CN101656738A - Method and device for verifying terminal accessed to network - Google Patents
- Publication number
- CN101656738A
- Authority
- CN
- China
- Prior art keywords
- terminal
- sign
- discriminating
- network
- message
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Abstract
The embodiments of the invention relate to network communication technology, and in particular to a method and a device for verifying a terminal that accesses a network, used to identify a terminal that has accessed the network illegally. The method comprises the following steps: receiving a PPPoE PPP LCP Identification message from the terminal and extracting an authentication identifier from it; matching the authentication identifiers in a preset authentication identifier list against the extracted identifier; and, when the match fails, determining that the terminal is an illegal terminal. The method can identify illegally accessed terminals at the time the terminal accesses the network, thereby improving network security.
Description
Technical field
The present invention relates to network communications technology, and in particular to a method and apparatus for verifying a terminal that accesses a network.
Background technology
PPPoE (Point-to-Point Protocol over Ethernet) is currently one of the more common consumer broadband access methods.
The user dials in by entering a username and password on the host; the connection passes over ADSL (Asymmetric Digital Subscriber Line) to a DSLAM (Digital Subscriber Line Access Multiplexer), and authentication, authorization and accounting are then performed at the BRAS (Broadband Remote Access Server).
At present, whether a PPPoE user is legitimate is judged from the username and password entered by the user together with the location of the user's access point. As long as the username, password and access point are correct, the user can access the network normally. Most operators verify the legitimacy of PPPoE access in this way.
Existing operators allow subscribers who have signed up for service to dial in through a router and share the connection among PCs attached behind it.
The router performs the PPPoE dial-up and obtains the legitimate address assigned by the operator; the hosts behind it obtain private addresses assigned by the home gateway, and the home gateway uses NAT to translate between the private addresses it assigns and the public address assigned by the operator, so that the connection can be shared.
Because the PPPoE verification method is not rigorous, many users who have not signed up for service dial in through an unauthorized router and share the connection among PCs behind it. When such a user dials in through an unauthorized router, the username, password and access location are all correct, so the network side has difficulty telling which terminals are accessing legitimately and which are not.
In summary, the network side currently has difficulty identifying illegally accessing terminals.
Summary of the invention
The embodiments of the invention provide a method and apparatus for verifying a terminal that accesses a network, in order to identify terminals that access the network without authorization.
A method for verifying a terminal that accesses a network, provided by an embodiment of the invention, comprises:
after a service node (SN) receives a PPP LCP Identification message of Point-to-Point Protocol over Ethernet (PPPoE) from the terminal, extracting an authentication identifier from the PPP LCP Identification message;
the SN matching the authentication identifiers in a predefined authentication identifier list against the extracted authentication identifier;
when the match fails, determining that the terminal is an illegal terminal.
A system for verifying a terminal that accesses a network, provided by an embodiment of the invention, comprises:
a terminal, used to send a PPPoE PPP LCP Identification message containing an authentication identifier;
a network device, used to extract the authentication identifier from the PPP LCP Identification message after receiving it, match the authentication identifiers in a predefined authentication identifier list against the extracted identifier, and determine that the terminal is an illegal terminal when the match fails.
A network device provided by an embodiment of the invention comprises:
an extraction module, used to extract an authentication identifier from a PPPoE PPP LCP Identification message after receiving the message from the terminal;
a matching module, used to match the authentication identifiers in a predefined authentication identifier list against the extracted authentication identifier;
a processing module, used to determine that the terminal is an illegal terminal when the match fails.
In the embodiments of the invention, after the SN receives a PPPoE PPP LCP Identification message from the terminal, it extracts an authentication identifier from the received message, matches the authentication identifiers in the predefined list against the extracted identifier, and determines that the terminal is an illegal terminal when the match fails. The embodiments can thus identify which terminals are accessing illegally at the moment the terminal accesses the network, thereby improving network security.
Description of drawings
Fig. 1 is a schematic diagram of the structure of the system for verifying a terminal that accesses a network according to an embodiment of the invention;
Fig. 2 is a schematic diagram of the structure of the network device according to an embodiment of the invention;
Fig. 3 is a schematic flow diagram of the method for verifying a terminal that accesses a network according to an embodiment of the invention;
Fig. 4 is a schematic flow diagram of the method that only permits computer dial-up according to an embodiment of the invention;
Fig. 5 is a schematic flow diagram of the method that only permits dial-up from a designated router according to an embodiment of the invention.
Embodiment
In the embodiments of the invention, during PPPoE (Point-to-Point Protocol over Ethernet) access, the authentication identifier is extracted from the PPP (Point-to-Point Protocol) LCP (Link Control Protocol) Identification message that the terminal sends during the protocol negotiation establishing the PPPoE connection; the authentication identifiers in a predefined authentication identifier list are matched against the extracted identifier, and when the match fails the terminal is determined to be an illegal terminal. The embodiments can thus identify which terminals are accessing illegally at the moment the terminal accesses the network, thereby improving network security.
The embodiments of the invention are described in further detail below with reference to the accompanying drawings.
As shown in Fig. 1, the system for verifying a terminal that accesses a network according to an embodiment of the invention comprises a terminal 10 and a network device 20.
Specifically, the terminal 10 sends a PPP LCP Identification message containing an authentication identifier during the protocol negotiation that establishes the PPPoE connection.
When a PPPoE subscriber dials in, a PPP LCP Identification message is sent during the protocol negotiation that establishes the PPPoE connection, and different dialers carry different authentication identifiers.
For example, when the message sent by Microsoft's PPP protocol stack is captured, the packet contains the descriptive string Message: MSRASV 5.0 (Microsoft Remote Access Service).
Here, MSRASV 5.0 is the authentication identifier.
The PPP protocol stacks of different user operating systems also differ, so the authentication identifier in the PPP LCP Identification message differs as well. For example, because the operating systems are different, the authentication identifier of a router's PPPoE dial-up is not the same as that of Microsoft's PPP protocol stack.
On this basis, the authentication identifiers permitted to access can be configured in the predefined authentication identifier list, such as the identifier of the Microsoft operating system, the identifiers of legitimate routers, and so on.
In a specific implementation, the authentication identifiers in the list can be configured as required and updated as required, for example by adding or deleting identifiers in the list.
To further improve network security, the terminal 10 can encrypt the authentication identifier with a predefined key and place the encrypted identifier in the PPP LCP Identification message;
correspondingly, after extracting the authentication identifier, the network device 20 decrypts it with the predefined key to obtain the decrypted identifier.
For example, the terminal 10 encrypts the authentication identifier with a predefined public key and places the encrypted identifier in the PPP LCP Identification message; the network device 20 decrypts it with the predefined private key and performs the matching check after successful decryption.
The authentication identifier can also be an encrypted string; for example, the terminal 10 (which may be a dialer or a router designated by the operator) can apply MD5 to a string (for example chinamobile) and send the result in the PPP LCP Identification message.
When the match fails, the network device may, for example, only flag the terminal as an illegal terminal while still allowing it to access the network; it may directly refuse the terminal access to the network; or it may both flag the terminal as an illegal terminal and refuse it access.
It should be noted that the way the ciphertext is produced in the embodiments of the invention is not limited to MD5; any method of encrypting the authentication identifier is applicable to the embodiments.
The terminal 10 of the embodiments may be a dialer (such as dialer software on the subscriber's host, or the operator's legitimate home gateway), a router designated by the operator, and so on. The network device 20 of the embodiments may be an SN (Service Node) device such as a BRAS (Broadband Remote Access Server) or an SR (Service Router), or a new device on the network side.
As shown in Fig. 2, the network device according to an embodiment of the invention comprises an extraction module 200, a matching module 210 and a processing module 220.
The authentication identifiers permitted to access can be configured in the predefined authentication identifier list, such as the identifier of the Microsoft operating system, the identifiers of legitimate routers, and so on.
In a specific implementation, the authentication identifiers in the list can be configured as required and also updated as required, for example by adding or deleting identifiers in the list.
The authentication identifier can be either plaintext or ciphertext; compared with plaintext, ciphertext can further improve network security.
If ciphertext is used, the terminal can encrypt the authentication identifier with a predefined key and place the encrypted identifier in the PPP LCP Identification message;
correspondingly, after extracting the authentication identifier, the extraction module 200 decrypts it with the predefined key to obtain the decrypted identifier.
The matching module 210 checks whether the predefined authentication identifier list contains an identifier identical to the one extracted by the extraction module 200; if so, the match succeeds; otherwise, the match fails.
Preferably, after the terminal has been determined to be an illegal terminal, the processing module 220 can also place the corresponding authentication identifier in an authentication identifier blacklist for later queries.
As shown in Fig. 3, the method for verifying a terminal that accesses a network according to an embodiment of the invention comprises the following steps:
Step 301: after the SN receives a PPPoE PPP LCP Identification message from the terminal, it extracts the authentication identifier from the PPP LCP Identification message.
Step 302: the SN matches the authentication identifiers in the predefined authentication identifier list against the extracted authentication identifier.
Before step 301 the method may further include:
Step 300: the terminal sends a PPPoE PPP LCP Identification message containing the authentication identifier.
Specifically, the terminal sends the PPP LCP Identification message containing the authentication identifier during the protocol negotiation that establishes the PPPoE connection.
In step 300, when a PPPoE subscriber dials in, a PPP LCP Identification message is sent during the protocol negotiation that establishes the PPPoE connection, and different dialers carry different authentication identifiers.
For example, when the message sent by Microsoft's PPP protocol stack is captured, the packet contains the descriptive string Message: MSRASV 5.0.
Here, MSRASV 5.0 is the authentication identifier.
The PPP protocol stacks of different user operating systems also differ, so the authentication identifier in the PPP LCP Identification message differs as well. For example, because the operating systems are different, the authentication identifier of a router's PPPoE dial-up is not the same as that of Microsoft's PPP protocol stack.
On this basis, the SN can configure the authentication identifiers permitted to access in the predefined authentication identifier list, such as the identifier of the Microsoft operating system, the identifiers of legitimate routers, and so on.
In a specific implementation, the authentication identifiers in the list can be configured as required and updated as required, for example by adding or deleting identifiers in the list.
The authentication identifier can be either plaintext or ciphertext; compared with plaintext, ciphertext can further improve network security.
If ciphertext is used, then in step 300 the terminal can encrypt the authentication identifier with a predefined key and place the encrypted identifier in the PPP LCP Identification message;
correspondingly, in step 301, after extracting the authentication identifier, the SN decrypts it with the predefined key to obtain the decrypted identifier.
For example, the terminal encrypts the authentication identifier with a predefined public key and places the encrypted identifier in the PPP LCP Identification message; in step 301 it can be decrypted with the predefined private key, and the match is checked after successful decryption.
The authentication identifier can also be an encrypted string (such as the Identification string); for example, the terminal (which may be a dialer or a router designated by the operator) can apply MD5 to a string (for example chinamobile) and send the result in the PPP LCP Identification message;
if in step 301 the SN finds after decryption that the value is chinamobile, access is permitted; if the decrypted value is not chinamobile, or decryption fails, the terminal is flagged as an illegal terminal and/or access is refused.
For example, the SN may only flag the terminal as an illegal terminal while still allowing it to access the network; it may directly refuse the terminal access to the network; or it may both flag the terminal as an illegal terminal and refuse it access.
It should be noted that the way the ciphertext is produced in the embodiments of the invention is not limited to MD5; any method of encrypting the authentication identifier is applicable to the embodiments.
In step 302, the SN checks whether the predefined authentication identifier list contains an identifier identical to the extracted one; if so, the match succeeds; otherwise, the match fails.
Correspondingly, in step 303, after determining that the terminal is an illegal terminal, the SN can refuse the terminal access to the network, thereby preventing illegal terminals from accessing the network.
Preferably, after determining that the terminal is an illegal terminal, the SN can also place the corresponding authentication identifier in an authentication identifier blacklist for later queries.
In step 303, when the match succeeds, the SN determines that the terminal is a legitimate terminal and, after the protocol negotiation establishing the PPPoE connection succeeds (that is, the username, password and access point are correct), allows the terminal to access the network.
The executing entity of the embodiments of the invention can be an SN device, or a new device on the network side.
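Steps 300 to 303 above (and the same flow described for the system of Fig. 1 and the modules of Fig. 2) as a worked example in Python. This is illustrative code added for this page, not the patent's or any vendor's implementation. It assumes the frame layouts of RFC 2516 (PPPoE session stage) and RFC 1570 (LCP Identification, code 12), which the patent does not spell out; the identifier strings MSRASV 5.0 and chinamobile come from the patent, while the session ids, the magic number and the unknown-router string are constructed. Every length field is checked against the bytes actually present, so a truncated frame or a non-Identification LCP message is rejected rather than mis-parsed.

```python
"""Verify a PPPoE terminal from its PPP LCP Identification message.

Added illustration of the patent's steps 300-303; not code from the patent.
Frame layouts follow RFC 2516 (PPPoE session stage) and RFC 1570 (LCP
Identification, code 12). All frames below are constructed test input.
"""
import hashlib
import struct

PPPOE_SESSION_VER_TYPE = 0x11   # version 1, type 1
PPPOE_SESSION_CODE = 0x00       # session-stage data
PPP_PROTOCOL_LCP = 0xC021
LCP_CODE_IDENTIFICATION = 12
LCP_ID_HEADER_LEN = 8           # code, identifier, length, 4-byte magic number


def build_lcp_identification_frame(session_id, message, identifier=1, magic=0x1A2B3C4D):
    """Step 300 (terminal side): build a PPPoE session frame carrying an LCP Identification."""
    lcp = struct.pack("!BBHI", LCP_CODE_IDENTIFICATION, identifier,
                      LCP_ID_HEADER_LEN + len(message), magic) + message
    payload = struct.pack("!H", PPP_PROTOCOL_LCP) + lcp
    return struct.pack("!BBHH", PPPOE_SESSION_VER_TYPE, PPPOE_SESSION_CODE,
                       session_id, len(payload)) + payload


def extract_identification(frame):
    """Step 301 (SN side): return the Message field of an LCP Identification frame, or None.

    Every length is checked against the bytes actually present, so a truncated or
    malformed frame yields None instead of an exception or an out-of-bounds slice.
    """
    if len(frame) < 6:
        return None
    ver_type, code, _session_id, length = struct.unpack("!BBHH", frame[:6])
    if ver_type != PPPOE_SESSION_VER_TYPE or code != PPPOE_SESSION_CODE:
        return None
    payload = frame[6:6 + length]
    if len(payload) != length or length < 2 + LCP_ID_HEADER_LEN:
        return None
    if struct.unpack("!H", payload[:2])[0] != PPP_PROTOCOL_LCP:
        return None
    lcp_code, _ident, lcp_len = struct.unpack("!BBH", payload[2:6])
    if lcp_code != LCP_CODE_IDENTIFICATION:
        return None
    if lcp_len < LCP_ID_HEADER_LEN or lcp_len > len(payload) - 2:
        return None
    return payload[2 + LCP_ID_HEADER_LEN:2 + lcp_len]


class IdentificationVerifier:
    """Steps 302-303: match the extracted identifier against the allow-list."""

    def __init__(self, allowed_plaintext, shared_secrets):
        self.allowed = set(allowed_plaintext)
        # "Ciphertext" variant from the patent: the terminal sends the MD5 digest of a
        # fixed string and the SN stores the expected digests. MD5 is a hash, not
        # encryption, and a constant digest is just another static allow-list entry:
        # it identifies the device type exactly as the plaintext string does.
        self.allowed.update(hashlib.md5(s).hexdigest() for s in shared_secrets)
        self.blacklist = []   # identifiers of terminals judged illegal, for later queries

    def verify(self, frame):
        ident = extract_identification(frame)
        if ident is None:
            return "no-identification"
        text = ident.decode("ascii", errors="replace")
        if text in self.allowed:
            return "legal"
        self.blacklist.append(text)
        return "illegal"


# Constructed sample frames; only "MSRASV 5.0" and "chinamobile" are quoted from the patent.
WINDOWS_DIALER = build_lcp_identification_frame(0x0001, b"MSRASV 5.0")
OPERATOR_ROUTER = build_lcp_identification_frame(
    0x0002, hashlib.md5(b"chinamobile").hexdigest().encode())
UNKNOWN_ROUTER = build_lcp_identification_frame(0x0003, b"example-router-pppd")
# An LCP Configure-Request (code 1, length 4) is not an Identification message at all.
CONFIGURE_REQUEST = (struct.pack("!BBHH", 0x11, 0x00, 0x0004, 6)
                     + struct.pack("!HBBH", PPP_PROTOCOL_LCP, 1, 1, 4))
TRUNCATED = WINDOWS_DIALER[:12]   # header claims 20 payload bytes, only 6 present


def demo():
    """Run the SN-side check over the sample frames and return the verdicts."""
    sn = IdentificationVerifier(allowed_plaintext=["MSRASV 5.0"], shared_secrets=[b"chinamobile"])
    return {name: sn.verify(frame) for name, frame in [
        ("windows", WINDOWS_DIALER), ("operator_router", OPERATOR_ROUTER),
        ("unknown_router", UNKNOWN_ROUTER), ("configure_request", CONFIGURE_REQUEST),
        ("truncated", TRUNCATED)]}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18s} -> {verdict}")
```

The unknown router's identifier is recorded in the verifier's blacklist, as the patent's processing module proposes; frames that carry no Identification message are reported separately so that a configuration can decide whether their absence alone should count as a failed match.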
As shown in Fig. 4, the method that only permits computer dial-up according to an embodiment of the invention comprises the following steps:
The SN device only permits dial-up access from computers running a Microsoft operating system.
Step 403: the SN device refuses the user's access request.
As shown in Fig. 5, the method that only permits dial-up from a designated router according to an embodiment of the invention comprises the following steps:
The SN device only permits dial-up access from SOHO routers designated by the operator, and the SOHO router encrypts the authentication identifier with a fixed key.
Step 503: the SN device refuses the user's access request.
From the above embodiments it can be seen that after the SN receives a PPPoE PPP LCP Identification message from the terminal, it extracts the authentication identifier from the message; matches the authentication identifiers in the predefined authentication identifier list against the extracted identifier; and, when the match fails, determines that the terminal is an illegal terminal.
The embodiments of the invention can identify which terminals are accessing illegally at the moment the terminal accesses the network, thereby improving network security.
Further, because the illegally accessing terminals can be identified when the terminal accesses the network, illegal terminals can be prevented from connecting to the network, which reduces the difficulty of the operator's bandwidth management and improves management efficiency.
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from its spirit and scope. Thus, if these modifications and variations fall within the scope of the claims of the present invention and their technical equivalents, the present invention is also intended to include them.
Claims (11)
1. A method for verifying a terminal that accesses a network, characterized in that the method comprises:
after a service node (SN) receives a PPP LCP Identification message of Point-to-Point Protocol over Ethernet (PPPoE) from the terminal, extracting an authentication identifier from the PPP LCP Identification message;
the SN matching the authentication identifiers in a predefined authentication identifier list against the extracted authentication identifier;
when the match fails, determining that the terminal is an illegal terminal.
2. The method of claim 1, characterized in that the authentication identifier is plaintext or ciphertext.
3. The method of claim 2, characterized in that, if the authentication identifier is ciphertext:
before the terminal sends the PPP LCP Identification message, the method further comprises:
the terminal encrypting the authentication identifier with a predefined key and placing the encrypted authentication identifier in the PPP LCP Identification message;
after the SN extracts the authentication identifier and before it matches the authentication identifiers in the predefined authentication identifier list against the extracted identifier, the method further comprises:
the SN decrypting with the predefined key to obtain the decrypted authentication identifier.
4. The method of claim 1, characterized in that, after the SN determines that the terminal is an illegal terminal, the method further comprises:
the SN flagging the terminal as an illegal terminal and/or refusing the terminal access to the network.
5. The method of claim 1, characterized in that the method further comprises:
when the match succeeds, the SN determining that the terminal is a legitimate terminal and, after the protocol negotiation establishing the PPPoE connection succeeds, allowing the terminal to access the network.
6. A system for verifying a terminal that accesses a network, characterized in that the system comprises:
a terminal, used to send a PPP LCP Identification message of Point-to-Point Protocol over Ethernet (PPPoE) containing an authentication identifier;
a network device, used to extract the authentication identifier from the PPP LCP Identification message after receiving it, match the authentication identifiers in a predefined authentication identifier list against the extracted identifier, and determine that the terminal is an illegal terminal when the match fails.
7. The system of claim 6, characterized in that the terminal is further used to:
encrypt the authentication identifier with a predefined key and place the encrypted authentication identifier in the PPP LCP Identification message;
and the network device is further used to:
after extracting the authentication identifier, decrypt it with the predefined key to obtain the decrypted authentication identifier.
8. A network device, characterized in that the network device comprises:
an extraction module, used to extract an authentication identifier from a PPP LCP Identification message of Point-to-Point Protocol over Ethernet (PPPoE) after receiving the message from the terminal;
a matching module, used to match the authentication identifiers in a predefined authentication identifier list against the extracted authentication identifier;
a processing module, used to determine that the terminal is an illegal terminal when the match fails.
9. The network device of claim 8, characterized in that the extraction module is further used to:
after extracting the authentication identifier, decrypt it with a predefined key to obtain the decrypted authentication identifier.
10. The network device of claim 8, characterized in that the processing module is further used to:
after determining that the terminal is an illegal terminal, flag the terminal as an illegal terminal and/or refuse the terminal access to the network.
11. The network device of claim 8, characterized in that the processing module is further used to:
when the match succeeds, determine that the terminal is a legitimate terminal and, after the protocol negotiation establishing the PPPoE connection succeeds, allow the terminal to access the network.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN200910176044A CN101656738B (en) | 2009-09-22 | 2009-09-22 | Method and device for verifying terminal accessed to network |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN200910176044A CN101656738B (en) | 2009-09-22 | 2009-09-22 | Method and device for verifying terminal accessed to network |
Publications (2)
Publication Number | Publication Date |
---|---|
CN101656738A true CN101656738A (en) | 2010-02-24 |
CN101656738B CN101656738B (en) | 2012-10-03 |
Family
ID=41710825
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN200910176044A Active CN101656738B (en) | 2009-09-22 | 2009-09-22 | Method and device for verifying terminal accessed to network |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN101656738B (en) |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103701837A (en) * | 2012-09-27 | 2014-04-02 | 中兴通讯股份有限公司 | PPP (Point-to-point Protocol) on-demand dialing method and home gateway |
CN104518874A (en) * | 2013-09-26 | 2015-04-15 | 中兴通讯股份有限公司 | Network access control method and system |
CN110784431A (en) * | 2018-07-30 | 2020-02-11 | 比亚迪股份有限公司 | Vehicle-mounted Ethernet secure access method, system, vehicle-mounted gateway and network equipment |
CN111464837A (en) * | 2020-04-10 | 2020-07-28 | 洪镒 | Video terminal access verification method and server of online live broadcast system |
CN111464837B (en) * | 2020-04-10 | 2021-04-02 | 杭州秋茶网络科技有限公司 | Video terminal access verification method and server of online live broadcast system |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2005236537A (en) * | 2004-02-18 | 2005-09-02 | Nec Access Technica Ltd | Voip wireless telephone system and method using wireless lan |
Family history: 2009-09-22, CN CN200910176044A, patent CN101656738B, status active.
Also Published As
Publication number | Publication date |
---|---|
CN101656738B (en) | 2012-10-03 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US8537841B2 (en) | | Connection support apparatus and gateway apparatus |
CN1694454B (en) | | Communication method and system between a terminal and at least a communication device |
US8091116B2 (en) | | Communication system and method |
KR100645512B1 (en) | | Apparatus and method for authenticating user for network access in communication |
US20060155984A1 (en) | | Apparatus, method and computer software products for controlling a home terminal |
EP2717635B1 (en) | | Communication system and method |
JP5192077B2 (en) | | Secret communication method using VPN, system thereof, program thereof, and recording medium of program |
JP5536628B2 (en) | | Wireless LAN connection method, wireless LAN client, and wireless LAN access point |
CN104025542A (en) | | Method for secured backup and restore of configuration data of end-user device, and device using the method |
KR20080104180A (en) | | Sim based authentication |
US8274401B2 (en) | | Secure data transfer in a communication system including portable meters |
CN109792601B (en) | | Method and equipment for deleting eUICC configuration file |
CN101656738B (en) | | Method and device for verifying terminal accessed to network |
US7562142B2 (en) | | System and method for network connection |
CN114143788A (en) | | Method and system for realizing authentication control of 5G private network based on MSISDN |
US20130183934A1 (en) | | Methods for initializing and/or activating at least one user account for carrying out a transaction, as well as terminal device |
CN101800984A (en) | | Method and server terminal for obtaining WAPI certification and WAPI authentication system |
CN101771684A (en) | | Internet compuphone authentication method and service system thereof |
US8699675B2 (en) | | Method and apparatus for exchanging information in a voice communication system |
JP2006229265A (en) | | Gateway system |
CN114338218A (en) | | PPPoE dialing method |
JP3521837B2 (en) | | Location information service system and method, and storage medium storing location information service program |
CN105812416A (en) | | Method and system for transmitting files between different networks |
CN115278676A (en) | | WAPI certificate application method, wireless terminal and certificate discriminator |
JP2003229955A (en) | | Call method and call system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | C06 | Publication | |
 | PB01 | Publication | |
 | C10 | Entry into substantive examination | |
 | SE01 | Entry into force of request for substantive examination | |
 | C14 | Grant of patent or utility model | |
 | GR01 | Patent grant | |