;
if the priority of the user to be accessed is higher than a default user priority, allocating an IP address to the first client.
2. The method according to claim 1, characterized in that obtaining the authority information of the user to be accessed includes:
forwarding the authentication request message to an authentication server;
receiving an authentication response message, carrying the authority information of the user to be accessed, returned by the authentication server after it confirms that the user to be accessed passes authentication;
obtaining the authority information of the user to be accessed from the authentication response message.
3. The method according to claim 1, characterized in that determining the priority of the user to be accessed based on the authority information of the user to be accessed includes:
looking up, in a locally stored correspondence between authority information and priority, the priority corresponding to the authority information of the user to be accessed.
4. The method according to claim 1, characterized in that allocating an IP address to the first client includes:
if unallocated IP addresses exist in the IP address pool, allocating an IP address to the first client from the unallocated IP addresses;
if no unallocated IP address exists in the IP address pool, selecting a target client from second clients used by current online users and reclaiming the IP address of the target client;
allocating the reclaimed IP address to the first client.
5. The method according to claim 4, characterized in that selecting a target client from the second clients used by current online users includes:
counting the online duration of the second client used by each online user and the total traffic within that online duration;
determining the average traffic of each second client based on its online duration and total traffic;
if there are third clients among the second clients whose average traffic is below a preset flow threshold, selecting the target client from the third clients.
6. The method according to claim 5, characterized in that selecting the target client from the third clients includes:
counting the total connection count of each third client within its online duration;
determining the average connection count of each third client based on its online duration and total connection count;
if there are fourth clients among the third clients whose average connection count is below a preset connection-count threshold, selecting the target client from the fourth clients.
7. An Internet Protocol (IP) address allocation apparatus, applied to a Secure Sockets Layer (SSL) VPN gateway device, characterized in that the apparatus includes:
an acquiring unit, configured to obtain authority information of a user to be accessed when an authentication request message sent by the user to be accessed using a first client is received;
a determining unit, configured to determine the priority of the user to be accessed based on the authority information of the user to be accessed if the number of unallocated IP addresses in an IP address pool is below a preset address-count threshold;
an allocation unit, configured to allocate an IP address to the first client if the priority of the user to be accessed is higher than a default user priority.
8. The apparatus according to claim 7, characterized in that:
the acquiring unit is specifically configured to forward the authentication request message to an authentication server; receive an authentication response message, carrying the authority information of the user to be accessed, returned by the authentication server after it confirms that the user to be accessed passes authentication; and obtain the authority information of the user to be accessed from the authentication response message.
9. The apparatus according to claim 7, characterized in that:
the determining unit is specifically configured to look up, in a locally stored correspondence between authority information and priority, the priority corresponding to the authority information of the user to be accessed.
10. The apparatus according to claim 7, characterized in that:
the allocation unit is specifically configured to: if unallocated IP addresses exist in the IP address pool, allocate an IP address to the first client from the unallocated IP addresses; if no unallocated IP address exists in the IP address pool, select a target client from second clients used by current online users and reclaim the IP address of the target client; and allocate the reclaimed IP address to the first client.
11. The apparatus according to claim 10, characterized in that the allocation unit selecting a target client from the second clients used by current online users includes:
counting the online duration of the second client used by each online user and the total traffic within that online duration; determining the average traffic of each second client based on its online duration and total traffic; and, if there are third clients among the second clients whose average traffic is below a preset flow threshold, selecting the target client from the third clients.
12. The apparatus according to claim 11, characterized in that the allocation unit selecting the target client from the third clients includes:
counting the total connection count of each third client within its online duration; determining the average connection count of each third client based on its online duration and total connection count; and, if there are fourth clients among the third clients whose average connection count is below a preset connection-count threshold, selecting the target client from the fourth clients.

Application and Publication Data

Application number: CN201711043047.6A (priority date 2017-10-31, filing date 2017-10-31; status: Pending)
Publication number: CN107682473A (published 2018-02-09; country: CN)
Family ID: 61143082
Title: A kind of IP address distribution method and device

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1744531A (en) * 2004-09-02 2006-03-08 中兴通讯股份有限公司 Off-flow monitoring method for accessing server
CN102932501A (en) * 2012-11-08 2013-02-13 杭州迪普科技有限公司 Address pool resource protecting method and device thereof
CN106209838A (en) * 2016-07-08 2016-12-07 杭州迪普科技有限公司 The IP cut-in method of SSL VPN and device

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2019158010A1 (en) * 2018-02-13 2019-08-22 华为技术有限公司 Resource management method, device and system
CN110166580A (en) * 2018-02-13 2019-08-23 华为技术有限公司 Method, equipment and the system of resource management
CN110166580B (en) * 2018-02-13 2021-12-24 华为技术有限公司 Resource management method, equipment and system
CN110225145A (en) * 2019-03-07 2019-09-10 山石网科通信技术股份有限公司 Distribute the methods, devices and systems of address
CN114189469A (en) * 2021-12-09 2022-03-15 重庆紫光华山智安科技有限公司 Public cloud multi-node device access routing method and system

Legal Events

Code   Title
PB01   Publication
SE01   Entry into force of request for substantive examination
RJ01   Rejection of invention patent application after publication (application publication date: 20180209)