CN110166474B - Message processing method and device - Google Patents

Publication number: CN110166474B (application CN201910458374.0A; earlier publication CN110166474A)
Authority: CN (China)
Original language: Chinese (zh)
Prior art keywords: address, authentication, verification information, data, information
Legal status: Active (status as listed by Google Patents, not a legal conclusion)
Inventor: 岳炳词
Assignee (original and current): New H3C Security Technologies Co Ltd
History: application filed by New H3C Security Technologies Co Ltd with priority to CN201910458374.0A; published as CN110166474A; granted and published as CN110166474B.

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint


Abstract

The embodiments of this application provide a message processing method and device. A firewall device receives an authentication message sent by a user device, where the payload of the authentication message carries a first IP address and first authentication verification information of the user device. The firewall device determines second authentication verification information from the first user information that corresponds to the first IP address. If the first authentication verification information is the same as the second, it determines first data verification information from the first IP address and the first user information and sends the user device a response message indicating that authentication succeeded. On receiving the response message, the user device determines second data verification information from the first IP address and the first user information and sends the firewall device a data message carrying it. If the second data verification information is the same as the first data verification information, the firewall device forwards the data message. Applying this technical scheme solves the problem that the binding between a user and an IP address lacks uniqueness, and improves network security.

Description

Message processing method and device
Technical Field
The present application relates to the field of communications technologies, and in particular, to a method and an apparatus for processing a packet.
Background
With the development of Internet technology, more and more devices access the Internet, so IPv4 (Internet Protocol version 4) address resources are increasingly scarce. To address this, IPv6 (Internet Protocol version 6) addresses are ever more widely used, with the result that IPv4 networks and IPv6 networks coexist in the Internet.
In addition, to prevent users from being impersonated and to improve network security, some servers on the Internet only allow access by users who have been successfully authenticated. Specifically, the firewall device records a correspondence between the successfully authenticated user information and the IP address of the device the user is using, thereby binding the user to that IP address. When the firewall device receives a data message whose source IP address appears in a recorded correspondence, it treats the data message as legitimate and forwards it. In an Internet where IPv4 and IPv6 networks coexist, when a device in the IPv4 network and a device in the IPv6 network access each other, a Network Address Translation (NAT) device translates the source IP address of each packet. Consequently, after the firewall device successfully authenticates the user information, the IP address bound to the user is the NAT-translated address.
However, a NAT device may translate several different source IP addresses into the same IP address, or translate the same source IP address into different IP addresses, so the binding between the user and the IP address is not unique. As a result, messages from a user who has not passed authentication may reach the server, while a user who has been authenticated may be unable to access the server normally, which is a network security problem. Moreover, because the IP address bound to the user is the NAT-translated address, that address is easy to steal, and an attacker can use it to attack the server.
Disclosure of Invention
An object of the embodiments of this application is to provide a message processing method and apparatus that solve the problem that the binding between a user and an IP address lacks uniqueness, and improve network security. The specific technical scheme is as follows.
In a first aspect, an embodiment of this application provides a message processing method applied to a firewall device, the method including:
receiving an authentication message sent by a user device, where the payload of the authentication message includes a first IP address and first authentication verification information of the user device;
determining whether a first correspondence that includes the first IP address exists among the pre-stored correspondences between access-permitted IP addresses and user information;
if the first correspondence exists, determining second authentication verification information from the first user information included in the first correspondence;
if the first authentication verification information is the same as the second authentication verification information, determining first data verification information from the first IP address and the first user information;
sending a response message indicating successful authentication to the user device, and receiving a data message sent by the user device that carries second data verification information, where the second data verification information is generated by the user device from the first IP address and the first user information after it receives the response message; and
if the second data verification information carried by the data message is the same as the first data verification information, forwarding the data message.
In a second aspect, an embodiment of this application provides a message forwarding method applied to a user device, the method including:
determining first authentication verification information from second user information of the user device;
sending an authentication message to a firewall device, where the payload of the authentication message includes a first IP address of the user device and the first authentication verification information, so that the firewall device determines whether a first correspondence that includes the first IP address exists among the pre-stored correspondences between access-permitted IP addresses and user information; if the first correspondence exists, determines second authentication verification information from the first user information included in the first correspondence; if the first authentication verification information is the same as the second authentication verification information, determines first data verification information from the first IP address and the first user information; and sends a response message indicating successful authentication to the user device;
determining, according to the response message, second data verification information from the first IP address and the second user information; and
sending a data message carrying the second data verification information to the firewall device, the firewall device forwarding the data message when the second data verification information carried by the data message is the same as the first data verification information.
In a third aspect, an embodiment of this application provides a message processing apparatus applied to a firewall device, the apparatus including:
a receiving unit, configured to receive an authentication message sent by a user device, where the payload of the authentication message includes a first IP address and first authentication verification information of the user device;
a judging unit, configured to determine whether a first correspondence that includes the first IP address exists among the pre-stored correspondences between access-permitted IP addresses and user information;
a first determining unit, configured to determine, if the first correspondence exists, second authentication verification information from the first user information included in the first correspondence;
a second determining unit, configured to determine first data verification information from the first IP address and the first user information if the first authentication verification information is the same as the second authentication verification information;
a sending unit, configured to send a response message indicating successful authentication to the user device and to receive a data message sent by the user device that carries second data verification information, where the second data verification information is generated by the user device from the first IP address and the first user information after it receives the response message; and
a forwarding unit, configured to forward the data message if the second data verification information carried by the data message is the same as the first data verification information.
In a fourth aspect, an embodiment of this application provides a message forwarding apparatus applied to a user device, the apparatus including:
a first determining unit, configured to determine first authentication verification information from second user information of the user device;
a first sending unit, configured to send an authentication message to a firewall device, where the payload of the authentication message includes a first IP address of the user device and the first authentication verification information, so that the firewall device determines whether a first correspondence that includes the first IP address exists among the pre-stored correspondences between access-permitted IP addresses and user information; if the first correspondence exists, determines second authentication verification information from the first user information included in the first correspondence; if the first authentication verification information is the same as the second authentication verification information, determines first data verification information from the first IP address and the first user information; and sends a response message indicating successful authentication to the user device;
a second determining unit, configured to determine, according to the response message, second data verification information from the first IP address and the second user information; and
a second sending unit, configured to send a data message carrying the second data verification information to the firewall device, the firewall device forwarding the data message when the second data verification information carried by the data message is the same as the first data verification information.
In a fifth aspect, an embodiment of this application provides a message processing method applied to a firewall device, the method including:
receiving, through a NAT device, an authentication message sent by a user device, where the payload of the authentication message includes a first IP address and first authentication verification information of the user device;
determining whether a first correspondence that includes the first IP address exists among the pre-stored correspondences between access-permitted IP addresses and user information;
if the first correspondence exists, determining second authentication verification information from the first user information included in the first correspondence;
if the first authentication verification information is the same as the second authentication verification information, determining first data verification information from the first IP address and the first user information;
sending a response message indicating successful authentication to the user device through the NAT device, and receiving, through the NAT device, a data message sent by the user device that carries second data verification information, where the second data verification information is generated by the user device from the first IP address and the first user information after it receives the response message; and
if the second data verification information carried by the data message is the same as the first data verification information, forwarding the data message.
In a sixth aspect, an embodiment of this application provides a message forwarding method applied to a user device, the method including:
determining first authentication verification information from second user information of the user device;
sending an authentication message to a firewall device through a NAT device, where the payload of the authentication message includes a first IP address of the user device and the first authentication verification information, so that the firewall device determines whether a first correspondence that includes the first IP address exists among the pre-stored correspondences between access-permitted IP addresses and user information; if the first correspondence exists, determines second authentication verification information from the first user information included in the first correspondence; if the first authentication verification information is the same as the second authentication verification information, determines first data verification information from the first IP address and the first user information; and sends a response message indicating successful authentication to the user device through the NAT device;
determining, according to the response message, second data verification information from the first IP address and the second user information; and
sending a data message carrying the second data verification information to the firewall device through the NAT device, the firewall device forwarding the data message when the second data verification information carried by the data message is the same as the first data verification information.
In a seventh aspect, an embodiment of this application provides a message processing apparatus applied to a firewall device, the apparatus including:
a receiving unit, configured to receive, through a NAT device, an authentication message sent by a user device, where the payload of the authentication message includes a first IP address and first authentication verification information of the user device;
a judging unit, configured to determine whether a first correspondence that includes the first IP address exists among the pre-stored correspondences between access-permitted IP addresses and user information;
a first determining unit, configured to determine, if the first correspondence exists, second authentication verification information from the first user information included in the first correspondence;
a second determining unit, configured to determine first data verification information from the first IP address and the first user information if the first authentication verification information is the same as the second authentication verification information;
a sending unit, configured to send, to the user device through the NAT device, a response message indicating successful authentication, and to receive, from the user device through the NAT device, a data message that carries second data verification information, where the second data verification information is generated by the user device from the first IP address and the first user information after it receives the response message; and
a forwarding unit, configured to forward the data message if the second data verification information carried by the data message is the same as the first data verification information.
In an eighth aspect, an embodiment of this application provides a message forwarding apparatus applied to a user device, the apparatus including:
a first determining unit, configured to determine first authentication verification information from second user information of the user device;
a first sending unit, configured to send an authentication message to a firewall device through a NAT device, where the payload of the authentication message includes a first IP address of the user device and the first authentication verification information, so that the firewall device determines whether a first correspondence that includes the first IP address exists among the pre-stored correspondences between access-permitted IP addresses and user information; if the first correspondence exists, determines second authentication verification information from the first user information included in the first correspondence; if the first authentication verification information is the same as the second authentication verification information, determines first data verification information from the first IP address and the first user information; and sends a response message indicating successful authentication to the user device through the NAT device;
a second determining unit, configured to determine, according to the response message, second data verification information from the first IP address and the second user information; and
a second sending unit, configured to send, to the firewall device through the NAT device, a data message carrying the second data verification information, the firewall device forwarding the data message when the second data verification information carried by the data message is the same as the first data verification information.
In a ninth aspect, embodiments of this application provide a network device comprising a processor and a machine-readable storage medium storing machine-executable instructions executable by the processor, the instructions causing the processor to implement the method steps of any one of the first, second, fifth and sixth aspects above.
In a tenth aspect, embodiments of this application provide a machine-readable storage medium storing machine-executable instructions executable by a processor, the instructions causing the processor to implement the method steps of any one of the first, second, fifth and sixth aspects above.
In the message processing method and device provided by the embodiments of this application, the user device places its first IP address and first authentication verification information in the payload of an authentication message and sends the authentication message to the firewall device. The firewall device determines second authentication verification information from the first user information that corresponds to the pre-stored first IP address. If the first authentication verification information is the same as the second, the user device is successfully authenticated, and the firewall device determines first data verification information from the first IP address and the first user information; that is, the IP address and the user information are bound through the first data verification information. When the second data verification information carried by a data message sent by the user device is the same as the first data verification information, the firewall device forwards the data message.
In this technical scheme, the user device carries its real IP address in the payload of the authentication message sent to the firewall device. Even if a NAT device performs NAT processing on the authentication message, the real IP address in the payload is not changed, so the real IP address of the user device is bound to the user information, and the lack of uniqueness in the user-to-IP binding caused by NAT translation of the packet's source IP address is eliminated. In addition, the authentication message is verified through the authentication verification information and the data message is verified through the data verification information, which reduces the risk that arises because a NAT-translated IP address is easy to steal, and so improves network security.
Of course, no single product or method of this application need achieve all of the above advantages at the same time.
Drawings
To illustrate the embodiments of this application or the prior art more clearly, the drawings used in the description of the embodiments or the prior art are briefly introduced below. The drawings described below are only some embodiments of this application; a person skilled in the art can derive other drawings from them without creative effort.
Fig. 1 is a first architecture diagram of a network architecture according to an embodiment of this application;
Fig. 2 is a second architecture diagram of a network architecture according to an embodiment of this application;
Fig. 3 is a third architecture diagram of a network architecture according to an embodiment of this application;
Fig. 4 is a first flowchart of a message processing method according to an embodiment of this application;
Fig. 5 is a second flowchart of a message processing method according to an embodiment of this application;
Fig. 6 is a third flowchart of a message processing method according to an embodiment of this application;
Fig. 7 is a fourth flowchart of a message processing method according to an embodiment of this application;
Fig. 8 is a signaling diagram of data authentication according to an embodiment of this application;
Fig. 9 is a signaling diagram of data forwarding according to an embodiment of this application;
Fig. 10 is a schematic structural diagram of a first message processing apparatus according to an embodiment of this application;
Fig. 11 is a schematic structural diagram of a second message processing apparatus according to an embodiment of this application;
Fig. 12 is a schematic structural diagram of a third message processing apparatus according to an embodiment of this application;
Fig. 13 is a schematic structural diagram of a fourth message processing apparatus according to an embodiment of this application;
Fig. 14 is a schematic structural diagram of a firewall device according to an embodiment of this application;
Fig. 15 is a schematic structural diagram of a user device according to an embodiment of this application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
In an Internet where IPv4 and IPv6 networks coexist, a device in the IPv4 network and a device in the IPv6 network may access each other. The description takes the case of a device in the IPv4 network accessing a device in the IPv6 network as an example. The network architecture shown in Fig. 1 includes a user device 100 located in the IPv4 network, a NAT device 101, and a server 102 located in the IPv6 network, where the IP address of the user device 100 is IPv4 address 1 and the address of the server 102 is IPv6 address 1. When the user device 100 accesses the server 102, its packet first reaches the NAT device 101. The NAT device 101 randomly selects an IPv6 address, say IPv6 address 2, from a preset address pool, translates the packet's source IP address (IPv4 address 1) into IPv6 address 2, and sends the translated packet, whose source IP address is now IPv6 address 2, to the server 102. Depending on the configured policy, the NAT device may translate only the source address of the packet sent by the user device 100, or both its source and destination addresses; this is not limited here.
On the Internet, to prevent users from being impersonated and to improve network security, some servers only allow access by user devices that have been successfully authenticated. The network architecture for this case is shown in Fig. 2 and includes a user device 200, a firewall device 201, and a server 202. When the user device 200 accesses the server 202, it sends an authentication message containing its user information to the firewall device 201. The firewall device 201 determines whether that user information exists in the user information stored in advance. If it does, the firewall device 201 records a correspondence between the source IP address of the authentication message (the IP address of the user device 200) and the user information. When the firewall device 201 later receives a data packet from the user device 200 whose source IP address appears in a recorded correspondence, it forwards the data packet to the server 202.
Combining the two cases, that is, devices in the IPv4 network and the IPv6 network access each other and the server only allows access by successfully authenticated user devices, gives the network architecture shown in Fig. 3, which includes a user device 300, a NAT device 301, a firewall device 302, and a server 303. If the user device 300 is located in the IPv6 network, the server 303 is located in the IPv4 network; if the user device 300 is located in the IPv4 network, the server 303 is located in the IPv6 network.
When the user device 300 sends an authentication message to the firewall device 302 through the NAT device 301, the NAT device 301 performs NAT processing on it. The NAT device 301 may translate several different source IP addresses into the same IP address, or translate the same source IP address into different IP addresses. As a result, after the firewall device 302 successfully authenticates the user information in the authentication message, the IP address it records for that user information is not unique; the binding between the user and the IP address lacks uniqueness. Messages from a user who has not passed authentication may therefore reach the server, while a user who has been authenticated may be unable to access the server normally, which is a network security problem. In addition, the IP address bound to the user is the NAT-translated address, and the NAT-translated address comes from an address pool that is publicly reachable, so the IP address bound to the user is easy to steal, and an attacker can use it to attack the server.
In order to solve the problem that the binding between the user and the IP address lacks uniqueness and improve network security, in the message processing method and the message processing device provided in the embodiment of the present application, the user equipment carries the first IP address and the first authentication check information of the user equipment in the load of the authentication message and sends the authentication message to the firewall device. The firewall equipment determines second authentication and verification information according to first user information corresponding to a first pre-stored IP address, if the first authentication and verification information is the same as the second authentication and verification information, the user equipment can be successfully authenticated, and first data verification information is determined according to the first IP address and the first user information. And when the second data verification information carried by the data message sent by the user equipment is the same as the first data verification information, the firewall equipment forwards the data message.
In the technical solution provided by the embodiment of the present application, the user equipment carries its real IP address in the payload of the authentication message and sends the message to the firewall device. Even if the NAT device performs NAT processing on the authentication message, the real IP address in the payload is not changed, so the real IP address of the user equipment is bound to the user information, and the lack of uniqueness in the user-to-IP-address binding caused by the NAT device translating the source IP address of the message is resolved. In addition, the authentication message is checked through the authentication check information and the data message is checked through the data check information, which reduces the risk arising from the NAT-translated IP address being easy to steal and improves network security.
The following describes in detail a message processing method provided in the embodiment of the present application through a specific embodiment.
Referring to fig. 4, fig. 4 is a schematic flowchart of a first message processing method according to an embodiment of the present application. The message processing method is applied to a firewall device, such as the firewall device 201 shown in fig. 2. The message processing method comprises the following steps.
Step 401, receiving an authentication message sent by a user equipment, where a load of the authentication message includes a first IP address and first authentication check information of the user equipment.
Here the first IP address is the real IP address of the user equipment. The first IP address and the first authentication check information may be carried at any position of the payload (payload field) of the authentication message. When the user equipment needs to access the server, it determines the first authentication check information from the second user information, that is, the user information held by the user equipment itself. The user equipment then carries the first IP address and the first authentication check information in the payload of the authentication message and sends the authentication message to the firewall device. The user information may include a user name, a user password and a user identity key.
In one example, the user equipment may use the second user information directly as the first authentication check information. In another example, to improve network security, the user equipment may compute a hash value over the second user information and use that hash value as the first authentication check information. In a further example, the user equipment may compute a hash value over both the second user information and the first IP address and use it as the first authentication check information. In this case more data enters the computation of the authentication check information, which further improves network security.
In the embodiment of the application, if the user equipment and the server are located in the same network, for example, the user equipment and the server are both located in an IPv4 network, or the user equipment and the server are both located in an IPv6 network, the user equipment directly sends the authentication packet to the firewall device. As shown in fig. 2, the user device 200 may send the authentication message directly to the firewall device 201.
In the embodiment of the application, the first IP address is the real IP address of the user equipment. Because the NAT device translates only the IP address in the packet header, carrying the first IP address in the payload of the authentication message means the NAT device does not alter it, and the first IP address reaches the firewall device intact.
Step 402, determining whether a first correspondence containing the first IP address exists among the pre-stored correspondences between IP addresses allowed to access and user information. If so, go to step 403.
In the embodiment of the application, the firewall device stores the corresponding relation between the IP address allowed to be accessed and the user information in advance. As shown in table 1.
TABLE 1
User | Password | IP Address | SecKey
Here User is the user name, Password the user password, IP Address the IP address of the user equipment, and SecKey the user identity key. One of User, Password and SecKey, or any combination of them, is collectively called user information.
In an optional embodiment, when the user equipment sends the authentication message to the firewall device, it sets the destination port of the authentication message to a preset port and sends the message with that destination port to the firewall device. The preset port is a port not occupied by any service, and it marks the message as one that needs authentication. For example, if port 18889 is not occupied by any service, port 18889 may be used as the preset port.
After receiving the authentication message, the firewall device checks whether its destination port is the preset port. If it is, the firewall device determines that the message needs authentication processing and extracts the first IP address and the first authentication check information from its payload. The firewall device then performs step 402, determining whether a first correspondence containing the first IP address exists among the pre-stored correspondences between IP addresses allowed to access and user information. If the destination port is not the preset port, the firewall device determines that authentication of the message, that is, of the second user information, has failed, and sends a response message indicating authentication failure to the user equipment.
In an optional embodiment, if the first correspondence does not exist, the firewall device determines that the authentication of the second user information fails, and sends a response message indicating the authentication failure to the user device.
Step 403, determining second authentication and verification information according to the first user information included in the first corresponding relationship.
When determining that the first corresponding relation including the first IP address exists, the firewall equipment extracts the first user information from the first corresponding relation, and determines second authentication and verification information according to the first user information.
In one example, the firewall device may use the first user information as the second authentication check information. In another example, to improve network security, the firewall device may generate a hash value using the first user information as an element, that is, calculate the hash value of the first user information as the second authentication check information. In another example, the firewall device may generate a hash value using the first user information and the first IP address as elements, that is, calculate the hash value of the first user information and the first IP address as the second authentication check information. At this time, data for determining authentication and verification information is added, and the network security is further improved.
In the embodiment of the application, the determination mode of the second authentication check information and the first authentication check information is not specifically limited, and only the determination mode of the second authentication check information and the determination mode of the first authentication check information are required to be the same.
Step 404, detecting whether the first authentication check information and the second authentication check information are the same. If yes, go to step 405.
The firewall device detects whether the first authentication check information and the second authentication check information are the same. If the first authentication check information is the same as the second authentication check information, the firewall device may determine that the second user information is successfully authenticated, and the first user information is the same as the second user information, and perform step 405 and step 406. In one embodiment, if the first authentication check information and the second authentication check information are different, the firewall device may determine that the authentication for the second user information fails, and the first user information and the second user information are different, and send a response message indicating the authentication failure to the user device.
Step 405, determining first data verification information according to the first IP address and the first user information.
And if the firewall equipment determines that the first authentication and verification information is the same as the second authentication and verification information, determining first data verification information according to the first IP address and the first user information.
In one example, the firewall device may concatenate the first user information and the first IP address and use the resulting string as the first data check information. In another example, to improve network security, the firewall device may compute a hash value over the first user information and the first IP address and use that hash value as the first data check information.
In one embodiment, in order to improve network security, if it is determined that the first authentication check information is the same as the second authentication check information, the firewall device allocates a temporary key to the user device, and determines the first data check information according to the first IP address, the first user information, and the temporary key. The temporary key is used for the current login of the user equipment, and the temporary keys determined during each login of the user equipment are different. In addition, the firewall device stores the temporary key at any position of the load of the response message, and further sends the temporary key to the user equipment.
In one example, the firewall device may generate a hash value using the first user information, the first IP address, and the temporary key as elements, that is, calculate the hash value of the first user information, the first IP address, and the temporary key as the first data verification information. At this time, data for determining data verification information is added, and network security is further improved.
In an optional embodiment, after determining that the first authentication check information is the same as the second authentication check information and successfully authenticating the second user information, the firewall device may record the user login information table, so as to perform authentication processing on the data packet. The user login information table may include information such as the first user information, the first IP address of the user equipment, the temporary key, and the first data verification information, as shown in table 2.
TABLE 2
User | IP Address | SecKey | TempSecKey | DataHashKey
Here User is the user name, IP Address the IP address of the user equipment (the source IP address of the authentication and data messages), SecKey the user identity key, TempSecKey the temporary key, and DataHashKey the first data check information.
In the embodiment of the application, the user equipment carries its real IP address in the payload of the authentication message and sends the message to the firewall device. Even if the NAT device performs NAT processing on the authentication message, the real IP address in the payload is not changed, so the real IP address of the user equipment is bound to the user information, and the lack of uniqueness in the user-to-IP-address binding caused by the NAT device translating the source IP address of the message is resolved. In addition, the authentication message is checked through the authentication check information and the data message is checked through the data check information, which reduces the risk arising from the NAT-translated IP address being easy to steal and improves network security.
Step 406, sending a response message indicating successful authentication to the user equipment, and receiving a data message carrying second data verification information sent by the user equipment. And the second data check information is generated by the user equipment by using the first IP address and the first user information after receiving the response message.
Specifically, if the firewall device determines that the first authentication check information is the same as the second authentication check information, the firewall device sends a response message indicating that authentication is successful to the user device. After receiving the response message indicating successful authentication, the user equipment determines that the second user information is successfully authenticated according to the response message, then determines second data verification information by using the first IP address and the first user information, and sends a data message carrying the second data verification information to the firewall equipment.
In one example, the user equipment may concatenate the second user information and the first IP address and use the resulting string as the second data check information. In another example, to improve network security, the user equipment may compute a hash value over the second user information and the first IP address and use that hash value as the second data check information.
In one embodiment, the firewall device allocates a temporary key to the user device, and sends a response message indicating that authentication is successful and carrying the temporary key to the user device. And the user equipment determines second data verification information according to the first IP address, the second user information and the temporary key. In one example, the user equipment may generate a hash value using the second user information, the first IP address, and the temporary key as elements, that is, calculate the hash value of the second user information, the first IP address, and the temporary key as the second data verification information. At this time, data for determining data verification information is added, and network security is further improved.
In the embodiment of the application, the determination mode of the first data verification information and the determination mode of the second data verification information are not specifically limited, and only the determination mode of the first data verification information and the determination mode of the second data verification information are required to be the same. In addition, the execution order of step 405 and step 406 is not limited in the embodiments of the present application.
Step 407, detecting whether the second data check information carried in the received data packet is the same as the first data check information. If so, go to step 408.
After receiving the data message, the firewall device detects whether the second data check information carried in the data message is the same as the first data check information. If the second data check information is the same as the first data check information, the firewall device may determine that the data packet is a valid packet, and perform step 408 to forward the data packet. In one embodiment, if the second data check information is different from the first data check information, the firewall device may determine that the data packet is an illegal packet and discard the data packet.
In an optional embodiment, when the user equipment sends the data message to the firewall device, it sets the destination port of the data message to the preset port and inserts the second data check information at a preset position in the data message. The user equipment then sends the data message, with the preset port as destination port and carrying the second data check information, to the firewall device. The preset port marks the message as one that needs authentication. The preset position may be the tail, the middle or the head of the data message; the embodiment does not limit it.
After receiving the data message, the firewall device detects whether a destination port of the data message is a preset port. If the destination port of the data message is detected to be a preset port, the firewall device can determine that authentication processing needs to be performed on the data message, namely, second data verification information is extracted from the preset position of the data message. The firewall device may then perform step 407 to detect whether the second data check information carried in the data packet is the same as the first data check information. If the destination port of the data message is not detected to be the preset port, the firewall equipment can determine that the authentication on the data message fails, the data message is an illegal message, and the data message is discarded.
In one embodiment, when inserting the second data check information at the preset position of the data message, the user equipment concatenates the second data check information with the source port and places the resulting string at the preset position. After receiving the data message, if the firewall device finds that the destination port is the preset port, it extracts the concatenated string from the preset position and extracts the second data check information from that string. This further improves the security of the data transmission.
Step 408, forwarding the data message.
In an embodiment of the present application, the firewall device may additionally pre-store, for each IP address allowed to access, the IP addresses that it is allowed to access. There may be one or more such IP addresses per allowed IP address. In one example this correspondence is stored as shown in table 3.
TABLE 3
User | Password | IP Address | SecKey | IP List
Here User is the user name, Password the user password, IP Address the IP address of the user equipment (the IP address allowed to access), SecKey the user identity key, and IP List the list of IP addresses of the servers the user equipment is allowed to access. One of User, Password and SecKey, or any combination of them, is collectively called user information.
In the embodiment of the present application, the user equipment and the server are located in the same network, as shown in fig. 2. If the user device and the server are both located in an IPv4 network, the IP List includes the IPv4 address of the server that the user device is allowed to access. If the user device and the server are both located in an IPv6 network, the IP List includes the IPv6 address of the server that the user device is allowed to access.
If the firewall device determines that the first authentication check information is the same as the second authentication check information, it looks up, in the pre-stored correspondence between IP addresses allowed to access and the IP addresses they are allowed to access, the second IP address corresponding to the first IP address; the second IP address is an IP address that the first IP address is allowed to access. The firewall device then sends the user equipment a response message indicating successful authentication and carrying the second IP address. The second IP address may be stored at any position of the payload of the response message, as long as it does not overlap the storage position of other information carried in that payload. The user equipment selects one of the second IP addresses and sends the firewall device a data message whose destination address is the selected IP address.
The description is given for the case in which the user equipment and the server are both located in an IPv4 network. The correspondence configured on the firewall device between the IP address allowed to access and the IP addresses it is allowed to access is shown in table 4.
TABLE 4
[Table 4 is an image in the original page. Its recoverable content, from the example that follows: the row whose IP Address is IPv4_0 has the IP List IPv4_1, IPv4_2, IPv4_3; the User, Password and SecKey values of that row are not reproduced in the page text.]
The IPv4 address of the user equipment is IPv4_0 (the first IP address). If the firewall device determines that the first authentication check information is the same as the second authentication check information, the user information of the user equipment is authenticated, and the firewall device determines that the IP addresses corresponding to IPv4_0 (the second IP addresses) are IPv4_1, IPv4_2 and IPv4_3. The firewall device carries IPv4_1, IPv4_2 and IPv4_3 in the payload of the response message and sends it to the user equipment. The user equipment selects one of the three addresses, for example IPv4_1, and sends the firewall device a data message with source address IPv4_0 and destination address IPv4_1. From the source address IPv4_0 and destination address IPv4_1 of the data message, and with reference to table 4, the firewall device determines that IPv4_1 is an IP address that IPv4_0 is permitted to access; given also that the second data check information carried in the data message is the same as the first data check information, the firewall device forwards the data message to the corresponding server.
In the embodiment of the application, the firewall device additionally checks the data message against the pre-stored correspondence between the IP address allowed to access and the IP addresses it is allowed to access, which improves network security.
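The following Python simulation is an added example written for this page; it is not code from the patent or from the assignee. It walks steps 401 to 408 on the firewall side, steps 501 to 504 on the user equipment side, the NAT hop of fig. 3, and the IP List check of tables 3 and 4, so that the effect of carrying the real IP address in the payload can be followed end to end. Messages are plain dictionaries. The choice of SHA-256 over '|'-joined fields as the hash, '|' as the separator of the concatenated tail, secrets.token_hex for the temporary key, locating the table 2 record by its DataHashKey rather than by IP address, and the user rows, ports and addresses are all assumptions of the example.

```python
import hashlib
import hmac
import secrets

PRESET_PORT = 18889   # the page's example of a port not occupied by any service
SEP = b"|"            # separator of the concatenated tail "<check>|<source port>" (assumption)


def check_hash(*parts):
    # Both sides must derive check values the same way (steps 403 and 503);
    # SHA-256 over '|'-joined fields is this example's choice, not the patent's.
    return hashlib.sha256(SEP.join(p.encode() for p in parts)).hexdigest()


def auth_check(user, password, seckey, real_ip):
    # First/second authentication check information: hash(user info, real IP).
    return check_hash(user, password, seckey, real_ip)


def data_check(user, password, seckey, real_ip, temp_key):
    # First/second data check information: hash(user info, real IP, temporary key).
    return check_hash(user, password, seckey, real_ip, temp_key)


# Table 1 / Table 3 on the firewall: allowed real IP -> user info and IP List (constructed).
ALLOWED = {
    "10.0.0.7": {"user": "alice", "password": "pw-alice", "seckey": "k-alice",
                 "ip_list": {"203.0.113.10", "203.0.113.11"}},
}


class Firewall:
    def __init__(self, allowed):
        self.allowed = allowed
        self.logins = []   # Table 2 rows: user, real IP, temp key, DataHashKey, IP List

    def handle_auth(self, pkt):
        """Steps 401-406: returns the response message for one authentication message."""
        if pkt["dst_port"] != PRESET_PORT:           # not marked as needing authentication
            return {"status": "fail"}
        real_ip, first = pkt["payload"]["ip"], pkt["payload"]["check"]
        row = self.allowed.get(real_ip)               # step 402: the header src_ip is not used
        if row is None:
            return {"status": "fail"}
        second = auth_check(row["user"], row["password"], row["seckey"], real_ip)
        if not hmac.compare_digest(first, second):    # step 404, constant-time compare
            return {"status": "fail"}
        temp_key = secrets.token_hex(16)              # fresh for this login only
        dhk = data_check(row["user"], row["password"], row["seckey"], real_ip, temp_key)
        self.logins.append({"user": row["user"], "ip": real_ip, "temp_key": temp_key,
                            "data_hash_key": dhk, "ip_list": row["ip_list"]})
        return {"status": "ok", "temp_key": temp_key, "ip_list": sorted(row["ip_list"])}

    def handle_data(self, pkt):
        """Steps 407-408 plus the IP List check: returns 'forward' or 'drop'."""
        if pkt["dst_port"] != PRESET_PORT:
            return "drop"
        try:                                          # tail layout: app data | check | source port
            _, second, src_port = pkt["data"].rsplit(SEP, 2)
        except ValueError:                            # tail missing or malformed
            return "drop"
        if src_port != str(pkt["src_port"]).encode():
            return "drop"
        second = second.decode("ascii", errors="ignore")
        login = next((r for r in self.logins
                      if hmac.compare_digest(r["data_hash_key"], second)), None)
        if login is None or pkt["dst_ip"] not in login["ip_list"]:
            return "drop"
        return "forward"


class UserEquipment:
    def __init__(self, real_ip, user, password, seckey):
        self.ip, self.user, self.password, self.seckey = real_ip, user, password, seckey

    def auth_message(self):
        """Steps 501-502: real IP and first check travel in the payload, not the header."""
        return {"src_ip": self.ip, "dst_port": PRESET_PORT,
                "payload": {"ip": self.ip,
                            "check": auth_check(self.user, self.password, self.seckey, self.ip)}}

    def data_message(self, response, dst_ip, app_data, src_port=40001):
        """Steps 503-504: second check concatenated with the source port at the tail."""
        second = data_check(self.user, self.password, self.seckey, self.ip, response["temp_key"])
        return {"src_ip": self.ip, "dst_ip": dst_ip, "src_port": src_port, "dst_port": PRESET_PORT,
                "data": app_data + SEP + second.encode() + SEP + str(src_port).encode()}


def nat(pkt, public_ip="198.51.100.1"):
    # The NAT device rewrites only the header source address; the payload is untouched.
    return {**pkt, "src_ip": public_ip}


def run_demo():
    fw = Firewall(ALLOWED)
    ue = UserEquipment("10.0.0.7", "alice", "pw-alice", "k-alice")
    resp = fw.handle_auth(nat(ue.auth_message()))
    impostor = UserEquipment("10.0.0.7", "alice", "guess", "k-alice")   # wrong password
    return {
        "auth": resp["status"],
        "forward_allowed": fw.handle_data(nat(ue.data_message(resp, "203.0.113.10", b"GET /"))),
        "drop_unlisted_server": fw.handle_data(nat(ue.data_message(resp, "192.0.2.9", b"GET /"))),
        "drop_bad_check": fw.handle_data(nat(ue.data_message({"temp_key": "stale"},
                                                             "203.0.113.10", b"GET /"))),
        "impostor_auth": fw.handle_auth(nat(impostor.auth_message()))["status"],
    }
```

run_demo() returns the verdicts for a successful login through NAT, a data message addressed to a server outside the IP List, a data message whose check was built with the wrong temporary key, and an authentication attempt with a wrong password. The page's requirement that both sides derive the check values in the same way is what ties auth_check and data_check to a single helper, and the temporary key issued at each login is what prevents a check value from being reused at a later login.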
Based on the message processing method applied to the firewall device, the embodiment of the application also provides a message processing method applied to the user equipment. Referring to fig. 5, fig. 5 is a schematic flowchart of a second message processing method according to an embodiment of the present application. The method is applied to the user equipment and comprises the following steps.
Step 501, determining first authentication and verification information according to second user information of the user equipment.
In one example, the user equipment may use the second user information directly as the first authentication check information. In another example, to improve network security, the user equipment may compute a hash value over the second user information and use that hash value as the first authentication check information. In a further example, the user equipment may compute a hash value over both the second user information and the first IP address and use it as the first authentication check information. In this case more data enters the computation of the authentication check information, which further improves network security.
Step 502, sending an authentication message to the firewall device, where a load of the authentication message includes a first IP address of the user equipment and first authentication check information.
Wherein, the first IP address is the real IP address of the user equipment. The first IP address and the first authentication check information may be carried at any position of the payload of the authentication packet.
After receiving the authentication message, the firewall device determines whether a first correspondence containing the first IP address exists among the pre-stored correspondences between IP addresses allowed to access and user information. If the first correspondence exists, it determines second authentication check information from the first user information contained in the first correspondence. If the first authentication check information is the same as the second authentication check information, it determines first data check information from the first IP address and the first user information, and sends a response message indicating successful authentication to the user equipment.
In an embodiment of the present application, sending the authentication message to the firewall device may include setting the destination port of the authentication message to a preset port and sending the message with that destination port to the firewall device. The preset port is a port not occupied by any service, and it marks the message as one that needs authentication. For example, if port 18889 is not occupied by any service, port 18889 may be used as the preset port.
Step 503, according to the response message, determining second data verification information by using the first IP address and the second user information.
In one example, the user equipment may concatenate the second user information and the first IP address and use the resulting string as the second data check information. In another example, to improve network security, the user equipment may compute a hash value over the second user information and the first IP address and use that hash value as the second data check information.
In one embodiment, the firewall device allocates a temporary key to the user device, and sends a response message indicating that authentication is successful and carrying the temporary key to the user device. The temporary key is carried at any location of the payload of the response message, but does not overlap with the storage location of other information carried in the payload of the response message. And the user equipment determines second data verification information according to the first IP address, the second user information and the temporary key. In one example, the user equipment may generate a hash value using the second user information, the first IP address, and the temporary key as elements, that is, calculate the hash value of the second user information, the first IP address, and the temporary key as the second data verification information. At this time, data for determining data verification information is added, and network security is further improved.
Step 504, sending a data message carrying the second data check information to the firewall device. And the firewall equipment forwards the data message under the condition that the second data verification information carried by the data message is the same as the first data verification information.
In an embodiment of the present application, sending, by the user equipment, the data packet carrying the second data check information to the firewall device may include: modifying a destination port of the data message into a preset port; and inserting the second data verification information into the preset position of the data message, and sending the data message with the destination port being the preset port and the second data verification information inserted into the destination port to the firewall equipment.
In an embodiment of the present application, the firewall device may additionally pre-store, for each IP address allowed to access, the IP addresses that it is allowed to access. If the firewall device determines that the first authentication check information is the same as the second authentication check information, it looks up in that correspondence the second IP address corresponding to the first IP address; there may be one or more second IP addresses. The firewall device sends the user equipment a response message indicating successful authentication and carrying the second IP address. The second IP address may be stored at any position of the payload of the response message, as long as it does not overlap the storage position of other information carried in that payload. The user equipment selects one of the second IP addresses and sends the firewall device a data message whose destination address is the selected IP address.
In the technical solution provided by the embodiment of the present application, the user equipment carries its real IP address in the payload of the authentication message and sends the message to the firewall device. Even if the NAT device performs NAT processing on the authentication message, the real IP address in the payload is not changed, so the real IP address of the user equipment is bound to the user information, and the lack of uniqueness in the user-to-IP-address binding caused by the NAT device translating the source IP address of the message is resolved. In addition, the authentication message is checked through the authentication check information and the data message is checked through the data check information, which reduces the risk arising from the NAT-translated IP address being easy to steal and improves network security.
Based on the message processing method applied to the firewall device above, the embodiment of the present application also provides a third message processing method, again applied to a firewall device, for the case in which the user equipment reaches the firewall through a NAT device. Referring to fig. 6, fig. 6 is a flowchart of this third message processing method according to an embodiment of the present application. The method is applied to a firewall device such as the firewall device 302 shown in fig. 3, and comprises the following steps.
Step 601, receiving an authentication message sent by a user equipment through an NAT device, where a load of the authentication message includes a first IP address of the user equipment and first authentication check information.
Here, the first IP address is the real IP address of the user equipment. The first IP address and the first authentication check information may be carried at any position of the payload of the authentication packet. When the user equipment needs to access the server, it determines the first authentication check information according to its own second user information, carries the first IP address and the first authentication check information in the payload of the authentication message, and sends the message to the firewall device through the NAT device. The user information may include a user name, a user password and a user identity key.
In this embodiment of the application, if the user equipment and the server are located in different networks, for example, the user equipment is located in an IPv4 network and the server is located in an IPv6 network, the user equipment sends the authentication packet to the firewall device through the NAT device. As shown in fig. 3, the user device 300 may send an authentication message to the firewall device 302 through the NAT device 301.
Step 602, determining whether a first correspondence relationship including a first IP address exists in correspondence relationships between IP addresses allowed to access and user information stored in advance. If yes, go to step 603.
In the embodiment of the application, the firewall device stores the corresponding relation between the IP address allowed to be accessed and the user information in advance. As shown in table 1.
After receiving the authentication message, the firewall device judges whether a first corresponding relation including a first IP address exists in the corresponding relation, in which the IP address allowing access and the user information are stored in advance.
Step 603, determining second authentication and verification information according to the first user information included in the first corresponding relationship.
When it determines that a first corresponding relation including the first IP address exists, the firewall device extracts the first user information from that relation and determines the second authentication check information according to it, so that the user equipment is verified one step further and network security is improved.
Step 604, it is detected whether the first authentication check information and the second authentication check information are the same. If yes, go to step 605.
The firewall device detects whether the first authentication check information and the second authentication check information are the same. If the first authentication check information is the same as the second authentication check information, the firewall device may determine that the second user information is successfully authenticated, and the first user information is the same as the second user information, and perform step 605 and step 606. In one embodiment, if the first authentication check information is different from the second authentication check information, the firewall device may determine that the authentication of the second user information fails, and the first user information is different from the second user information, and send a response message indicating the authentication failure to the user device through the NAT device.
Step 605, determining first data verification information according to the first IP address and the first user information.
And if the firewall equipment determines that the first authentication and verification information is the same as the second authentication and verification information, determining first data verification information according to the first IP address and the first user information. The first data verification information is used for verifying the subsequently received data message, so that the network security is improved.
Step 606, sending a response message indicating successful authentication to the user equipment through the NAT device, and receiving a data message carrying second data verification information sent by the user equipment through the NAT device. And the second data check information is generated by the user equipment by using the first IP address and the first user information after receiving the response message.
And if the firewall equipment determines that the first authentication and verification information is the same as the second authentication and verification information, sending a response message indicating successful authentication to the user equipment through the NAT equipment. And the user equipment determines second data verification information by using the first IP address and the first user information according to the response message, and sends a data message carrying the second data verification information to the firewall equipment through the NAT equipment.
The execution order of steps 605 and 606 is not limited in the embodiments of the present application.
Step 607, detecting whether the second data check information carried in the received data packet is the same as the first data check information. If so, go to step 608.
After receiving the data message, the firewall device detects whether the second data check information carried in the data message is the same as the first data check information. If the second data check information is the same as the first data check information, the firewall device may determine that the data packet is a legal packet, and perform step 608 to forward the data packet. In one embodiment, if the second data check information is different from the first data check information, the firewall device may determine that the data packet is an illegal packet and discard the data packet.
Step 608, forward the data packet.
In an embodiment of the present application, the firewall device may further store in advance a correspondence between an IP address allowed to access and the IP addresses that this IP address is allowed to access; there may be one or more such IP addresses. One example of this pre-stored correspondence is shown in table 3.
In the embodiment of the present application, the user equipment and the server may be located in different networks, as shown in fig. 3. If the user equipment is located in an IPv4 network and the server in an IPv6 network, or the user equipment is located in an IPv6 network and the server in an IPv4 network, the IP List includes both the IPv6 address and the IPv4 address of each server that the user equipment is allowed to access. To ensure that the user equipment can successfully access the server, the NAT device is configured with the same IP List.
If the firewall device determines that the first authentication check information is the same as the second authentication check information, it determines the second IP address pair corresponding to the first IP address according to the pre-stored correspondence between the IP address allowed to access and the IP address pairs it is allowed to access. The second IP address pair comprises a third IP address and a fourth IP address, which are the server's IP addresses in networks of different versions: the third IP address has the same version as the network where the user equipment is located (it belongs to the same network as the first IP address of the user equipment), and the fourth IP address has the same version as the network where the server is located. The firewall device sends the user equipment, through the NAT device, a response message indicating that authentication succeeded and carrying the second IP address pair. The user equipment selects one IP address pair, or one third IP address, from the second IP address pairs and sends the firewall device, through the NAT device, a data message whose destination address is the selected third IP address (or the third IP address of the selected pair).
For example, the user equipment is located in an IPv6 network and its IPv6 address is IPv6_1, that is, the network version of the network where the user equipment is located is IPv6. The server is located in an IPv4 network, and the IPv4 addresses of the server are IPv4_1, IPv4_2 and IPv4_3, that is, the network version of the network where the server is located is IPv4. The correspondence stored on the firewall device between the IP address allowed to access and the IP address pairs it is allowed to access is shown in table 5.
TABLE 5
IP address allowed to access    IP address pairs allowed to access
IPv6_1                          IPv4_1-IPv6_11, IPv4_2-IPv6_12, IPv4_3-IPv6_13
IPv4_1 and IPv6_11 are the IP addresses of the same server in the two networks, as are IPv4_2 and IPv6_12, and IPv4_3 and IPv6_13. If the firewall device determines that the first authentication check information is the same as the second authentication check information, it determines that the IP address pairs corresponding to IPv6_1 are IPv4_1-IPv6_11, IPv4_2-IPv6_12 and IPv4_3-IPv6_13, and may send these three pairs to the user equipment through the NAT device. The user equipment selects an IPv6 address from the three address pairs, for example IPv6_11, and sends a data message with destination address IPv6_11 and source address IPv6_1 to the NAT device. The NAT device also records the correspondences IPv4_1-IPv6_11, IPv4_2-IPv6_12 and IPv4_3-IPv6_13; according to them it converts the destination address of the data message into IPv4_1 and then sends the data message, with destination address IPv4_1, to the firewall device. The firewall device sends the data message to the corresponding server according to its destination address IPv4_1.
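The address-pair lookup of table 5 and the requirement that the NAT device hold the same IP List, as an added Python example that is not code from the patent or from the applicant: the firewall returns the pairs only after the authentication check information matched, the user equipment picks the address of its own network version, and the NAT device rewrites that destination with its own copy of the list. The placeholder addresses follow the text; the function names, the LookupError raised for a missing mapping and the has_mapping check are assumptions made here. The block generalises slightly beyond the text by also handling an IPv4 user equipment reaching an IPv6 server.

```python
"""Constructed example (not the patent's code): Table 5 on the firewall,
the user equipment's address choice, and the NAT device's destination
translation with its own copy of the same IP list."""
from typing import Dict, List, Optional, Tuple

Pair = Tuple[str, str]  # (IPv4 address, IPv6 address) of one server

# Table 5: IP address allowed to access -> IP address pairs it may reach.
TABLE5: Dict[str, List[Pair]] = {
    "IPv6_1": [("IPv4_1", "IPv6_11"), ("IPv4_2", "IPv6_12"), ("IPv4_3", "IPv6_13")],
}


def firewall_address_pairs(first_ip: str, auth_checks_match: bool) -> Optional[List[Pair]]:
    """Firewall side: the pairs are handed out only when the first and second
    authentication check information are the same; otherwise nothing."""
    if not auth_checks_match:
        return None
    return TABLE5.get(first_ip)


def ue_choose_destination(pairs: List[Pair], ue_ip_version: int) -> str:
    """User equipment side: take from the first pair the address of the UE's
    own network version (the 'third IP address' of the text)."""
    ipv4, ipv6 = pairs[0]
    return ipv6 if ue_ip_version == 6 else ipv4


class NatDevice:
    """Holds a list of address pairs and rewrites a destination to the
    address of the other network version. It must match the firewall's list."""

    def __init__(self, ip_list: List[Pair]):
        self.v6_to_v4 = {v6: v4 for v4, v6 in ip_list}
        self.v4_to_v6 = {v4: v6 for v4, v6 in ip_list}

    def has_mapping(self, dst: str) -> bool:
        return dst in self.v6_to_v4 or dst in self.v4_to_v6

    def translate_destination(self, dst: str) -> str:
        if dst in self.v6_to_v4:
            return self.v6_to_v4[dst]
        if dst in self.v4_to_v6:
            return self.v4_to_v6[dst]
        # A NAT list that drifted from the firewall's leaves the packet
        # undeliverable: exactly the failure the 'same IP List' rule prevents.
        raise LookupError(f"no NAT mapping for {dst}: NAT IP list differs from the firewall's")


def deliver(first_ip: str, ue_ip_version: int, auth_checks_match: bool,
            nat: NatDevice) -> Optional[str]:
    """Destination address as the firewall finally sees it after NAT, or None
    when authentication did not succeed or the UE has no allowed addresses."""
    pairs = firewall_address_pairs(first_ip, auth_checks_match)
    if pairs is None:
        return None
    chosen = ue_choose_destination(pairs, ue_ip_version)
    return nat.translate_destination(chosen)


if __name__ == "__main__":
    nat_ok = NatDevice(TABLE5["IPv6_1"])
    print(deliver("IPv6_1", 6, True, nat_ok))          # IPv4_1, as in the text
    nat_stale = NatDevice([("IPv4_9", "IPv6_19")])      # constructed mismatched list
    try:
        deliver("IPv6_1", 6, True, nat_stale)
    except LookupError as err:
        print(err)
```

With a consistent list the IPv6 destination IPv6_11 chosen by the user equipment reaches the firewall as IPv4_1; with a NAT list that does not contain the pair, the data message cannot be translated at all, which is why the text requires the NAT device to be configured with the same IP List.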
Steps 601 to 608 above are described only briefly; for details, refer to the related description of fig. 4.
Based on the message processing method described above, the embodiment of the application also provides a message processing method applied to the user equipment. Referring to fig. 7, fig. 7 is a fourth flowchart illustrating a message processing method according to an embodiment of the present application. The method is applied to the user equipment and comprises the following steps.
Step 701, determining first authentication and verification information according to second user information of the user equipment.
When the user equipment is authenticated, the user equipment acquires user information of the user equipment, namely second user information, and determines first authentication and verification information according to the second user information.
Step 702, sending an authentication message to the firewall device through the NAT device, where a load of the authentication message includes a first IP address of the user equipment and first authentication check information.
Wherein, the first IP address is the real IP address of the user equipment. The first IP address and the first authentication check information may be carried at any position of the payload of the authentication packet.
The firewall equipment judges whether a first corresponding relation comprising a first IP address exists in the corresponding relation, which is prestored with the IP address allowed to access, and the user information; if the first corresponding relation exists, determining second authentication and verification information according to the first user information included in the first corresponding relation; if the first authentication and verification information is the same as the second authentication and verification information, determining first data verification information according to the first IP address and the first user information; and sending a response message indicating successful authentication to the user equipment through the NAT equipment.
Step 703, determining second data verification information by using the first IP address and the second user information according to the response packet.
And after receiving the response message indicating successful authentication, the user equipment acquires the first IP address and the second user information of the user equipment, and determines second data verification information according to the first IP address and the second user information.
Step 704, sending the data message carrying the second data verification information to the firewall device through the NAT device.
The user equipment sends a data message carrying the second data check information to the firewall device through the NAT device. The second data check information may be carried at the tail, in the middle, or at the head of the payload of the data packet.
And after receiving the data message, the firewall equipment detects whether the second data verification information is the same as the first data verification information. And under the condition that the second data verification information carried by the data message is the same as the first data verification information, the firewall equipment forwards the data message.
Steps 701 to 704 above are described only briefly; for details, refer to the related description of fig. 5.
The following describes the message processing method provided in the embodiment of the present application in detail with reference to the network structure shown in fig. 3, the data authentication signaling diagram shown in fig. 8, and the data forwarding signaling diagram shown in fig. 9. The user device 300 is located in an IPv6 network, and the firewall device 302 and the server 303 are located in an IPv4 network. The preset port is 18889. The address of the user equipment 300 is IPv6_a1; the address of the firewall device 302 is IPv4_f1 and its address in the IPv6 network is IPv6_f1; the address of the server 303 is IPv4_a1 and its address in the IPv6 network is IPv6_a11 (see table 7). The information recorded in the firewall device 302 is shown in table 6.
TABLE 6
(Table 6 is an image in the original and is not reproduced here. As used in steps 811 and 814 below, it records, for the address IPv6_a1 of the user equipment 300, the user information 2 (user 1, password 1, key 1) and the IP address pairs IPv4_a1-IPv6_a11 and IPv4_a2-IPv6_a12 that IPv6_a1 is allowed to access.)
The NAT device 301 records in advance IP address information of a server and a firewall device located in different networks, as shown in table 7.
TABLE 7
IP address of IPv6 network    IP address of IPv4 network
IPv6_a11                      IPv4_a1
IPv6_a12                      IPv4_a2
IPv6_a13                      IPv4_a3
IPv6_a14                      IPv4_a4
IPv6_f1                       IPv4_f1
In order to implement the message processing method provided by the embodiment of the application, a security plug-in can be installed on the user equipment. The security proxy address of the security plug-in is the address IPv6_f1 of the firewall device 302.
The procedure of data authentication is as follows.
In step 801, the user equipment 300 acquires the user information 1 and its own IP address IPv6_a1. The user information 1 includes a user name 10, a user password 10 and a user key 10.
In step 802, the user equipment 300 generates hash value 1 from user information 1 and IPv6_a1 as elements. Hash value 1 is the first authentication check information.
In step 803, the user equipment 300 sends the authentication packet 11 to the NAT device 301. The source address of the authentication packet 11 is IPv6_a1, the destination address is IPv6_f1, the destination port is 18889, and the payload of the authentication packet 11 includes IPv6_a1 and hash value 1.
In step 804, after receiving the authentication packet 11, the NAT device 301 randomly selects an IPv4 address, such as IPv4_a11, from its address pool, converts the source address of the authentication packet 11 into IPv4_a11, and converts the destination address into IPv4_f1 according to table 7, thereby obtaining the authentication packet 12. The NAT device 301 records the correspondence 1 between IPv6_a1 and IPv4_a11.
In an embodiment, depending on the configured policy, the NAT device may perform NAT processing on both the source address and the destination address of the message sent by the user equipment 100, or only on the source address. For example, the user device 300 sends the authentication packet 13 to the NAT device 301 with source address IPv6_a1 and destination address IPv4_f1. After receiving the authentication packet 13, the NAT device 301 randomly selects an IPv4 address, such as IPv4_a11, from the address pool and converts the source address of the authentication packet 13 into IPv4_a11, but does not process the destination address.
The following description takes as an example only the case in which the NAT device performs NAT processing on both the source address and the destination address of the message sent by the user equipment 100; this is not limiting.
In step 805, the NAT device 301 sends the authentication message 12 to the firewall device 302.
In step 806, after receiving the authentication message 12, the firewall device 302 detects whether the destination port of the authentication message 12 is 18889. If not 18889, step 807 is performed. If 18889, then step 811 is performed.
In step 807, the firewall device 302 sends a response message 11 indicating authentication failure to the NAT device 301. The source address of the response message 11 is IPv4_f1, and the destination address is IPv4_a11.
In step 808, after receiving the response message 11, the NAT device 301 converts the destination address of the response message 11 into IPv6_a1 according to the recorded correspondence 1, and converts the source address of the response message 11 into IPv6_f1 according to table 7, so as to obtain a response message 12.
In step 809, the NAT device 301 sends the response message 12 to the user equipment 300.
In step 810, the user equipment 300 receives the response message 12 and determines that the authentication has failed.
In step 811, the firewall device 302 extracts IPv6_a1 and hash value 1 from the payload of the authentication packet 12, and determines according to table 6 that IPv6_a1 corresponds to the user information 2, which includes the user 1, the password 1 and the key 1. The firewall device 302 generates hash value 2 from the user information 2 and IPv6_a1 as elements. Hash value 2 is the second authentication check information.
In step 812, the firewall device 302 determines whether the hash value 2 is the same as the hash value 1. If not, go to step 807. If so, step 813 is performed.
In step 813, firewall device 302 determines that authentication of user device 300 is successful and assigns temporary key 1 to user device 300.
In step 814, the firewall device 302 generates hash value 3 from the user information 2, IPv6_a1 and temporary key 1 as elements. Hash value 3 is the first data check information. In addition, the firewall device 302 sends a response message 13 indicating that the authentication is successful to the NAT device 301. The source address of the response message 13 is IPv4_f1 and the destination address is IPv4_a11. The payload of the response message 13 carries the temporary key 1 and the IP address pairs that IPv6_a1 is allowed to access, i.e. IPv4_a1-IPv6_a11 and IPv4_a2-IPv6_a12.
The firewall device 302 records the calculated hash value 3, and records the hash value 3 in the user login information table, as shown in table 2.
In step 815, after receiving the response message 13, the NAT device 301 converts the destination address of the response message 13 into IPv6_a1 according to the recorded correspondence 1, and converts the source address into IPv6_f1 according to table 7, thereby obtaining a response message 14.
In step 816, the NAT device 301 sends the response message 14 to the user equipment 300.
In step 817, the user equipment 300 receives the response message 14, determines that the authentication is successful, and obtains from the response message 14 the temporary key 1 and the IP address pairs that IPv6_a1 is allowed to access: IPv4_a1-IPv6_a11 and IPv4_a2-IPv6_a12.
The process of data forwarding is as follows.
In step 901, the user equipment 300 obtains the user information 1, IPv6_a1 and the temporary key 1, selects an address from the pairs IPv4_a1-IPv6_a11 and IPv4_a2-IPv6_a12, for example IPv6_a11, and generates the data packet 1 with destination address IPv6_a11.
In step 902, the user equipment 300 generates hash value 4 from the user information 1, IPv6_a1 and the temporary key 1 as elements, obtains the source port SPort of the data packet 1, splices hash value 4 and SPort into a spliced character string, and inserts the spliced string at the tail of the payload of the data packet 1.
In step 903, the user equipment 300 sends the data packet 1 carrying the spliced string to the NAT device 301. The source address of the data packet 1 is IPv6_a1, the destination address is IPv6_a11, and the destination port is 18889.
In step 904, after receiving the data packet 1, the NAT device 301 randomly selects an IPv4 address, such as IPv4_a12, from the address pool, converts the source address of the data packet 1 into IPv4_a12, and converts the destination address into IPv4_a1 according to table 7, thereby obtaining the data packet 2.
In step 905, the NAT device 301 sends the data packet 2 to the firewall device 302.
In step 906, after receiving the data packet 2, the firewall device 302 detects whether the destination port of the data packet 2 is 18889. If 18889, step 907 is performed. If not, step 911 is executed.
In step 907, the firewall device 302 extracts the concatenation string from the tail of the data packet 2 payload, and extracts the hash value 4 from the concatenation string.
In step 908, the firewall device 302 detects whether the user login information table has a hash value that is the same as the hash value 4, specifically, detects whether the hash value 4 is the same as the hash value 3. If so, step 909 is performed. If not, step 911 is executed.
In step 909, the firewall apparatus 302 sends the data packet 2 to the server 303.
In step 910, the server 303 processes the data packet 2.
In step 911, the firewall device 302 discards the data packet 2.
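The authentication exchange (steps 801 to 817) and the forwarding exchange (steps 901 to 911) above, simulated end to end in Python as an added example; this is not code from the patent or from the applicant, and it also serves as a concrete instance of the generic steps 601 to 608 and 701 to 704. It assumes SHA-256 over length-prefixed elements as the "hash value from ... as elements", a dict-based packet layout, a two-address NAT pool consumed in order instead of randomly, and constructed user information (user 1, password 1, key 1) held by both the user equipment and the firewall table; port 18889, the address names and the hash-plus-SPort tail string follow the text.

```python
"""Constructed simulation (not the patent's code) of data authentication
(steps 801-817) and data forwarding (steps 901-911) across a NAT device."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Tuple

PRESET_PORT = 18889
# Table 7 on the NAT device: IPv6 address -> IPv4 address (server and firewall).
TABLE7 = {"IPv6_a11": "IPv4_a1", "IPv6_a12": "IPv4_a2", "IPv6_f1": "IPv4_f1"}


def check_value(*elements: str) -> str:
    """'Hash value from ... as elements' (assumed SHA-256). Length-prefixing
    each element keeps 'ab'+'c' and 'a'+'bc' from hashing identically."""
    h = hashlib.sha256()
    for e in elements:
        h.update(len(e).to_bytes(4, "big"))
        h.update(e.encode())
    return h.hexdigest()


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    payload: dict


class NatDevice:
    """Rewrites src (dynamic pool) and dst (Table 7); never touches the payload,
    which is why the real IPv6 address inside it survives NAT."""

    def __init__(self, pool: List[str]):
        self.pool = list(pool)                 # taken in order here, random in the text
        self.sessions: Dict[str, str] = {}     # e.g. IPv4_a11 -> IPv6_a1 (correspondence 1)
        self.v4_to_v6 = {v4: v6 for v6, v4 in TABLE7.items()}

    def outbound(self, p: Packet) -> Packet:
        mapped = self.pool.pop(0)
        self.sessions[mapped] = p.src
        return Packet(mapped, TABLE7[p.dst], p.sport, p.dport, p.payload)

    def inbound(self, p: Packet) -> Packet:
        return Packet(self.v4_to_v6[p.src], self.sessions[p.dst], p.sport, p.dport, p.payload)


class Firewall:
    def __init__(self, table6: dict):
        self.table6 = table6                   # real IP -> (user info, allowed address pairs)
        self.login_table: Dict[str, str] = {}  # real IP -> hash value 3 (user login table)

    def handle_auth(self, p: Packet) -> Packet:
        fail = Packet("IPv4_f1", p.src, PRESET_PORT, p.sport, {"ok": False})
        if p.dport != PRESET_PORT:                                    # step 806
            return fail
        real_ip, h1 = p.payload["ip"], p.payload["auth"]              # step 811
        entry = self.table6.get(real_ip)
        if entry is None:
            return fail
        user_info, pairs = entry
        h2 = check_value(*user_info, real_ip)
        if not hmac.compare_digest(h1, h2):                           # step 812
            return fail
        temp_key = secrets.token_hex(16)                              # step 813
        self.login_table[real_ip] = check_value(*user_info, real_ip, temp_key)  # step 814
        return Packet("IPv4_f1", p.src, PRESET_PORT, p.sport,
                      {"ok": True, "temp_key": temp_key, "pairs": pairs})

    def handle_data(self, p: Packet) -> str:
        if p.dport != PRESET_PORT:                                    # step 906
            return "discard"
        h4, _sport = p.payload["tail"].rsplit(":", 1)                 # step 907
        for h3 in self.login_table.values():                          # step 908
            if hmac.compare_digest(h3, h4):
                return "forward"                                      # step 909
        return "discard"                                              # step 911


def run_scenario(password: str) -> Tuple[bool, str]:
    """User equipment 300 authenticates with the given password, then sends data
    packet 1. Returns (authentication succeeded, firewall verdict on the data)."""
    ue_ip, ue_info = "IPv6_a1", ("user 1", password, "key 1")        # constructed
    fw = Firewall({"IPv6_a1": (("user 1", "password 1", "key 1"),
                               [("IPv4_a1", "IPv6_a11"), ("IPv4_a2", "IPv6_a12")])})
    nat = NatDevice(["IPv4_a11", "IPv4_a12"])
    # steps 801-805: hash value 1 and the real IPv6 address travel in the payload
    auth11 = Packet(ue_ip, "IPv6_f1", 40000, PRESET_PORT,
                    {"ip": ue_ip, "auth": check_value(*ue_info, ue_ip)})
    resp14 = nat.inbound(fw.handle_auth(nat.outbound(auth11)))
    if not resp14.payload["ok"]:                                      # step 810
        return False, "discard"
    # steps 901-903: hash value 4 and the source port spliced at the payload tail
    sport = 40001
    dst = resp14.payload["pairs"][0][1]                               # IPv6_a11
    h4 = check_value(*ue_info, ue_ip, resp14.payload["temp_key"])
    data1 = Packet(ue_ip, dst, sport, PRESET_PORT, {"tail": f"{h4}:{sport}"})
    return True, fw.handle_data(nat.outbound(data1))                  # steps 904-911
```

run_scenario("password 1") yields (True, "forward"); a wrong password fails the hash value 1 / hash value 2 comparison at step 812, and a data packet whose tail does not match any stored hash value 3 is discarded at step 911. Two points a defender should keep in mind: the comparisons use hmac.compare_digest so that the check time does not leak how many leading characters matched, and hash value 4 is the same for every data packet of a session until the temporary key changes, so the check binds the data to a holder of user information 1 and the key but does not by itself detect a replayed copy of a captured packet.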
The description of the steps 801-.
Corresponding to the message processing method embodiment, the embodiment of the application also provides a message processing device applied to the firewall equipment. Referring to fig. 10, fig. 10 is a schematic view of a first structure of a message processing apparatus according to an embodiment of the present application. The device is applied to firewall equipment and comprises: a receiving unit 1001, a judging unit 1002, a first determining unit 1003, a second determining unit 1004, a transmitting unit 1005, and a forwarding unit 1006.
A receiving unit 1001, configured to receive an authentication packet sent by a user equipment, where a load of the authentication packet includes a first IP address and first authentication check information of the user equipment;
a judging unit 1002, configured to judge whether a first correspondence relationship including a first IP address exists in correspondence relationships between IP addresses for which access is permitted and user information stored in advance;
a first determining unit 1003, configured to determine, if the first corresponding relationship exists, second authentication and verification information according to first user information included in the first corresponding relationship;
a second determining unit 1004, configured to determine first data verification information according to the first IP address and the first user information if the first authentication verification information is the same as the second authentication verification information;
a sending unit 1005, configured to send a response packet indicating that authentication is successful to the user equipment, and receive a data packet carrying second data verification information sent by the user equipment, where the second data verification information is generated by using the first IP address and the first user information after the user equipment receives the response packet;
a forwarding unit 1006, configured to forward the data packet if the second data check information carried in the data packet is the same as the first data check information.
In an optional embodiment, the determining unit 1002 may be specifically configured to detect whether a destination port of the authentication packet is a preset port after receiving the authentication packet; if the port is the preset port, extracting a first IP address and first authentication check information from the load of the authentication message, and judging whether a first corresponding relation comprising the first IP address exists in the corresponding relation of the IP address which is prestored and allowed to access and the user information;
the forwarding unit 1006 may be specifically configured to detect whether a destination port of the data packet is a preset port after receiving the data packet; and if the port is a preset port, extracting second data verification information from a preset position of the data message, and if the second data verification information carried by the data message is the same as the first data verification information, forwarding the data message.
In an optional embodiment, the first determining unit 1003 may be specifically configured to calculate a hash value of the first user information included in the first corresponding relationship, as the second authentication check information;
the second determining unit 1004 may be specifically configured to calculate a hash value of the first user information and the first IP address included in the first corresponding relationship, as the first data verification information.
In an alternative embodiment, the second determining unit 1004 may be specifically configured to assign a temporary key to the user equipment; determining first data verification information according to the first IP address, the first user information and the temporary key;
the sending unit 1005 may be specifically configured to send, to the user equipment, a response message indicating that the authentication is successful and carrying the temporary key.
In an optional embodiment, the sending unit 1005 may be specifically configured to determine, if the first authentication verification information is the same as the second authentication verification information, the second IP address corresponding to the first IP address according to a pre-stored correspondence between the IP address allowed to be accessed and the IP address allowed to be accessed by the IP address; and sending a response message which indicates successful authentication and carries the second IP address to the user equipment so that the user equipment selects one IP address from the second IP address, and sending a data message with the destination address as the selected IP address to the firewall equipment.
Corresponding to the message processing method embodiment, the embodiment of the application also provides a message processing device applied to the user equipment. Referring to fig. 11, fig. 11 is a schematic diagram of a second structure of a message processing apparatus according to an embodiment of the present application. The device is applied to user equipment and comprises: a first determining unit 1101, a first transmitting unit 1102, a second determining unit 1103, and a second transmitting unit 1104.
A first determining unit 1101, configured to determine first authentication check information according to second user information of the user equipment;
a first sending unit 1102, configured to send an authentication packet to a firewall device, where a load of the authentication packet includes a first IP address of a user equipment and first authentication check information, so that the firewall device determines whether a first corresponding relationship including the first IP address exists in a corresponding relationship in which an IP address allowed to be accessed and user information are stored in advance; if the first corresponding relation exists, determining second authentication and verification information according to the first user information included in the first corresponding relation; if the first authentication and verification information is the same as the second authentication and verification information, determining first data verification information according to the first IP address and the first user information; sending a response message indicating successful authentication to the user equipment;
a second determining unit 1103, configured to determine, according to the response packet, second data verification information by using the first IP address and the second user information;
a second sending unit 1104, configured to send a data packet carrying second data check information to the firewall device, so that the firewall device forwards the data packet when the second data check information carried by the data packet is the same as the first data check information.
In an optional embodiment, the first sending unit 1102 may be specifically configured to modify a destination port of the authentication packet to a preset port; sending an authentication message with a preset port as a destination port to firewall equipment;
the second sending unit 1104 may be specifically configured to modify a destination port of the data packet into a preset port, insert the second data check information into a preset position of the data packet, and send the data packet whose destination port is the preset port and into which the second data check information has been inserted to the firewall device.
In an optional embodiment, the first determining unit 1101 may be specifically configured to calculate a hash value of the first user information included in the first corresponding relationship, as the first authentication check information;
the second determining unit 1103 may be specifically configured to calculate, according to the response packet, a hash value of the second user information and the first IP address as the second data verification information.
In an optional embodiment, the response packet may further carry a temporary key allocated by the firewall device to the user equipment;
the second determining unit 1103 may be specifically configured to determine the second data verification information according to the first IP address, the second user information, and the temporary key.
In an optional embodiment, the response packet may further carry a second IP address that the first IP address is allowed to access;
a second sending unit 1104, which may be specifically configured to select one IP address from the second IP address; and sending the data message with the destination address of the selected IP address to the firewall equipment.
In the technical solution provided by the embodiments of the application, the user equipment carries its real IP address in the payload of the authentication packet and sends the packet to the firewall device. Even if a NAT device performs NAT on the authentication packet, the real IP address in the payload is unchanged, so the real IP address of the user equipment is bound to the user information, and the problem that the binding between the user and the IP address lacks uniqueness because the NAT device translates the source IP address of the packet is solved. In addition, the authentication packet is verified through the authentication check information and the data packet is verified through the data check information, which reduces the risk that an IP address processed by NAT is easily stolen and improves network security.
Corresponding to the message processing method embodiment, the embodiment of the application also provides a message processing device applied to the firewall equipment. Referring to fig. 12, fig. 12 is a schematic diagram of a third structure of a message processing apparatus according to an embodiment of the present application. The device is applied to firewall equipment and comprises: a receiving unit 1201, a judging unit 1202, a first determining unit 1203, a second determining unit 1204, a sending unit 1205 and a forwarding unit 1206.
A receiving unit 1201, configured to receive an authentication packet sent by a user equipment through a NAT device, where a payload of the authentication packet includes a first IP address and first authentication check information of the user equipment;
a determining unit 1202, configured to determine whether a first correspondence relationship including a first IP address exists in correspondence relationships between IP addresses for which access is permitted and user information stored in advance;
a first determining unit 1203, configured to determine, if the first corresponding relationship exists, second authentication and verification information according to first user information included in the first corresponding relationship;
a second determining unit 1204, configured to determine, if the first authentication verification information is the same as the second authentication verification information, the first data verification information according to the first IP address and the first user information;
a sending unit 1205, configured to send a response message indicating that authentication is successful to the user equipment through the NAT device, and receive a data message that is sent by the user equipment through the NAT device and carries second data verification information, where the second data verification information is generated by using the first IP address and the first user information after the user equipment receives the response message;
a forwarding unit 1206, configured to forward the data packet if the second data check information carried by the data packet is the same as the first data check information.
In an optional embodiment, the determining unit 1202 may be specifically configured to detect whether a destination port of the authentication packet is a preset port after receiving the authentication packet; if the port is the preset port, extracting a first IP address and first authentication check information from the load of the authentication message, and judging whether a first corresponding relation comprising the first IP address exists in the corresponding relation of the IP address which is prestored and allowed to access and the user information;
the forwarding unit 1206 may be specifically configured to detect whether a destination port of the data packet is a preset port after the data packet is received; and if the port is a preset port, extracting second data verification information from a preset position of the data message, and if the second data verification information carried by the data message is the same as the first data verification information, forwarding the data message.
In an optional embodiment, the first determining unit 1203 may be specifically configured to calculate a hash value of the first user information included in the first corresponding relationship, as the second authentication check information;
the second determining unit 1204 may be specifically configured to calculate a hash value of the first user information and the first IP address included in the first corresponding relationship, as the first data verification information.
In an alternative embodiment, the second determining unit 1204 may be specifically configured to assign a temporary key to the user equipment; determining first data verification information according to the first IP address, the first user information and the temporary key;
the sending unit 1205 may be specifically configured to send, to the user equipment through the NAT device, a response message indicating that the authentication is successful and carrying the temporary key.
In an optional embodiment, the sending unit 1205 may be specifically configured to determine, if the first authentication verification information is the same as the second authentication verification information, a second IP address pair corresponding to the first IP address according to a correspondence between an IP address allowed to be accessed and an IP address pair allowed to be accessed, which are stored in advance; and sending a response message which indicates successful authentication and carries the second IP address pair to the user equipment through the NAT equipment so that the user equipment selects one IP address from the second IP address pair, and sending a data message with a destination address as the selected IP address to the firewall equipment through the NAT equipment, wherein the selected IP address and the first IP address belong to the same network.
In the technical solution provided by the embodiments of the application, the user equipment carries its real IP address in the payload of the authentication packet and sends the packet to the firewall device. Even if a NAT device performs NAT on the authentication packet, the real IP address in the payload is unchanged, so the real IP address of the user equipment is bound to the user information, and the problem that the binding between the user and the IP address lacks uniqueness because the NAT device translates the source IP address of the packet is solved. In addition, the authentication packet is verified through the authentication check information and the data packet is verified through the data check information, which reduces the risk that an IP address processed by NAT is easily stolen and improves network security.
Corresponding to the message processing method embodiment, the embodiment of the application also provides a message processing device applied to the user equipment. Referring to fig. 13, fig. 13 is a schematic diagram of a fourth structure of a message processing apparatus according to an embodiment of the present application. The device is applied to user equipment and comprises: a first determining unit 1301, a first sending unit 1302, a second determining unit 1303, and a second sending unit 1304.
A first determining unit 1301, configured to determine first authentication check information according to second user information of the user equipment;
a first sending unit 1302, configured to send an authentication packet to a firewall device through a NAT device, where a payload of the authentication packet includes a first IP address of the user equipment and first authentication check information, so that the firewall device determines whether a first corresponding relationship including the first IP address exists in pre-stored corresponding relationships between IP addresses allowed to access and user information; if the first corresponding relationship exists, determines second authentication check information according to the first user information included in the first corresponding relationship; if the first authentication check information is the same as the second authentication check information, determines first data check information according to the first IP address and the first user information; and sends a response packet indicating successful authentication to the user equipment through the NAT device;
a second determining unit 1303, configured to determine, according to the response packet, second data verification information by using the first IP address and the second user information;
a second sending unit 1304, configured to send, to the firewall device through the NAT device, a data packet carrying second data check information, so that the firewall device forwards the data packet when the second data check information carried by the data packet is the same as the first data check information.
In an optional embodiment, the first sending unit 1302 may be specifically configured to modify a destination port of the authentication packet into a preset port, and send the authentication packet whose destination port is the preset port to the firewall device through the NAT device;
the second sending unit 1304 may be specifically configured to modify a destination port of the data packet into a preset port, insert the second data check information into a preset position of the data packet, and send the data packet whose destination port is the preset port and into which the second data check information has been inserted to the firewall device through the NAT device.
In an optional embodiment, the first determining unit 1301 may be specifically configured to calculate a hash value of the first user information included in the first corresponding relationship, as the first authentication check information;
the second determining unit 1303 may be specifically configured to calculate, according to the response packet, a hash value of the second user information and the first IP address as the second data verification information.
In an optional embodiment, the response packet may further carry a temporary key allocated by the firewall device to the user equipment;
the second determining unit 1303 may be specifically configured to determine the second data verification information according to the first IP address, the second user information, and the temporary key.
In an optional embodiment, the response packet may further carry a second IP address pair that the first IP address is allowed to access;
the second sending unit 1304 may be specifically configured to select one IP address from the second IP address pair, and send a data packet whose destination address is the selected IP address to the firewall device through the NAT device, where the selected IP address and the first IP address belong to the same network.
In the technical solution provided by the embodiments of the application, the user equipment carries its real IP address in the payload of the authentication packet and sends the packet to the firewall device. Even if a NAT device performs NAT on the authentication packet, the real IP address in the payload is unchanged, so the real IP address of the user equipment is bound to the user information, and the problem that the binding between the user and the IP address lacks uniqueness because the NAT device translates the source IP address of the packet is solved. In addition, the authentication packet is verified through the authentication check information and the data packet is verified through the data check information, which reduces the risk that an IP address processed by NAT is easily stolen and improves network security.
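The exchange described by the method and apparatus embodiments above (real IP address and authentication check carried in the payload, source NAT that rewrites only the header, the temporary-key variant of the data check, and the firewall's forward-or-drop decision on data packets), as an added Python simulation that is not part of the patent. The hash function (SHA-256), the preset port 8888, the 32-byte check at the start of the payload, the 16-byte temporary key, and the sample addresses and user names are all assumptions; the IP-address-pair variant is not modelled.

```python
"""Simulation of the NAT-traversing authentication / data-check exchange.

Added example, not the patent's code.  Assumed: SHA-256 as the hash,
port 8888 as the "preset port", payload[:32] as the "preset position".
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

PRESET_PORT = 8888   # assumed value for the patent's preset destination port
CHECK_LEN = 32       # SHA-256 digest; the check occupies the first 32 payload bytes


def h(*fields: bytes) -> bytes:
    """Hash of several fields, each length-prefixed so boundaries are unambiguous."""
    m = hashlib.sha256()
    for f in fields:
        m.update(len(f).to_bytes(2, "big"))
        m.update(f)
    return m.digest()


@dataclass
class Packet:
    src_ip: str      # IP header source address (rewritten by NAT)
    dst_port: int
    payload: bytes   # never touched by NAT


def nat(pkt: Packet, public_ip: str) -> Packet:
    """Source NAT: only the header address changes; the payload survives intact."""
    return Packet(public_ip, pkt.dst_port, pkt.payload)


class UserEquipment:
    def __init__(self, real_ip: str, user_info: bytes):
        self.real_ip, self.user_info = real_ip, user_info
        self.data_check: Optional[bytes] = None

    def auth_packet(self) -> Packet:
        first_auth = h(self.user_info)          # first authentication check information
        ip = self.real_ip.encode()
        # payload layout (assumed): len(ip) | real IP | first authentication check
        return Packet(self.real_ip, PRESET_PORT, bytes([len(ip)]) + ip + first_auth)

    def on_response(self, response: Optional[dict]) -> None:
        if response and response.get("status") == "ok":
            # second data check information: hash(real IP, user info, temporary key)
            self.data_check = h(self.real_ip.encode(), self.user_info, response["temp_key"])

    def data_packet(self, app_data: bytes) -> Packet:
        assert self.data_check is not None, "not authenticated yet"
        return Packet(self.real_ip, PRESET_PORT, self.data_check + app_data)


class Firewall:
    def __init__(self, allowed: dict[str, bytes]):
        self.allowed = allowed                  # pre-stored: real IP -> user information
        self.sessions: dict[bytes, str] = {}    # first data check -> real IP

    def handle_auth(self, pkt: Packet) -> Optional[dict]:
        if pkt.dst_port != PRESET_PORT or not pkt.payload:
            return None
        n = pkt.payload[0]
        real_ip = pkt.payload[1:1 + n].decode()           # taken from the payload, not pkt.src_ip
        first_auth = pkt.payload[1 + n:1 + n + CHECK_LEN]
        user_info = self.allowed.get(real_ip)
        if user_info is None:
            return None                                    # no correspondence for this IP
        second_auth = h(user_info)                         # second authentication check information
        if not hmac.compare_digest(first_auth, second_auth):
            return None
        temp_key = secrets.token_bytes(16)                 # temporary key allocated to this UE
        first_data = h(real_ip.encode(), user_info, temp_key)
        self.sessions[first_data] = real_ip                # first data check information
        return {"status": "ok", "temp_key": temp_key}

    def handle_data(self, pkt: Packet) -> Optional[str]:
        """Return the real IP the packet is forwarded for, or None if it is dropped."""
        if pkt.dst_port != PRESET_PORT or len(pkt.payload) < CHECK_LEN:
            return None
        return self.sessions.get(pkt.payload[:CHECK_LEN])  # equal check -> forward


def run_demo() -> dict:
    fw = Firewall({"10.0.0.5": b"alice"})                  # constructed allow list
    nat_ip = "203.0.113.7"                                 # constructed translated address
    ue = UserEquipment("10.0.0.5", b"alice")
    ue.on_response(fw.handle_auth(nat(ue.auth_packet(), nat_ip)))
    genuine = fw.handle_data(nat(ue.data_packet(b"GET /"), nat_ip))
    # another host behind the same NAT shares the translated address but has no valid check
    no_check = fw.handle_data(Packet(nat_ip, PRESET_PORT, secrets.token_bytes(CHECK_LEN) + b"GET /"))
    # allowed IP but wrong user information: authentication check mismatch
    bad_user = fw.handle_auth(nat(UserEquipment("10.0.0.5", b"mallory").auth_packet(), nat_ip))
    # IP with no pre-stored correspondence at all
    unknown = fw.handle_auth(nat(UserEquipment("10.0.0.9", b"bob").auth_packet(), nat_ip))
    return {"genuine": genuine, "no_check": no_check, "bad_user": bad_user, "unknown": unknown}


if __name__ == "__main__":
    print(run_demo())
```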
Corresponding to the foregoing message processing method embodiment, an embodiment of the present application further provides a firewall device, as shown in fig. 14, including a processor 1401 and a machine-readable storage medium 1402, where the machine-readable storage medium 1402 stores machine-executable instructions that can be executed by the processor 1401, and the machine-executable instructions cause the processor 1401 to implement any of the steps shown in fig. 4 and 6.
In an alternative embodiment, as shown in fig. 14, the firewall device may further include a communication interface 1403 and a communication bus 1404; the processor 1401, the machine-readable storage medium 1402 and the communication interface 1403 communicate with each other through the communication bus 1404, and the communication interface 1403 is used for communication between the firewall device and other devices.
Corresponding to the foregoing message processing method embodiment, an embodiment of the present application further provides a user equipment, as shown in fig. 15, including a processor 1501 and a machine-readable storage medium 1502, where the machine-readable storage medium 1502 stores machine-executable instructions that can be executed by the processor 1501, and the machine-executable instructions cause the processor 1501 to implement any of the steps shown in fig. 5 and 7.
In an alternative embodiment, as shown in fig. 15, the user equipment may further include: a communication interface 1503 and a communication bus 1504; the processor 1501, the machine-readable storage medium 1502 and the communication interface 1503 communicate with each other through the communication bus 1504, and the communication interface 1503 is used for communication between the user equipment and other devices.
Corresponding to the foregoing message processing method embodiment, an embodiment of the present application further provides a machine-readable storage medium, where the machine-readable storage medium stores machine-executable instructions that can be executed by a processor. The processor is caused by machine executable instructions to implement any of the steps shown in fig. 4 and 6.
Corresponding to the foregoing message processing method embodiment, an embodiment of the present application further provides a machine-readable storage medium, where the machine-readable storage medium stores machine-executable instructions that can be executed by a processor. The processor is caused by machine executable instructions to implement any of the steps shown in fig. 5 and 7.
The communication bus may be a PCI (Peripheral Component Interconnect) bus, an EISA (Extended Industry Standard Architecture) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown in fig. 10 and 11, but this does not indicate only one bus or one type of bus.
The machine-readable storage medium may include a RAM (Random Access Memory) and an NVM (Non-Volatile Memory), such as at least one disk memory. Additionally, the machine-readable storage medium may be at least one storage device located remotely from the aforementioned processor.
The processor may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; it may also be a DSP (Digital Signal Processor), an ASIC (Application Specific Integrated Circuit), an FPGA (Field Programmable Gate Array) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the embodiments of the message processing apparatus, the firewall device, the user equipment, and the machine-readable storage medium, since they are substantially similar to the embodiments of the message processing method, the description is relatively simple, and for relevant points, reference may be made to the partial description of the embodiments of the message processing method.
The above description is only for the preferred embodiment of the present application, and is not intended to limit the scope of the present application. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application are included in the protection scope of the present application.

Claims (18)

1. A message processing method is applied to firewall equipment, and the method comprises the following steps:
receiving an authentication message sent by user equipment, wherein the load of the authentication message comprises a first Internet Protocol (IP) address and first authentication check information of the user equipment;
judging whether a first corresponding relation comprising the first IP address exists in pre-stored corresponding relations between IP addresses allowed to access and user information;
if the first corresponding relation exists, determining second authentication and verification information according to first user information included in the first corresponding relation;
if the first authentication and verification information is the same as the second authentication and verification information, determining first data verification information according to the first IP address and the first user information;
sending a response message indicating successful authentication to the user equipment, and receiving a data message which is sent by the user equipment and carries second data check information, wherein the second data check information is generated by the user equipment by using the first IP address and the first user information after receiving the response message;
and if the second data verification information carried by the data message is the same as the first data verification information, forwarding the data message.
2. The method of claim 1, wherein after receiving the authentication message, the method further comprises: detecting whether a destination port of the authentication message is a preset port; if it is the preset port, extracting the first IP address and the first authentication check information from the load of the authentication message, and executing the step of judging whether a first corresponding relation comprising the first IP address exists in the pre-stored corresponding relations between IP addresses allowed to access and user information;
after receiving the data packet, the method further includes: detecting whether a destination port of the data message is a preset port; and if the port is a preset port, extracting the second data verification information from a preset position of the data message, and executing the step of forwarding the data message if the second data verification information carried by the data message is the same as the first data verification information.
3. The method according to claim 1, wherein the step of determining second authentication and verification information according to the first user information included in the first corresponding relationship comprises: calculating a hash value of the first user information included in the first corresponding relation to serve as second authentication check information;
the step of determining first data verification information according to the first IP address and the first user information includes: and calculating the hash value of the first user information and the first IP address included in the first corresponding relation as first data verification information.
4. The method of claim 1, wherein the step of determining first data check information according to the first IP address and the first user information comprises:
distributing a temporary key for the user equipment; determining first data verification information according to the first IP address, the first user information and the temporary key;
the step of sending a response message indicating successful authentication to the user equipment includes:
and sending a response message which indicates that the authentication is successful and carries the temporary secret key to the user equipment.
5. The method of claim 1, further comprising:
if the first authentication and verification information is the same as the second authentication and verification information, determining a second IP address corresponding to the first IP address according to a pre-stored corresponding relation between IP addresses allowed to access and the IP addresses that each such IP address is allowed to access;
the step of sending a response message indicating successful authentication to the user equipment includes:
and sending a response message which indicates that the authentication is successful and carries the second IP address to the user equipment, so that the user equipment selects one IP address from the second IP address, and sends a data message with the destination address as the selected IP address to the firewall equipment.
6. A message forwarding method is applied to user equipment, and the method comprises the following steps:
determining first authentication and verification information according to second user information of the user equipment;
sending an authentication message to firewall equipment, wherein the load of the authentication message comprises a first Internet Protocol (IP) address of the user equipment and the first authentication check information, so that the firewall equipment judges whether a first corresponding relation comprising the first IP address exists in pre-stored corresponding relations between IP addresses allowed to access and user information; if the first corresponding relation exists, determines second authentication and verification information according to first user information included in the first corresponding relation; if the first authentication and verification information is the same as the second authentication and verification information, determines first data verification information according to the first IP address and the first user information; and sends a response message indicating successful authentication to the user equipment;
according to the response message, second data verification information is determined by using the first IP address and the second user information;
sending a data message carrying the second data verification information to the firewall equipment; and the firewall equipment forwards the data message under the condition that the second data verification information carried by the data message is the same as the first data verification information.
7. The method of claim 6, wherein the step of sending the authentication message to the firewall device comprises: modifying a destination port of the authentication message into a preset port; sending an authentication message with a destination port as the preset port to the firewall equipment;
the step of sending the data packet carrying the second data verification information to the firewall device includes: modifying a destination port of the data message into a preset port; and inserting the second data verification information into a preset position of the data message, and sending the data message with a destination port being a preset port and the second data verification information inserted into the data message to the firewall equipment.
8. The method of claim 6, wherein the step of determining the first authentication check information according to the first user information of the user equipment comprises: calculating a hash value of first user information included in the first corresponding relation to serve as first authentication and verification information;
the step of determining second data verification information by using the first IP address and the second user information according to the response packet includes: and calculating the hash value of the second user information and the first IP address according to the response message, and using the hash value as second data verification information.
9. The method according to claim 6, wherein the response packet further carries a temporary key allocated by the firewall device to the user equipment;
the step of determining second data verification information by using the first IP address and the second user information according to the response packet includes:
and determining second data verification information according to the first IP address, the second user information and the temporary key.
10. The method according to claim 6, wherein the response packet further carries a second IP address allowing the first IP address to access;
the step of sending the data packet carrying the second data verification information to the firewall device includes:
selecting an IP address from the second IP address;
and sending a data message with the destination address of the selected IP address to the firewall equipment.
11. A message processing method is applied to firewall equipment, and the method comprises the following steps:
receiving an authentication message sent by user equipment through NAT equipment, wherein the load of the authentication message comprises a first Internet Protocol (IP) address and first authentication check information of the user equipment;
judging whether a first corresponding relation comprising the first IP address exists in pre-stored corresponding relations between IP addresses allowed to access and user information;
if the first corresponding relation exists, determining second authentication and verification information according to first user information included in the first corresponding relation;
if the first authentication and verification information is the same as the second authentication and verification information, determining first data verification information according to the first IP address and the first user information;
sending a response message indicating successful authentication to the user equipment through the NAT equipment, and receiving a data message which is sent by the user equipment through the NAT equipment and carries second data check information, wherein the second data check information is generated by the user equipment by using the first IP address and the first user information after receiving the response message;
and if the second data verification information carried by the data message is the same as the first data verification information, forwarding the data message.
12. A message forwarding method is applied to user equipment, and the method comprises the following steps:
determining first authentication and verification information according to second user information of the user equipment;
sending an authentication message to firewall equipment through NAT (Network Address Translation) equipment, wherein the load of the authentication message comprises a first Internet Protocol (IP) address of the user equipment and the first authentication check information, so that the firewall equipment judges whether a first corresponding relation comprising the first IP address exists in pre-stored corresponding relations between IP addresses allowed to access and user information; if the first corresponding relation exists, determines second authentication and verification information according to first user information included in the first corresponding relation; if the first authentication and verification information is the same as the second authentication and verification information, determines first data verification information according to the first IP address and the first user information; and sends a response message indicating successful authentication to the user equipment through the NAT equipment;
according to the response message, second data verification information is determined by using the first IP address and the second user information;
sending a data message carrying the second data verification information to the firewall equipment through the NAT equipment; and the firewall equipment forwards the data message under the condition that the second data verification information carried by the data message is the same as the first data verification information.
13. A message processing apparatus, applied to a firewall device, the apparatus comprising:
a receiving unit, configured to receive an authentication message sent by user equipment, wherein the payload of the authentication message comprises a first Internet Protocol (IP) address of the user equipment and first authentication verification information;
a judging unit, configured to judge whether a first correspondence comprising the first IP address exists in a pre-stored correspondence between access-permitted IP addresses and user information;
a first determining unit, configured to determine, if the first correspondence exists, second authentication verification information according to first user information included in the first correspondence;
a second determining unit, configured to determine first data verification information according to the first IP address and the first user information if the first authentication verification information is the same as the second authentication verification information;
a sending unit, configured to send a response message indicating successful authentication to the user equipment, and to receive a data message sent by the user equipment and carrying second data verification information, wherein the second data verification information is generated by the user equipment using the first IP address and the first user information after receiving the response message;
and a forwarding unit, configured to forward the data message if the second data verification information carried by the data message is the same as the first data verification information.
14. A message forwarding apparatus, applied to user equipment, the apparatus comprising:
a first determining unit, configured to determine first authentication verification information according to second user information of the user equipment;
a first sending unit, configured to send an authentication message to a firewall device, wherein the payload of the authentication message comprises a first Internet Protocol (IP) address of the user equipment and the first authentication verification information, so that the firewall device judges whether a first correspondence comprising the first IP address exists in a pre-stored correspondence between access-permitted IP addresses and user information; if the first correspondence exists, determines second authentication verification information according to first user information included in the first correspondence; if the first authentication verification information is the same as the second authentication verification information, determines first data verification information according to the first IP address and the first user information; and sends a response message indicating successful authentication to the user equipment;
a second determining unit, configured to determine, according to the response message, second data verification information using the first IP address and the second user information;
a second sending unit, configured to send a data message carrying the second data verification information to the firewall device, wherein the firewall device forwards the data message if the second data verification information carried by the data message is the same as the first data verification information.
15. A message processing apparatus, applied to a firewall device, the apparatus comprising:
a receiving unit, configured to receive an authentication message sent by user equipment through a network address translation (NAT) device, wherein the payload of the authentication message comprises a first Internet Protocol (IP) address of the user equipment and first authentication verification information;
a judging unit, configured to judge whether a first correspondence comprising the first IP address exists in a pre-stored correspondence between access-permitted IP addresses and user information;
a first determining unit, configured to determine, if the first correspondence exists, second authentication verification information according to first user information included in the first correspondence;
a second determining unit, configured to determine first data verification information according to the first IP address and the first user information if the first authentication verification information is the same as the second authentication verification information;
a sending unit, configured to send, to the user equipment through the NAT device, a response message indicating successful authentication, and to receive, from the user equipment through the NAT device, a data message carrying second data verification information, wherein the second data verification information is generated by the user equipment using the first IP address and the first user information after receiving the response message;
and a forwarding unit, configured to forward the data message if the second data verification information carried by the data message is the same as the first data verification information.
16. A message forwarding apparatus, applied to user equipment, the apparatus comprising:
a first determining unit, configured to determine first authentication verification information according to second user information of the user equipment;
a first sending unit, configured to send an authentication message to a firewall device through a network address translation (NAT) device, wherein the payload of the authentication message comprises a first Internet Protocol (IP) address of the user equipment and the first authentication verification information, so that the firewall device judges whether a first correspondence comprising the first IP address exists in a pre-stored correspondence between access-permitted IP addresses and user information; if the first correspondence exists, determines second authentication verification information according to first user information included in the first correspondence; if the first authentication verification information is the same as the second authentication verification information, determines first data verification information according to the first IP address and the first user information; and sends a response message indicating successful authentication to the user equipment through the NAT device;
a second determining unit, configured to determine, according to the response message, second data verification information using the first IP address and the second user information;
a second sending unit, configured to send, to the firewall device through the NAT device, a data message carrying the second data verification information, wherein the firewall device forwards the data message if the second data verification information carried by the data message is the same as the first data verification information.
17. A network device, comprising a processor and a machine-readable storage medium storing machine-executable instructions executable by the processor, the machine-executable instructions causing the processor to carry out the method steps of any one of claims 1 to 12.
18. A machine-readable storage medium having stored thereon machine-executable instructions executable by a processor, the machine-executable instructions causing the processor to carry out the method steps of any one of claims 1 to 12.
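The exchange that claims 11 to 16 describe, modelled end to end in Python as an added illustration; this is not code from the patent or from the assignee's products, and claims 13 to 16 are covered by the same model because they restate the two methods as apparatus units. The claims fix only what each piece of verification information is derived from (user information for the authentication check; IP address plus user information for the data check) and that the firewall compares for equality, so everything else here is an assumption: the HMAC-SHA256 construction, the assumption that user information carries a secret shared with the firewall's pre-stored table, the field names, the session table keyed by the payload IP, and the sample addresses and secrets, which are constructed.

```python
"""Model of the firewall / NAT / user-equipment exchange in claims 11-16.

Added example. The derivation functions, field names and sample values below
are assumptions, not the patent's own design.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class Packet:
    """An IP packet reduced to the two things the claims care about."""
    src_ip: str     # header source address: the NAT device rewrites this
    payload: dict   # application data: the NAT device leaves this alone


def _tag(secret: bytes, *parts: str) -> str:
    """HMAC-SHA256 over '|'-joined parts, keyed by the user's secret (assumption)."""
    return hmac.new(secret, "|".join(parts).encode(), hashlib.sha256).hexdigest()


def auth_verification_info(user_info: dict) -> str:
    """'Authentication verification information': derived from user information only."""
    return _tag(user_info["secret"], "auth", user_info["username"])


def data_verification_info(ip: str, user_info: dict) -> str:
    """'Data verification information': derived from the IP address and user information."""
    return _tag(user_info["secret"], "data", ip, user_info["username"])


class NatDevice:
    """Rewrites the header source address; the payload passes through unchanged."""
    def __init__(self, public_ip: str):
        self.public_ip = public_ip

    def translate(self, pkt: Packet) -> Packet:
        return Packet(src_ip=self.public_ip, payload=dict(pkt.payload))


class UserEquipment:
    def __init__(self, ip: str, user_info: dict):
        self.ip = ip                  # "first IP address" (private side of the NAT)
        self.user_info = user_info    # "second user information"
        self.data_check = None        # "second data verification information"

    def auth_packet(self) -> Packet:
        # The private IP rides in the payload because NAT will overwrite the header.
        return Packet(self.ip, {"type": "auth", "ip": self.ip,
                                "check": auth_verification_info(self.user_info)})

    def on_response(self, response: dict) -> None:
        if response.get("status") == "ok":
            self.data_check = data_verification_info(self.ip, self.user_info)

    def data_packet(self, body: str) -> Packet:
        return Packet(self.ip, {"type": "data", "ip": self.ip,
                                "check": self.data_check, "body": body})


class Firewall:
    def __init__(self, allowlist: dict):
        self.allowlist = allowlist    # pre-stored {permitted IP: "first user information"}
        self.sessions = {}            # payload IP -> "first data verification information"

    def handle_auth(self, pkt: Packet) -> dict:
        ip = pkt.payload.get("ip")
        user_info = self.allowlist.get(ip)
        if user_info is None:
            return {"status": "fail", "reason": "no correspondence for this IP"}
        expected = auth_verification_info(user_info)        # "second auth verification info"
        presented = pkt.payload.get("check")
        if not isinstance(presented, str) or not hmac.compare_digest(expected, presented):
            return {"status": "fail", "reason": "authentication check mismatch"}
        self.sessions[ip] = data_verification_info(ip, user_info)
        return {"status": "ok"}

    def should_forward(self, pkt: Packet) -> bool:
        expected = self.sessions.get(pkt.payload.get("ip"))
        presented = pkt.payload.get("check")
        if expected is None or not isinstance(presented, str):
            return False
        return hmac.compare_digest(expected, presented)


# Constructed sample data (not from the patent).
ALICE = {"username": "alice", "secret": b"constructed-secret-for-alice"}
ALLOWLIST = {"10.0.0.7": ALICE}


def run_exchange(ue_ip: str, ue_user_info: dict, allowlist: dict,
                 nat_ip: str = "203.0.113.5") -> tuple:
    """Drive one full exchange; returns (auth status, whether the data packet is forwarded)."""
    ue, nat, fw = UserEquipment(ue_ip, ue_user_info), NatDevice(nat_ip), Firewall(allowlist)
    response = fw.handle_auth(nat.translate(ue.auth_packet()))
    ue.on_response(response)
    return response["status"], fw.should_forward(nat.translate(ue.data_packet("hello")))


if __name__ == "__main__":
    print(run_exchange("10.0.0.7", ALICE, ALLOWLIST))
```

Because the NAT device only rewrites the header, the firewall never consults `pkt.src_ip`; it keys both the allowlist lookup and the per-session check on the IP carried in the payload, which is the point of the claims. Both comparisons use `hmac.compare_digest` rather than `==`. The model derives the data check from exactly the inputs the claims name and nothing else, so anything a deployment would add on top (for example binding the check to a session or a counter) sits outside what the page describes.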
CN201910458374.0A 2019-05-29 2019-05-29 Message processing method and device Active CN110166474B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910458374.0A CN110166474B (en) 2019-05-29 2019-05-29 Message processing method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910458374.0A CN110166474B (en) 2019-05-29 2019-05-29 Message processing method and device

Publications (2)

Publication Number Publication Date
CN110166474A CN110166474A (en) 2019-08-23
CN110166474B true CN110166474B (en) 2021-07-09

Family

ID=67630155

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910458374.0A Active CN110166474B (en) 2019-05-29 2019-05-29 Message processing method and device

Country Status (1)

Country Link
CN (1) CN110166474B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112437098A (en) * 2020-12-18 2021-03-02 支付宝(杭州)信息技术有限公司 Data message transmission method and device
CN114499965B (en) * 2021-12-27 2023-07-07 北京安博通科技股份有限公司 Internet surfing authentication method and system based on POP3 protocol

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103036863A (en) * 2012-04-01 2013-04-10 浙江宇视科技有限公司 Method and device for solving address shortage of internet protocol version 4 (IPv4)
CN103001966B (en) * 2012-12-11 2016-06-08 杭州迪普科技有限公司 The process of a kind of private network IP, recognition methods and device
US8978143B2 (en) * 2013-01-02 2015-03-10 Verisign, Inc. Reverse authorized SYN cookie
CN106506724B (en) * 2016-11-23 2020-10-30 新华三技术有限公司 Method and device for distributing port blocks
CN109167774B (en) * 2018-08-23 2021-04-06 西安理工大学 Data message and data stream safety mutual access method on firewall

Also Published As

Publication number Publication date
CN110166474A (en) 2019-08-23

Similar Documents

Publication Publication Date Title
US11281762B2 (en) Method and apparatus for facilitating the login of an account
US7792993B1 (en) Apparatus and methods for allocating addresses in a network
US20140020067A1 (en) Apparatus and method for controlling traffic based on captcha
CN109413076B (en) Domain name resolution method and device
US20170012978A1 (en) Secure communication method and apparatus
CN109309685B (en) Information transmission method and device
CN107517179A (en) A kind of method for authenticating, device and system
JP4054007B2 (en) Communication system, router device, communication method, routing method, communication program, and routing program
CN104580553B (en) Method and device for identifying network address translation equipment
WO2017016473A1 (en) Tunnel detection method, apparatus, and system
US20070208932A1 (en) Method and system for cloned cable modem detection
US20170070486A1 (en) Server public key pinning by url
US10348687B2 (en) Method and apparatus for using software defined networking and network function virtualization to secure residential networks
CN110166474B (en) Message processing method and device
Bates et al. Forced perspectives: Evaluating an SSL trust enhancement at scale
WO2017185978A1 (en) Method and device for parsing packet
CN106789858B (en) Access control method and device and server
CN111786996B (en) Cross-domain synchronous login state method and device and cross-domain synchronous login system
JP5869552B2 (en) Method for securing access to data or services accessible through a device performing the method and corresponding device
CN101808097B (en) Method and equipment for preventing ARP attack
CN110474922B (en) Communication method, PC system and access control router
CN111935123A (en) Method, equipment and storage medium for detecting DNS spoofing attack
Moonsamy et al. Mitigating man-in-the-middle attacks on smartphones–a discussion of SSL pinning and DNSSec
CN107770183B (en) Data transmission method and device
CN103812859B (en) Network admission method, terminal admission method, network admission device and terminal

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant