WO2009103227A1 - Method, device and system for sending initial configuration message to access point device - Google Patents


Info

Publication number
WO2009103227A1
Authority
WO
WIPO (PCT)
Prior art keywords
access point
point device
address information
security gateway
configuration information
Application number
PCT/CN2009/070397
Other languages
French (fr)
Chinese (zh)
Inventor
何纲
聂爽
韩少伟
Original Assignee
华为技术有限公司 (Huawei Technologies Co., Ltd.)
Application filed by 华为技术有限公司 (Huawei Technologies Co., Ltd.)
Publication of WO2009103227A1


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 24/00 Supervisory, monitoring or testing arrangements
    • H04W 24/02 Arrangements for optimising operational condition
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/03 Protecting confidentiality, e.g. by encryption

Abstract

A method for sending initial configuration information to an access point device comprises: receiving, through an encrypted channel, a request to obtain the initial configuration information of the access point device; obtaining, according to the request, the initial configuration information of the access point device, which includes the address information of the home security gateway; and sending the initial configuration information to the access point device through the encrypted channel. The method is applied to a network device and a network system.

Description

Method, device and system for delivering initial configuration information of an access point device

Technical field
The embodiments of the present invention relate to the field of communications, and in particular to a method, device and system for delivering initial configuration information of an access point device.

Background art
The development of the communications industry towards 3G has opened up attractive prospects and set a higher standard for future communications. To improve network coverage, 3G operators initially used macro base stations for indoor coverage, but with macro base stations site acquisition is difficult, coverage is hit-and-miss and investment efficiency is low. To overcome this, the Universal Mobile Telecommunications System Access Point (UMTS AP) system was adopted to improve wireless broadband coverage in homes, small offices and similar areas.
Through open, standard 3G core network interfaces, the UMTS AP system interworks seamlessly with existing networks, both fixed and mobile. In a UMTS AP system the AP integrates the functions of the base station (NodeB) and the Radio Network Controller (RNC); the AP Gateway (AG) controls and manages the APs and routes traffic to other network elements. A user normally only has to add an AP and connect it to existing home broadband equipment (e.g. an ADSL modem); the AP then reaches the AG of the Universal Mobile Telecommunications System (UMTS) core network over the broadband access network or the public network (Internet). The AG supports the standard UMTS IuCS, IuPS and other interfaces, and by connecting through the AG to the existing UMTS core network, 3G UMTS access is realised.
In a UMTS AP system the AP can obtain 3G UMTS access conveniently by self-starting. Throughout the access procedure the user only powers the AP on, with no further intervention; configuration information such as the parameters the AP needs at start-up and the parameters it needs to initiate services is configured automatically, giving plug-and-play operation. Figure 1 is a structural diagram of the prior-art system for delivering initial configuration information to an access point device. As shown in Figure 1, after power-on the AP sends, over a public network interface (e.g. the Ab interface), a request for the access point device initial configuration (AP BOOT) information to a dedicated server or system terminal device deployed inside the UMTS core network (e.g. the AP Home Register, AHR); on receiving the request, the dedicated server or system terminal device sends the AP initial configuration information to the AP; the AP receives it, completes its automatic configuration from it and initiates the normal service flow. While implementing the present invention, the inventors found that the prior art by which the AP obtains its initial configuration information has at least the following defects:
1. The dedicated server or system terminal device holding the AP initial configuration information is deployed inside the UMTS core network, and the firewall in front of these devices offers only weak protection. Because the AP reaches the UMTS core network from the public network through a public network interface, the dedicated server or system terminal device is easily attacked, sensitive core data is at risk of being stolen, and system services may be interrupted.
2. There is either no authentication between the AP and the dedicated server or system terminal device, or only simple username and password authentication, so the dedicated server or system terminal device is easily attacked or cracked and illegitimate users may gain access to the UMTS core network, creating a network security risk.
3. Information exchanged between the AP and the dedicated server or system terminal device is transmitted in plaintext and is easily stolen or tampered with.
Therefore, when the AP is to configure itself fully automatically and connect conveniently to the UMTS network, the network security of the AP's acquisition of its initial configuration information cannot be ignored, and a more secure way for the AP to handle AP initial configuration information is urgently needed.

Summary of the invention
Embodiments of the present invention provide a method, device and system for delivering initial configuration information of an access point device, so as to protect the initial configuration information of the access point device while it is transmitted over the public network and thereby enable the access point device to self-start securely.
A first aspect of the embodiments of the present invention provides a method for delivering initial configuration information of an access point device, comprising:
receiving, through an encrypted channel, an initial configuration information acquisition request from the access point device;
acquiring, according to the acquisition request, access point device initial configuration information that includes home security gateway address information;
sending the access point device initial configuration information to the access point device through the encrypted channel.

In the method of the first aspect, the access point device initial configuration (AP BOOT) information acquisition request is transmitted through an encrypted channel and the acquired initial configuration information is delivered through that encrypted channel. This lowers the risk that the initial configuration information is stolen or tampered with while crossing the public network, improves its security and reliability, and lets the access point device configure itself automatically from trustworthy initial configuration information, so that the access point device self-starts more securely.
A second aspect of the embodiments of the present invention provides a network system comprising an access point device, a security gateway and an initial function server, where:
the access point device is configured to establish an encrypted channel with the security gateway corresponding to preset security gateway address information and to receive, through that encrypted channel, its initial configuration information from the initial function server;
the security gateway is configured to establish the encrypted channel with the access point device;
the initial function server is configured to receive the initial configuration information acquisition request from the access point device, to acquire, according to that request, access point device initial configuration information that includes home security gateway address information, and to send that initial configuration information to the access point device through the encrypted channel.
In the network system of the second aspect, a security gateway is placed in front of the initial function server, and the access point device is preconfigured with the security gateway address information and initial function server address information associated with where its initial configuration information is stored. The encrypted channel that the network architecture already provides between the access point device and the security gateway carries the access point device initial configuration information acquisition request and the corresponding initial configuration information. This lowers the risk that the initial configuration information is stolen or tampered with while crossing the public network, improves its security and reliability, and lets the access point device configure itself automatically from trustworthy initial configuration information, so that it self-starts more securely. In addition, because the system reuses the encrypted channel that the existing network architecture already provides between the access point device and the security gateway to achieve secure self-start, the cost and development effort for the whole network are reduced.
A third aspect of the embodiments of the present invention provides a network device comprising:
a receiving module, configured to receive, through an encrypted channel, an initial configuration information acquisition request from an access point device;
an acquiring module, configured to acquire, according to the acquisition request, access point device initial configuration information that includes home security gateway address information;
a delivering module, configured to send the access point device initial configuration information to the access point device through the encrypted channel.
In the network device of the third aspect, the receiving module receives the access point device initial configuration information acquisition request through an encrypted channel, and the initial configuration information obtained by the acquiring module is delivered by the delivering module through that channel. This lowers the risk that the initial configuration information is stolen or tampered with while crossing the public network, improves its security and reliability, and lets the access point device configure itself automatically from trustworthy initial configuration information, so that it self-starts more securely.
A fourth aspect of the embodiments of the present invention provides an access point device comprising:
a setting module, configured to preset security gateway address information and initial function server address information;
a requesting module, configured to establish an encrypted channel with the security gateway corresponding to the preset security gateway address information and to send, through that channel, an access point device configuration information acquisition request to the initial function server corresponding to the preset initial function server address information;
a start-up module, configured to receive, through the encrypted channel, the access point device initial configuration information from the initial function server, and to initiate the service flow towards the home security gateway identified by the home security gateway address information contained in that initial configuration information.
In the access point device of the fourth aspect, the setting module presets the security gateway address information and the initial function server address information, the requesting module establishes an encrypted channel with the corresponding security gateway, and the access point device initial configuration information acquisition request and the corresponding initial configuration information are carried over that channel. This lowers the risk that the initial configuration information is stolen or tampered with while crossing the public network and improves its security and reliability; the start-up module configures the device automatically from trustworthy initial configuration information, so that it self-starts more securely.

Brief description of the drawings
To describe the technical solutions of the embodiments of the present invention more clearly, the drawings needed for the description of the embodiments are briefly introduced below. The drawings described below are evidently only some embodiments of the present invention, and a person of ordinary skill in the art can derive other drawings from them without creative effort.
Figure 1 is a structural diagram of the prior-art system for delivering initial configuration information to an access point device;
Figure 2 is a flowchart of a first embodiment of the method of the present invention for delivering initial configuration information of an access point device;
Figure 3a is a flowchart of a second embodiment of the method of the present invention for delivering initial configuration information of an access point device;
Figure 3b is a signalling diagram of the second embodiment of the method of the present invention for delivering initial configuration information of an access point device;
Figure 4a is a flowchart of a third embodiment of the method of the present invention for delivering initial configuration information of an access point device;
Figure 4b is a signalling diagram of the third embodiment of the method of the present invention for delivering initial configuration information of an access point device;
Figure 5 is a structural diagram of a first embodiment of the network system of the present invention;
Figure 6 is a structural diagram of a second embodiment of the network system of the present invention;
Figure 7 is a structural diagram of a third embodiment of the network system of the present invention;
Figure 8 is a structural diagram of a fourth embodiment of the network system of the present invention;
Figure 9 is a structural diagram of an embodiment of the network device of the present invention;
Figure 10 is a structural diagram of an embodiment of the access point device of the present invention.

Detailed description of embodiments
To make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the accompanying drawings. The described embodiments are evidently only some, and not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art on the basis of these embodiments without creative effort fall within the scope of protection of the present invention.
The embodiments of the present invention can be applied in fixed networks, mobile networks and fixed-mobile convergence networks.
Mobile network types include: Global System for Mobile Communications (GSM), Wideband Code Division Multiple Access (WCDMA), Time Division-Synchronous Code Division Multiple Access (TD-SCDMA), Code Division Multiple Access (CDMA), Worldwide Interoperability for Microwave Access (WiMAX), Wireless Local Area Network (WLAN), Long Term Evolution (LTE) and others.
The access point device of the embodiments of the present invention may be a base station; base station types include GSM macro base stations, pico base stations, UMTS APs, WiMAX femto base stations, WiMAX macro base stations and others.
When the embodiments of the present invention are applied in a fixed network, the access point device may be a set-top box, a router, a switch, a digital subscriber line access multiplexer (DSLAM) or the like.
The technical solutions of the embodiments of the present invention are described in further detail below with reference to the drawings and embodiments.
Figure 2 is a flowchart of a first embodiment of the method of the present invention for delivering initial configuration information of an access point device. As shown in Figure 2, this embodiment comprises:
Step 21: Receive, through an encrypted channel, an initial configuration information acquisition request from an access point device (AP).
Step 22: According to the acquisition request, acquire the access point device initial configuration information, which includes home security gateway address information.
Step 23: Send the access point device initial configuration information to the access point device through the encrypted channel.
The order of the steps of the method of the embodiments may be adjusted as actual needs require.
In this embodiment the access point device initial configuration (AP BOOT) information acquisition request is transmitted through an encrypted channel and the acquired AP initial configuration information is delivered through that channel. This lowers the risk that the AP initial configuration information is stolen or tampered with while crossing the public network, improves its security and reliability, and lets the access point device configure itself automatically from trustworthy AP initial configuration information, so that it self-starts more securely.
Figure 3a is a flowchart of a second embodiment of the method of the present invention for delivering initial configuration information of an access point device, and Figure 3b is the signalling diagram of that embodiment. As shown in Figures 3a and 3b, this embodiment comprises:
Step 31: Preset and store in the AP the IP address information of the security gateway (SeGW) and the IP address information of the initial function server (AP Booting Function, ABF).
Step 32: The AP establishes an encrypted channel with the SeGW corresponding to the preset SeGW IP address information.
Step 33: Through the encrypted channel established in step 32, the AP sends an AP initial configuration information acquisition request to the ABF corresponding to the preset ABF IP address information.
Step 34: According to the AP identity carried in the AP initial configuration information acquisition request, the initial function server (ABF) queries the home register (AP Home Register, AHR) and obtains the corresponding AP initial configuration information, which contains the IP address information of the home security gateway (Serving SeGW). The AP identity may specifically comprise the AP's identity information (ID), location information, IP address information or other information that identifies the AP.
Step 35: Through the encrypted channel established in step 32, the ABF sends the acquired AP initial configuration information, containing the home security gateway IP address information, to the AP.
Step 36: The AP receives and stores the AP initial configuration information and releases the encrypted channel established in step 32.
Step 37: According to the home security gateway IP address information contained in the AP initial configuration information, the AP establishes a new home encrypted channel with the corresponding home security gateway and initiates the normal service flow.
In step 32 of this embodiment the encrypted channel can be established with any of several transport encryption technologies, for example: virtual private network (VPN) technology, including IPsec VPN and Secure Sockets Layer (SSL) VPN; Point to Point Tunneling Protocol (PPTP); Layer 2 Forwarding (L2F); Layer 2 Tunneling Protocol (L2TP); Generic Routing Encapsulation (GRE); or other transport encryption technologies. In short, the encrypted channel of the embodiments of the present invention can be established in many ways.
In this embodiment the SeGW IP address information and the ABF IP address information are preset and stored in the AP, an encrypted channel is established between the AP and the SeGW, and the AP BOOT acquisition request and the corresponding AP initial configuration information are carried over that channel. This lowers the risk that the AP initial configuration information is stolen or tampered with while crossing the public network and improves its security and reliability; the AP configures itself automatically from trustworthy AP initial configuration information, so that it self-starts more securely. Because both the AP initial configuration information acquisition request and the AP initial configuration information are encrypted while crossing the public network, the sensitive information held on the AHR is also better protected, and other APs remain able to obtain their own initial configuration information from the AHR, so that services keep running smoothly.
The order of the steps of the method of the embodiments may be adjusted as actual needs require.
Building on the technical solution of this embodiment, if the home security gateway IP address information in the AP initial configuration information delivered to the AP is the same as the SeGW IP address information preset in the AP, the encrypted channel between the AP and the SeGW need not be released: the service flow is initiated to the SeGW directly over that channel. Furthermore, the AP initial configuration information that the ABF delivers to the AP may contain the IP address information of several home security gateways. The AP selects the home security gateway corresponding to one of them as its current home security gateway and initiates the service flow to it. If the current home security gateway does not respond, the AP selects the home security gateway corresponding to the next home security gateway IP address information in the AP initial configuration information, until one of them responds. If none of the home security gateways listed in the AP initial configuration information responds, the AP can use the technical solution of this embodiment to re-establish the encrypted channel to the SeGW and initiate a new AP BOOT acquisition request. Building on this embodiment, therefore, the way the ABF distributes AP initial configuration information and the way the AP addresses its gateways are both very flexible and can accommodate the needs of a variety of AP self-start modes.
FIG. 4a is a flowchart of the third embodiment of the method for delivering initial configuration information to an access point device according to the present invention, and FIG. 4b is the signalling diagram of the same embodiment. In this embodiment, the public network domain name server (Internet DNS) is the first domain name server of the embodiments of the present invention, and the universal mobile core network domain name server (UMTS DNS) is the second domain name server. As shown in FIGS. 4a and 4b, this embodiment includes:
Step 41: The fully qualified domain name (FQDN) address information of the SeGW and the FQDN address information of the ABF are preset and stored in the AP.
Step 42: The AP queries the public network domain name server for the SeGW IP address information corresponding to the preset SeGW FQDN address information.
Step 43: The AP establishes an encrypted channel with the SeGW corresponding to the SeGW IP address information obtained in step 42; during the negotiation that establishes the encrypted channel, the AP obtains the address information of the UMTS domain name server from the SeGW through that channel.
Step 44: Through the encrypted channel established in step 43, the AP queries the UMTS domain name server identified by that address information for the ABF IP address information corresponding to the preset ABF FQDN address information.
Step 45: Through the encrypted channel established in step 43, the AP sends an AP initial configuration information acquisition request to the ABF corresponding to the ABF IP address information obtained in step 44.
Step 46: According to the AP identity carried in the AP initial configuration information acquisition request, the ABF queries the AHR for the corresponding AP initial configuration information, which contains the home security gateway address information. The AP identity may specifically include the AP's identity information (ID information), location information, IP address information or other information used to identify the AP.
Step 47: Through the encrypted channel established in step 43, the ABF sends the AP initial configuration information, containing the home security gateway address information, to the AP.
Step 48: The AP receives and stores the AP initial configuration information and releases the encrypted channel established in step 43.
Step 49: According to the home security gateway address information contained in the AP initial configuration information, the AP establishes a new home encrypted channel with the corresponding home security gateway and initiates the normal service procedure.
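The exchange of steps 41 to 49, together with the home security gateway selection rules described earlier in this embodiment (the channel is kept when the home SeGW is the bootstrap SeGW, the listed home SeGWs are tried in order, and a new AP BOOT request is issued when none of them responds), as an added Python simulation that is not part of the patent. The encrypted channel, the two DNS servers, the SeGW, the ABF and the AHR are stand-in objects; every FQDN, IP address and AP identity is constructed for the example.

```python
# Added example (not part of the patent): a Python simulation of the AP self-start
# flow of steps 41 to 49 plus the home-SeGW selection rules. The encrypted channel,
# DNS servers, SeGW, ABF and AHR are stand-in objects, and every address, FQDN and
# AP identity below is constructed for illustration.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Tunnel:
    """Stand-in for the encrypted channel between the AP and one SeGW."""
    segw_ip: str
    open: bool = True


@dataclass
class SeGW:
    ip: str
    umts_dns_ip: str          # second DNS server address handed to the AP at channel set-up
    reachable: bool = True

    def establish(self) -> Optional[Tunnel]:
        # A gateway that does not respond yields no channel at all.
        return Tunnel(self.ip) if self.reachable else None


@dataclass
class ABF:
    """Initial function server: answers AP BOOT requests from the AHR records."""
    ahr: dict                 # AP identity -> {"home_segw": [ip, ...]}

    def boot_request(self, tunnel: Tunnel, ap_id: str) -> Optional[dict]:
        if not tunnel.open:   # requests are accepted only over the encrypted channel
            raise RuntimeError("AP BOOT request must arrive over the encrypted channel")
        return self.ahr.get(ap_id)


@dataclass
class Network:
    dns: dict                 # DNS server IP -> {FQDN: IP}; one public, one in the core
    segws: dict               # SeGW IP -> SeGW
    abfs: dict                # ABF IP -> ABF


@dataclass
class AccessPoint:
    ap_id: str
    segw_fqdn: str            # preset in the AP (step 41)
    abf_fqdn: str             # preset in the AP (step 41)
    internet_dns_ip: str      # public DNS server the AP can reach before any channel exists
    max_boot_attempts: int = 2

    def self_start(self, net: Network) -> Optional[dict]:
        for _ in range(self.max_boot_attempts):
            # Steps 42-43: resolve the SeGW FQDN on the public DNS and open the channel.
            segw = net.segws[net.dns[self.internet_dns_ip][self.segw_fqdn]]
            tunnel = segw.establish()
            if tunnel is None:
                return None
            # Step 44: resolve the ABF FQDN on the UMTS DNS learned from the SeGW.
            abf_ip = net.dns[segw.umts_dns_ip][self.abf_fqdn]
            # Steps 45-48: AP BOOT request and initial configuration over the same channel.
            cfg = net.abfs[abf_ip].boot_request(tunnel, self.ap_id)
            if cfg is None:
                tunnel.open = False
                return None
            # Step 49 and the selection rules: keep the channel if the home SeGW is the
            # bootstrap SeGW, otherwise release it and try the listed home SeGWs in order.
            result = self._attach_home_segw(cfg["home_segw"], segw.ip, tunnel, net)
            if result is not None:
                return result
            # No listed home SeGW responded: rebuild the channel and issue a new request.
        return None

    def _attach_home_segw(self, home_ips, boot_ip, tunnel, net) -> Optional[dict]:
        for ip in home_ips:
            if ip == boot_ip and tunnel.open:
                return {"home_segw": ip, "reused_channel": True}
            tunnel.open = False
            segw = net.segws.get(ip)
            if segw is not None and segw.establish() is not None:
                return {"home_segw": ip, "reused_channel": False}
        return None


def build_sample_network() -> Network:
    """Constructed topology: one bootstrap SeGW, two home SeGWs (one down), one ABF."""
    return Network(
        dns={"198.51.100.53": {"segw.boot.example.net": "203.0.113.10"},   # public DNS
             "10.20.0.53": {"abf.core.example.net": "10.20.0.5"}},         # UMTS DNS
        segws={"203.0.113.10": SeGW("203.0.113.10", "10.20.0.53"),
               "198.51.100.7": SeGW("198.51.100.7", "10.20.0.53", reachable=False),
               "198.51.100.8": SeGW("198.51.100.8", "10.20.0.53")},
        abfs={"10.20.0.5": ABF(ahr={
            "AP-0001": {"home_segw": ["203.0.113.10"]},                   # home = bootstrap SeGW
            "AP-0002": {"home_segw": ["198.51.100.7", "198.51.100.8"]},   # first home SeGW down
            "AP-0003": {"home_segw": ["198.51.100.7"]}})},                # no home SeGW answers
    )


def boot(ap_id: str, net: Optional[Network] = None) -> Optional[dict]:
    """Run the self-start flow for one AP and return the chosen home SeGW, or None."""
    ap = AccessPoint(ap_id, "segw.boot.example.net", "abf.core.example.net", "198.51.100.53")
    return ap.self_start(net or build_sample_network())
```

Running `boot("AP-0001")` keeps the bootstrap channel because the home SeGW is the bootstrap SeGW; `boot("AP-0002")` releases it, skips the unreachable first home SeGW and attaches to the second; `boot("AP-0003")` exhausts the list, rebuilds the channel once and finally gives up. Because the AP holds FQDNs rather than IP addresses, moving the bootstrap SeGW to a new address only requires updating the public DNS record, which is the point made in the next paragraph.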
This embodiment further addresses the case in which the IP address information of the SeGW or of the ABF changes while the original IP address information preset in the AP has not been updated in time, and how the AP then still obtains the AP initial configuration information and completes self-start. In that situation, the AP might be unable to establish the correct encrypted channel because its SeGW IP address information is wrong, or the AP initial configuration information acquisition request it sends might carry wrong ABF IP address information, so that the corresponding AP initial configuration information cannot be obtained and the AP's self-start fails. In this embodiment the AP is instead preset with the FQDN address information of the SeGW and the FQDN address information of the ABF; the SeGW FQDN is resolved to the current SeGW IP address information through the Internet DNS, and the ABF FQDN is resolved to the current ABF IP address information through the UMTS DNS. Even if the IP address information of the SeGW or of the ABF changes, the AP can obtain the changed IP address information through the FQDN address information, which guarantees that the AP initial configuration information can be obtained and that the AP completes self-start.
This embodiment also establishes an encrypted channel between the AP and the SeGW and uses that channel to send the AP BOOT acquisition request and to deliver the corresponding AP initial configuration information. This reduces the risk that the AP initial configuration information is stolen or tampered with while it is transmitted over the public network, and improves the security and reliability of the AP initial configuration information; the AP configures itself automatically according to the reliable AP initial configuration information it receives, which improves the security of access point device self-start. Since both the AP initial configuration information acquisition request and the AP initial configuration information are transmitted in encrypted form over the public network, this also helps to protect the sensitive information held on the AHR and to ensure that other APs can obtain their corresponding AP initial configuration information from the AHR, so that services run smoothly.
A second aspect of the present invention also provides a network system. FIG. 5 is a structural diagram of the first embodiment of the network system according to the present invention. The first embodiment of the network system includes an access point device 10, a security gateway 20 and an initial function server 30.
The access point device 10 is configured to establish an encrypted channel with the security gateway corresponding to preset security gateway address information and, through that encrypted channel, to receive the corresponding access point device initial configuration information from the initial function server.
The security gateway 20 is configured to establish the encrypted channel with the access point device 10.
The initial function server 30 is configured to receive the initial configuration information acquisition request from the access point device 10; to obtain, according to that acquisition request, the access point device initial configuration information including the home security gateway address information; and to send that access point device initial configuration information to the access point device 10 through the encrypted channel.
The units of the system in the embodiments of the present invention may be integrated in one device or distributed over several devices. The above units may be combined into one unit or further split into several sub-units.
In this embodiment a security gateway may be placed in front of the initial function server. By presetting in the access point device the security gateway address information and initial function server address information associated with the storage path of the access point device initial configuration information, the encrypted channel that the network architecture already provides between the access point device and the security gateway is used to transmit the access point device initial configuration information acquisition request and the corresponding access point device initial configuration information. This reduces the risk that the access point device initial configuration information is stolen or tampered with while transmitted over the public network and improves its security and reliability; the access point device configures itself automatically according to the reliable initial configuration information it receives, which improves the security of access point device self-start.
FIG. 6 is a structural diagram of the second embodiment of the network system according to the present invention. This embodiment differs from the first embodiment of the network system in that it further includes a home server 40, as shown in FIG. 6.
The home server 40 is configured to store the access point device initial configuration information.
Correspondingly, the initial function server 30 is further configured to obtain the access point device initial configuration information of the access point device 10 from the home server 40 according to the initial configuration information acquisition request from the access point device 10, and to deliver that information through the encrypted channel.
On the basis of this technical solution, the access point device 10 may specifically include a setting module 101, a requesting module 102 and a start-up module 103, and the initial function server 30 may specifically include a receiving module 301, an obtaining module 302 and a delivery module 303.
The setting module 101 is configured to set the SeGW address information and ABF address information corresponding to the storage path of the access point device initial configuration information.
The requesting module 102 is configured to establish an encrypted channel with the SeGW corresponding to the SeGW address information preset by the setting module 101 and, through that encrypted channel, to send an access point device initial configuration information acquisition request to the ABF corresponding to the ABF address information preset by the setting module 101.
The start-up module 103 is configured to receive, through the encrypted channel established by the requesting module 102, the access point device initial configuration information containing the home security gateway address information, and to initiate the service procedure towards the corresponding home security gateway according to that address information.
The receiving module 301 is configured to receive the access point device initial configuration information acquisition request from the access point device 10 through the encrypted channel established between the security gateway 20 and the access point device 10.
The obtaining module 302 is configured to obtain from the home server 40, according to the acquisition request received by the receiving module 301, the access point device initial configuration information including the home security gateway address information.
The delivery module 303 is configured to deliver, through the encrypted channel, the access point device initial configuration information containing the home security gateway address information obtained by the obtaining module 302.
The device form and deployment of the initial function server itself can be very flexible. The initial function server may be a stand-alone device or an integrated device combining several functions. For example, several stand-alone initial function servers may be deployed across the whole network according to the actual networking needs, to ensure the reliability of the initial function server and flexibility of deployment; or the initial function server may be integrated with the Authentication, Authorization and Accounting server (3A server); or, since there are several AGs in the network, the AG and initial function server functions may be integrated for flexible deployment of the network. A person skilled in the art may also select a suitable device form and deployment mode for the initial function server according to the actual networking needs. It should be noted that in this embodiment the initial function server and the home server may be deployed as two independent devices, or the functions of the initial function server and of the home server may be integrated in one device for centralized deployment.
In this embodiment, the security gateway address information and initial function server address information associated with the storage path of the access point device initial configuration information are preset in the access point device, and the encrypted channel that the network architecture already provides between the access point device and the security gateway is used to transmit the access point device initial configuration information acquisition request and the corresponding access point device initial configuration information. This reduces the risk that the access point device initial configuration information is stolen or tampered with while transmitted over the public network and improves its security and reliability; the access point device configures itself automatically according to the reliable initial configuration information it receives, which improves the security of access point device self-start. Since both the access point device initial configuration information acquisition request and the access point device initial configuration information are transmitted in encrypted form in the network, this also helps to protect the sensitive information on the home server and to ensure that other APs can obtain their corresponding access point device initial configuration information from the home server, so that services run smoothly. Moreover, because the system uses the encrypted channel that already exists between the access point device and the security gateway in the existing network architecture to achieve secure self-start of the access point device, the cost and development effort for the whole network are reduced.
FIG. 7 is a structural diagram of the third embodiment of the network system according to the present invention. As shown in FIG. 7, this embodiment differs from the first embodiment of the network system in that the setting module is specifically a first setting module 1011, and the start-up module 103 specifically includes a receiving unit 1031, a comparing unit 1032 and a start-up unit 1033.
The first setting module 1011 is configured to set the IP address information of the security gateway 20 and the IP address information of the initial function server 30.
The receiving unit 1031 is configured to receive, through the encrypted channel between the requesting module 102 and the security gateway 20, the access point device initial configuration information containing the home security gateway address information sent by the initial function server 30.
The comparing unit 1032 is configured to compare the home security gateway address information in the access point device initial configuration information received by the receiving unit 1031 with the address information of the security gateway 20 preset by the first setting module 1011. If they are the same, the encrypted channel between the requesting module 102 and the security gateway 20 is not released; if they differ, that encrypted channel is released.
The start-up unit 1033 is configured to initiate the service procedure towards the corresponding home security gateway according to the home security gateway address information contained in the access point device initial configuration information received by the receiving unit 1031. When initiating the service procedure, if the comparing unit 1032 has released the encrypted channel between the requesting module 102 and the security gateway 20, the start-up unit 1033 establishes a new home encrypted channel with the corresponding home security gateway and initiates the service procedure through it; if the comparing unit 1032 has not released that encrypted channel, the service procedure is initiated through the existing channel.
The units of the embodiments of the present invention may be integrated together or deployed separately. The above units may be combined into one unit or further split into several sub-units.
In this embodiment, the IP address information of the security gateway and the IP address information of the initial function server associated with the storage path of the access point device initial configuration information are preset in the first setting module of the access point device, an encrypted channel is established between the requesting module and the security gateway, and the access point device initial configuration information acquisition request and the corresponding access point device initial configuration information are transmitted through that channel. This reduces the risk that the access point device initial configuration information is stolen or tampered with while transmitted over the public network and improves its security and reliability; the access point device configures itself automatically according to the reliable initial configuration information it receives, which improves the security of access point device self-start. After the receiving unit of the start-up module has received the access point device initial configuration information, the comparing unit compares the home security gateway address information in that information with the preset security gateway IP address information; if they are the same, the service procedure can be initiated over the existing encrypted channel, which makes the secure self-start of the access device faster.
FIG. 8 is a structural diagram of the fourth embodiment of the network system according to the present invention. As shown in FIG. 8, this embodiment differs from the first embodiment of the network system in that it further includes a first domain name server 40 and a second domain name server 50; in the access point device 10, the setting module is specifically a second setting module 1012, and the requesting module 102 specifically includes a first query unit 1021, a channel establishing unit 1022, a second query unit 1023 and a requesting unit 1024.
The first domain name server 40 is configured to convert the fully qualified domain name address information of the security gateway 20 received from the access point device 10 into the IP address information of the corresponding security gateway 20 and return it to the access point device 10.
The second domain name server 50 is configured to convert the fully qualified domain name address information of the initial function server 30 received from the access point device 10 into the IP address information of the corresponding initial function server 30 and return it to the access point device 10.
The second setting module 1012 is configured to set the fully qualified domain name address information of the security gateway 20 and the fully qualified domain name address information of the initial function server 30.
The first query unit 1021 is configured to query the first domain name server 40 for the IP address information of the security gateway 20 corresponding to the fully qualified domain name address information of the security gateway 20 preset by the second setting module 1012.
The channel establishing unit 1022 is configured to establish an encrypted channel with the security gateway 20 corresponding to the IP address information of the security gateway 20.
The second query unit 1023 is configured to query the second domain name server 50 for the IP address information of the initial function server 30 corresponding to the fully qualified domain name address information of the initial function server 30 preset by the second setting module 1012.
The requesting unit 1024 is configured to send, through the encrypted channel established by the channel establishing unit 1022, an access point device initial configuration information acquisition request to the initial function server 30 corresponding to the IP address information of the initial function server 30.
The units of the embodiments of the present invention may be integrated together or deployed separately. The above units may be combined into one unit or further split into several sub-units.
In this embodiment, the FQDN address information of the security gateway and the FQDN address information of the initial function server associated with the storage path of the access point device initial configuration information are preset in the second setting module of the access point device, and the first DNS server and the second DNS server are queried respectively for the corresponding IP address information of the security gateway and of the initial function server; an encrypted channel is established between the requesting unit and the security gateway, and the access point device initial configuration information acquisition request and the corresponding access point device initial configuration information are transmitted through it. This reduces the risk that the access point device initial configuration information is stolen or tampered with while transmitted over the public network and improves its security and reliability; the access point device configures itself automatically according to the reliable initial configuration information it receives, which improves the security of access point device self-start. Because the FQDN address information of the security gateway and of the initial function server is set in the second setting module of the access device, the AP can obtain the changed IP address information through the FQDN address information even if the IP address information of the security gateway or of the initial function server changes, which guarantees that the access point device can obtain its initial configuration information and completes self-start.
图 9为本发明网络装置实施例结构图。 如图 9所示, 本实施例的网络装置 可以包括接收模块 301、 获取模块 302和下发模块 303。 其中:  FIG. 9 is a structural diagram of an embodiment of a network device according to the present invention. As shown in FIG. 9, the network device of this embodiment may include a receiving module 301, an obtaining module 302, and a sending module 303. among them:
接收模块 301用于通过加密通道接收来自接入点设备初始配置信息获取 请求。  The receiving module 301 is configured to receive an initial configuration information acquisition request from the access point device through the encrypted channel.
获取模块 302用于根据接收模块 301接收的获取请求, 获取包括归属安全 网关地址信息的接入点设备初始配置信息。  The obtaining module 302 is configured to obtain, according to the obtaining request received by the receiving module 301, initial configuration information of the access point device including the home security gateway address information.
下发模块 303用于通过该加密通道下发获取模块 302获取的包含归属安全 网关地址信息的该接入点设备的初始配置信息。  The sending module 303 is configured to send, by using the encrypted channel, the initial configuration information of the access point device that includes the home security gateway address information acquired by the obtaining module 302.
本实施例接收模块通过加密通道传输接入点设备初始配置信息获取请 求, 获取模块获取的接入点设备初始配置信息通过下发模块经该加密通道进 行下发, 从而降低了接入点设备初始配置信息在公共网传输过程中被窃取或 篡改的风险, 增强了接入点设备初始配置信息的安全性和可靠性, 相应的接 入点设备根据接收到的可靠的接入点设备初始配置信息进行自动配置, 提高 了接入点设备自启动的安全性; 由于接入点设备初始配置信息获取请求及接 入点设备初始配置信息在公共网中都是通过加密的方式进行传输, 因此有利 于保障归属服务器上的敏感信息的安全, 也有利于保障其他接入点设备能够 从归属服务器上获取相应的接入点设备初始配置信息, 从而保证业务的顺利 运行。 In this embodiment, the receiving module transmits the initial configuration information acquisition request of the access point device through the encrypted channel, and the initial configuration information of the access point device acquired by the obtaining module is sent by the sending module through the encrypted channel, thereby reducing the initiality of the access point device. The risk of the configuration information being stolen or tampered with during the transmission of the public network enhances the security and reliability of the initial configuration information of the access point device. The corresponding access point device according to the received initial configuration information of the reliable access point device. Automatic configuration improves the security of the self-starting of the access point device; since the initial configuration information acquisition request of the access point device and the initial configuration information of the access point device are transmitted in an encrypted manner in the public network, it is beneficial to Securing the sensitive information on the home server is also beneficial to ensure that other access point devices can obtain the initial configuration information of the corresponding access point device from the home server, thus ensuring smooth service. Run.
The units of the embodiments of the present invention may be integrated in one body or deployed separately. The above units may be combined into one unit or further split into a plurality of sub-units.
The network device of this embodiment may be an initial function server, a home server, or the like. For the application of this embodiment in a more detailed network architecture, refer to the text descriptions of the second to fourth embodiments of the network system of the present invention and to FIGS. 6-8, which are not repeated here. The access point device of this embodiment may be a wireless access device, such as a base station.
FIG. 10 is a structural diagram of an embodiment of an access point device according to the present invention. As shown in FIG. 10, the apparatus implementing self-start of the access point device in this embodiment includes a setting module 101, a requesting module 102 and a startup module 103.
The setting module 101 is configured to set the SeGW address information and ABF address information corresponding to the path where the access point device initial configuration information is stored.
The requesting module 102 is configured to establish an encrypted channel with the SeGW corresponding to the SeGW address information preset by the setting module 101 and, through that encrypted channel, to send an access point device initial configuration information acquisition request to the ABF corresponding to the ABF address information preset by the setting module 101.
The startup module 103 is configured to receive, through the encrypted channel established by the requesting module 102, the access point device initial configuration information containing the home security gateway address information, and to initiate the service flow towards the corresponding home security gateway according to that home security gateway address information.
In this embodiment the setting module presets the security gateway address information and initial function server address information corresponding to the path where the access point device initial configuration information is stored; the requesting module establishes an encrypted channel with the corresponding security gateway, and both the access point device initial configuration information acquisition request and the corresponding initial configuration information are carried through that encrypted channel. This reduces the risk that the access point device initial configuration information is stolen or tampered with while in transit over the public network and improves its security and reliability; the startup module configures the device automatically from trustworthy initial configuration information, which makes the self-start of the access point device more secure. Because both the acquisition request and the initial configuration information are carried in encrypted form over the public network, sensitive information held on the home server is protected, and other APs remain able to obtain their own initial configuration information from the home server, so that service runs smoothly.
The units of the embodiments of the present invention may be integrated in one body or deployed separately. The above units may be combined into one unit or further split into a plurality of sub-units.
In the field of communications, in particular wireless communications, this embodiment may specifically be an access point device. For the detailed structure of the functional modules of this embodiment, refer to the text descriptions of the second to fourth embodiments of the network system of the present invention and to FIGS. 6-8, which are not repeated here.
A person of ordinary skill in the art will understand that all or part of the steps of the above method embodiments may be completed by hardware driven by program instructions. The program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments; the storage medium includes any medium that can store program code, such as a ROM, a RAM, a magnetic disk or an optical disc.
Finally, it should be noted that the above embodiments are intended only to illustrate the technical solutions of the present invention and not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, a person of ordinary skill in the art will understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, without departing in substance from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims

1. A method for delivering access point device initial configuration information, comprising: receiving an initial configuration information acquisition request from an access point device through an encrypted channel;
obtaining, according to the acquisition request, access point device initial configuration information that includes home security gateway address information;
sending the access point device initial configuration information to the access point device through the encrypted channel.
2. The method for delivering access point device initial configuration information according to claim 1, wherein obtaining the access point device initial configuration information that includes home security gateway address information comprises: an initial function server obtaining, according to the request, the corresponding access point device initial configuration information from a home server that stores the access point device initial configuration information.
3. The method for delivering access point device initial configuration information according to claim 2, wherein, before receiving the access point device initial configuration information acquisition request through the encrypted channel, the method further comprises:
presetting, by the access point device, security gateway address information and initial function server address information; establishing an encrypted channel with the security gateway corresponding to the preset security gateway address information; and sending, through that encrypted channel, an access point device configuration information acquisition request to the initial function server corresponding to the preset initial function server address information.
4. The method for delivering access point device initial configuration information according to claim 3, wherein the address information comprises IP address information.
5. The method for delivering access point device initial configuration information according to claim 3, wherein the address information comprises fully qualified domain name address information.
6. The method for delivering access point device initial configuration information according to claim 5, wherein, before establishing the encrypted channel with the security gateway corresponding to the preset security gateway address information, the method further comprises:
converting the preset security gateway fully qualified domain name address information into initial security gateway IP address information.
7. The method for delivering access point device initial configuration information according to claim 6, wherein, after establishing the encrypted channel with the security gateway corresponding to the preset security gateway address information, the method further comprises:
converting the preset initial function server fully qualified domain name address information into initial function server IP address information.
8. The method for delivering access point device initial configuration information according to any one of claims 1-7, wherein, after sending the access point device initial configuration information through the encrypted channel, the method further comprises:
releasing the encrypted channel, and initiating, by the access point device, a service flow towards the home security gateway corresponding to the home security gateway address information.
9. The method for delivering access point device initial configuration information according to claim 8, wherein, before initiating the service flow towards the home security gateway, the method further comprises:
determining whether the received home security gateway address information is the same as the preset security gateway address information and, if they are the same, initiating the service flow towards the home security gateway corresponding to the home security gateway address information through the encrypted channel.
10. A network system, comprising an access point device, a security gateway and an initial function server, wherein:
the access point device is configured to establish an encrypted channel with the security gateway corresponding to preset security gateway address information and to receive, through that encrypted channel, the corresponding access point device initial configuration information from the initial function server;
the security gateway is configured to establish the encrypted channel with the access point device;
the initial function server is configured to receive an initial configuration information acquisition request from the access point device, obtain, according to the acquisition request, access point device initial configuration information that includes home security gateway address information, and send the access point device initial configuration information to the access point device through the encrypted channel.
11. The network system according to claim 10, further comprising:
a home server configured to store the access point device initial configuration information; wherein the initial function server is further configured to obtain the access point device initial configuration information from the home server according to the acquisition request.
12. The network system according to claim 11, further comprising: a first domain name server configured to convert security gateway fully qualified domain name address information received from the access point device into the corresponding security gateway IP address information and to send the converted security gateway IP address information to the access point device.
13. The network system according to claim 11, further comprising: a second domain name server configured to convert initial function server fully qualified domain name address information received from the access point device into the corresponding initial function server IP address information and to send the converted initial function server IP address information to the access point device.
14. A network device, comprising:
a receiving module configured to receive an initial configuration information acquisition request from an access point device through an encrypted channel;
an obtaining module configured to obtain, according to the acquisition request, access point device initial configuration information that includes home security gateway address information;
a sending module configured to send the access point device initial configuration information to the access point device through the encrypted channel.
15. An access point device, comprising:
a setting module configured to preset security gateway address information and initial function server address information; a requesting module configured to establish an encrypted channel with the security gateway corresponding to the preset security gateway address information and to send, through that encrypted channel, an access point device configuration information acquisition request to the initial function server corresponding to the preset initial function server address information;
a startup module configured to receive, through the encrypted channel, access point device initial configuration information from the initial function server and to initiate a service flow towards the corresponding home security gateway according to the home security gateway address information contained in the access point device initial configuration information.
16. The access point device according to claim 15, wherein the setting module is a first setting module configured to set security gateway IP address information and initial function server IP address information.
17. The access point device according to claim 15, wherein the setting module is a second setting module configured to set security gateway fully qualified domain name address information and initial function server fully qualified domain name address information.
18. The access point device according to claim 17, wherein the requesting module comprises:
a first query unit configured to query the security gateway IP address information corresponding to the security gateway fully qualified domain name address information preset by the second setting module;
a channel establishing unit configured to establish an encrypted channel with the security gateway corresponding to the security gateway IP address information;
a second query unit configured to query the initial function server IP address information corresponding to the initial function server fully qualified domain name address information preset by the second setting module;
a requesting unit configured to send, through the encrypted channel, an access point device initial configuration information acquisition request to the initial function server corresponding to the initial function server IP address information.
19. The access point device according to any one of claims 16-18, wherein the startup module comprises:
a receiving unit configured to receive, through the encrypted channel, access point device initial configuration information containing home security gateway address information;
a comparing unit configured to release the encrypted channel established by the requesting module when the home security gateway address information differs from the preset security gateway address information;
a startup unit configured to initiate a service flow towards the corresponding home security gateway according to the home security gateway address information contained in the access point device initial configuration information.
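The following is an added example, not code from the patent or from Huawei: a small simulation of the whole exchange described by the access point device embodiment (setting, requesting and startup modules), the network device embodiment (receiving, obtaining and sending modules) and claims 1-9 and 14-19, with both sides' messages in one place. The page does not say which protocol realises the "encrypted channel", so the channel is modelled as an in-memory object that only records which SeGW terminates it and whether it is still open; the DNS table, the home server store, the AP identifiers and every class and function name (`resolve`, `SecureChannel`, `Abf`, `ApDevice`, `demo`) are constructed assumptions for illustration. The comparing-unit behaviour follows claim 19: the initial channel is reused only when the home SeGW returned in the configuration is the SeGW already reached, otherwise it is released and a new channel is established towards the home SeGW before the service flow starts.

```python
"""Added example (not from the patent): simulation of AP self-start over an
encrypted channel to an initial SeGW, configuration fetch from the ABF, and
hand-over to the home SeGW.  All names and data below are assumptions."""
from dataclasses import dataclass, field
import ipaddress

# Constructed sample data (not from the page).
DNS = {
    "segw-initial.example.net": "192.0.2.10",
    "abf.example.net": "192.0.2.20",
}
# Home server store: AP identifier -> initial configuration, which carries
# the home SeGW address (claims 2 and 11).
HOME_SERVER = {
    "ap-0001": {"home_segw": "198.51.100.5", "oam": "198.51.100.9"},
    "ap-0002": {"home_segw": "192.0.2.10", "oam": "198.51.100.9"},
}


def resolve(addr):
    """Claims 4-7: a preset address is either an IP address, used as is, or
    an FQDN that is first converted to an IP address by a DNS query."""
    try:
        return str(ipaddress.ip_address(addr))
    except ValueError:
        return DNS[addr]


@dataclass
class SecureChannel:
    segw_ip: str
    is_open: bool = True

    def release(self):
        self.is_open = False


@dataclass
class Segw:
    ip: str

    def establish(self):
        return SecureChannel(self.ip)


class Abf:
    """Network device of claim 14: receiving, obtaining and sending modules."""

    def __init__(self, home_server):
        self.home_server = home_server

    def handle_request(self, channel, ap_id):
        # Receiving module: a request is only accepted over an open channel.
        if not channel.is_open:
            raise PermissionError("request must arrive over the encrypted channel")
        # Obtaining module: fetch the AP's entry from the home server.
        cfg = self.home_server.get(ap_id)
        if cfg is None:
            raise KeyError(f"no initial configuration for {ap_id}")
        # Sending module: the reply travels back over the same channel.
        return dict(cfg)


@dataclass
class ApDevice:
    ap_id: str
    preset_segw: str  # setting module (claims 15-17): IP or FQDN
    preset_abf: str
    events: list = field(default_factory=list)

    def bootstrap(self, segws, abfs):
        # Requesting module: resolve the SeGW, build the channel, then resolve
        # the ABF (claim 6 before the channel, claim 7 after it).
        segw_ip = resolve(self.preset_segw)
        channel = segws[segw_ip].establish()
        abf_ip = resolve(self.preset_abf)
        cfg = abfs[abf_ip].handle_request(channel, self.ap_id)
        home_ip = cfg["home_segw"]
        # Comparing unit (claims 9 and 19): keep the channel only if the home
        # SeGW is the one already reached; otherwise release it and
        # re-establish towards the home SeGW before starting service.
        if home_ip == segw_ip:
            self.events.append("reuse")
        else:
            channel.release()
            self.events.append("release")
            channel = segws[home_ip].establish()
        return self.start_service(channel, cfg)

    def start_service(self, channel, cfg):
        # Startup unit: the service flow runs over the channel to the home SeGW.
        return {"segw": channel.segw_ip, "open": channel.is_open, "cfg": cfg}


def demo(ap_id):
    """Run one AP through the exchange; returns (events, service state)."""
    segws = {ip: Segw(ip) for ip in ("192.0.2.10", "198.51.100.5")}
    abfs = {"192.0.2.20": Abf(HOME_SERVER)}
    ap = ApDevice(ap_id, "segw-initial.example.net", "abf.example.net")
    return ap.events, ap.bootstrap(segws, abfs)
```

Running `demo("ap-0001")` shows the release-and-reconnect path (its home SeGW differs from the initial one), while `demo("ap-0002")` shows the reuse path of claim 9. The `PermissionError` in `Abf.handle_request` is the one check a practitioner would insist on: the ABF must never answer a configuration request that did not arrive through the SeGW-terminated channel, since that channel is the only thing standing between the home SeGW address and the public network.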
PCT/CN2009/070397 2008-02-21 2009-02-11 Method, device and system for sending initial configuration message to access point device WO2009103227A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CNA2008100579451A CN101515881A (en) 2008-02-21 2008-02-21 Method, device and system for transmitting initial configuration information of access point equipment
CN200810057945.1 2008-02-21

Publications (1)

Publication Number Publication Date
WO2009103227A1 true WO2009103227A1 (en) 2009-08-27

Family

ID=40985066

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2009/070397 WO2009103227A1 (en) 2008-02-21 2009-02-11 Method, device and system for sending initial configuration message to access point device

Country Status (2)

Country Link
CN (1) CN101515881A (en)
WO (1) WO2009103227A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103634877A (en) * 2013-11-29 2014-03-12 福建星网锐捷网络有限公司 Management method for AP (access point) in AC (access controller)-free network and AP equipment
CN105392131A (en) * 2015-10-19 2016-03-09 上海斐讯数据通信技术有限公司 Device and method for configuring and managing wireless access point

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104185199B (en) * 2014-08-25 2017-12-05 大唐移动通信设备有限公司 A kind of base station self-starting and its control method and device
CN109510777B (en) * 2018-11-09 2022-02-22 迈普通信技术股份有限公司 Flow table arranging method and device and SDN controller
CN110166583A (en) * 2019-05-29 2019-08-23 京信通信系统(中国)有限公司 Small base station access method, device, equipment, system and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050163078A1 (en) * 2004-01-22 2005-07-28 Toshiba America Research, Inc. Mobility architecture using pre-authentication, pre-configuration and/or virtual soft-handoff
CN1848977A (en) * 2006-02-24 2006-10-18 华为技术有限公司 Method for insertion point obtaining insertion gateway address in mobile communication network
US20080039086A1 (en) * 2006-07-14 2008-02-14 Gallagher Michael D Generic Access to the Iu Interface

Also Published As

Publication number Publication date
CN101515881A (en) 2009-08-26

Similar Documents

Publication Publication Date Title
US10326737B2 (en) Mobile hotspot managed by access controller
US8842830B2 (en) Method and apparatus for sending a key on a wireless local area network
CN106789527B (en) Private network access method and system
WO2005104597A1 (en) Improved subscriber authentication for unlicensed mobile access signaling
EP2643996A1 (en) Automatic remote access to ieee 802.11 networks
US20140302873A1 (en) Location verification in communication systems
US11871223B2 (en) Authentication method and apparatus and device
WO2010130174A1 (en) Method for enabling local access control and corresponding communication system
EP2496007A2 (en) Method and apparatus for provisioning of information in a cellular communication network
US20160065575A1 (en) Communication Managing Method and Communication System
WO2016004822A1 (en) Method and apparatus for network switching
WO2014048373A1 (en) Method and device for wireless information transmission
WO2009103227A1 (en) Method, device and system for sending initial configuration message to access point device
WO2012151905A1 (en) Method and device for network handover
CN104518874A (en) Network access control method and system
US9473934B2 (en) Wireless telecommunications network, and a method of authenticating a message
CN102883265B (en) The positional information method of sending and receiving of access user, equipment and system
WO2014201766A1 (en) Emergency communication method, mobile terminal, authentication server and wireless access point
KR101434750B1 (en) Geography-based pre-authentication for wlan data offloading in umts-wlan networks
WO2015042917A1 (en) Wireless secure access method, apparatus and system
WO2010124608A1 (en) Method for implementing emergency service and home base station thereof
WO2012174884A1 (en) Access control method and device, interface and security gateway
CN113498055B (en) Access control method and communication equipment
CN101827344A (en) Method and device for processing emergency call
WO2021253859A1 (en) Slice authentication method and system

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 09712239

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 09712239

Country of ref document: EP

Kind code of ref document: A1