CN115065576B - VXLAN tunnel establishment method, device, network system and storage medium - Google Patents


Info

Publication number: CN115065576B
Application number: CN202210984909.XA
Authority: CN (China)
Prior art keywords: vti, tunnel, authentication, request message, identity
Prior art date:
Legal status: Active (as listed by Google Patents, which notes that the status is an assumption and not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN115065576A (en)
Inventors: 何维兵, 肖海彤
Current assignee: Guangzhou Saixun Information Technology Co ltd (Google Patents notes that listed assignees may be inaccurate)
Original assignee: Guangzhou Saixun Information Technology Co ltd
Priority date:
Filing date:
Publication date:
Events: application filed by Guangzhou Saixun Information Technology Co ltd; priority to CN202210984909.XA; publication of CN115065576A; application granted; publication of CN115065576B; legal status active (current); anticipated expiration

Classifications

All codes fall under H (Electricity), H04 (Electric communication technique), H04L (Transmission of digital information, e.g. telegraphic communication):

    • H04L 12/4641: Virtual LANs, VLANs, e.g. virtual private networks [VPN] (under H04L 12/00 Data switching networks; H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN or WAN; H04L 12/46 Interconnection of networks)
    • H04L 12/4633: Interconnection of networks using encapsulation techniques, e.g. tunneling
    • H04L 63/0807: Authentication of entities using tickets, e.g. Kerberos (under H04L 63/00 Network architectures or network communication protocols for network security; H04L 63/08 authentication of entities)
    • H04L 63/083: Authentication of entities using passwords
    • H04L 63/0892: Authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols
    • H04L 9/3213: Cryptographic mechanisms or arrangements including means for verifying the identity or authority of a user of the system or for message authentication (authorization, entity authentication, data integrity or verification, non-repudiation, key authentication or verification of credentials), involving a third party or a trusted authority, using tickets or tokens, e.g. Kerberos (under H04L 9/00 Cryptographic mechanisms or arrangements for secret or secure communications, network security protocols; H04L 9/32; H04L 9/321)
    • H04L 9/3226: the same, using a predetermined code, e.g. password, passphrase or PIN

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • Accounting & Taxation (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method, an apparatus, a network system and a storage medium for establishing a VXLAN tunnel that meet the requirement of protecting the resources of communicating hosts. The method comprises: authenticating a probe authorization request message received from a VTI and, once it passes, sending authentication request information to an AAA authentication server; after receiving identity-permission pass information from the AAA authentication server, determining that the VTI has VXLAN tunnel access permission, opening for the VTI the service port through which it applies for access to the VXLAN tunnel, and returning an authentication result and a communication token to the VTI; and, after receiving a tunnel establishment request message that the VTI sends on the basis of the communication token, sending tunnel parameters to the VTI and a tunnel establishment preparation instruction to the VTR, so that the VTI and the VTR each open a tunnel connection service towards the peer's IP address, negotiate, and complete establishment of the VXLAN tunnel.

Description

VXLAN tunnel establishment method, device, network system and storage medium
Technical Field
The present invention relates to the field of network communication technologies, and in particular, to a method, an apparatus, a network system, and a storage medium for establishing a VXLAN tunnel.
Background
Virtual eXtensible Local Area Network (VXLAN) is a network virtualization technology that addresses the inability of a traditional Virtual Local Area Network (VLAN) to meet the requirements of a large layer-2 network. The original frame is encapsulated in a User Datagram Protocol (UDP) packet, so a layer-2 Ethernet frame encapsulated by VXLAN can cross layer-3 network boundaries, which makes networking and application deployment more flexible.
Communication is enabled by configuring the VXLAN tunnel parameters of both ends on the Virtual Tunnel End Points (VTEPs) at both ends. VXLAN tunnels were originally designed to solve problems such as exhaustion of VLAN resources and virtual machine migration, so VXLAN has none of the authentication and identification functions found in other tunnel technologies such as IPsec and L2TP. In the public internet scenario, the VTEP must be exposed on a fixed public IP address during VXLAN tunnel establishment and communication; there is no evaluation of users and terminals in the untrusted zone and no identification or authentication of user accounts, so security threats arise easily and the requirement of protecting the resources of communicating hosts is hard to meet.
Disclosure of Invention
Based on this, the present invention provides a method, an apparatus, a network system and a storage medium for establishing a VXLAN tunnel, which address the network security threat caused by public-network exposure during VXLAN tunnel establishment and communication in the public internet scenario, and so meet the requirement of protecting the resources of communicating hosts.
In a first aspect, the present invention provides a method for establishing a VXLAN tunnel, including:
receiving a probe authorization request message sent by a VTI, where the VTI is the VTEP connected to the user terminal and the probe authorization request message is a User Datagram Protocol (UDP) message;
authenticating the probe authorization request message and, after it passes authentication, sending authentication request information to an AAA authentication server;
receiving identity-permission pass information that the AAA authentication server sends on the basis of the authentication request information, where the AAA authentication server sends it after determining, on the basis of the authentication request information, that the user passes both identity authentication and tunnel access permission authentication;
determining, on the basis of the identity-permission pass information, that the VTI has VXLAN tunnel access permission, opening for the VTI the service port through which it applies for access to the VXLAN tunnel, and returning an authentication result and a communication token to the VTI, where the authentication result contains the service port;
after receiving a tunnel establishment request message that the VTI sends on the basis of the communication token, sending tunnel parameters to the VTI and a tunnel establishment preparation instruction to the VTR, so that the VTI and the VTR each open a tunnel connection service towards the peer's IP address and negotiate to complete establishment of the VXLAN tunnel; the VTR is the VTEP connected to the server.
In one possible design, the probe authorization request message comprises a first probe key and a UDP packet, where the UDP packet contains the terminal identifier of the user terminal, the client IP, the VTR port and a first account password; the first probe key is computed by the VTI with a preset algorithm from a shared key, the user account, a timestamp and the controller IP, and is stored in the first 16 bytes of the probe authorization request message.
In one possible design, authenticating the probe authorization request message comprises:
obtaining the first probe key from the probe authorization request message;
obtaining a stored second probe key list, which contains the second probe keys of all users for the current time period;
and, if the first probe key is found in the second probe key list, determining that the probe authorization request message passes authentication.
In one possible design, after the probe authorization request message is determined to pass authentication, the method further comprises:
parsing the probe authorization request message to obtain the UDP packet;
and recording the UDP packet as the last valid authorized packet received.
In one possible design, the authentication request information carries the user account and the first account password, and receiving the identity-permission pass information sent by the AAA authentication server comprises:
the AAA authentication server, on the basis of the authentication request information, comparing the first account password with a pre-stored second account password corresponding to the user account, and judging from pre-stored service attributes corresponding to the user account whether the user has VXLAN tunnel access permission;
and receiving the identity-permission pass information, which the AAA authentication server sends after determining that the first account password matches the second account password and that the user has VXLAN tunnel access permission.
In one possible design, determining on the basis of the identity-permission pass information that the VTI has VXLAN tunnel access permission, opening for the VTI the service port through which it applies for access to the VXLAN tunnel, and returning an authentication result and a communication token to the VTI comprises:
determining, on the basis of the identity-permission pass information, that the user passes identity authentication and has VXLAN tunnel access permission, and hence that the VTI has VXLAN tunnel access permission;
and designating one free port of the VTI as the service port, and returning an authentication result and a communication token to the VTI.
In one possible design, the identity-permission pass information comprises a RADIUS message, and before sending the tunnel parameters to the VTI the method further comprises:
obtaining the tunnel parameters from the attribute values of the RADIUS message, where the tunnel parameters comprise the VXLAN tunnel target IP, a tunnel password, the VXLAN network identifier (VNI) and the tunnel bandwidth.
In a second aspect, the present invention further provides an apparatus for establishing a VXLAN tunnel, including:
a receiving unit, configured to receive a probe authorization request message sent by a VTI, where the VTI is the VTEP connected to the user terminal and the probe authorization request message is a User Datagram Protocol (UDP) message;
an authentication unit, configured to authenticate the probe authorization request message;
a sending unit, configured to send authentication request information to an AAA authentication server after the probe authorization request message passes authentication;
the receiving unit is further configured to receive identity-permission pass information sent by the AAA authentication server, which the AAA authentication server sends after determining, on the basis of the authentication request information, that the user passes identity authentication and tunnel access permission authentication;
the authentication unit is further configured to determine, on the basis of the identity-permission pass information, that the VTI has VXLAN tunnel access permission, and to open for the VTI the service port through which it applies for access to the VXLAN tunnel;
the sending unit is further configured to return an authentication result and a communication token to the VTI, where the authentication result contains the service port;
the sending unit is further configured, after the receiving unit receives a tunnel establishment request message that the VTI sends on the basis of the communication token, to send tunnel parameters to the VTI and a tunnel establishment preparation instruction to the VTR, so that the VTI and the VTR each open a tunnel connection service towards the peer's IP address and negotiate to complete establishment of the VXLAN tunnel; the VTR is the VTEP connected to the server.
In one possible design, the probe authorization request message comprises a first probe key and a UDP packet, where the UDP packet contains the terminal identifier of the user terminal, the client IP, the VTR port and a first account password; the first probe key is computed by the VTI with a preset algorithm from a shared key, the user account, a timestamp and the controller IP, and is stored in the first 16 bytes of the probe authorization request message.
In one possible design, the authentication unit is specifically configured to: obtain the first probe key from the probe authorization request message; obtain a stored second probe key list, which contains the second probe keys of all users for the current time period; and, if the first probe key is found in the second probe key list, determine that the probe authorization request message passes authentication.
In one possible design, the authentication unit is further configured to: parse the probe authorization request message to obtain the UDP packet; and record the UDP packet as the last valid authorized packet received.
In one possible design, the authentication request information carries the user account and the first account password, and the receiving unit is specifically configured to: have the AAA authentication server, on the basis of the authentication request information, compare the first account password with a pre-stored second account password corresponding to the user account and judge from pre-stored service attributes corresponding to the user account whether the user has VXLAN tunnel access permission; and receive the identity-permission pass information, which the AAA authentication server sends after determining that the first account password matches the second account password and that the user has VXLAN tunnel access permission.
In one possible design, the authentication unit is specifically configured to: determine, on the basis of the identity-permission pass information, that the user passes identity authentication and has VXLAN tunnel access permission, and hence that the VTI has VXLAN tunnel access permission; and designate one free port of the VTI as the service port;
the sending unit is specifically configured to return an authentication result and a communication token to the VTI.
In one possible design, the identity-permission pass information comprises a RADIUS message, and the authentication unit is further configured to obtain the tunnel parameters from the attribute values of the RADIUS message, where the tunnel parameters comprise the VXLAN tunnel target IP, a tunnel password, the VXLAN network identifier (VNI) and the tunnel bandwidth.
In a third aspect, the present invention further provides a device for establishing a VXLAN tunnel, where the device for establishing a VXLAN tunnel includes: at least one memory and at least one processor;
the at least one memory is for storing one or more programs;
the one or more programs, when executed by the at least one processor, implement the method as recited in any one of the possible designs of the first aspect above.
In a fourth aspect, the present invention further provides a network system comprising a VTI, a VTR, an AAA authentication server and a controller, where the VTI is the VTEP connected to the user terminal and the VTR is the VTEP connected to the server; wherein:
the VTI is configured to send a probe authorization request message to the controller, where the probe authorization request message is a User Datagram Protocol (UDP) message;
the controller is configured to authenticate the probe authorization request message and, after it passes authentication, to send authentication request information to the AAA authentication server;
the AAA authentication server is configured to perform identity authentication and tunnel access permission authentication of the user on the basis of the authentication request information, and to send identity-permission pass information to the controller after determining that the user passes both;
the controller is further configured, after determining on the basis of the identity-permission pass information that the VTI has VXLAN tunnel access permission, to open for the VTI the service port through which it applies for access to the VXLAN tunnel, and then to return an authentication result and a communication token to the VTI, where the authentication result contains the service port;
the VTI is further configured to send a tunnel establishment request message to the controller on the basis of the communication token;
the controller is further configured to receive the tunnel establishment request message, to send tunnel parameters to the VTI on the basis of it, and to send a tunnel establishment preparation instruction to the VTR;
the VTI is further configured to open a tunnel connection service towards the IP address of the VTR on the basis of the tunnel parameters, and to negotiate VXLAN tunnel establishment with the VTR so as to complete establishment of the VXLAN tunnel;
and the VTR is configured to open a tunnel connection service towards the IP address of the VTI on the basis of the tunnel establishment preparation instruction, and to negotiate VXLAN tunnel establishment with the VTI so as to complete establishment of the VXLAN tunnel.
In a fifth aspect, the present invention also provides a computer-readable storage medium storing at least one program; the at least one program, when executed by a processor, performs the method of any one of the possible designs of the first aspect.
The invention has the following beneficial technical effects:
In the invention, identity authentication of the VTI is performed by the controller in cooperation with the AAA authentication server. Compared with the traditional VXLAN management mode, in which no association with an account is possible, this meets customers' individual rate configuration requirements. The IP addresses of the VTI and the VTR are opened dynamically under control of the controller, which satisfies the VXLAN requirement that the tunnel endpoint IP addresses of both parties be configured in advance; compared with traditional VXLAN tunnel establishment, which mostly depends on manual configuration, this meets the requirement of large-scale rollout to public customers. Because the IP addresses of the VTI and the VTR are hidden, the network security threat caused by exposing the VTI and the VTR on fixed public IP addresses is resolved, and the security protection requirement of communicating hosts (such as the user terminal, the VTI and the VTR) is met to the greatest extent.
Drawings
Fig. 1 is a schematic diagram of a network system according to the present invention;
fig. 2 is a schematic flow chart of a method for establishing a VXLAN tunnel according to the present invention;
fig. 3 is a schematic structural diagram of a VXLAN tunnel establishment apparatus provided in the present invention;
fig. 4 is a schematic structural diagram of another VXLAN tunnel establishment apparatus provided in the present invention.
Detailed Description
The directional terms upper, lower, left, right, front, rear, front, back, top, bottom, etc. referred to or which may be referred to in this specification are defined relative to their construction and are relative concepts. Therefore, it may be changed according to different positions and different use states. Therefore, these and other directional terms should not be construed as limiting terms.
The implementations described in the exemplary embodiments below do not represent all implementations consistent with the present disclosure. Rather, they are merely examples of implementations consistent with certain aspects of the present disclosure.
The terminology used in the present disclosure is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. As used in this disclosure, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used in this disclosure refers to and encompasses any and all possible combinations of one or more of the associated listed items.
Unless stated to the contrary, in the present disclosure, reference to "first", "second", and the like are used for distinguishing a plurality of objects and are not used for limiting the order, timing, priority, or importance of the plurality of objects.
For a better understanding and implementation, the technical solutions of the present application are described in detail below with reference to the accompanying drawings.
Fig. 1 is a schematic diagram of a network system according to the present invention. The network system 10 may include a Virtual Tunnel Initiator (VTI) 11, a Virtual Tunnel Receiver (VTR) 12, an Authentication, Authorization and Accounting (AAA) authentication server 13 and a controller 14. The VTI 11 is a Virtual Tunnel End Point (VTEP) connected to the user terminal 15. The VTR 12 is a VTEP connected to the server 16.
It should be understood that the application scenarios of the network system 10 provided in the present invention may include, but are not limited to: a Long Term Evolution (LTE) system, a Universal Mobile Telecommunications System (UMTS), a future fifth-generation (5G) system, and the like.
It should be understood that the VTI 11 provided in the present invention is primarily responsible for initiating VXLAN tunnel establishment, for communicating with the controller 14, and for connecting to the target VTR 12 according to the list (containing the authentication result and the tunnel parameters) returned by the controller 14.
It should be understood that the VTR 12 provided in the present invention is primarily responsible for responding to and terminating the VXLAN tunnel, and for opening the corresponding services and communicating with the initiating VTI 11 according to the instructions (e.g. the tunnel establishment preparation instruction) of the controller 14. The service port of the VTR 12 opens no service to a requester before probing and authorization, and authentication before connection is enforced; the VTR 12 service is therefore hidden and opened only on demand, which reduces the attack surface and helps resist DDoS attacks.
It should be understood that the AAA authentication server 13 provided in the present invention may implement, but is not limited to, authentication, authorization and accounting services for tunnel access users. The AAA authentication server 13 is mainly responsible for receiving and processing the authentication request information sent by the controller 14, and implements authentication, authorization and accounting of the user's access identity, issuing of the tunnel rate attribute according to the account attributes, and similar functions.
It should be understood that the controller 14 provided in the present invention may implement, but is not limited to, responding to the probe authorization request message and processing the tunnel establishment request message. The controller 14 is mainly responsible for receiving and processing the probe authorization request message sent by the VTI 11, and for guiding the VTI 11 and the VTR 12 through tunnel establishment negotiation according to the authentication result of the AAA authentication server 13.
It should be understood that the user terminal 15 shown in fig. 1 may be, but is not limited to: the mobile phone, the tablet, the notebook computer, the desktop computer, the intelligent wearable device and other devices.
Referring to fig. 1, the communication between the VTI 11 and the controller 14, the communication between the controller 14 and the AAA authentication server 13, and the communication between the controller 14 and the VTR 12 may be performed directly or indirectly through an intermediary device, which is not limited in the present invention. Wherein:
in particular implementation, VTI 11 is configured to send a probe authorization request message to controller 14. Accordingly, controller 14 receives a probe authorization request message from VTI 11. The detection authorization request message is a User Data Protocol (UDP) message.
In a specific implementation, the controller 14 is configured to authenticate the probe authorization request packet, and send authentication request information to the AAA authentication server 13 after the probe authorization request packet passes authentication. Accordingly, the AAA authentication server 13 receives authentication request information from the controller 14.
In a specific implementation, the AAA authentication server 13 is configured to perform identity authentication and tunnel access permission authentication on the user based on the authentication request information, and send identity permission passing information to the controller 14 after determining that the user passes the identity authentication and tunnel access permission authentication. Accordingly, the controller 14 receives the identity authorization pass information from the AAA authentication server 13.
In specific implementation, the controller 14 is configured to determine that the VTI 11 has the VXLAN tunnel access right through the information based on the identity right, open a service port for applying for accessing the VXLAN tunnel for the VTI 11, and return an authentication result and a communication token to the VTI 11, where the authentication result includes the service port;
in particular implementations, VTI 11 is also configured to send a tunnel establishment request message to controller 14 based on the communication token. Accordingly, controller 14 receives a tunnel establishment request message from VTI 11.
In particular implementation, controller 14 is further configured to send tunnel parameters to VTI 11 based on the tunnel establishment request message, and send a tunnel establishment preparation instruction to VTR 12.
In specific implementation, VTI 11 is further configured to open a tunnel connection service to an IP address of VTR 12 based on the tunnel parameters, and perform VXLAN tunnel establishment negotiation with VTR 12.
In particular implementation, VTR 12 is further configured to open a tunnel connection service to an IP address of VTI 11 based on the tunnel setup preparation instruction, and perform VXLAN tunnel setup negotiation with VTI 11.
After the VTI 11 and the VTR 12 complete VXLAN tunnel establishment, the user terminal 15 and the server 16 can communicate as if they were on the same Layer 2 local area network.
In the invention, the probe authorization mode meets the network stealth requirement of communication facilities such as the VTI 11 and the VTR 12 (their ports are not opened until a probe has been authorized), which addresses the security threat caused by exposing tunnel endpoint facilities on the public network, enables rapid security management and control of the communication between the VTI 11 and the VTR 12 over the public Internet, and protects the communicating hosts (such as the user terminal 15, the VTI 11 and the VTR 12) to the greatest extent. Meanwhile, the controller 14 and the AAA authentication server 13 cooperate to make VXLAN tunnel establishment between the VTI 11 and the VTR 12 automatic, manageable and controllable, and to provide a VXLAN connection service capability to the public.
The technical solution of the VXLAN tunnel establishment method provided by the present invention will be described in detail below with reference to the accompanying drawings.
It should be understood that the method of the present invention is not only applicable to the network system shown in fig. 1, but also to other network systems in the future.
The invention provides a method for establishing a VXLAN tunnel. Referring to fig. 2 and taking the controller as the execution subject as an example, the method includes the following steps:
S21, receiving a probe authorization request message sent by the VTI.
In some embodiments, the probe authorization request message is a UDP message.
In a specific implementation, in the initial state the configuration parameters of the VTI may be entered manually by the user, so that the VTI sends the probe authorization request message to the controller according to these parameters. The configuration parameters of the VTI may include, but are not limited to, the user's account password and the IP address or domain name of the controller.
In a specific implementation, the VTI may send the probe authorization request message to the controller in a preset manner, for example periodically. The probe authorization request message is the message the VTI sends to the controller before a VXLAN tunnel has been established between the VTI and the VTR.
In a specific implementation, the VTI may compute a first probe key with a preset key algorithm from the shared key, the user account, a timestamp and the controller IP. The VTI then packs information such as the terminal identifier of the user terminal, the user terminal IP, the VTR port and the first account password into a UDP data packet, packs the first probe key and the UDP data packet into a probe authorization request message in UDP format, and sends it to the controller, for example to a probe port specified by the controller. That is, the probe authorization request message includes the first probe key and the UDP data packet, and the UDP data packet includes the terminal identifier of the user terminal, the user terminal IP, the VTR port, the first account password and similar information. The first probe key may be stored in the first 16 bytes of the probe authorization request message.
It should be noted that the shared key may be pre-stored in the VTI, or may be pre-stored in the controller and obtained by the VTI from the controller; the invention does not limit this. The key algorithm may be an existing algorithm, such as the Data Encryption Standard (DES) algorithm or another existing algorithm, which the invention likewise does not limit.
S22, authenticating the probe authorization request message, and after it passes authentication, sending authentication request information to the AAA authentication server.
In an implementation, the controller stores a second probe key list containing the second probe keys of all users for the current time period.
In a specific implementation, after receiving the probe authorization request message, the controller may extract the first probe key from it and determine whether the message passes authentication by checking whether the first probe key is in the second probe key list. If it is, the controller determines that the message passes authentication. If it is not, the controller determines that the message fails authentication; it may then directly drop the message without attempting to parse any other data in it, such as the UDP data packet, and performs no subsequent steps.
It should be noted that the first probe key and the second probe key are updated dynamically: the first probe key and the second probe key for one time period may differ from those for another time period.
In a specific implementation, after determining that the probe authorization request message passes authentication, the controller may further parse the message to obtain the UDP data packet and record it as the last validly authorized data packet received, so that an attacker cannot replay an old data packet.
In a specific implementation, after determining that the probe authorization request message passes authentication, the controller may send authentication request information to the AAA authentication server to request VXLAN tunnel access permission authentication for the VTI. The authentication request information carries the user account and the first account password. For example, after parsing the probe authorization request message to obtain the UDP data packet, the controller may continue to parse the UDP data packet to obtain the terminal identifier of the user terminal, the user terminal IP, the VTR port, the first account password and similar information, and then send authentication request information carrying the user account and the first account password to the AAA authentication server.
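The probe authorization exchange of steps S21 and S22 (key derivation on the VTI, a per-period second probe key list on the controller, silent drop of unrecognized keys, and replay rejection), as an added example that is not part of the patent or of any implementation by the applicant. It assumes HMAC-SHA256 as the preset key algorithm (the text leaves the algorithm open and names DES only as one possibility; DES is a legacy cipher, and an HMAC over a modern hash is the usual way to derive a short authenticator), a 60-second key period, and a replay set that remembers every packet accepted in the current period rather than only the last one, which generalizes the text's check. The account names, shared keys and addresses are constructed test values.

```python
"""Probe-authorization exchange between a VTI and a controller.

Added example, not code from the patent. Assumptions beyond the text:
the preset key algorithm is HMAC-SHA256 (the text names DES only as one
possibility), the key period is 60 seconds, and replay protection keeps
every packet accepted in the current period instead of only the last one.
"""
import hashlib
import hmac
import time

KEY_PERIOD = 60       # seconds per key period (assumption)
PROBE_KEY_LEN = 16    # the first probe key occupies the first 16 bytes


def probe_key(shared_key: bytes, account: str, period: int, controller_ip: str) -> bytes:
    """Probe key for one user and one time period (assumed derivation)."""
    msg = f"{account}|{period}|{controller_ip}".encode()
    return hmac.new(shared_key, msg, hashlib.sha256).digest()[:PROBE_KEY_LEN]


def build_probe_request(shared_key, account, controller_ip, terminal_id,
                        terminal_ip, vtr_port, password, now=None) -> bytes:
    """VTI side: first probe key followed by the UDP data packet fields."""
    now = int(time.time()) if now is None else now
    key = probe_key(shared_key, account, now // KEY_PERIOD, controller_ip)
    payload = "|".join([terminal_id, terminal_ip, str(vtr_port), account, password])
    return key + payload.encode()


class Controller:
    """Controller side: second probe key list per period, silent drop, replay check."""

    def __init__(self, controller_ip: str, users: dict):
        self.ip = controller_ip
        self.users = users            # account -> shared key
        self.period = None
        self.key_table = {}           # second probe key -> account
        self.seen = set()             # packets accepted in this period

    def _refresh(self, now: int) -> None:
        period = now // KEY_PERIOD
        if period != self.period:     # rebuild the second probe key list
            self.period = period
            self.key_table = {probe_key(k, a, period, self.ip): a
                              for a, k in self.users.items()}
            self.seen = set()

    def authenticate(self, packet: bytes, now=None):
        """Return the parsed request on success, None on a (silent) drop."""
        now = int(time.time()) if now is None else now
        self._refresh(now)
        if len(packet) <= PROBE_KEY_LEN:
            return None
        first_key = packet[:PROBE_KEY_LEN]
        account = None
        for second_key, acct in self.key_table.items():   # constant-time compare per entry
            if hmac.compare_digest(first_key, second_key):
                account = acct
        if account is None:
            return None               # unknown key: drop, never parse the payload
        if packet in self.seen:
            return None               # replayed packet within the key period
        self.seen.add(packet)
        fields = packet[PROBE_KEY_LEN:].decode(errors="replace").split("|")
        if len(fields) != 5 or fields[3] != account:
            return None               # payload does not match the key's owner
        terminal_id, terminal_ip, vtr_port, _, password = fields
        if not vtr_port.isdigit():
            return None
        return {"account": account, "terminal_id": terminal_id,
                "terminal_ip": terminal_ip, "vtr_port": int(vtr_port),
                "password": password}
```

A controller that accepts only the current period's keys will reject a probe sent just before a period boundary; in practice the key table should also hold the previous period's keys. Because an unrecognized key is dropped before any payload is parsed, the controller's probe port behaves like a closed port to anyone who does not hold a shared key, which is the network stealth property the text describes.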
S23, receiving the identity permission passing information sent by the AAA authentication server.
In a specific implementation, after a user opens an account in the Customer Relationship Management (CRM) system, the CRM may send the user account and the user's second account password to the AAA authentication server for pre-storage. After the user orders a package through the CRM, the CRM determines the service attribute corresponding to that package and sends it, associated with the user account, to the AAA authentication server for pre-storage. For example, if a user subscribes to a cloud Network Attached Storage (NAS) service, the CRM assigns the user the service attribute "cloud NAS" and sends it to the AAA authentication server, which stores the user account together with the cloud NAS attribute.
Of course, in a specific implementation the service attribute may also include other information, such as a rate.
In a specific implementation, the identity permission passing information is sent by the AAA authentication server after the user passes identity authentication and tunnel access permission authentication based on the authentication request information. For example, on receiving the authentication request information, the AAA authentication server may compare the first account password with the pre-stored second account password corresponding to the user account, and determine from the pre-stored service attribute of the user account whether the user has VXLAN tunnel access permission; for instance, if the service attribute of the user account includes a cloud resource service (such as a cloud NAS service), the AAA authentication server may determine that the user has VXLAN tunnel access permission.
In a specific implementation, after the AAA authentication server determines that the first account password is the same as the second account password and that the user has VXLAN tunnel access permission, it determines that the user passes both identity authentication and tunnel access permission authentication, and sends identity permission passing information to the controller to indicate this. Conversely, if the AAA authentication server determines that the first account password differs from the second account password, or that the user does not have VXLAN tunnel access permission, it determines that the user fails identity authentication or fails tunnel access permission authentication, and may discard the authentication request information.
In the invention, identity authentication of the VTI is performed through the cooperation of the controller and the AAA authentication server; unlike the conventional VXLAN management mode, in which a tunnel cannot be associated with an account, this meets the customer's requirement for personalized rate configuration.
S24, determining, based on the identity permission passing information, that the VTI has VXLAN tunnel access permission, opening for the VTI the service port it applies for, and returning an authentication result and a communication token to the VTI.
In a specific implementation, the controller may determine, on receiving the identity permission passing information sent by the AAA authentication server, that the user passes identity authentication and has VXLAN tunnel access permission, and thereby determine that the VTI has VXLAN tunnel access permission. It can be understood that the VTI has VXLAN tunnel access permission only if the user passes identity authentication and has VXLAN tunnel access permission.
In a specific implementation, the controller may designate a free port of the VTI as the service port for accessing the VXLAN tunnel, and return to the VTI the authentication result, which carries the service port, together with the communication token.
In a specific implementation, after receiving the authentication result and the communication token from the controller, the VTI may send a tunnel establishment request message to the controller based on the communication token.
S25, after receiving the tunnel establishment request message sent by the VTI based on the communication token, sending tunnel parameters to the VTI and sending a tunnel establishment preparation instruction to the VTR, so that the VTI and the VTR each open a tunnel connection service towards the opposite end's IP address, perform VXLAN tunnel establishment negotiation and complete VXLAN tunnel establishment.
In a specific implementation, the identity permission passing information may include a Remote Authentication Dial In User Service (RADIUS) message, and the controller may obtain the tunnel parameters from the attribute values of the RADIUS message.
In a specific implementation, the tunnel parameters may include, but are not limited to, the VXLAN tunnel target IP, a tunnel password, the VXLAN network identifier (VNI) and the tunnel bandwidth.
In a specific implementation, after receiving the tunnel parameters, the VTI may open the VXLAN service towards the IP address of the VTR based on them, for example through the service port. After receiving the tunnel establishment preparation instruction, which may carry the IP address of the VTI, the VTR may open the VXLAN service towards the IP address of the VTI. At this point the VTI and the VTR can perform VXLAN tunnel establishment negotiation, and once they complete the establishment of the VXLAN tunnel, Layer 2 local area network communication between the user terminal and the server is possible.
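The AAA side of step S23 (password comparison and the cloud-service check that grants tunnel access permission) together with the RADIUS attribute handling of step S25 (tunnel parameters carried in the identity permission passing information and extracted by the controller), as one added example; it is not the patent's code or the applicant's implementation. It assumes that the AAA server stores a salted PBKDF2 hash instead of the plaintext second account password, that the tunnel parameters ride in RADIUS Vendor-Specific attributes (type 26) under a made-up private enterprise number 65000 with made-up vendor types, and that the shared secret, request authenticator and user records are constructed test data. The Response Authenticator computation follows RFC 2865.

```python
"""AAA check and RADIUS Access-Accept carrying VXLAN tunnel parameters.

Added example, not code from the patent. Assumptions beyond the text:
account passwords are stored as salted PBKDF2 hashes rather than as a
plaintext second account password; tunnel parameters are carried in RADIUS
Vendor-Specific attributes under a made-up private enterprise number (65000)
with made-up vendor types; the RADIUS shared secret, request authenticator
and user records below are constructed test data.
"""
import hashlib
import hmac
import ipaddress
import os
import struct

ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26
VENDOR_ID = struct.pack("!I", 65000)                            # assumption
VT_TARGET_IP, VT_TUNNEL_PW, VT_VNI, VT_BANDWIDTH = 1, 2, 3, 4   # assumptions


def hash_password(password: str) -> bytes:
    salt = os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    calc = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(calc, digest)


# Constructed directory: what the CRM would have pre-stored on the AAA server.
SAMPLE_DIRECTORY = {
    "alice": {"pw": hash_password("correct horse"), "services": ["cloud-nas"],
              "tunnel": {"target_ip": "198.51.100.7", "tunnel_password": "t-pw-1",
                         "vni": 5001, "bandwidth_mbps": 100}},
    "bob": {"pw": hash_password("bob-pass"), "services": ["broadband"], "tunnel": None},
}


def aaa_authorize(account: str, password: str, directory: dict):
    """Identity check, then tunnel-access check from the service attribute."""
    rec = directory.get(account)
    if rec is None or not verify_password(password, rec["pw"]):
        return None                                    # identity authentication failed
    if not any(s.startswith("cloud-") for s in rec["services"]):   # assumed naming
        return None                                    # no cloud resource service
    return rec["tunnel"]


def vsa(vendor_type: int, value: bytes) -> bytes:
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    body = VENDOR_ID + inner
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, len(body) + 2) + body


def build_access_accept(ident: int, request_auth: bytes, secret: bytes, params: dict) -> bytes:
    """AAA side: Access-Accept whose Response Authenticator follows RFC 2865 section 3."""
    attrs = b"".join([
        vsa(VT_TARGET_IP, ipaddress.IPv4Address(params["target_ip"]).packed),
        vsa(VT_TUNNEL_PW, params["tunnel_password"].encode()),
        vsa(VT_VNI, struct.pack("!I", params["vni"])),
        vsa(VT_BANDWIDTH, struct.pack("!I", params["bandwidth_mbps"])),
    ])
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + resp_auth + attrs


def parse_access_accept(pkt: bytes, request_auth: bytes, secret: bytes):
    """Controller side: verify the authenticator, then read tunnel parameters from the VSAs."""
    if len(pkt) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_ACCEPT or length != len(pkt):
        return None
    attrs = pkt[20:]
    expected = hashlib.md5(pkt[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(pkt[4:20], expected):
        return None                                    # forged or modified reply
    params, i = {}, 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            return None                                # malformed attribute
        val = attrs[i + 2:i + alen]
        i += alen
        if atype != ATTR_VENDOR_SPECIFIC or len(val) < 6 or val[:4] != VENDOR_ID:
            continue
        vtype, vlen = val[4], val[5]
        v = val[6:4 + vlen]
        if vtype == VT_TARGET_IP and len(v) == 4:
            params["target_ip"] = str(ipaddress.IPv4Address(v))
        elif vtype == VT_TUNNEL_PW:
            params["tunnel_password"] = v.decode(errors="replace")
        elif vtype == VT_VNI and len(v) == 4 and struct.unpack("!I", v)[0] < (1 << 24):
            params["vni"] = struct.unpack("!I", v)[0]   # VNI is a 24-bit field
        elif vtype == VT_BANDWIDTH and len(v) == 4:
            params["bandwidth_mbps"] = struct.unpack("!I", v)[0]
    return params if len(params) == 4 else None
```

RADIUS authenticates the Access-Accept but does not encrypt its attributes, so the tunnel password in this encoding crosses the controller-to-AAA link in clear; run the two over IPsec or RadSec, or use the Tunnel-Password attribute's salted obfuscation, before carrying a secret this way. The controller also rejects any reply whose authenticator does not verify under the shared secret, so a spoofed Access-Accept from an on-path attacker cannot hand a VTI tunnel parameters.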
As can be seen from the above, in the invention identity authentication of the VTI is performed through the cooperation of the controller and the AAA authentication server, which, unlike the conventional VXLAN management mode that cannot associate a tunnel with an account, meets the customer's requirement for personalized rate configuration; and the controller dynamically controls when the IP addresses of the VTI and the VTR are opened, which satisfies the VXLAN requirement that the IP addresses of both tunnel endpoints be configured in advance.
Based on the same inventive concept, the present invention further provides a device for establishing a VXLAN tunnel, as shown in fig. 3, the device 30 for establishing a VXLAN tunnel may include:
a receiving unit 31, configured to receive a probe authorization request message sent by a VTI, where the VTI is a VTEP connected to a user terminal and the probe authorization request message is a UDP message;
an authentication unit 32, configured to authenticate the probe authorization request message;
a sending unit 33, configured to send authentication request information to the AAA authentication server after the probe authorization request message passes authentication;
the receiving unit 31 is further configured to receive identity permission passing information sent by the AAA authentication server, where the identity permission passing information is sent after the AAA authentication server determines, based on the authentication request information, that the user passes identity authentication and tunnel access permission authentication;
the authentication unit 32 is further configured to determine, based on the identity permission passing information, that the VTI has VXLAN tunnel access permission, and to open for the VTI the service port it applies for to access the VXLAN tunnel;
the sending unit 33 is further configured to return an authentication result and a communication token to the VTI, where the authentication result includes the service port;
the sending unit 33 is further configured, after the receiving unit 31 receives the tunnel establishment request message sent by the VTI based on the communication token, to send tunnel parameters to the VTI and a tunnel establishment preparation instruction to the VTR, so that the VTI and the VTR each open a tunnel connection service towards the opposite end's IP address, perform VXLAN tunnel establishment negotiation and complete VXLAN tunnel establishment; the VTR is a VTEP connected to the server.
In one possible design, the probe authorization request message includes a first probe key and a UDP data packet, where the UDP data packet includes the terminal identifier of the user terminal, the client IP, the VTR port and the first account password; the first probe key is computed by the VTI with a preset algorithm from a shared key, the user account, a timestamp and the controller IP, and is stored in the first 16 bytes of the probe authorization request message.
In one possible design, the authentication unit 32 is specifically configured to: obtain the first probe key from the probe authorization request message; obtain the stored second probe key list, which contains the second probe keys of all users for the current time period; and, if the first probe key is found in the second probe key list, determine that the probe authorization request message passes authentication.
In one possible design, the authentication unit 32 is further configured to: parse the probe authorization request message to obtain the UDP data packet; and record the UDP data packet as the last validly authorized data packet received.
In one possible design, the authentication request information carries the user account and the first account password, and the receiving unit 31 is specifically configured to: have the AAA authentication server compare, based on the authentication request information, the first account password with the pre-stored second account password corresponding to the user account and determine from the pre-stored service attribute of the user account whether the user has VXLAN tunnel access permission; and receive the identity permission passing information sent by the AAA authentication server after it determines that the first account password is the same as the second account password and that the user has VXLAN tunnel access permission.
In one possible design, the authentication unit 32 is specifically configured to: determine, based on the identity permission passing information, that the user passes identity authentication and has VXLAN tunnel access permission, and thereby that the VTI has VXLAN tunnel access permission; and designate a free port of the VTI as the service port;
the sending unit 33 is specifically configured to return the authentication result and the communication token to the VTI.
In one possible design, the identity permission passing information includes a RADIUS message, and the authentication unit 32 is further configured to obtain the tunnel parameters from the attribute values of the RADIUS message, where the tunnel parameters include the VXLAN tunnel target IP, a tunnel password, the VXLAN network identifier (VNI) and the tunnel bandwidth.
The VXLAN tunnel establishment device 30 of the present invention and the VXLAN tunnel establishment method shown in fig. 2 are based on the same idea, and through the foregoing detailed description of the VXLAN tunnel establishment method, those skilled in the art can clearly understand the implementation process of the VXLAN tunnel establishment device 30 in the present embodiment, so for brevity of the description, detailed description is omitted here.
Based on the same inventive concept, the present invention further provides a device for establishing a VXLAN tunnel, as shown in fig. 4; the device 40 for establishing a VXLAN tunnel may include at least one memory 41 and at least one processor 42. Wherein:
the at least one memory 41 is used to store one or more programs.
The method of establishing a VXLAN tunnel described above in fig. 2 is implemented when one or more programs are executed by at least one processor 42.
The VXLAN tunnel establishing device 40 may optionally further include a communication interface for communication and data exchange with external devices.
It should be noted that the memory 41 may include a high-speed RAM memory, and may also include a nonvolatile memory, such as at least one disk memory.
In a specific implementation process, if the memory 41, the processor 42 and the communication interface are integrated on a chip, the memory 41, the processor 42 and the communication interface may complete mutual communication through an internal interface. If the memory 41, the processor 42 and the communication interface are implemented independently, the memory 41, the processor 42 and the communication interface may be connected to each other through a bus and perform communication with each other.
Based on the same inventive concept, the present invention also provides a computer-readable storage medium, which can store at least one program, and when the at least one program is executed by a processor, the VXLAN tunnel establishment method shown in fig. 2 is implemented.
It should be understood that the computer-readable storage medium is any data storage device that can store data or programs which can thereafter be read by a computer system. Examples of computer-readable storage media include: read-only memory, random access memory, CD-ROM, HDD, DVD, magnetic tape, optical data storage devices, and the like.
The computer readable storage medium can also be distributed over network coupled computer systems so that the computer readable code is stored and executed in a distributed fashion.
Program code embodied on a computer readable storage medium may be transmitted using any appropriate medium, including but not limited to wireless, wire, fiber optic cable, Radio Frequency (RF), etc., or any suitable combination of the foregoing.
The above-mentioned embodiments only express several embodiments of the present invention, and the description thereof is more specific and detailed, but not construed as limiting the scope of the invention. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the inventive concept, which falls within the scope of the present invention.

Claims (10)

1. A method for establishing a VXLAN tunnel, comprising:
receiving a probe authorization request message sent by a virtual tunnel initiator (VTI), wherein the VTI is a VXLAN tunnel endpoint (VTEP) connected with a user terminal, and the probe authorization request message is a User Datagram Protocol (UDP) message;
authenticating the probe authorization request message, and sending authentication request information to an AAA authentication server after the probe authorization request message passes authentication;
receiving identity permission passing information sent by the AAA authentication server, wherein the identity permission passing information is sent after the AAA authentication server determines, based on the authentication request information, that a user passes identity authentication and tunnel access permission authentication;
determining, based on the identity permission passing information, that the VTI has VXLAN tunnel access permission, opening for the VTI a service port it applies for to access a VXLAN tunnel, and returning an authentication result and a communication token to the VTI, wherein the authentication result comprises the service port;
after receiving a tunnel establishment request message sent by the VTI based on the communication token, sending tunnel parameters to the VTI and sending a tunnel establishment preparation instruction to a virtual tunnel receiver (VTR), so that the VTI and the VTR each open a tunnel connection service towards the opposite end's IP address, perform VXLAN tunnel establishment negotiation and complete VXLAN tunnel establishment; the VTR is a VTEP connected with the server.
2. The method of claim 1, wherein the probe authorization request message includes a first probe key and a UDP data packet, the UDP data packet including a terminal identifier of the user terminal, a client IP, a VTR port and a first account password, wherein the first probe key is computed by the VTI with a preset algorithm from a shared key, a user account, a timestamp and a controller IP, and is stored in the first 16 bytes of the probe authorization request message.
3. The method of claim 2, wherein authenticating the probe authorization request message comprises:
obtaining the first probe key from the probe authorization request message;
obtaining a stored second probe key list, wherein the second probe key list contains the second probe keys of all users for the current time period;
and, if the first probe key is determined to be in the second probe key list, determining that the probe authorization request message passes authentication.
4. The method of claim 3, wherein, after determining that the probe authorization request message passes authentication, the method further comprises:
parsing the probe authorization request message to obtain the UDP data packet;
and recording the UDP data packet as the last validly authorized data packet received.
5. The method of claim 2, wherein the authentication request information carries the user account and the first account password, and receiving the identity permission passing information sent by the AAA authentication server comprises:
comparing, by the AAA authentication server and based on the authentication request information, the first account password with a pre-stored second account password corresponding to the user account, and determining, based on a pre-stored service attribute corresponding to the user account, whether the user has VXLAN tunnel access permission;
and receiving the identity permission passing information sent after the AAA authentication server determines that the first account password is the same as the second account password and that the user has VXLAN tunnel access permission.
6. The method of claim 5, wherein determining, based on the identity permission passing information, that the VTI has VXLAN tunnel access permission, opening for the VTI a service port it applies for to access a VXLAN tunnel, and returning an authentication result and a communication token to the VTI comprises:
determining, based on the identity permission passing information, that the user passes identity authentication and has VXLAN tunnel access permission, and thereby that the VTI has VXLAN tunnel access permission;
and designating one free port of the VTI as the service port, and returning the authentication result and the communication token to the VTI.
7. The method of claim 5, wherein the identity permission passing information comprises a RADIUS message, and before sending the tunnel parameters to the VTI the method further comprises:
obtaining the tunnel parameters from the attribute values of the RADIUS message, wherein the tunnel parameters comprise a VXLAN tunnel target IP, a tunnel password, a VXLAN network identifier (VNI) and a tunnel bandwidth.
8. An apparatus for establishing a VXLAN tunnel, comprising:
a receiving unit, configured to receive a probe authorization request message sent by a VTI, wherein the VTI is a VTEP connected with a user terminal, and the probe authorization request message is a UDP message;
an authentication unit, configured to authenticate the probe authorization request message;
a sending unit, configured to send authentication request information to an AAA authentication server after the probe authorization request message passes authentication;
the receiving unit is further configured to receive identity permission passing information sent by the AAA authentication server, wherein the identity permission passing information is sent after the AAA authentication server determines, based on the authentication request information, that the user passes identity authentication and tunnel access permission authentication;
the authentication unit is further configured to determine, based on the identity permission passing information, that the VTI has VXLAN tunnel access permission, and to open for the VTI a service port it applies for to access the VXLAN tunnel;
the sending unit is further configured to return an authentication result and a communication token to the VTI, wherein the authentication result comprises the service port;
the sending unit is further configured, after the receiving unit receives a tunnel establishment request message sent by the VTI based on the communication token, to send tunnel parameters to the VTI and a tunnel establishment preparation instruction to a VTR, so that the VTI and the VTR each open a tunnel connection service towards the opposite end's IP address, perform VXLAN tunnel establishment negotiation and complete VXLAN tunnel establishment; the VTR is a VTEP connected with the server.
9. A network system, comprising: a VTI, a VTR, an AAA authentication server and a controller, wherein the VTI is a VTEP connected with a user terminal and the VTR is a VTEP connected with a server; wherein:
the VTI is configured to send a probe authorization request message to the controller, wherein the probe authorization request message is a User Datagram Protocol (UDP) message;
the controller is configured to authenticate the probe authorization request message, and to send authentication request information to the AAA authentication server after the probe authorization request message passes authentication;
the AAA authentication server is configured to perform identity authentication and tunnel access permission authentication on the user based on the authentication request information, and to send identity permission passing information to the controller after determining that the user passes identity authentication and tunnel access permission authentication;
the controller is further configured to open for the VTI a service port it applies for to access a VXLAN tunnel after determining, based on the identity permission passing information, that the VTI has VXLAN tunnel access permission, and then to return an authentication result and a communication token to the VTI, wherein the authentication result comprises the service port;
the VTI is further configured to send a tunnel establishment request message to the controller based on the communication token;
the controller is further configured to receive the tunnel establishment request message, to send tunnel parameters to the VTI based on the tunnel establishment request message, and to send a tunnel establishment preparation instruction to the VTR;
the VTI is further configured to open a tunnel connection service towards the IP address of the VTR based on the tunnel parameters, and to perform VXLAN tunnel establishment negotiation with the VTR to complete establishment of the VXLAN tunnel;
and the VTR is configured to open a tunnel connection service towards the IP address of the VTI based on the tunnel establishment preparation instruction, and to perform VXLAN tunnel establishment negotiation with the VTI to complete establishment of the VXLAN tunnel.
10. A computer-readable storage medium characterized in that the computer-readable storage medium stores at least one program; the at least one program, when executed by a processor, performs the method of any of claims 1-7.
CN202210984909.XA 2022-08-17 2022-08-17 VXLAN tunnel establishment method, device, network system and storage medium Active CN115065576B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210984909.XA CN115065576B (en) 2022-08-17 2022-08-17 VXLAN tunnel establishment method, device, network system and storage medium

Publications (2)

Publication Number Publication Date
CN115065576A CN115065576A (en) 2022-09-16
CN115065576B true CN115065576B (en) 2022-11-04

Family

ID=83208335

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210984909.XA Active CN115065576B (en) 2022-08-17 2022-08-17 VXLAN tunnel establishment method, device, network system and storage medium

Country Status (1)

Country Link
CN (1) CN115065576B (en)

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103259736A (en) * 2013-05-24 2013-08-21 杭州华三通信技术有限公司 Tunnel building method and network equipment
CN107147580A (en) * 2017-06-23 2017-09-08 北京佰才邦技术有限公司 The method and communication system of a kind of tunnel building
CN107404470A (en) * 2016-05-20 2017-11-28 新华三技术有限公司 Connection control method and device
CN107493297A (en) * 2017-09-08 2017-12-19 安徽皖通邮电股份有限公司 A kind of method of VxLAN tunnels access authentication
CN107733764A (en) * 2016-08-11 2018-02-23 中国电信股份有限公司 Method for building up, system and the relevant device in virtual expansible LAN tunnel
CN108306807A (en) * 2018-02-28 2018-07-20 新华三技术有限公司 Management method of opening an account and device
CN111669309A (en) * 2019-03-05 2020-09-15 华为技术有限公司 VxLAN establishing method, wireless controller and switch
CN112187611A (en) * 2020-09-30 2021-01-05 瑞斯康达科技发展股份有限公司 Method, storage medium and device for establishing service tunnel
CN113037684A (en) * 2019-12-24 2021-06-25 中国电信股份有限公司 VxLan tunnel authentication method, device and system and gateway
CN113645174A (en) * 2020-04-27 2021-11-12 华为技术有限公司 VXLAN access authentication method and VTEP device
CN114143283A (en) * 2021-11-26 2022-03-04 迈普通信技术股份有限公司 Tunnel self-adaptive configuration method and device, center-end equipment and communication system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20220029917A1 (en) * 2020-07-22 2022-01-27 CAST AI Group, Inc. Executing workloads across multiple cloud service providers

Also Published As

Publication number Publication date
CN115065576A (en) 2022-09-16

Similar Documents

Publication Publication Date Title
CN107493280B (en) User authentication method, intelligent gateway and authentication server
US20200004946A1 (en) Secretless and secure authentication of network resources
CN107181720B (en) Software Defined Networking (SDN) secure communication method and device
CN101986598B (en) Authentication method, server and system
CN109067937B (en) Terminal access control method, device, equipment, system and storage medium
WO2019062666A1 (en) System, method, and apparatus for securely accessing internal network
KR20220156970A (en) Processing electronic tokens
US20170289159A1 (en) Security support for free wi-fi and sponsored connectivity for paid wi-fi
CN110719265B (en) Method, device and equipment for realizing network security communication
WO2018120913A1 (en) Certificate acquisition method, authentication method and network device
EP2706717A1 (en) Method and devices for registering a client to a server
CN109831311A (en) A kind of server validation method, system, user terminal and readable storage medium storing program for executing
WO2019134494A1 (en) Verification information processing method, communication device, service platform, and storage medium
CN115603932A (en) Access control method, access control system and related equipment
CN109936847A (en) Shared method for network access, system and its equipment
EP4351086A1 (en) Access control method, access control system and related device
CN106302425B (en) Communication method between nodes of virtualization system and virtualization system thereof
TW201417542A (en) Virtual network building system, virtual network building method, small terminal, and authentication server
US10277713B2 (en) Role-based access to shared resources
KR20170054260A (en) Method and apparatus for secure access of a service via customer premise equipment
CN109561431A (en) The WLAN access control system and method identified based on more password identity
CN115065576B (en) VXLAN tunnel establishment method, device, network system and storage medium
CN114915534A (en) Network deployment architecture facing trust enhancement and network access method thereof
CN115499177A (en) Cloud desktop access method, zero-trust gateway, cloud desktop client and server
JP6488001B2 (en) Method for unblocking an external computer system in a computer network infrastructure, a distributed computer network having such a computer network infrastructure, and a computer program product

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant