WO2009067871A1 - Method, system and device for user access security control


Info

Publication number
WO2009067871A1
Authority
WO
WIPO (PCT)
Prior art keywords
user
link identifier
access
module
control
Prior art date
Application number
PCT/CN2008/072243
Other languages
English (en)
Chinese (zh)
Inventor
Qinfeng Gu
Jiaofeng Li
Original Assignee
Huawei Technologies Co., Ltd.
Priority date
Filing date
Publication date
Application filed by Huawei Technologies Co., Ltd.
Publication of WO2009067871A1


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/102 Entity profiles
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks

Definitions

  • the present invention relates to the field of communications, and in particular, to a method, system and device for user access security control.

Background art

  • the network has also evolved from a traditional network that provides only Internet access services into a multi-service bearer network.
  • FIG. 1 is a schematic diagram of networking of a broadband access technology provided by the prior art, where a TV set-top box, a VoIP (Voice over Internet Protocol) terminal, a PC connected to the Internet, a mobile phone terminal, a handheld multimedia terminal, etc. are the user terminals.
  • the user completes unified access through the RG (Residential Gateway), and the RG is connected over the telephone twisted pair by ADSL (Asymmetric Digital Subscriber Line)/VDSL (Very-high-data-rate Digital Subscriber Line).
  • DSLAM Digital Subscriber Line Access Multiplexer
  • BNG Broadband Network Gateway
  • BRAS Broadband Remote Access Server (broadband remote access service equipment)
  • PPPoE PPP over Ethernet (PPP protocol carried on Ethernet)
  • DHCP Dynamic Host Configuration Protocol
  • the network also includes a policy server, a gateway server, and the like that implement user/service management by issuing control policies to various gateway devices in the network.
  • BNG is a core node in the network that handles functions such as user access management, service distribution, and service policy implementation.
  • FIG. 2 is a schematic diagram of user service access mapping provided by the prior art.
  • the user services are connected to the DSLAM through different VCs (Virtual Circuits).
  • the TV set-top box service is accessed through VC1 access, VoIP services through VC2 access, and PC services through VC3.
  • DSLAM completes VC to VLAN mapping
  • the prior art provides two mapping models:
  • N:1 model: the same service type is mapped to the same S-VLAN; that is, the traffic of the same service type from all users on one DSLAM is recognized by the BNG through the same S-VLAN when it arrives at the BNG.
  • In the other model, the DSLAM assigns a unique S-VLAN + C-VLAN combination to each service type, generally with the S-VLAN identifying the service and the C-VLAN identifying the user; that is, on one DSLAM, a user's data packet for each type of service arriving at the BNG is uniquely determined by the S-VLAN + C-VLAN combination.
  • the BNG identifies the user link of the access through VLAN/QinQ (extended 802.1Q), and the security control is also VLAN/QinQ-granular. In the multi-service mode, the BNG cannot uniquely identify the user link through VLAN/QinQ, and thus cannot implement security control on a single user link.

Summary of the invention

  • an embodiment of the present invention provides a method, system, and device for user access security control.
  • the technical solution is as follows:
  • An embodiment of the present invention provides a method for user access security control, where the method includes:
  • the embodiment of the invention further provides a system for user access security control, the system comprising:
  • a user node configured to send an access request message
  • An access device configured to receive an access request message sent by the user node, insert a user link identifier into the access request message sent by the user node, and send the access request message with the user link identifier inserted.
  • the control device is configured to: after receiving the access request message into which the access device inserted the user link identifier, parse it to obtain the user link identifier; determine, according to the user link identifier, whether the access request message meets the preset access condition; and if yes, allow the user node corresponding to the user link identifier to access.
  • An embodiment of the present invention further provides an access device, where the device includes:
  • a receiving module configured to receive an access request message sent by the user node
  • the identifier insertion module is configured to insert a user link identifier into the access request message received by the receiving module; and a sending module is configured to send the access request message into which the identifier insertion module inserted the user link identifier.
  • An embodiment of the present invention further provides a control device, where the device includes: a receiving module, configured to receive an access request message sent by the access device, where the access request message carries a user link identifier;
  • a parsing module configured to parse the access request packet received by the receiving module to obtain the user link identifier
  • the processing module is configured to determine, according to the user link identifier obtained by the parsing module, whether the access request packet meets the preset access condition, and if so, to allow the user corresponding to the user link identifier to access.
  • the user link can be uniquely identified in the multi-service mode, thereby implementing security control on a single user link according to the user link identification information on the pre-configured logical interface.
  • FIG. 1 is a schematic diagram of networking of a broadband access technology provided by the prior art
  • FIG. 2 is a schematic diagram of user service access mapping provided by the prior art
  • FIG. 3 is a flowchart of a method for user access security control provided by Embodiment 1 of the present invention.
  • FIG. 4 is a flowchart of a method for user access security control provided by Embodiment 2 of the present invention.
  • FIG. 5 is a flowchart of a method for user access security control provided by Embodiment 3 of the present invention.
  • FIG. 6 is a schematic diagram of a system for user access security control provided by Embodiment 4 of the present invention.
  • FIG. 7 is a detailed schematic diagram of a system for user access security control provided by Embodiment 4 of the present invention.
  • FIG. 8 is a schematic diagram of an access device according to Embodiment 5 of the present invention.
  • FIG. 9 is a schematic diagram of a control device according to Embodiment 6 of the present invention.
  • FIG. 10 is a detailed schematic diagram of a control device according to Embodiment 6 of the present invention.
  • FIG. 11 is another schematic diagram of the control device provided in Embodiment 6 of the present invention.

Detailed description

  • the BNG can uniquely identify the user link in the multi-service mode by means of the user link identification information, and implement security control on a single user link.
  • the method for user access security control provided by the embodiment of the present invention includes: receiving an access request message, where the access request message carries the user link identifier; parsing the access request message to obtain the user link identifier; determining, according to the user link identifier, whether the access request message satisfies the preset access condition; and if yes, allowing the user corresponding to the user link identifier to access.

Embodiment 1

  • an embodiment of the present invention provides a method for user access security control, and the steps are as follows:
  • Step 101 The BNG obtains a user link identifier.
  • the BNG can obtain the user link identifier information in the following two ways:
  • the DSLAM device information includes the frame number, slot number, and port number of the device; the DSLAM can uniquely identify a user link to the DSLAM by using frame number + slot number + port number.
  • the reference command line format is as follows: Access-loop-circuit-identifier dslaml-atm-frame-slot/port [vpi.vci]
  • access-loop-circuit-identifier is the command word, which indicates that a user link identifier needs to be configured on the BNG, followed by a string corresponding to each identifier.
  • dslaml indicates the DSLAM node name, and atm indicates that the link layer between the RG and the DSLAM is ATM.
  • frame is the frame number of the DSLAM, slot is the slot number in the DSLAM, and port is the port number of the DSLAM.
  • vpi.vci is the optional PVC (Permanent Virtual Circuit) information.
  • the link information reporting function provided by the Access Node Control Protocol (ANCP) is used.
  • the ANCP protocol is used as the transport layer protocol to carry control information between the BNG and the DSLAM.
  • the DSLAM reports the user link information of the user to the BNG through the ANCP protocol, where the user link information includes a user link status, a user link identifier, and related user link parameters.
  • the ANCP protocol is defined as follows:
  • Step 102 The BNG creates a corresponding logical link identifier (ie, a logical interface) for the user link identifier according to the obtained user link identifier.
  • the logical link identifier may be the user link identifier itself or a logical interface created according to the user link identifier.
  • this embodiment takes the case where the logical link identifier is a logical interface as an example.
  • the logical interface created by the BNG uniquely corresponds to the user link identifier.
  • After the BNG creates a logical interface, it can implement the security control policy on the created logical interface.
  • Step 103 User X initiates an access request through DHCP, that is, sends a DHCP access request message.
  • the user initiates the access request through the DHCP protocol or the PPPoE protocol according to the user's service type. For example, a PC user requesting access to the Internet initiates the access request through the PPPoE protocol, while a user requesting access to an IPTV service or a VoIP phone terminal user requesting access to a VoIP service initiates the access request through the DHCP protocol.
  • This embodiment uses user X initiating an access request through DHCP as an example, but does not limit the type of the access request.
  • Step 104 The DSLAM receives the DHCP access request packet sent by user X, inserts the user link identifier into the received DHCP access request packet, and forwards the DHCP access request packet with the user link identifier inserted to the BNG.
  • the Agent-Circuit-ID option is used in the packet to indicate the identifier of the line through which the user accesses.
  • When receiving the DHCP access request message sent by user X, the DSLAM knows on which frame, slot, and port the access request message was received, and accordingly inserts the corresponding user link identifier.
  • the format of the user link identifier must be the same as the format of the user link identifier preset on the BNG.
  • Step 105 The BNG receives the DHCP access request packet that is sent by the DSLAM and carries the user link identifier, and determines whether the corresponding logical interface can be found according to the user link identifier carried in the DHCP access request packet. If yes, step 106 is performed; otherwise, step 107 is performed.
  • Step 106 The BNG creates a user access entry bound to the logical interface, saves the information of user X, and then the following step is executed.
  • the information of user X and the corresponding logical interface identifier may be stored in the user access table, and the information of user X includes the MAC (Media Access Control) address, IP address, authentication information, charging information, and the like of user X.
  • Step 107 The BNG discards the received access request packet, prohibits user X from accessing, and ends.
  • Step 108 The BNG returns a DHCP response message to the DSLAM, where the DHCP response message carries the user link identification information.
  • Step 109 The DSLAM receives the DHCP response packet returned by the BNG, deletes the user link identifier information carried in the DHCP response packet, and forwards the DHCP response packet, from which the user link identifier information has been deleted, to user X.
  • Step 110 After the DHCP negotiation is completed, user X successfully accesses the BNG, and the process ends.
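The exchange of steps 103 to 110 at the DHCP option level, as an added example that is not part of the patent or of any Huawei implementation. It assumes the user link identifier travels as the Agent Circuit ID sub-option of DHCP Option 82 (the relay agent information option of RFC 3046), builds the identifier in the frame-slot/port form of the command line above, and uses constructed values for the node name dslam1, the interface name lif-0/3/7 and the user's MAC address. The one defensive detail worth noting is in dslam_insert_identifier: because the BNG selects the logical interface purely from this identifier, the DSLAM replaces any Option 82 the subscriber's own packet already carried rather than appending to it.

```python
"""Added example (not from the patent): the Embodiment 1 exchange at the DHCP
option level. Option 82 / Agent Circuit ID codes are from RFC 3046; the
identifier string format and the names dslam1 and lif-0/3/7 are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

OPTION_PAD = 0
OPTION_MSG_TYPE = 53
OPTION_RELAY_AGENT = 82    # DHCP Relay Agent Information option (RFC 3046)
SUBOPT_CIRCUIT_ID = 1      # Agent Circuit ID sub-option
OPTION_END = 255

Options = List[Tuple[int, bytes]]


def encode_options(options: Options) -> bytes:
    """Serialise (code, value) pairs in DHCP TLV form, terminated by END."""
    out = bytearray()
    for code, value in options:
        if len(value) > 255:
            raise ValueError("DHCP option value longer than 255 bytes")
        out += bytes([code, len(value)]) + value
    out.append(OPTION_END)
    return bytes(out)


def decode_options(blob: bytes) -> Options:
    """Parse the TLV area defensively: a truncated option is an error, not a crash."""
    opts: Options = []
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == OPTION_END:
            break
        if code == OPTION_PAD:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts.append((code, value))
        i += 2 + length
    return opts


def user_link_identifier(dslam: str, frame: int, slot: int, port: int,
                         pvc: Optional[str] = None) -> bytes:
    """Build the identifier in the assumed node-atm-frame-slot/port [vpi.vci] form."""
    text = f"{dslam}-atm-{frame}-{slot}/{port}"
    if pvc:
        text += f" {pvc}"
    return text.encode("ascii")


def dslam_insert_identifier(request: bytes, identifier: bytes) -> bytes:
    """Step 104: tag the request with the line it arrived on. Any Option 82 already
    present in the subscriber's packet is replaced, never trusted."""
    opts = [o for o in decode_options(request) if o[0] != OPTION_RELAY_AGENT]
    sub_option = bytes([SUBOPT_CIRCUIT_ID, len(identifier)]) + identifier
    opts.append((OPTION_RELAY_AGENT, sub_option))
    return encode_options(opts)


def dslam_strip_identifier(response: bytes) -> bytes:
    """Step 109: remove Option 82 before the reply is forwarded to the user."""
    return encode_options([o for o in decode_options(response)
                           if o[0] != OPTION_RELAY_AGENT])


def bng_parse_identifier(request: bytes) -> Optional[bytes]:
    """Step 105 (parsing half): pull the Agent Circuit ID out of Option 82."""
    for code, value in decode_options(request):
        if code != OPTION_RELAY_AGENT:
            continue
        j = 0
        while j + 1 < len(value):
            sub, length = value[j], value[j + 1]
            if sub == SUBOPT_CIRCUIT_ID:
                return value[j + 2:j + 2 + length]
            j += 2 + length
    return None


@dataclass
class BNG:
    logical_interfaces: Dict[bytes, str]                  # step 102: identifier -> interface
    user_access_table: Dict[bytes, Dict[str, object]] = field(default_factory=dict)

    def handle_request(self, request: bytes, mac: bytes) -> Optional[bytes]:
        identifier = bng_parse_identifier(request)
        if identifier is None or identifier not in self.logical_interfaces:
            return None                                    # step 107: discard, no access
        self.user_access_table[mac] = {                    # step 106: bind user to interface
            "interface": self.logical_interfaces[identifier], "link": identifier}
        reply = [(OPTION_MSG_TYPE, b"\x02")]               # DHCPOFFER
        reply += [o for o in decode_options(request) if o[0] == OPTION_RELAY_AGENT]
        return encode_options(reply)                       # step 108: reply echoes Option 82


def run_embodiment_1() -> Dict[str, object]:
    """Drive one access request end to end and report what each side saw."""
    identifier = user_link_identifier("dslam1", 0, 3, 7, "0.35")   # constructed line
    bng = BNG(logical_interfaces={identifier: "lif-0/3/7"})
    mac = bytes.fromhex("001122334455")                              # constructed user X
    discover = encode_options([(OPTION_MSG_TYPE, b"\x01")])           # step 103: DHCPDISCOVER
    relayed = dslam_insert_identifier(discover, identifier)
    reply = bng.handle_request(relayed, mac)
    to_user = dslam_strip_identifier(reply) if reply is not None else None
    return {
        "admitted": reply is not None,
        "interface": bng.user_access_table.get(mac, {}).get("interface"),
        "reply_carries_identifier": reply is not None and bng_parse_identifier(reply) == identifier,
        "user_sees_identifier": to_user is not None and bng_parse_identifier(to_user) is not None,
    }
```

Running run_embodiment_1() shows the identifier present on the DSLAM-to-BNG leg, echoed in the BNG's reply, and absent from what reaches the user; a request arriving on a line with no pre-created logical interface is dropped without touching the user access table.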
  • After the user accesses the BNG device, security control can also be performed on the user, for example:
  • 1) the BNG can also configure a bandwidth parameter for the created logical interface, where the bandwidth parameter specifically includes an uplink bandwidth parameter and a downlink bandwidth parameter.
  • After user X successfully accesses the BNG, user X sends a data packet carrying the user's MAC address and IP address; the BNG searches the user access table according to the MAC address and IP address carried in the received data packet, finds the corresponding logical interface, and performs bandwidth control on the data packet according to the uplink bandwidth parameter configured on the logical interface. When a device providing the service in the network (such as an ASP) sends a data packet to user X through the BNG, the BNG searches the user access table according to the user MAC address carried in the data packet, finds the corresponding logical interface, and performs bandwidth control on the data packet sent to user X according to the downlink bandwidth parameter configured on the logical interface.
  • 2) When access control needs to be implemented on user X, the traffic-policy command can be used to configure an access control policy on the BNG logical interface.
  • After user X successfully accesses the BNG, user X sends a data packet carrying the user's MAC address and IP address; the BNG searches the user access table according to the MAC address and IP address carried in the received data packet, finds the logical interface corresponding to user X, and performs flow control on the data packet sent by user X according to the access control policy configured on the logical interface. When a device providing the service in the network (such as an ASP) sends a data packet to user X through the BNG, the BNG searches the user access table according to the MAC address of user X carried in the data packet, finds the logical interface corresponding to user X (the next hop of the data packet is the logical interface corresponding to user X on the BNG device), and performs flow control on the data packet sent to user X through the BNG according to the access control policy configured on the logical interface.
  • 3) the BNG can also configure the multicast control policy on the logical interface, that is, configure the multicast control list.
  • IGMP Internet Group Management Protocol
  • After user X successfully accesses the BNG, user X sends an IGMP message request carrying the user MAC address. After receiving the IGMP message request sent by user X, the BNG searches the user access table according to the MAC address, finds the logical interface corresponding to user X, and determines, according to the multicast control list configured on the logical interface, whether user X is allowed to join the multicast group. If yes, the BNG allows user X to join the multicast group and sends the multicast data traffic to user X; otherwise, the IGMP message request sent by user X is discarded.
  • the method provided by the embodiment of the present invention configures the logical interface on the BNG device so that the user link can be uniquely identified in the multi-service mode, and thereby implements, through the security control policy configured on the logical interface according to the user link identification information, security controls such as access control, bandwidth control, flow control, and multicast control on a single user link.
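The post-access controls of items 1) to 3) above, as an added example that is not the patent's own code: a user access table keyed by MAC address and IP, an uplink and a downlink token bucket per logical interface standing in for the bandwidth parameters, a first-match rule list standing in for the policy set with the traffic-policy command, and a multicast control list consulted on each IGMP join. The token-bucket form, the permit-by-default behaviour when no rule matches, the rule shape (action plus remote network), the interface name lif-0/3/7 and all addresses and rates are assumptions of this example.

```python
"""Added example (not from the patent): the per-logical-interface controls the
BNG applies after access, all driven by the user access table. Rates, policy
rules, the name lif-0/3/7 and every address are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class TokenBucket:
    """Token bucket with rate in bytes per second and burst depth in bytes."""
    rate: float
    burst: int
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst)

    def allow(self, nbytes: int, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if nbytes <= self.tokens:
            self.tokens -= nbytes
            return True
        return False


@dataclass
class LogicalInterface:
    name: str
    uplink: TokenBucket            # uplink bandwidth parameter
    downlink: TokenBucket          # downlink bandwidth parameter
    # access control policy: first-match rules on the remote address (assumed form)
    policy: List[Tuple[str, ipaddress.IPv4Network]] = field(default_factory=list)
    multicast_list: Set[str] = field(default_factory=set)   # multicast control list


@dataclass
class BNG:
    interfaces: Dict[str, LogicalInterface]
    # user access table: MAC -> (IP, logical interface name), filled at access time
    user_access_table: Dict[bytes, Tuple[str, str]] = field(default_factory=dict)

    def _interface_for(self, mac: bytes, ip: Optional[str] = None) -> Optional[LogicalInterface]:
        entry = self.user_access_table.get(mac)
        if entry is None or (ip is not None and entry[0] != ip):
            return None   # unknown user, or MAC/IP pair does not match the stored entry
        return self.interfaces[entry[1]]

    @staticmethod
    def _permitted(lif: LogicalInterface, remote_ip: str) -> bool:
        addr = ipaddress.ip_address(remote_ip)
        for action, network in lif.policy:
            if addr in network:
                return action == "permit"
        return True   # no rule matched: permit (assumption for this example)

    def upstream(self, mac: bytes, src_ip: str, dst_ip: str, nbytes: int, now: float) -> str:
        """Packet from user X: table lookup by MAC and IP, policy, then uplink rate."""
        lif = self._interface_for(mac, src_ip)
        if lif is None:
            return "drop:unknown-user"
        if not self._permitted(lif, dst_ip):
            return "drop:policy"
        if not lif.uplink.allow(nbytes, now):
            return "drop:uplink-bandwidth"
        return f"forward:{lif.name}"

    def downstream(self, dst_mac: bytes, src_ip: str, nbytes: int, now: float) -> str:
        """Packet towards user X (e.g. from an ASP): lookup by MAC, policy, downlink rate."""
        lif = self._interface_for(dst_mac)
        if lif is None:
            return "drop:unknown-user"
        if not self._permitted(lif, src_ip):
            return "drop:policy"
        if not lif.downlink.allow(nbytes, now):
            return "drop:downlink-bandwidth"
        return f"forward:{lif.name}"

    def igmp_join(self, mac: bytes, group: str) -> bool:
        """IGMP join from user X is honoured only for groups on the interface's list."""
        lif = self._interface_for(mac)
        return lif is not None and group in lif.multicast_list


def build_demo_bng() -> Tuple[BNG, bytes]:
    """One logical interface: 1 kB/s each way, one deny rule, one allowed group."""
    lif = LogicalInterface(
        name="lif-0/3/7",
        uplink=TokenBucket(rate=1000.0, burst=1500),
        downlink=TokenBucket(rate=1000.0, burst=1500),
        policy=[("deny", ipaddress.ip_network("10.0.0.0/8"))],
        multicast_list={"239.1.1.1"},
    )
    mac = bytes.fromhex("001122334455")   # constructed user X
    bng = BNG(interfaces={lif.name: lif})
    bng.user_access_table[mac] = ("192.0.2.10", lif.name)   # entry created at access time
    return bng, mac
```

A packet whose source IP does not match the address stored for its MAC is treated as an unknown user rather than looked up by MAC alone; that is the reason the table is keyed by both, since the logical interface, not the addresses the packet claims, is what the policy is bound to.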
Embodiment 2

  • an embodiment of the present invention provides a method for user access security control, and the steps are as follows:
  • Step 201 The BNG acquires a user link identifier.
  • Step 202 The BNG creates a corresponding logical link identifier (ie, a logical interface) for the user link identifier according to the obtained user link identifier.
  • the embodiment of the present invention uses a logical link identifier that is a logical interface as an example for description.
  • Step 203 The BNG limits the number of IP sessions of the user on the logical interface, that is, presets an upper limit on the number of IP sessions of the user.
  • Step 204 User X initiates an access request through DHCP, that is, sends a DHCP access request message.
  • Step 205 The DSLAM receives the DHCP access request packet sent by user X, inserts the user link identifier into the received DHCP access request packet, and forwards the DHCP access request packet with the user link identifier inserted to the BNG.
  • Step 206 The BNG receives the DHCP access request packet that is sent by the DSLAM and carries the user link identifier, and determines whether the corresponding logical interface can be found according to the user link identifier carried in the access request packet. If yes, step 207 is performed; otherwise, step 208 is performed.
  • Step 207 The BNG determines whether the number of IP sessions of user X is smaller than the preset upper limit of IP sessions of the user on the logical interface. If yes, step 209 is performed; otherwise, step 208 is performed.
  • Step 208 The BNG discards the received access request packet, prohibits user X from accessing, and ends.
  • Step 209 The BNG creates a user access entry bound to the logical interface, saves the information of user X, and returns a response packet to the DSLAM, where the response packet carries the user link identifier.
  • Step 210 The DSLAM receives the DHCP response packet returned by the BNG, deletes the user link identifier carried in the packet, and forwards the DHCP response packet, from which the user link identifier has been deleted, to user X.
  • Step 211 After the DHCP negotiation is complete, user X successfully accesses the BNG, and the BNG device adds 1 to the recorded number of IP sessions of the user.
  • After the user accesses the BNG device, security control can be performed on the user.
  • 1) the BNG can also configure a bandwidth parameter for the created logical interface, where the bandwidth parameter specifically includes an uplink bandwidth parameter and a downlink bandwidth parameter.
  • After user X successfully accesses the BNG, user X sends a data packet carrying the user's MAC address and IP address; the BNG searches the user access table according to the MAC address and IP address carried in the received data packet, finds the corresponding logical interface, and performs bandwidth control on the data packet according to the uplink bandwidth parameter configured on the logical interface. When a device providing the service in the network (such as an ASP) sends a data packet to user X through the BNG, the BNG searches the user access table according to the user MAC address carried in the data packet, finds the corresponding logical interface, and performs bandwidth control on the data packet sent to user X according to the downlink bandwidth parameter configured on the logical interface.
  • 2) When traffic control needs to be performed, the access control policy can be configured on the BNG logical interface by using the traffic-policy command.
  • After user X successfully accesses the BNG, user X sends a data packet carrying information such as the user MAC address and IP address; the BNG searches the user access table according to the user MAC address and IP address carried in the received data packet, finds the logical interface corresponding to user X, and performs traffic control on the data packet sent by user X according to the access control policy configured on the logical interface. When a device such as an ASP sends a data packet to user X through the BNG, the user access table is searched according to the MAC address of user X carried in the data packet, the logical interface corresponding to user X is found, the next hop of the data packet is the logical interface corresponding to user X on the BNG device, and flow control is performed on the data packet sent to user X through the BNG according to the access control policy configured on the logical interface.
  • 3) the BNG can also configure the multicast control policy on the logical interface, that is, configure the multicast control list.
  • After user X successfully accesses the BNG, user X sends an IGMP message request carrying the user MAC address. After receiving the IGMP message request sent by user X, the BNG searches the user access table according to the MAC address, finds the logical interface corresponding to user X, and determines, according to the multicast control list configured on the logical interface, whether user X is allowed to join the multicast group. If yes, the BNG allows user X to join the multicast group and sends the multicast data traffic to user X; otherwise, the IGMP message request sent by user X is discarded.
  • the method provided by the embodiment of the present invention configures the logical interface on the BNG device so that the user link can be uniquely identified in the multi-service mode, and thereby implements, through the security control policy configured on the logical interface according to the user link identification information, security controls such as access control, bandwidth control, flow control, and multicast control on a single user link.
Embodiment 3

  • an embodiment of the present invention provides a method for user access security control, and the steps are as follows:
  • Step 301 The BNG obtains the user link identifier.
  • Step 302 The BNG creates a corresponding logical link identifier (ie, a logical interface) for the user link identifier according to the obtained user link identifier.
  • the embodiment of the present invention uses a logical link identifier that is a logical interface as an example for description.
  • Step 303 The BNG configures different user types on the logical interface through different keywords; the reference command line is as follows: [BNG] terminal-type voip dhcp-option-60 include VoIP
  • Step 304 User X initiates an access request through DHCP, that is, sends a DHCP access request message; the DHCP access request carries the keyword VoIP-ISP-1, indicating that user X is a VoIP terminal of ISP-1.
  • keywords for the different types of users are defined consistently on the user side and on the BNG.
  • Step 305 The DSLAM receives the DHCP access request packet sent by user X, inserts the user link identifier into the DHCP access request packet, and forwards the DHCP access request packet with the user link identifier inserted to the BNG.
  • Step 306 The BNG receives the DHCP access request packet that is sent by the DSLAM and carries the user link identifier information, and determines whether the corresponding logical interface can be found according to the user link identifier carried in the DHCP access request packet. If yes, step 307 is performed; otherwise, step 308 is performed.
  • Step 307 The BNG determines whether the keyword carried in the DHCP access request packet of user X matches the keyword configured on the logical interface. If yes, the process proceeds to step 309; otherwise, the process proceeds to step 308.
  • Step 308 The BNG discards the received access request packet, prohibits user X from accessing, and ends.
  • Step 309 The BNG creates a user access entry bound to the logical interface, saves the information of user X, and returns a DHCP response packet to the DSLAM, where the DHCP response packet carries the user link identifier.
  • Step 310 The DSLAM receives the DHCP response packet returned by the BNG, deletes the user link identifier carried in the packet, and forwards the response packet, from which the user link identifier has been deleted, to user X.
  • Step 311 After the DHCP negotiation is completed, user X successfully accesses the BNG and ends.
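The admission decision of Embodiment 2 (step 207, the per-interface IP session limit) and Embodiment 3 (step 307, the terminal-type keyword), as one added example that is not part of the patent. It operates on fields the BNG has already parsed out of the relayed request, the user link identifier and the text of DHCP Option 60 (the vendor class identifier), and treats the keyword match as a substring test in the sense of "dhcp-option-60 include VoIP". The interface name, the session limit of 2, the session_released method and the MAC addresses are assumptions of this example; the session counter is incremented only once negotiation completes, as step 211 describes.

```python
"""Added example (not from the patent): the BNG admission checks of
Embodiments 2 and 3 on fields already parsed from the access request.
Interface name, limits, keywords and MAC addresses are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class LogicalInterface:
    name: str
    max_ip_sessions: Optional[int] = None     # step 203: preset upper limit, None = unlimited
    terminal_keyword: Optional[str] = None    # step 303: e.g. "VoIP" from "dhcp-option-60 include VoIP"
    ip_sessions: int = 0                      # sessions currently established on this link


@dataclass
class AccessRequest:
    user_link_identifier: bytes   # inserted by the DSLAM, parsed by the BNG
    mac: bytes
    vendor_class: str = ""        # DHCP Option 60 text carried in the user's request


@dataclass
class BNG:
    interfaces: Dict[bytes, LogicalInterface]          # user link identifier -> logical interface
    user_access_table: Dict[bytes, str] = field(default_factory=dict)   # MAC -> interface name

    def admit(self, req: AccessRequest) -> str:
        """Steps 206/207 and 306/307 in order; the first failing check decides."""
        lif = self.interfaces.get(req.user_link_identifier)
        if lif is None:
            return "discard:no-logical-interface"       # steps 208 / 308
        if lif.max_ip_sessions is not None and lif.ip_sessions >= lif.max_ip_sessions:
            return "discard:session-limit"              # step 207 fails
        if lif.terminal_keyword is not None and lif.terminal_keyword not in req.vendor_class:
            return "discard:terminal-type-mismatch"     # step 307 fails
        self.user_access_table[req.mac] = lif.name      # steps 209 / 309: user access entry
        return "admit"

    def negotiation_complete(self, req: AccessRequest) -> int:
        """Step 211: count the IP session once DHCP negotiation has finished."""
        lif = self.interfaces[req.user_link_identifier]
        lif.ip_sessions += 1
        return lif.ip_sessions

    def session_released(self, req: AccessRequest) -> int:
        """Assumed, not in the patent text: free the slot so the limit counts live sessions."""
        lif = self.interfaces[req.user_link_identifier]
        lif.ip_sessions = max(0, lif.ip_sessions - 1)
        self.user_access_table.pop(req.mac, None)
        return lif.ip_sessions


def run_embodiments_2_and_3() -> List[str]:
    """A VoIP-only line limited to two sessions: an IPTV box is refused by type,
    two VoIP terminals are admitted, a third VoIP terminal hits the limit, and a
    request from a line with no logical interface is discarded."""
    link = b"dslam1-atm-0-3/7"   # constructed identifier
    bng = BNG(interfaces={link: LogicalInterface("lif-0/3/7", max_ip_sessions=2,
                                                 terminal_keyword="VoIP")})
    outcomes = [bng.admit(AccessRequest(link, b"\x00\x11\x22\x33\x44\xaa", "IPTV-ISP-1"))]
    for i in range(3):
        req = AccessRequest(link, bytes([0, 0x11, 0x22, 0x33, 0x44, i]), "VoIP-ISP-1")
        result = bng.admit(req)
        if result == "admit":
            bng.negotiation_complete(req)
        outcomes.append(result)
    outcomes.append(bng.admit(AccessRequest(b"dslam1-atm-0-3/8", b"\x00\x11\x22\x33\x44\xbb", "VoIP-ISP-1")))
    return outcomes
```

The order of the checks matters for what an operator sees in the drop reason: a line that is already full reports the session limit even when the request's terminal type is also wrong, so the terminal-type refusal is only observed while the line still has capacity.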
  • After the user accesses the BNG device, security control can be performed on the user.
  • 1) the BNG can also configure a bandwidth parameter for the created logical interface, where the bandwidth parameter specifically includes an uplink bandwidth parameter and a downlink bandwidth parameter.
  • After user X successfully accesses the BNG, user X sends a data packet carrying the user MAC address and IP address; the BNG searches the user access table according to the user MAC address and IP address carried in the received data packet, finds the corresponding logical interface, and performs bandwidth control on the data packet according to the uplink bandwidth parameter configured on the logical interface. When the device that provides the service (such as an ASP) sends a data packet to user X through the BNG, the BNG searches the user access table according to the user's MAC address carried in the data packet, finds the corresponding logical interface, and performs bandwidth control on the data packet sent to user X according to the downlink bandwidth parameter configured on the logical interface.
  • 2) When traffic control needs to be performed, the access control policy can be configured on the BNG logical interface by using the traffic-policy command.
  • After user X successfully accesses the BNG, user X sends a data packet carrying the user's MAC address and IP address; the BNG searches the user access table according to the MAC address and IP address carried in the received data packet, finds the logical interface corresponding to user X, and performs flow control on the data packet sent by user X according to the access control policy configured on the logical interface. When a device providing the service in the network (such as an ASP) sends a data packet to user X through the BNG, the user access table is searched according to the MAC address of user X carried in the data packet, the logical interface corresponding to user X is found, the next hop of the data packet is the logical interface corresponding to user X on the BNG device, and flow control is performed on the data packet sent to user X through the BNG according to the access control policy configured on the logical interface.
  • 3) the BNG can also configure the multicast control policy on the logical interface, that is, configure the multicast control list.
  • After user X successfully accesses the BNG, user X sends an IGMP message request carrying the user MAC address. After receiving the IGMP message request sent by user X, the BNG searches the user access table according to the MAC address, finds the logical interface corresponding to user X, and determines, according to the multicast control list configured on the logical interface, whether user X is allowed to join the multicast group. If yes, the BNG allows user X to join the multicast group and sends the multicast stream to user X; otherwise, the IGMP message request sent by user X is discarded.
  • the method provided by the embodiment of the present invention can uniquely identify the user link in the multi-service mode by configuring the logical interface on the BNG device, thereby implementing, through the security control policy configured on the logical interface according to the user link identification information, security control such as access control, bandwidth control, flow control, and multicast control for a single user link.
  • an embodiment of the present invention provides a system for user access security control, where the system includes:
  • a user node 601 configured to send an access request message
  • the access device 602 is configured to receive an access request message sent by the user node 601, insert a user link identifier in the access request message sent by the user node 601, and send an access request message inserted into the user link identifier.
  • the control device 603 is configured to: after receiving the access request message into which the access device 602 inserted the user link identifier, parse it to obtain the user link identifier; determine, according to the user link identifier, whether the access request message satisfies the preset access condition; and if yes, allow the user node 601 corresponding to the user link identifier to access.
  • control device 603 includes:
  • the first receiving module 6031 is configured to receive an access request message sent by the access device 602.
  • the first parsing module 6032 is configured to parse the access request packet received by the first receiving module 6031 to obtain a user link identifier.
  • the first determining module 6033 is configured to determine, according to the user link identifier that is parsed by the first parsing module 6032, whether the logical link identifier corresponding to the user link identifier can be found.
  • the first processing module 6034 when the result of the determination by the first determining module 6033 is that the logical link identifier corresponding to the user link identifier can be found, the user node 601 corresponding to the user link identifier is allowed to access.
  • control device 603 includes:
  • the second receiving module 6035 is configured to receive an access request message sent by the access device 602.
  • the second parsing module 6036 is configured to parse the access request packet received by the second receiving module 6035 to obtain a user link identifier.
  • the searching module 6037 is configured to search, according to the user link identifier parsed by the second parsing module 6036, for the logical link identifier corresponding to the user link identifier.
  • the second determining module 6038 is configured to determine whether the number of accessed user sessions on the logical link identifier found by the searching module 6037 reaches a preset threshold;
  • the second processing module 6039 is configured to allow the user node 601 corresponding to the user link identifier to access when the second determining module 6038 determines that the number of accessed user sessions has not reached the preset threshold, and to increase the number of accessed user sessions by one.
  • control device 603 includes:
  • the third receiving module 60310 is configured to receive an access request message sent by the access device 602.
  • the third parsing module 60311 is configured to parse the access request packet received by the third receiving module 60310 to obtain a user link identifier.
  • the second searching module 60312 is configured to search, according to the user link identifier parsed by the third parsing module 60311, for the logical link identifier corresponding to the user link identifier.
  • the third determining module 60313 is configured to determine whether the user type carried in the access request packet is consistent with the preset user type on the logical link identifier found by the second searching module 60312;
  • the third processing module 60314 is configured to allow the user node 601 corresponding to the user link identifier to access when the third determining module 60313 determines that the user type carried in the access request message is consistent with the preset user type on the logical link identifier found by the second searching module 60312.
  • the system provided by the embodiment of the present invention configures the logical link identifier (which can be implemented in the form of creating a logical interface) on the control device, so that the user link can be uniquely identified in the multi-service mode; the pre-configured security control policy corresponding to the logical link identifier then implements security control policies such as access control, bandwidth control, flow control, and multicast control for a single user link according to the user link identification information.
  • an embodiment of the present invention provides an access device, where the device includes:
  • the receiving module 701 is configured to receive an access request message sent by the user node.
  • the identifier insertion module 702 is configured to insert a user link identifier in the access request message received by the receiving module 701.
  • the sending module 703 is configured to send an access request message after the identifier insertion module 702 inserts the user link identifier.
  • the access device provided by the embodiment of the present invention can receive the access request message sent by the user node, insert the user link identifier into the received access request message, and send the access request message after the user link identifier has been inserted.
  • the device may also insert other information, such as a user type, into the received access request message.
  • an embodiment of the present invention provides a control device, where the device includes:
  • the receiving module 801 is configured to receive an access request message sent by the access device, where the access request message carries the user link identifier.
  • the parsing module 802 is configured to parse the access request packet received by the receiving module 801 to obtain a user link identifier.
  • the processing module 803 is configured to determine, according to the user link identifier parsed by the parsing module 802, whether the access request packet satisfies a preset access condition, and if yes, to allow the user corresponding to the user link identifier to access.
  • the processing module 803 includes:
  • the first determining unit 8031 is configured to determine, according to the user link identifier that is parsed by the parsing module 802, whether the logical link identifier corresponding to the user link identifier can be found.
  • the first processing unit 8032 is configured to allow the user corresponding to the user link identifier to access when the first determination unit 8031 determines that the logical link identifier corresponding to the user link identifier can be found.
  • the processing module 803 includes:
  • the first searching unit 8033 is configured to search, according to the user link identifier parsed by the parsing module 802, for the logical link identifier corresponding to the user link identifier;
  • the second determining unit 8034 is configured to determine whether the number of accessed user sessions on the logical link identifier found by the first searching unit 8033 has reached a preset threshold;
  • the second processing unit 8035 is configured to allow the user corresponding to the user link identifier to access when the second determining unit 8034 determines that the number of accessed user sessions has not reached the threshold, and to increase the number of accessed user sessions by 1.
  • the processing module 803 includes:
  • the second searching unit 8036 is configured to search, according to the user link identifier parsed by the parsing module 802, for the logical link identifier corresponding to the user link identifier.
  • the third determining unit 8037 is configured to determine whether the user type carried in the access request packet is the same as the preset user type on the logical link identifier found by the second searching unit 8036;
  • the third processing unit 8038 is configured to allow the user corresponding to the user link identifier to access when the third determining unit 8037 determines that the user type carried in the access request message is the same as the preset user type on the logical link identifier found by the second searching unit 8036.
  • after the user has accessed through the control device, the control device can also perform security control on the accessed user. In this case, see the figure: the control device also includes:
  • the first recording module 804 is configured to: when the processing module 803 allows the user corresponding to the user link identifier to access, record, according to the access request message, the user's media access control address, IP address, user link identifier, and logical link identifier in the user access table;
  • the first configuration module 805 is configured to configure a control policy for the logical link identifier according to the logical link identifier recorded by the first recording module 804 in the user access table.
  • the first control module 806 is configured to: when receiving a data packet sent by the user, search for the corresponding logical link identifier in the user access table of the first recording module 804 according to the media access control address and the IP address carried in the data packet, and control the data packet according to the control policy corresponding to the logical link identifier that is found;
  • the second control module 807 is configured to: when receiving a data packet sent to the user, search for the corresponding logical link identifier in the user access table of the first recording module 804 according to the media access control address carried in the data packet sent to the user, and control the data packet sent to the user according to the control policy corresponding to the logical link identifier that is found.
  • the control policy configured by the foregoing configuration module may be an access control policy and/or a bandwidth control policy, and correspondingly the control modules may perform flow control or bandwidth control of data packets.
  • the embodiment of the present invention does not limit the type of control policy configured by the configuration module.
  • the control device further includes: a second recording module 808, configured to: when the processing module 803 allows the user corresponding to the user link identifier to access, record, according to the access request packet, the user's media access control address, IP address, user link identifier, and logical link identifier in the user access table.
  • the second configuration module 809 is configured to configure a multicast control policy for the logical link identifier according to the logical link identifier recorded by the second recording module 808.
  • the multicast control module 8010 is configured to: when receiving an Internet Group Management Protocol (IGMP) packet sent by the user to join a multicast group, search for the corresponding logical link identifier in the user access table of the second recording module 808 according to the media access control address carried in the IGMP packet, and determine, according to the multicast control policy corresponding to the logical link identifier that is found, whether the user is allowed to join the multicast group. If yes, the user is allowed to join the multicast group.
  • the control device according to the embodiment of the present invention configures the logical link identifier (which can be implemented in the form of creating a logical interface), so that the user link can be uniquely identified in the multi-service mode; the pre-configured security control policy corresponding to the logical link identifier then implements security control policies such as access control, bandwidth control, flow control, and multicast control for a single user link according to the user link identification information.
  • the technical solution provided by the foregoing embodiments of the present invention can identify a user link in the multi-service mode by configuring a logical link identifier on a control device such as a BNG, so that the security control policy pre-configured for the logical link identifier implements security control policies such as access control, bandwidth control, traffic control, and multicast control for a single user link according to the user link identification information.
  • Some steps in the embodiment of the present invention may be implemented by using software, and the corresponding software program may be stored in a readable storage medium, such as an optical disk or a hard disk.
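The control-device behaviour described above, as an added example that is not the patent's own code: it combines the three access conditions (logical link identifier found, session threshold not reached, user type consistent), the user access table keyed by MAC and IP, and the per-link control and multicast lookups. The `key=value;` message format, the identifiers and the policy values are constructed for illustration.

```python
# Added example, not the patent's own code: a minimal control device (BNG-like)
# that applies the access conditions and per-link controls described above.
# Message format, identifiers and policy values are constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class LogicalLink:
    """A pre-configured logical link identifier (logical interface) and its policy."""
    user_type: str                 # preset user type allowed on this link
    max_sessions: int              # threshold for accessed user sessions
    policy: dict = field(default_factory=dict)  # e.g. bandwidth, allowed multicast groups
    sessions: int = 0              # accessed user sessions so far


class ControlDevice:
    def __init__(self, link_map, logical_links):
        self.link_map = link_map            # user link identifier -> logical link identifier
        self.logical_links = logical_links  # logical link identifier -> LogicalLink
        self.access_table = {}              # (mac, ip) -> (user link id, logical link id)

    @staticmethod
    def parse(msg):
        """Parse a 'key=value;...' access request; 'ulid' is the field the access device inserted."""
        return dict(kv.split("=", 1) for kv in msg.strip().split(";") if "=" in kv)

    def handle_access_request(self, msg):
        """Apply the three access conditions in turn; return (allowed, reason or logical link id)."""
        req = self.parse(msg)
        llid = self.link_map.get(req.get("ulid"))
        link = self.logical_links.get(llid)
        if link is None:                        # no logical link identifier can be found
            return False, "unknown user link identifier"
        if link.sessions >= link.max_sessions:  # accessed session count reached the threshold
            return False, "session threshold reached"
        if req.get("type") != link.user_type:   # user type differs from the preset type on the link
            return False, "user type mismatch"
        link.sessions += 1                      # accessed user sessions increased by one
        self.access_table[(req["mac"], req["ip"])] = (req["ulid"], llid)  # user access table entry
        return True, llid

    def policy_for_packet(self, mac, ip):
        """Control module: find the logical link for a user data packet by MAC and IP; None means no entry."""
        entry = self.access_table.get((mac, ip))
        return self.logical_links[entry[1]].policy if entry else None

    def allow_multicast_join(self, mac, group):
        """Multicast control: an IGMP join is allowed only if the link's policy lists the group."""
        for (m, _ip), (_ulid, llid) in self.access_table.items():
            if m == mac:
                return group in self.logical_links[llid].policy.get("multicast", set())
        return False


if __name__ == "__main__":
    dev = ControlDevice({"olt1/pon3/onu7": "LLID-7"},
                        {"LLID-7": LogicalLink("pppoe", 1, {"bandwidth_kbps": 2048, "multicast": {"239.1.1.1"}})})
    print(dev.handle_access_request("mac=00:11:22:33:44:55;ip=10.0.0.9;ulid=olt1/pon3/onu7;type=pppoe"))
    print(dev.handle_access_request("mac=00:11:22:33:44:66;ip=10.0.0.10;ulid=olt1/pon3/onu7;type=pppoe"))
```

A packet whose MAC/IP pair has no entry in the access table gets no policy, which is the detection point for traffic from a link that never passed the access check.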

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a method, system and device for user access security control. The method comprises: receiving an access request message that contains the user link identifier; parsing the access request message to obtain the user link identifier; determining, according to the user link identifier, whether the access request message satisfies the preset access condition; and if yes, allowing the user corresponding to the user link identifier to access. The system comprises user nodes, an access device and a control device. The access device comprises a receiving module, an identifier insertion module and a sending module. The control device comprises a receiving module, a parsing module and a processing module. The user link can be uniquely identified in multi-service mode by configuring a logical interface on BNG devices, so that security control policies such as access control, bandwidth control and multicast control for an individual user link are carried out using the user link identifier information according to the preset security control policy of the logical interface.
PCT/CN2008/072243 2007-11-28 2008-09-02 Procédé, système et dispositif de gestion de sécurité d'accès d'utilisateur WO2009067871A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN2007101951023A CN101188614B (zh) 2007-11-28 2007-11-28 一种用户接入安全控制的方法、***和设备
CN200710195102.3 2007-11-28

Publications (1)

Publication Number Publication Date
WO2009067871A1 true WO2009067871A1 (fr) 2009-06-04

Family

ID=39480803

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2008/072243 WO2009067871A1 (fr) 2007-11-28 2008-09-02 Procédé, système et dispositif de gestion de sécurité d'accès d'utilisateur

Country Status (2)

Country Link
CN (1) CN101188614B (fr)
WO (1) WO2009067871A1 (fr)

Also Published As

Publication number Publication date
CN101188614A (zh) 2008-05-28
CN101188614B (zh) 2011-01-19

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
    Ref document number: 08800755; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase
    Ref country code: DE
122 Ep: pct application non-entry in european phase
    Ref document number: 08800755; Country of ref document: EP; Kind code of ref document: A1