CN101465739A - Method and equipment for implementing authentication mode smooth transition - Google Patents

Info

Publication number: CN101465739A
Authority: CN (China)
Prior art keywords: authentication mode, message, network equipment, time, delay
Legal status: Granted; currently active
Application number: CNA2009100051110A
Other languages: Chinese (zh)
Other versions: CN101465739B (en)
Inventors: 周广腾, 吴道揆
Current assignee: ZTE Corp
Original assignee: ZTE Corp
Priority to CN2009100051110A; granted and published as CN101465739B

Landscapes

  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses a method and device for implementing a smooth transition between authentication modes, in the field of communications. In the method, when the message authentication mode on a network device needs to be changed from a first authentication mode to a second authentication mode, the second authentication mode is configured on each network device together with a delay that determines when the second authentication mode takes effect. When the delay of the second authentication mode expires, or when the network device receives a message from the peer network device that uses the second authentication mode, the message authentication mode of the network device is switched to the second authentication mode; from then on, all messages the network device sends use the second authentication mode. Applying this scheme while the message authentication mode is being changed prevents connected network devices from losing their connection because of authentication failures.

Description

Method and apparatus for implementing a smooth transition between authentication modes
Technical field
The present invention relates to the field of communications, and in particular to a method and apparatus for implementing a smooth transition between authentication modes.
Background art
When two network devices are interconnected, each device commonly uses an authentication mode such as plain text or MD5 to strengthen network security, and only messages that pass authentication are treated as legitimate.
Today, when two network devices that have established a BGP (Border Gateway Protocol) neighbor relationship are configured with the same authentication mode (for example, both use the authentication key "Red"), the BGP neighbors communicate normally. The detailed process is shown in Fig. 1:
Step 101: at time S10, when network device router_01 sends a message to router_02 it uses the key "Red"; after receiving the message, router_02 verifies it with the key "Red" and authentication succeeds;
Step 102: at time S11, when network device router_02 sends a message to router_01 it uses the key "Red"; after receiving the message, router_01 verifies it with the key "Red" and authentication succeeds;
Step 103: at times S12 and S13, router_01 changes its authentication key to "Green". router_01 now sends BGP messages with the new key "Green"; when router_02 receives them it verifies with the key "Red", and because the keys differ authentication fails. Likewise router_02 still sends BGP messages with the key "Red"; when router_01 receives them it verifies with the new key "Green", and because the keys differ authentication fails. Since neither device receives valid messages from the other, both treat the neighbor as down; the routes originally announced by that BGP neighbor become invalid, and each device must announce route-withdrawal messages to its other neighbors, producing a large volume of route advertisements on the network;
Step 104: at time S14, router_02 also changes its authentication key to "Green". The authentication modes of the two devices now match again, so the BGP neighbor relationship is re-established and each device must re-announce its routes to the other, once more producing a large volume of route advertisements on the network.
As can be seen, while the authentication key is being changed there is a short period during which the authentication modes of the BGP devices differ. Authentication fails on both devices, the network link is torn down, and shortly afterwards the two devices re-establish it. This causes a large amount of routing information to be announced and consumes a large amount of network bandwidth.
Summary of the invention
The technical problem solved by the present invention is to provide a method and apparatus for implementing a smooth transition between authentication modes, so that the network link established between network devices in a BGP neighbor relationship is not torn down while the authentication mode is being changed.
To solve the above problem, the invention discloses a method for implementing a smooth transition between authentication modes, comprising:
when the message authentication mode on the network devices needs to be changed from a first authentication mode to a second authentication mode, configuring the second authentication mode on each network device, and configuring a delay for the second authentication mode that determines when the second authentication mode takes effect;
when the delay of the second authentication mode expires, or when the network device receives a message from the peer network device that uses the second authentication mode, changing the message authentication mode on the network device to the second authentication mode; from then on, all messages sent by the network device use the second authentication mode.
Further, in the above method, a common delay is configured for all network devices, or a different delay is configured for each network device.
When the delay of the second authentication mode has not yet expired and the network device has not received any message, a message sent by the network device to the peer network device uses the first authentication mode.
When the delay of the second authentication mode has not yet expired and the network device receives a message from the peer network device that uses the first authentication mode, the network device replies to the peer network device with a message that uses the first authentication mode.
The authentication mode is an authentication key or an authentication type.
The invention also discloses an apparatus for implementing a smooth transition between authentication modes, comprising a configuration unit, a judgement-and-parsing unit and a sending unit connected in sequence, wherein:
the configuration unit stores the first authentication mode configured for the apparatus, the second authentication mode to be changed to, and the delay of the second authentication mode, the delay determining when the second authentication mode takes effect;
the judgement-and-parsing unit reads the delay of the second authentication mode from the configuration unit and, if it determines that the delay has expired, passes the second authentication mode to the sending unit; this unit also parses received messages and, if it determines that a received message uses the second authentication mode, passes the second authentication mode to the sending unit;
the sending unit receives the authentication mode passed by the judgement-and-parsing unit and sends messages that use that authentication mode to the peer apparatus.
Further, in the above apparatus, when the apparatus needs to send a message to the peer network device, the judgement-and-parsing unit reads the delay of the second authentication mode from the configuration unit and, if it determines that the delay has not expired and the network device has not received any message, passes the first authentication mode to the sending unit.
The judgement-and-parsing unit, if it determines that the delay has not expired and that the received message uses the first authentication mode, passes the first authentication mode to the sending unit.
The judgement-and-parsing unit, if it determines that the delay of the second authentication mode has expired or that a received message uses the second authentication mode, also marks the first authentication mode in the configuration unit as invalid, or deletes the first authentication mode.
The authentication mode is an authentication key or an authentication type.
With the technical solution of the invention, network devices that are already connected are kept from being disconnected through authentication failures when their authentication mode is changed, which solves the prior-art problem of wasting a large amount of network bandwidth when the connection is restored.
Description of drawings
Fig. 1 is a flow chart of an authentication mode change using the BGP protocol in the prior art;
Fig. 2 is a structural diagram of the apparatus of the present invention;
Fig. 3 is a flow chart of an authentication mode change using the present invention;
Fig. 4 is a flow chart of an authentication mode change using the present invention with the BGP protocol.
Embodiments
The main idea of the present invention is as follows. Because a new authentication mode cannot, in practice, be configured on two network devices at the same moment, a delay is defined for the newly configured authentication mode when it is configured on a network device. On a network device that receives the new configuration, the new authentication mode does not take effect at once, but only when the delay has been reached. Thus, if the network device receives a message from the peer device whose authentication mode is the same as before (that is, the authentication mode has not changed), it keeps interacting with the peer device using the original authentication mode for as long as the new authentication mode has not taken effect. If the network device receives a message from the peer device whose authentication mode differs from the original one (that is, the authentication mode has changed), the network device begins to reply with the newly configured authentication mode and checks whether the received message passes authentication. The transition between authentication modes covers both a transition between different authentication keys within the same authentication type and a transition between different authentication types.
The technical solution of the invention is described in further detail below with reference to the drawings and embodiments.
Embodiment 1
An apparatus for implementing a smooth transition between authentication modes, shown in Fig. 2, comprises a configuration unit, a judgement-and-parsing unit and a sending unit connected in sequence. The function of each unit is described in detail below.
The configuration unit stores the first authentication mode configured for the apparatus, the second authentication mode to be changed to, and the delay of the second authentication mode, where the delay determines when the second authentication mode takes effect;
The judgement-and-parsing unit determines which authentication mode is in force on the current device and passes that mode to the sending unit;
Specifically, the judgement-and-parsing unit reads the delay of the second authentication mode from the configuration unit and determines whether the delay has expired; if so, it treats the second authentication mode as the one in force on the current device. The unit also parses received messages and determines the mode in force on the current device from the authentication mode a received message uses: if a received message uses the first authentication mode and the delay of the second authentication mode has not expired, the mode in force on the current device remains the first authentication mode; if a received message uses the second authentication mode, the mode in force on the current device is the second authentication mode regardless of whether its delay has expired.
The sending unit receives the authentication mode passed by the judgement-and-parsing unit and sends messages that use that authentication mode to the peer apparatus.
In other embodiments, after the judgement-and-parsing unit has determined that the mode in force on the current device is the second authentication mode to be changed to, it may also notify the configuration unit to mark the first authentication mode as invalid, or directly delete the first authentication mode stored in the configuration unit.
Embodiment 2
Building on Embodiment 1, assume a first network device and a second network device that have established a BGP neighbor relationship, with authentication mode A configured between them, and that the first network device has received a newly configured authentication mode B whose delay is 10 s. Taking these two devices as an example, the authentication process with a smooth transition between them, shown in Fig. 3, comprises the following steps:
Step 301: at time S20, the authentication mode configured on the first and second network devices is A;
Because the authentication modes are the same, the two network devices communicate normally;
Step 302: at time S21, for some reason authentication mode B is newly configured on the first network device with a delay of 10 s; at this point the first network device still uses authentication mode A when sending messages to the second network device;
B(A) in Fig. 3 denotes that, after authentication mode B has been newly configured on the first network device, B has not yet taken effect and the first network device still uses authentication mode A;
Step 303: the second network device replies to the first network device with a message that uses authentication mode A;
Step 304: at time S22, authentication mode B is configured on the second network device; since the delay of B has not yet been reached, messages sent by the second network device still use authentication mode A;
Step 305: at time S23, the first network device determines that the delay of authentication mode B has been reached, so B takes effect and the first network device sends messages to the second network device using authentication mode B;
B{A} in Fig. 3 denotes that the newly configured authentication mode B on the first network device has taken effect.
Step 306: on receiving the above message, the second network device determines that it has also been configured with authentication mode B, so, without considering whether the delay of B has expired, it sends messages to the first network device using authentication mode B. Thus at time S24 the authentication mode configured on both network devices is B, and a smooth transition between different authentication modes has been achieved.
Of course, in other embodiments, if the first network device has received the newly configured authentication mode B, B has not yet taken effect, and the first network device receives a message from the second network device that uses authentication mode B, then although the delay of B has not been reached on the first network device, the first network device determines that it has also been configured with B and replies to the second network device with a message that uses authentication mode B.
In other embodiments, the delay configured for each authentication mode may be a single common point in time, or a delay may be configured separately for each network device.
Embodiment 3
Two network devices that have established a BGP neighbor relationship are considered again below. Both use MD5 authentication with the authentication key "Red". The process of changing the authentication key of the two devices from "Red" to "Green" according to the technical solution of the invention, shown in Fig. 4, comprises the following steps:
Step 401: at time S30, when network device router_01 sends a message to network device router_02, the message uses the key "Red"; after receiving it, router_02 verifies it with the key "Red" and authentication succeeds;
Step 402: at time S31, when network device router_02 sends a message to network device router_01, the message uses the key "Red"; after receiving it, router_01 verifies it with the key "Red" and authentication succeeds;
Step 403: at time S32, the new key "Green" is configured on router_01. It does not take effect immediately: router_01 only starts using the new key "Green" when the delay of this key expires, or when it receives an authenticated message from the peer router_02 that uses the new key "Green";
Step 404: at time S33, router_02 receives a message from the peer router_01 that uses the new key "Green". router_02 finds that the corresponding key "Green" is also present locally, so it sends its BGP messages with the new key "Green" and checks whether the received BGP message passes authentication. In this way the authentication modes of the two devices never differ while the key is being changed, and the BGP link is not broken.
As the above embodiments show, because a newly configured authentication mode does not take effect at once but only when its delay expires, or when an authenticated message from the peer that uses the new key is received, the technical solution of the invention effectively prevents a change of authentication information from breaking the BGP link and saves a large amount of network bandwidth.
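The rollover of Embodiments 2 and 3, and the prior-art failure of Fig. 1, as an added runnable simulation. This is not code from the patent or from ZTE. The peer names, the HMAC-MD5 tag standing in for BGP's TCP MD5 signature option, the integer tick clock and the KEEPALIVE payload are assumptions made here. A receiver verifies a message with its current key first and, if that fails and a second mode is pending, with the pending key; a pass under the pending key is what the description calls receiving a message that uses the second authentication mode, and it triggers the immediate switch.

```python
"""Simulation of the delayed authentication-mode rollover (added example, not
the patent's code).  Each peer keeps a first mode (current key), optionally a
second mode (pending key) with a delay, and switches to the second mode when
the delay expires or when a received message authenticates under the pending
key.  HMAC-MD5 over the payload is a stand-in for BGP's TCP MD5 option."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import List, Optional


def mac(key: str, payload: bytes) -> bytes:
    """Authentication tag for one message under one key (assumed scheme)."""
    return hmac.new(key.encode(), payload, hashlib.md5).digest()


@dataclass
class Message:
    payload: bytes
    tag: bytes


@dataclass
class Peer:
    name: str
    key: str                           # first authentication mode (A / "Red")
    pending_key: Optional[str] = None  # second authentication mode (B / "Green")
    switch_at: Optional[int] = None    # tick at which the delay expires
    auth_failures: int = 0
    log: List[str] = field(default_factory=list)

    def configure(self, new_key: str, now: int, delay: int) -> None:
        """Configuration unit: store the second mode and its delay; the first
        mode stays in force until the delay expires."""
        self.pending_key = new_key
        self.switch_at = now + delay

    def _activate_pending(self, why: str) -> None:
        """Second mode takes effect; the first mode is deleted (no fallback)."""
        self.log.append(f"{self.name}: switch to {self.pending_key!r} ({why})")
        self.key, self.pending_key, self.switch_at = self.pending_key, None, None

    def _expire(self, now: int) -> None:
        """Judgement unit, timer side: pending key becomes current once its delay is up."""
        if self.pending_key is not None and now >= self.switch_at:
            self._activate_pending("delay expired")

    def send(self, payload: bytes, now: int) -> Message:
        """Sending unit: tag with whichever mode the judgement unit says is in force."""
        self._expire(now)
        return Message(payload, mac(self.key, payload))

    def receive(self, msg: Message, now: int) -> bool:
        """Judgement unit, receive side: verify with the current key first; if that
        fails and a second mode is pending, verify with it and on success switch at
        once (the peer already uses the new mode) even though the delay is not up."""
        self._expire(now)
        if hmac.compare_digest(msg.tag, mac(self.key, msg.payload)):
            return True
        if self.pending_key is not None and hmac.compare_digest(
            msg.tag, mac(self.pending_key, msg.payload)
        ):
            self._activate_pending("peer already uses it")
            return True
        self.auth_failures += 1
        return False


def exchange(a: Peer, b: Peer, now: int) -> None:
    """One round like steps 101/102: a -> b, then b -> a (constructed payload)."""
    b.receive(a.send(b"KEEPALIVE", now), now)
    a.receive(b.send(b"KEEPALIVE", now), now)


def rollover(delay: int, configure_peer_at: int, rounds: int) -> dict:
    """router_01 is given key "Green" at tick 1 with the given delay; router_02 is
    given the same key and delay at tick configure_peer_at.  Returns the total
    authentication failures, the final keys and the switch log."""
    r1, r2 = Peer("router_01", "Red"), Peer("router_02", "Red")
    for now in range(rounds):
        if now == 1:
            r1.configure("Green", now, delay)
        if now == configure_peer_at:
            r2.configure("Green", now, delay)
        exchange(r1, r2, now)
    return {
        "failures": r1.auth_failures + r2.auth_failures,
        "keys": (r1.key, r2.key),
        "log": r1.log + r2.log,
    }


if __name__ == "__main__":
    print("prior art, delay 0:  ", rollover(delay=0, configure_peer_at=3, rounds=5))
    print("smooth, delay 10:    ", rollover(delay=10, configure_peer_at=3, rounds=13))
    print("delay too short, 2:  ", rollover(delay=2, configure_peer_at=5, rounds=7))
```

A delay of 0 reproduces the prior art of Fig. 1: the new key takes effect on router_01 at once and every message in both directions fails until router_02 is changed too. With a delay longer than the time needed to configure the peer, no message fails and router_02 switches the moment it sees a message under "Green". The third run shows the delay expiring before the peer has been configured, which degrades to the prior-art behaviour; the delay must therefore cover the configuration of every peer.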
Of course, the present invention may have various other embodiments. Without departing from the spirit and essence of the invention, those of ordinary skill in the art may make various corresponding changes and variations in accordance with the invention, but all such changes and variations fall within the scope of protection of the appended claims.

Claims (10)

1. A method for implementing a smooth transition between authentication modes, characterized in that it comprises:
when the message authentication mode on the network devices needs to be changed from a first authentication mode to a second authentication mode, configuring the second authentication mode on each network device, and configuring a delay for the second authentication mode that determines when the second authentication mode takes effect;
when the delay of the second authentication mode expires, or when the network device receives a message from the peer network device that uses the second authentication mode, changing the message authentication mode on the network device to the second authentication mode; from then on, all messages sent by the network device use the second authentication mode.
2. The method of claim 1, characterized in that
a common delay is configured for all network devices, or a different delay is configured for each network device.
3. The method of claim 1 or 2, characterized in that
when the delay of the second authentication mode has not yet expired and the network device has not received any message, a message sent by the network device to the peer network device uses the first authentication mode.
4. The method of claim 1 or 2, characterized in that
when the delay of the second authentication mode has not yet expired and the network device receives a message from the peer network device that uses the first authentication mode, the network device replies to the peer network device with a message that uses the first authentication mode.
5. The method of claim 1 or 2, characterized in that
the authentication mode is an authentication key or an authentication type.
6. An apparatus for implementing a smooth transition between authentication modes, characterized in that the apparatus comprises a configuration unit, a judgement-and-parsing unit and a sending unit connected in sequence, wherein:
the configuration unit stores the first authentication mode configured for the apparatus, the second authentication mode to be changed to, and the delay of the second authentication mode, the delay determining when the second authentication mode takes effect;
the judgement-and-parsing unit reads the delay of the second authentication mode from the configuration unit and, if it determines that the delay has expired, passes the second authentication mode to the sending unit; this unit also parses received messages and, if it determines that a received message uses the second authentication mode, passes the second authentication mode to the sending unit;
the sending unit receives the authentication mode passed by the judgement-and-parsing unit and sends messages that use that authentication mode to the peer apparatus.
7. The apparatus of claim 6, characterized in that
when the apparatus needs to send a message to the peer network device, the judgement-and-parsing unit reads the delay of the second authentication mode from the configuration unit and, if it determines that the delay has not expired and the network device has not received any message, passes the first authentication mode to the sending unit.
8. The apparatus of claim 6, characterized in that
the judgement-and-parsing unit, if it determines that the delay has not expired and that the received message uses the first authentication mode, passes the first authentication mode to the sending unit.
9. The apparatus of any one of claims 6 to 8, characterized in that
the judgement-and-parsing unit, if it determines that the delay of the second authentication mode has expired or that a received message uses the second authentication mode, also marks the first authentication mode in the configuration unit as invalid, or deletes the first authentication mode.
10. The apparatus of any one of claims 6 to 8, characterized in that
the authentication mode is an authentication key or an authentication type.

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN2009100051110A | 2009-01-15 | 2009-01-15 | Method and equipment for implementing authentication mode smooth transition

Publications (2)

Publication Number | Publication Date
CN101465739A | 2009-06-24
CN101465739B | 2011-08-10

Family ID: 40806115

Country Status: CN (CN101465739B)

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1140978C (en) * 2001-04-17 2004-03-03 陈常嘉 Method for implementing accommodate control based on cipher code and circuit
CN1150726C (en) * 2002-10-01 2004-05-19 华中科技大学 Safe network transmission method and system
CN1881870A (en) * 2005-11-18 2006-12-20 华为技术有限公司 Method for safety communication between devices

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103199990A (en) * 2013-04-16 2013-07-10 杭州华三通信技术有限公司 Method and device for routing protocol authentication transfer
WO2014169735A1 (en) * 2013-04-16 2014-10-23 Hangzhou H3C Technologies Co., Ltd. Routing protocol authentication migration
CN103199990B (en) * 2013-04-16 2016-04-06 杭州华三通信技术有限公司 Method and apparatus for routing protocol authentication migration
WO2017031984A1 (en) * 2015-08-26 2017-03-02 中兴通讯股份有限公司 BMP message authentication method and device
CN106487746A (en) * 2015-08-26 2017-03-08 中兴通讯股份有限公司 Method and device for BMP message authentication
CN105207911A (en) * 2015-10-12 2015-12-30 安徽皖通邮电股份有限公司 IS-IS protocol message authentication method and system
CN105207911B (en) * 2015-10-12 2018-11-23 安徽皖通邮电股份有限公司 IS-IS message authentication method and system
CN107040509A (en) * 2016-11-23 2017-08-11 杭州迪普科技股份有限公司 Message sending method and device
CN107040509B (en) * 2016-11-23 2019-12-06 杭州迪普科技股份有限公司 Message sending method and device

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant