CN100596069C - Automatic configuration system and method of IPSec safety tactis in domestic gateway - Google Patents


Info

Publication number
CN100596069C
Authority
CN
China
Prior art keywords
ipsec
security
parameter
strategy
home gateway
Prior art date
Legal status
Active
Application number
CN200610109663A
Other languages
Chinese (zh)
Other versions
CN1905452A (en)
Inventor
王和宇
广小明
傅彦生
李子涛
杨明川
雷葆华
杨战宏
谭国权
Current Assignee
China Telecom Corp Ltd
Original Assignee
China Telecom Corp Ltd
Priority date
Filing date
Publication date
Application filed by China Telecom Corp Ltd
Priority to CN200610109663A
Publication of CN1905452A
Application granted
Publication of CN100596069C
Legal status: Active
Anticipated expiration

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

After a user subscribes to a service, the IPSec security policy server module first generates the corresponding IPSec security policy, in the form of a policy database or policy directory, according to operating conditions and/or the customer's requirements; the security policy parameters in that policy are defined according to the parameter definitions of the invention. The server module then establishes a connection with the IPSec security policy agent module and transfers the generated security policy parameters to it. The exchange between the IPSec security policy server module and the IPSec security policy agent module follows the provisions of TR-069, so that the IPSec security policy is managed and controlled between the ACS and the home gateway and the related information is issued to the home gateway. Finally, the IPSec security policy agent module loads the IPSec security policy in the home gateway, achieving automatic configuration.

Description

System and method for automatic configuration of IPSec security policy in a home gateway
Technical field
The present invention relates to the field of data communication built on IP network technology, and in particular to the configuration of IPSec-based security policy.
Background technology
With the rapid expansion of the Internet and the continuous growth of network information resources and user numbers, network security is becoming ever more important, yet security has always been a weak link in Internet use. IPSec (Internet Protocol Security) is a network security protocol that provides transparent security services for IP network communication: it protects IP data packets, resists network attacks effectively, and remains easy to use. The home gateway is the key device of the broadband Internet network, connecting the many kinds of terminals in the home network to the Internet. An operator can use the home gateway as the security entry point and, over the IPSec-based secure channel between the operations system and the peer home gateway, realize unified and controllable authentication, data integrity protection and data confidentiality protection.
The problem at present is that management and control of the IPSec protocol itself are fairly complex, so when an operator deploys IPSec-based security services, the question of how to provide automatic deployment and management of the IPSec security service becomes the most important one.
In the IPSec security architecture, management and control of the IPSec protocol are at present realized mainly through the policy system defined by the IETF (Internet Engineering Task Force), which specifies a security policy information model and a security policy distribution and control protocol. This system mainly has problems in the following two respects:
(1) On the information model side, the model is an object-oriented security policy information model and is mainly a device- and network-level representation of information; its ability to express services and applications is limited, vendor equipment supports the model only to a limited extent, and different vendors' definitions are inconsistent;
(2) On the policy distribution side, the security policy distribution protocol is built around SNMP (Simple Network Management Protocol) or COPS (Common Open Policy Service) and mainly aims to automate network configuration: it manages and controls the network by directly reading and setting the MIB (management information base) or PIB (policy information base) data that are closely tied to the equipment. This approach cannot effectively shield upper-layer services and applications from the differences between the underlying networks and devices, and it is not suited to complex client-based security service interactions. In service configuration management in particular, a synchronous, passive request-response mode of operation (Synchronized Passive Mode) and an asynchronous, active command-notification mode (Asynchronized Positive Mode) are often equally important, but an SNMP-based management protocol cannot meet the requirement for such flexible modes of operation.
Therefore, when an operator deploys an IPSec-based security management system around the home gateway, the IETF security policy system cannot meet the demand, either in describing the attributes of the security service or in supporting both active and passive modes of management and interaction for multiple services.
TR-069, whose full name is "CPE WAN Management Protocol", is a technical specification developed by the DSL (Digital Subscriber Line) Forum. It provides a general framework and protocol for managing and configuring home network devices in next-generation networks, and is used for remote centralized management of home network gateways, routers, set-top boxes and similar devices from the network side. In a broadband IP network environment centered on the home gateway, the DSL Forum uses TR-069 to carry Internet and service configuration management information between the home gateway and the Automatic Configuration Server (ACS). Its network structure is shown in Figure 1: the BRAS (Broadband Remote Access Server) and the DSLAM (Digital Subscriber Line Access Multiplexer) are interconnected through the broadband access network, and the Automatic Configuration Server ACS exchanges information with the home gateway and issues service configuration information to it automatically.
Using the TR-069 protocol to configure CPE (customer premises equipment) mainly brings the following improvements compared with SNMP/MIB:
(1) configuration management of the customer device covers both the network layer and the service layer, bringing the configuration of complex service applications in the terminal system into a unified configuration management framework;
(2) the underlying bearer protocol of TR-069 is SOAP (Simple Object Access Protocol) over HTTP (Hypertext Transfer Protocol), and messages and calls use RPC (remote procedure call); the expressive power of SOAP message encoding is thus used to enhance the description of service attributes, and the security of the management protocol is guaranteed by the underlying SSL/TLS (Secure Sockets Layer/Transport Layer Security) or by HTTP digest authentication;
(3) a directory-like structure and attribute definitions strengthen the ability to describe equipment from different vendors, different service types and so on, improving the extensibility of the management system.
However, TR-069 does not cover IPSec security: it defines neither IPSec-related parameters nor a configuration information template for them, so an operator cannot realize automatic deployment of IPSec security policy on the basis of current TR-069. To deploy IPSec security policy (configuration of IPSec-related parameters) automatically on, for example, a home gateway by means of TR-069, TR-069 must therefore be extended.
Summary of the invention
The object of this invention is to provide a method and system for automatically configuring IPSec security policy in a home gateway on the basis of TR-069.
The present invention is aimed primarily at the home network environment and proposes a new method of deploying IPSec security policy automatically by extending the management control protocol between the home gateway and the Automatic Configuration Server. In this method, a CPE such as a home gateway obtains the configuration parameters of the security policy by communicating with an Automatic Configuration Server on the network and then loads these parameters locally, thereby achieving automatic configuration of the IPSec security policy. The communication process uses the mode defined by TR-069.
The system and method introduce a security policy mechanism, such as a security service policy server, between the ACS and the CPE (for example the home gateway) to realize management and control of IPSec.
According to the present invention, a method for automatically configuring IPSec security policy in a home gateway on the basis of TR-069 is provided, the method comprising: as required, producing the IPSec security policy by having the Automatic Configuration Server access a policy database, wherein the configuration parameters in the IPSec security policy are IPSec CPE security parameters defined as an extension following the parameter-definition standard of TR-069; obtaining the configuration parameters of the IPSec security policy from the Automatic Configuration Server through communication between the customer premises equipment and the Automatic Configuration Server; and loading the obtained IPSec security policy parameters locally at the home gateway, thereby realizing automatic configuration of the IPSec security policy in the home gateway.
According to the present invention, a system for automatically configuring IPSec security policy in a home gateway on the basis of TR-069 is provided, the system comprising: an IPSec security policy server module extended in the Automatic Configuration Server, for accessing, as required, a policy database to produce the IPSec security policy, wherein the configuration parameters in the IPSec security policy are IPSec CPE security parameters defined as an extension following the parameter-definition standard of TR-069; an IPSec security policy agent module extended in the customer premises equipment, for communicating with the IPSec security policy server module and obtaining the configuration parameters of the IPSec security policy from it; and a home gateway, for loading the obtained IPSec security policy parameters locally through the IPSec security policy agent module, thereby realizing automatic configuration of the IPSec security policy in the home gateway.
The above and other objects, features, aspects and advantages of the present invention will become more apparent from the following detailed description taken in conjunction with the accompanying drawings.
Description of drawings
Fig. 1 shows the network structure of current TR-069;
Fig. 2 shows the security policy management system according to the present invention, which conforms to the TR-069 framework;
Fig. 3 shows the control flow of static IPSec security policy management started by a home gateway connection, according to an embodiment of the invention;
Fig. 4 shows the control flow of static IPSec security policy management started by a server-side connection, according to an embodiment of the invention;
Fig. 5 shows the control flow of dynamic IPSec security policy management started by a home gateway connection, according to an embodiment of the invention;
Fig. 6 shows the control flow of dynamic IPSec security policy management started by a server-side connection, according to an embodiment of the invention.
Embodiment
Below, the home gateway security policy parameters defined according to the present invention on the basis of TR-069 are described first.
According to the present invention, IPSec CPE security parameters are defined as an extension following the parameter-definition standard of TR-069, for example TR-069 Appendix B "CPE Parameter". This parameter extension falls within the device- and operation-related parameter section and may, for example, be defined as "X_ChinaTelecom-COM-CN IPSec". It mainly comprises four groups of parameters:
(1) IPSec: the IPSec security top-level object, including the version number;
(2) IPSec.PeerIdentification: identification of the network-layer communication peer entity, i.e. the parameters of the communication entity at the network and transport layers, including source IP address, destination IP address, source port number, destination port number, transport-layer protocol and IP-layer traffic direction;
(3) IPSec.IKENegotiation: parameters of the IPSec IKE negotiation process, including those used in IKE (Internet Key Exchange) negotiation such as the negotiation mode, cipher algorithm, hash algorithm, authentication algorithm and IKE lifetime;
(4) IPSec.IPSecNegotiation: parameters of the IPSec parameter negotiation process, including those used in IPSec negotiation such as the protection mode, tunnel peer gateway address, ESP (Encapsulating Security Payload) integrity algorithm, ESP cipher algorithm and SA (security association) lifetime.
The specific parameters of the IPSec CPE extension described above may, for example, be as shown in the following table:
Parameter name             Type        Readable  Writable  Description
IPSec                      Object      R                   IPSec security top-level object
Version                    String(16)  R                   IPSec security version information
IPSec.PeerIdentification   Object      R         W         Network-layer communication peer entity identification
SourceIPAddress            String      R         W         Source IP address
DestIPAddress              String      R         W         Destination IP address
SourcePort                 String      R         W         Source port number
DestPort                   String      R         W         Destination port number
TransportProtocol          String      R         W         Transport-layer protocol
Direction                  String      R         W         IP-layer traffic direction, either "Outbound" or "Inbound"
IPSec.IKENegotiation       Object      R         W         IPSec IKE negotiation process
ExchangeMode               String(16)  R         W         IKE negotiation mode, one of Main or Aggressive
CipherAlg                  String(16)  R         W         Cipher algorithm, may be DES, 3DES or AES
HashAlg                    String(16)  R         W         Hash algorithm, may be HMAC-MD5 or SHA-1
AuthAlg                    String(16)  R         W         Authentication algorithm, may be PSK or X.509
IKEMaxLifetime             String(16)  R         W         IKE lifetime
IPSec.IPSecNegotiation     Object      R                   IPSec parameter negotiation process
ProtectionMode             String(16)  R         W         Protection mode, one of Tunnel or Transport
PeerGateway                String      R         W         Tunnel peer gateway address
ESPIntegrity               String(16)  R         W         ESP integrity algorithm
ESPCipher                  String(16)  R         W         ESP cipher algorithm
SALifetime                 String(16)  R         W         SA lifetime
Those skilled in the art will appreciate that the above parameter definitions relating to IPSec CPE are exemplary only and do not limit the present invention; that is, the parameters relating to IPSec CPE should not be regarded as confined to the definitions above. They may be modified and changed according to the actual operating situation and needs.
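The following validator is an added example, not code from the patent or from China Telecom: it encodes the parameter table above as a schema and checks a set of values the way an ACS should before sending them to a gateway (read-only leaves, String(16) limits, the enumerated choices, and the tunnel/peer-gateway dependency). The full path prefix, the address/port/lifetime formats and the weak-algorithm warnings are assumptions added here; the page only gives the leaf names and types.

```python
"""Validator for a TR-069 parameter set under the IPSec extension object described
in the table above. Added example; not the patent's own code."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Assumed full path of the extension object (the patent names only the leaf
# "X_ChinaTelecom-COM-CN_IPSec"; the InternetGatewayDevice prefix is an assumption).
PREFIX = "InternetGatewayDevice.X_ChinaTelecom-COM-CN_IPSec."

# Leaf parameters from the table: relative path -> (type, writable, allowed values).
# String(16) carries a 16-character limit; plain String does not.
SCHEMA: Dict[str, Tuple[str, bool, Optional[Tuple[str, ...]]]] = {
    "Version":                              ("String(16)", False, None),
    "PeerIdentification.SourceIPAddress":   ("String", True, None),
    "PeerIdentification.DestIPAddress":     ("String", True, None),
    "PeerIdentification.SourcePort":        ("String", True, None),
    "PeerIdentification.DestPort":          ("String", True, None),
    "PeerIdentification.TransportProtocol": ("String", True, None),
    "PeerIdentification.Direction":         ("String", True, ("Outbound", "Inbound")),
    "IKENegotiation.ExchangeMode":          ("String(16)", True, ("Main", "Aggressive")),
    "IKENegotiation.CipherAlg":             ("String(16)", True, ("DES", "3DES", "AES")),
    "IKENegotiation.HashAlg":               ("String(16)", True, ("HMAC-MD5", "SHA-1")),
    "IKENegotiation.AuthAlg":               ("String(16)", True, ("PSK", "X.509")),
    "IKENegotiation.IKEMaxLifetime":        ("String(16)", True, None),
    "IPSecNegotiation.ProtectionMode":      ("String(16)", True, ("Tunnel", "Transport")),
    "IPSecNegotiation.PeerGateway":         ("String", True, None),
    "IPSecNegotiation.ESPIntegrity":        ("String(16)", True, None),
    "IPSecNegotiation.ESPCipher":           ("String(16)", True, None),
    "IPSecNegotiation.SALifetime":          ("String(16)", True, None),
}

# Choices the table permits that a reviewer should flag before accepting a policy
# (caveat added here, not stated by the patent).
WEAK = {
    "DES": "single DES (56-bit key) is brute-forceable",
    "HMAC-MD5": "MD5-based integrity is deprecated",
    "Aggressive": "IKEv1 aggressive mode with PSK exposes the PSK hash to offline guessing",
}


def _check_value(leaf: str, value: str) -> Optional[str]:
    """Return an error string for one leaf/value pair, or None if it is acceptable.
    Address, port and lifetime formats are assumptions; the table only says String."""
    typ, _, allowed = SCHEMA[leaf]
    if typ == "String(16)" and len(value) > 16:
        return f"{leaf}: value exceeds 16 characters"
    if allowed is not None and value not in allowed:
        return f"{leaf}: {value!r} is not one of {allowed}"
    if leaf.endswith(("SourceIPAddress", "DestIPAddress", "PeerGateway")):
        try:
            ipaddress.ip_address(value)
        except ValueError:
            return f"{leaf}: {value!r} is not an IP address"
    if leaf.endswith(("SourcePort", "DestPort")) and not (value.isdigit() and int(value) <= 65535):
        return f"{leaf}: {value!r} is not a port number"
    if leaf.endswith("Lifetime") and not (value.isdigit() and int(value) > 0):
        return f"{leaf}: {value!r} is not a positive lifetime in seconds"
    return None


def validate_policy(values: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Validate a {full parameter path: value} set as the ACS would before issuing it.
    Returns (errors, warnings): errors block the policy, warnings mark weak choices."""
    errors: List[str] = []
    warnings: List[str] = []
    for path, value in values.items():
        if not path.startswith(PREFIX):
            errors.append(f"{path}: not under the IPSec extension object")
            continue
        leaf = path[len(PREFIX):]
        if leaf not in SCHEMA:
            errors.append(f"{leaf}: unknown parameter")
            continue
        if not SCHEMA[leaf][1]:
            errors.append(f"{leaf}: read-only parameter cannot be set")
            continue
        err = _check_value(leaf, value)
        if err:
            errors.append(err)
        elif value in WEAK:
            warnings.append(f"{leaf}: {WEAK[value]}")
    # Cross-field rule: tunnel mode needs the tunnel peer gateway address.
    if (values.get(PREFIX + "IPSecNegotiation.ProtectionMode") == "Tunnel"
            and PREFIX + "IPSecNegotiation.PeerGateway" not in values):
        errors.append("IPSecNegotiation.PeerGateway: required when ProtectionMode is Tunnel")
    return errors, warnings


# Constructed sample policy: an outbound tunnel from the home to a company gateway.
SAMPLE_POLICY = {
    PREFIX + "PeerIdentification.SourceIPAddress": "192.0.2.10",
    PREFIX + "PeerIdentification.DestIPAddress": "198.51.100.20",
    PREFIX + "PeerIdentification.SourcePort": "0",
    PREFIX + "PeerIdentification.DestPort": "0",
    PREFIX + "PeerIdentification.TransportProtocol": "any",
    PREFIX + "PeerIdentification.Direction": "Outbound",
    PREFIX + "IKENegotiation.ExchangeMode": "Main",
    PREFIX + "IKENegotiation.CipherAlg": "AES",
    PREFIX + "IKENegotiation.HashAlg": "SHA-1",
    PREFIX + "IKENegotiation.AuthAlg": "X.509",
    PREFIX + "IKENegotiation.IKEMaxLifetime": "28800",
    PREFIX + "IPSecNegotiation.ProtectionMode": "Tunnel",
    PREFIX + "IPSecNegotiation.PeerGateway": "198.51.100.1",
    PREFIX + "IPSecNegotiation.ESPIntegrity": "HMAC-SHA1",
    PREFIX + "IPSecNegotiation.ESPCipher": "AES",
    PREFIX + "IPSecNegotiation.SALifetime": "3600",
}

if __name__ == "__main__":
    errs, warns = validate_policy(SAMPLE_POLICY)
    print("errors:", errs)
    print("warnings:", warns)
```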
The structure of the security policy management system conforming to the TR-069 framework is described with reference to Fig. 2.
Fig. 2 is a schematic diagram of the security policy management system with IPSec-related parameter configuration added under the TR-069 framework. From the viewpoint of security policy, this system is divided into four layers. The security policy management application 10 is placed on the ACS, and the CPE 40 is the final deployment point of the security policy. Between the ACS/security policy management application 10 and the CPE 40 lie the security policy service control layer 20 and the security policy network control layer 30. The ACS/security policy management application 10 comprises an ACS service configuration management module 11 for ACS service configuration management and a security policy application module 12 for the security policy management application. The security policy service control layer 20 comprises the IPSec security policy server module IPSPSM 21 and its policy database/directory structure 22 of security service policies. As required, the IPSPSM 21 reads and writes the policy database and directory structure 22 and generates the security policy that will be configured into the home gateway 42. The security policy network control layer 30 is responsible for transferring the security policy by a given protocol, for example SOAP/HTTP/HTTPS (HTTP secure protocol). The CPE 40, which comprises the home gateway 42, is the receiving point and final deployment point of the security policy. At the CPE 40 layer, the IPSec security policy agent module IPSPAM 41 and the IPSPSM 21 carry out the information exchange for IPSec policy management and control, and the IPSec security policy is loaded locally on, for example, the home gateway 42.
Using the method defined by TR-069, a CPE 40 comprising a home gateway can obtain the corresponding security policy from the ACS via SOAP/HTTP/HTTPS according to the attributes of the security service subscription, and complete the loading of the security policy locally.
The main logical functional entities are described with reference to Fig. 2.
According to the present invention, IPSec security policy management and control are supported by functional modules added as extensions to the existing ACS and home gateway. The extended functional modules mainly comprise the IPSec security policy server module IPSPSM (IPSec Policy Server Module) 21, extended on the ACS, and the IPSec security policy agent module IPSPAM (IPSec Policy Agent Module) 41, extended on the home gateway. The IPSPSM 21 and the IPSPAM 41 follow the provisions of TR-069 to realize management and control of the IPSec security policy between the ACS and the home gateway, and finally the IPSec security policy is loaded in the home gateway 42.
The IPSec security policy server module (IPSPSM) 21 is described in detail below.
IPSPSM 21 is a functional module extended on the ACS. Its main function is to generate the corresponding IPSec security policy by accessing the policy database and directory structure 22 according to requirements such as service operation and/or customer service subscriptions. The security policy is realized in the form of a policy database or policy directory, and its security policy parameters follow the parameter definitions above. In addition, the IPSPSM 21 connects to the IPSPAM 41, for example via SOAP/HTTP/HTTPS, and transfers the generated security policy parameters. IPSPSM 21 may be implemented in a variety of ways such as software, hardware, firmware or circuitry, and is not limited to any specific physical structure.
IPSPSM 21 supports two ways of establishing the connection: started by the server side or started by the home gateway. A server-side connection start is realized, for example, by the ACS sending an HTTP GET to the home gateway 42 to invoke the RPC Connection Request Notification. A home gateway connection start is realized, for example, by the home gateway sending an HTTP POST to the ACS to invoke the RPC Inform Request.
Next, the IPSec security policy agent module (IPSPAM) 41 is described.
IPSPAM 41 is a module extended on the home gateway. Its main function is to carry out the information exchange for IPSec policy management and control with IPSPSM 21, to receive the IPSec security policy-related security parameters from IPSPSM 21 and, based on the received security parameters, to load the IPSec security policy locally. IPSPAM 41 may be implemented in a variety of ways such as software, hardware, firmware or circuitry, and is not limited to any specific physical structure.
IPSPAM supports two modes of operation: on the one hand it supports the static security policy loading defined by the user and the service operation, where the static security policy can be realized either by a server-side connection start or by a home gateway connection start; on the other hand it can support dynamic security policy loading for the user's security services.
The management and control flows between the ACS/IPSPSM and the home gateway are described in detail below with reference to Figs. 3 to 6.
Management and control between the ACS/IPSPSM and the home gateway have two execution modes: the static IPSec security policy execution mode and the dynamic IPSec security policy execution mode. Each mode in turn includes a server-side connection start and a home gateway connection start.
Static IPSec security policy execution mode
The static IPSec security policy applies to the security policy formulated when the user subscribes to a service, for example a secure tunnel between the user's home and company; on the other hand, it also covers the security services the operator has to provide in its own service operation. The static IPSec security policy can be downloaded from the ACS/IPSPSM to the home gateway/IPSPAM and loaded locally either by a home gateway connection start or by a server-side connection start; the two connection start modes add flexibility to management and control. These two modes are described with reference to Figs. 3 and 4.
A. Home gateway connection start
Fig. 3 shows the control flow of static IPSec security policy management started from the home gateway connection, where the transferred parameters are, for example, the "X_ChinaTelecom-COM-CN_IPSec" parameters defined in the present invention.
In step A.1, the home gateway 42 uses the defined ACS address (for example InternetGatewayDevice.ManagementServer.URL) to open a connection to the ACS. In step A.2, SSL establishes a secure connection between the home gateway 42 and the ACS. In step A.3, the home gateway 42 sends an RPC Inform Request over HTTP POST on the connection established to the ACS; this Inform message notifies the ACS/IPSPSM that the home gateway 42 is ready, and the gateway then waits to accept the SOAP-IPSecPolicy request from the ACS/IPSPSM. In step A.4, the ACS/IPSPSM sends the SOAP request message to the home gateway/IPSPAM in the HTTP Response and, having confirmed that the home gateway 42 is initializing its IPSec protocol stack for the first time, sends the IPSec policy object to the home gateway 42 by the AddObject method. In step A.5, after the home gateway/IPSPAM device has completed loading the local IPSec protocol stack, it notifies the ACS/IPSPSM of the security policy loading result in the AddObject response sent over HTTP POST.
B. Server-side connection start
Fig. 4 shows the control flow of static IPSec security policy management started from the ACS/IPSPSM connection. This mode requires the home gateway to have a globally routable address; apart from the connection being initiated from the server, it differs from the previous mode in needing one additional authentication step.
The steps are as follows:
In step B.1, the ACS/IPSPSM uses HTTP GET to send a connection request to the home gateway/IPSPAM; the prerequisite for a server-side connection start is that the home gateway has a globally routable address (InternetGatewayDevice.ManagementServer.ConnectRequestURL). In step B.2, the ACS/IPSPSM is required to use, for example, digest authentication on the HTTP GET to the home gateway/IPSPAM; the home gateway must authenticate the ACS by the digest and performs the subsequent actions only after the authentication has succeeded. In step B.3, on the basis of the successful authentication, the home gateway/IPSPAM establishes the connection to the ACS/IPSPSM. Steps B.4 to B.7 are then executed; they are identical to steps A.2 to A.5 of Fig. 3. In step B.4, SSL establishes a secure connection between the home gateway 42 and the ACS. In step B.5, the home gateway 42 sends an RPC Inform Request over HTTP POST on the connection established to the ACS; this Inform message notifies the ACS/IPSPSM that the home gateway 42 is ready, and the gateway then waits to accept the SOAP-IPSecPolicy request from the ACS/IPSPSM. In step B.6, the ACS/IPSPSM sends the SOAP request message to the home gateway/IPSPAM in the HTTP Response and, having confirmed that the home gateway 42 is initializing its IPSec protocol stack for the first time, sends the IPSec policy object to the home gateway 42 by the AddObject method. In step B.7, after the home gateway/IPSPAM device has completed loading the local IPSec protocol stack, it notifies the ACS/IPSPSM of the security policy loading result in the AddObject response sent over HTTP POST.
Dynamic IPSec security policy execution mode
After the static IPSec security policy issuing process has been executed, the security policy can also be modified dynamically. With the dynamic IPSec security policy, when the IPSec security parameters change dynamically, the ACS/IPSPSM notifies the home gateway/IPSPAM to modify the IPSec security policy parameters on the fly, changing the security behaviour of the IPSec protocol stack; in addition, when the home gateway/IPSPAM receives a dynamic IPSec security request from a terminal device, it can, through the dynamic IPSec security policy execution mode, notify the ACS/IPSPSM to download dynamically a security policy that meets the subscribed security protocol requirements. The dynamic security policy mode makes higher demands on the home gateway/IPSPAM and adds an automatic IPSec security negotiation capability between the terminal device and the home gateway/IPSPAM, which needs to be standardized separately.
The prerequisite of the dynamic IPSec security policy execution mode is that the static IPSec security policy process has been executed successfully once between the ACS/IPSPSM and the home gateway/IPSPAM. As with the static process, it is divided into the two modes of home gateway connection start and server-side connection start. Its execution flow is similar to the static IPSec security policy process; the difference is that the IPSec security policy parameters are modified on the fly by executing the RPC SetParameterValue over the HTTP Response. The dynamic IPSec security policy execution mode is described with reference to Figs. 5 and 6.
Fig. 5 shows the control flow of dynamic IPSec security policy management started from the home gateway connection. Compared with Fig. 3 for the static mode, steps C.1 to C.3 of this flow are identical to steps A.1 to A.3 of Fig. 3 and are therefore not repeated here; the only difference is that steps C.4 and C.5 differ from A.4 and A.5 of Fig. 3, in that C.4 and C.5 use SetParameterValue instead of AddObject. Specifically, in step C.4, the ACS/IPSPSM sends the SOAP request message to the home gateway/IPSPAM in the HTTP Response and sends the IPSec policy object to the home gateway 42 by the SetParameterValue method. In step C.5, after the home gateway/IPSPAM device has completed loading the local IPSec protocol stack, it notifies the ACS/IPSPSM of the security policy loading result in the SetParameterValue response sent over HTTP POST.
Fig. 6 shows the control flow of dynamic IPSec security policy management started from the ACS/IPSPSM connection. Compared with Fig. 4 for the static mode, steps D.1 to D.5 of this flow are identical to steps B.1 to B.5 of Fig. 4 and are therefore not repeated here; the only difference is that steps D.6 and D.7 differ from B.6 and B.7 of Fig. 4, in that D.6 and D.7 use SetParameterValue instead of AddObject. Specifically, in step D.6, the ACS/IPSPSM sends the SOAP request message to the home gateway/IPSPAM in the HTTP Response and sends the IPSec policy object to the home gateway 42 by the SetParameterValue method. In step D.7, after the home gateway/IPSPAM device has completed loading the local IPSec protocol stack, it notifies the ACS/IPSPSM of the security policy loading result in the SetParameterValue response sent over HTTP POST.
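The four flows of Figs. 3 to 6 can be reduced to one state machine with two gates: a server-side start needs a routable ConnectRequestURL and a successful digest check of the ACS, and the dynamic mode needs one completed static load. The simulation below is an added example, not the patent's or China Telecom's code; it records the message order and enforces those preconditions only, with no real HTTP, TLS or IPsec stack, and the URLs, parameter prefix and the acs_digest_valid flag are constructed assumptions.

```python
"""Simulation of the TR-069 control flows of Figs. 3 to 6 between the ACS/IPSPSM and
the home gateway/IPSPAM. Added example; not the patent's own code."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class HomeGateway:
    """Home gateway with the IPSPAM agent (state only)."""
    connect_request_url: Optional[str] = None  # InternetGatewayDevice.ManagementServer.ConnectRequestURL
    acs_digest_valid: bool = True              # outcome of the gateway's digest check of the ACS (assumed flag)
    stack_initialised: bool = False            # True once the first AddObject policy load has completed
    policy: Dict[str, str] = field(default_factory=dict)


@dataclass
class Acs:
    """ACS with the IPSPSM module; trace records each step of a flow."""
    url: str                                   # InternetGatewayDevice.ManagementServer.URL
    trace: List[str] = field(default_factory=list)


def _connection_request(acs: Acs, gw: HomeGateway) -> bool:
    """Steps B.1-B.3 (and D.1-D.3): server-side start, gated on a routable address
    and on the gateway authenticating the ACS before it acts on the request."""
    if not gw.connect_request_url:
        acs.trace.append("abort: gateway has no globally routable ConnectRequestURL")
        return False
    acs.trace.append(f"HTTP GET {gw.connect_request_url} (Connection Request)")
    if not gw.acs_digest_valid:
        acs.trace.append("abort: digest authentication of the ACS failed, gateway ignores request")
        return False
    acs.trace.append("digest authentication ok, gateway opens connection to ACS")
    return True


def _policy_session(acs: Acs, gw: HomeGateway, rpc: str, params: Dict[str, str]) -> bool:
    """Steps A.2-A.5 (rpc=AddObject) or C.2-C.5 (rpc=SetParameterValue)."""
    acs.trace.append(f"SSL/TLS session to {acs.url}")
    acs.trace.append("HTTP POST Inform: gateway ready for the SOAP-IPSecPolicy request")
    acs.trace.append(f"HTTP Response {rpc}: {len(params)} IPSec parameters")
    if rpc == "AddObject":
        gw.policy = dict(params)        # first initialisation of the IPsec stack
        gw.stack_initialised = True
    else:
        gw.policy.update(params)        # on-the-fly modification of the existing policy
    acs.trace.append(f"HTTP POST {rpc} response: policy loaded")
    return True


def static_policy_load(acs: Acs, gw: HomeGateway, params: Dict[str, str],
                       server_initiated: bool = False) -> bool:
    """Static mode: Fig. 3 (gateway start) or Fig. 4 (server start); loads via AddObject."""
    if server_initiated and not _connection_request(acs, gw):
        return False
    return _policy_session(acs, gw, "AddObject", params)


def dynamic_policy_update(acs: Acs, gw: HomeGateway, params: Dict[str, str],
                          server_initiated: bool = False) -> bool:
    """Dynamic mode: Fig. 5 or Fig. 6; requires one completed static load first."""
    if not gw.stack_initialised:
        acs.trace.append("abort: dynamic mode requires a completed static policy load")
        return False
    if server_initiated and not _connection_request(acs, gw):
        return False
    return _policy_session(acs, gw, "SetParameterValue", params)


# Constructed sample parameters (the InternetGatewayDevice prefix is an assumption).
P = "InternetGatewayDevice.X_ChinaTelecom-COM-CN_IPSec."
INITIAL_POLICY = {P + "IKENegotiation.ExchangeMode": "Main",
                  P + "IKENegotiation.CipherAlg": "AES",
                  P + "IPSecNegotiation.ProtectionMode": "Tunnel",
                  P + "IPSecNegotiation.PeerGateway": "198.51.100.1"}
UPDATE = {P + "IPSecNegotiation.SALifetime": "1800"}

if __name__ == "__main__":
    acs = Acs("https://acs.example.net/cwmp")
    gw = HomeGateway(connect_request_url="http://192.0.2.10:7547/")
    static_policy_load(acs, gw, INITIAL_POLICY)                      # Fig. 3
    dynamic_policy_update(acs, gw, UPDATE, server_initiated=True)    # Fig. 6
    print("\n".join(acs.trace))
```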
Thus, according to the present invention, IPSec security policy management and control are supported by functional modules extended in the existing ACS and home gateway: the IPSec security policy server module IPSPSM 21 is extended on the ACS, and the IPSec security policy agent module IPSPAM 41 is extended on the home gateway.
After the user subscribes to a service, the IPSPSM module first generates the corresponding IPSec security policy according to the operating situation and/or the customer's requirements; the policy is realized in the form of a policy database or policy directory, and the security policy parameters in it follow the parameter definitions above. Then a connection is established between the IPSPSM module and the IPSPAM module and the generated security policy parameters are transferred; the IPSPSM module and the IPSPAM module follow the provisions of TR-069 to realize management and control of the IPSec security policy between the ACS and the home gateway, the related information is issued to the home gateway, and finally the IPSPAM module loads the IPSec security policy in the home gateway, achieving automatic configuration.
Although the detailed description of the present invention has been directed to example embodiments, those skilled in the art can envisage various modifications and alternative forms of these embodiments. The present invention therefore covers all modifications and alternative forms that fall within the scope of protection clearly defined by the claims.

Claims (44)

1. A method for automatically configuring an IPSec security policy in a home gateway based on TR-069, the method comprising:
generating an IPSec security policy as required by having an Automatic Configuration Server access a policy database, wherein the configuration parameters in the IPSec security policy are IPSec customer-premises-equipment security parameters defined as an extension of the TR-069 parameter-definition standard;
obtaining the configuration parameters of the IPSec security policy from the Automatic Configuration Server through communication between the customer premises equipment and the Automatic Configuration Server; and
loading the obtained IPSec security policy parameters locally on the home gateway, thereby achieving automatic configuration of the IPSec security policy in the home gateway.
2. The method according to claim 1, wherein accessing the policy database to generate the IPSec security policy is performed by an IPSec security policy server module extended in the Automatic Configuration Server.
3. The method according to claim 2, wherein obtaining the configuration parameters of the IPSec security policy from the Automatic Configuration Server through communication between the customer premises equipment and the Automatic Configuration Server is performed by an IPSec security policy agent module extended in the customer premises equipment.
4. The method according to claim 3, wherein the configuration parameters of the security policy are transmitted between the IPSec security policy server module and the IPSec security policy agent module by SOAP.
5. The method according to claim 4, wherein generating the IPSec security policy by having the IPSec security policy server module access the policy database is performed according to the user's service subscription or according to the security service required in the operator's service operation.
6. The method according to claim 5, wherein the IPSec security policy parameters are a static IPSec security policy configuration initiated by a server-side connection in the automatic configuration of the home gateway.
7. The method according to claim 5, wherein the IPSec security policy parameters are a static IPSec security policy configuration initiated by a home-gateway connection in the automatic configuration of the home gateway.
8. The method according to claim 6, wherein the IPSec security policy server module sends a SOAP request message to the IPSec security policy agent module in an HTTP Response and, upon confirming that the home gateway has initialized its IPSec protocol stack for the first time, sends the IPSec policy to the home gateway by the AddObject method.
9. The method according to claim 7, comprising the home gateway applying digest authentication to said Automatic Configuration Server.
10. The method according to claim 6, further comprising:
after the static IPSec security policy configuration initiated by the server-side connection, if the IPSec security parameters change dynamically, the IPSec security policy server module dynamically notifies the IPSec security policy agent module to dynamically modify the IPSec security policy parameters.
11. The method according to claim 6, further comprising:
after the static IPSec security policy configuration initiated by the server-side connection, when the IPSec security policy agent module receives a dynamic IPSec security request from the customer premises equipment, notifying the IPSec security policy server module to dynamically download a security policy that meets the requirements of the subscribed security protocol.
12. The method according to claim 7, further comprising:
after the static IPSec security policy configuration initiated by the home-gateway connection, if the IPSec security parameters change dynamically, the IPSec security policy server module dynamically notifies the IPSec security policy agent module to dynamically modify the IPSec security policy parameters.
13. The method according to claim 7, further comprising:
after the static IPSec security policy configuration initiated by the home-gateway connection, when the IPSec security policy agent module receives a dynamic IPSec security request from the customer premises equipment, notifying the IPSec security policy server module to dynamically download a security policy that meets the requirements of the subscribed security protocol.
14. The method according to claim 10, wherein dynamically modifying the IPSec security policy parameters is initiated by a server-side connection.
15. The method according to claim 11, wherein dynamically downloading the security policy that meets the requirements of the subscribed security protocol is initiated by a server-side connection.
16. The method according to claim 12, wherein dynamically modifying the IPSec security policy parameters is initiated by a server-side connection.
17. The method according to claim 13, wherein dynamically downloading the security policy that meets the requirements of the subscribed security protocol is initiated by a server-side connection.
18. The method according to claim 10, wherein dynamically modifying the IPSec security policy parameters is initiated by a home-gateway connection.
19. The method according to claim 11, wherein dynamically downloading the security policy that meets the requirements of the subscribed security protocol is initiated by a home-gateway connection.
20. The method according to claim 12, wherein dynamically modifying the IPSec security policy parameters is initiated by a home-gateway connection.
21. The method according to claim 13, wherein dynamically downloading the security policy that meets the requirements of the subscribed security protocol is initiated by a home-gateway connection.
22. The method according to any one of claims 10-21, wherein the IPSec security policy server module sends a SOAP request message to the IPSec security policy agent module in an HTTP Response and sends the IPSec policy to the home gateway by the SetParameterValue method.
23. The method according to claim 1, wherein the predefined configuration parameters comprise at least one of the following parameters: the IPSec security top-level object parameter IPSec, the network-layer communication peer-entity identification parameter IPSec.PeerIdentification, the IPSec IKE negotiation procedure parameter IPSec.IKENegotiation, and the IPSec parameter negotiation procedure parameter IPSec.IPSecNegotiation.
24. The method according to claim 23, wherein IPSec.PeerIdentification is a parameter of the communicating peer entity and comprises at least one of the following network-layer parameters: source IP address, destination IP address, source port number, destination port number, transport-layer protocol and IP-layer traffic direction.
25. The method according to claim 23, wherein IPSec.IKENegotiation comprises, as parameters used in IKE negotiation, at least one of IKE negotiation mode, encryption algorithm, hash algorithm, authentication algorithm and IKE lifetime.
26. The method according to claim 23, wherein IPSec.IPSecNegotiation comprises, as parameters used in IPSec negotiation, at least one of protection mode, peer (tunnel gateway) address, ESP integrity algorithm, ESP encryption algorithm and SA lifetime.
27. A system for automatically configuring an IPSec security policy in a home gateway based on TR-069, the system comprising:
an IPSec security policy server module extended in an Automatic Configuration Server, for accessing a policy database as required to generate an IPSec security policy, wherein the configuration parameters in the IPSec security policy are IPSec customer-premises-equipment security parameters defined as an extension of the TR-069 parameter-definition standard;
an IPSec security policy agent module extended in the customer premises equipment, for communicating with the IPSec security policy server module and obtaining the configuration parameters of the IPSec security policy from the IPSec security policy server module; and
a home gateway, for locally loading the IPSec security policy parameters obtained by the IPSec security policy agent module, thereby achieving automatic configuration of the IPSec security policy in the home gateway.
28. The system according to claim 27, wherein the configuration parameters of the security policy are transmitted between the IPSec security policy server module and the IPSec security policy agent module by SOAP.
29. The system according to claim 27, wherein the predefined configuration parameters comprise at least one of the following parameters: the IPSec security top-level object parameter IPSec, the network-layer communication peer-entity identification parameter IPSec.PeerIdentification, the IPSec IKE negotiation procedure parameter IPSec.IKENegotiation, and the IPSec parameter negotiation procedure parameter IPSec.IPSecNegotiation.
30. The system according to claim 29, wherein IPSec.PeerIdentification is a parameter of the communicating peer entity and comprises at least one of the following network-layer parameters: source IP address, destination IP address, source port number, destination port number, transport-layer protocol and IP-layer traffic direction.
31. The system according to claim 29, wherein IPSec.IKENegotiation comprises, as parameters used in IKE negotiation, at least one of IKE negotiation mode, encryption algorithm, hash algorithm, authentication algorithm and IKE lifetime.
32. The system according to claim 29, wherein IPSec.IPSecNegotiation comprises, as parameters used in IPSec negotiation, at least one of protection mode, peer (tunnel gateway) address, ESP integrity algorithm, ESP encryption algorithm and SA lifetime.
33. The system according to claim 28, wherein generating the IPSec security policy by having the IPSec security policy server module access the policy database is performed according to the user's service subscription or according to the security service required in the operator's service operation.
34. The system according to claim 33, wherein the IPSec security policy parameters are a static IPSec security policy configuration initiated by a server-side connection in the automatic configuration of the home gateway.
35. The system according to claim 33, wherein the IPSec security policy parameters are a static IPSec security policy configuration initiated by a home-gateway connection in the automatic configuration of the home gateway.
36. The system according to claim 34, wherein the IPSec security policy server module sends a SOAP request message to the IPSec security policy agent module in an HTTP Response and, upon confirming that the home gateway has initialized its IPSec protocol stack for the first time, sends the IPSec policy to the home gateway by the AddObject method.
37. The system according to claim 35, wherein the home gateway applies digest authentication to said Automatic Configuration Server.
38. The system according to claim 34, wherein, after the static IPSec security policy configuration, if the IPSec security parameters change dynamically, the IPSec security policy server module dynamically notifies the IPSec security policy agent module to dynamically modify the IPSec security policy parameters.
39. The system according to claim 34, wherein, after the static IPSec security policy configuration, when the IPSec security policy agent module receives a dynamic IPSec security request from the customer premises equipment, it notifies the IPSec security policy server module to dynamically download a security policy that meets the requirements of the subscribed security protocol.
40. The system according to claim 38, wherein dynamically modifying the IPSec security policy parameters is initiated by a server-side connection.
41. The system according to claim 39, wherein dynamically downloading the security policy that meets the requirements of the subscribed security protocol is initiated by a server-side connection.
42. The system according to claim 38, wherein dynamically modifying the IPSec security policy parameters is initiated by a home-gateway connection.
43. The system according to claim 39, wherein dynamically downloading the security policy that meets the requirements of the subscribed security protocol is initiated by a home-gateway connection.
44. The system according to any one of claims 38-43, wherein the IPSec security policy server module sends a SOAP request message to the IPSec security policy agent module in an HTTP Response and sends the IPSec policy to the home gateway by the SetParameterValue method.
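The RPC path of claims 22 and 44 and the parameter groups of claims 23-26, as an added example that is not part of the patent: the ACS-side policy server builds the TR-069 SetParameterValues request (the RPC the claims call SetParameterValue) and the home-gateway agent validates every parameter against an allow-list before loading it, rejecting the whole RPC on any unknown name or malformed value. The leaf parameter names under the three groups, the allow-listed algorithm names and value ranges, and the sample addresses are assumptions.

```python
"""Added example (not the patent's code): the ACS-side policy server builds the
TR-069 SetParameterValues RPC for the IPSec.* parameters of claims 22-26, and the
gateway-side agent validates every value before loading. Leaf names are assumed."""
import ipaddress
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
CWMP = "urn:dslforum-org:cwmp-1-0"  # TR-069 (CWMP) RPC namespace

def _bad(v):
    raise ValueError(f"rejected value: {v!r}")
def _choice(allowed):       # allow-list check for enumerated leaves
    return lambda v: v if v in allowed else _bad(v)
def _int_range(lo, hi):     # bounds check for ports and lifetimes (int() may raise too)
    return lambda v: int(v) if lo <= int(v) <= hi else _bad(v)
_ip = lambda v: str(ipaddress.ip_address(v))   # raises on a malformed address

# Assumed leaf parameters under the patent's three groups, with the agent's check for each.
SCHEMA = {
    "IPSec.PeerIdentification.SourceIP": _ip,
    "IPSec.PeerIdentification.DestIP": _ip,
    "IPSec.PeerIdentification.DestPort": _int_range(0, 65535),
    "IPSec.IKENegotiation.Mode": _choice({"Main", "Aggressive"}),
    "IPSec.IPSecNegotiation.ProtectionMode": _choice({"Tunnel", "Transport"}),
    "IPSec.IPSecNegotiation.PeerGatewayAddress": _ip,
    "IPSec.IPSecNegotiation.ESPEncryptionAlgorithm": _choice({"AES", "3DES"}),
}

def build_set_parameter_values(params, parameter_key="ipsec-policy-1"):
    """ACS side: wrap the policy in a cwmp:SetParameterValues RPC (claims 22 and 44)."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    rpc = ET.SubElement(body, f"{{{CWMP}}}SetParameterValues")
    plist = ET.SubElement(rpc, "ParameterList")
    for name, value in params.items():
        pvs = ET.SubElement(plist, "ParameterValueStruct")
        ET.SubElement(pvs, "Name").text = name
        ET.SubElement(pvs, "Value").text = str(value)
    ET.SubElement(rpc, "ParameterKey").text = parameter_key
    return ET.tostring(env, encoding="unicode")

def load_policy(envelope_xml):
    """Agent side: accept only known IPSec.* leaves; any unknown name or bad value rejects the whole RPC."""
    rpc = ET.fromstring(envelope_xml).find(f".//{{{CWMP}}}SetParameterValues")
    if rpc is None:
        raise ValueError("not a SetParameterValues RPC")
    policy = {}
    for pvs in rpc.iterfind("ParameterList/ParameterValueStruct"):
        name = pvs.findtext("Name", "")
        if name not in SCHEMA:
            raise ValueError(f"parameter rejected: {name}")
        policy[name] = SCHEMA[name](pvs.findtext("Value", ""))
    return policy

# Constructed sample policy (RFC 5737 documentation addresses, not real endpoints).
SAMPLE_POLICY = {
    "IPSec.PeerIdentification.SourceIP": "192.0.2.10",
    "IPSec.PeerIdentification.DestIP": "198.51.100.20",
    "IPSec.PeerIdentification.DestPort": "500",
    "IPSec.IKENegotiation.Mode": "Main",
    "IPSec.IPSecNegotiation.ProtectionMode": "Tunnel",
    "IPSec.IPSecNegotiation.PeerGatewayAddress": "198.51.100.1",
    "IPSec.IPSecNegotiation.ESPEncryptionAlgorithm": "AES",
}
```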
CN200610109663A 2006-08-15 2006-08-15 Automatic configuration system and method of IPSec safety tactis in domestic gateway Active CN100596069C (en)

Publications (2)

Publication Number Publication Date
CN1905452A CN1905452A (en) 2007-01-31
CN100596069C true CN100596069C (en) 2010-03-24
