CN101060454A - Proxy access method, control network equipment and proxy access system - Google Patents


Info

Publication number: CN101060454A
Authority: CN (China)
Prior art keywords: access; terminal equipment; network devices; network device; control network
Legal status: Granted
Application number: CN 200710103050
Other languages: Chinese (zh)
Other versions: CN100574237C (en)
Inventor: 董辉
Current Assignee: New H3C Technologies Co Ltd
Original Assignee: Hangzhou H3C Technologies Co Ltd

Events
Application filed by Hangzhou H3C Technologies Co Ltd
Priority to CNB2007101030502A
Publication of CN101060454A
Application granted
Publication of CN100574237C
Current legal status: Expired - Fee Related
Anticipated expiration


Abstract

The disclosed proxy access method comprises: a control network device placed between the access initiator and the accessed end receives the access request, performs protocol conversion on it, modifies its source address to the control network device's own network address, and sends the access request to the accessed end. The invention guarantees effective interconnection between the two ends.

Description

Proxy access method, control network device and proxy access system
Technical field
The present invention relates to network communication technology, and in particular to a proxy access method and a proxy access system.
Background technology
The rapid development of network communication and computer technology makes it possible to link together terminal devices dispersed everywhere, forming various networks so that they can exchange information with one another. To manage the terminal devices in a network effectively, a management device is usually also provided, which performs unified planning and scheduling of the terminal devices under its administration. Because the number of terminal devices to be networked is large while the management device has only a limited number of interfaces, an intermediary network device acting as a proxy is placed between the management device and the terminal devices. At present the network system made up of the management device, the intermediary network device and the terminal devices is called a proxy access system.
Classified by the access initiator, proxy access systems generally include two types: management-device-initiated access and terminal-device-initiated access. In the management-device-initiated type the access initiator is the management device and the accessed end comprises the intermediary network device and the terminal device; in the terminal-device-initiated type the access initiator comprises the intermediary network device and the terminal device and the accessed end is the management device.
Fig. 1 is a structural diagram of an existing proxy access system of the management-device-initiated type. Referring to Fig. 1, the management device in this system is connected to the intermediary network device by a common network protocol such as telnet, secure shell (ssh), rlogin or packet assembler/disassembler (PAD); each terminal device is connected to a corresponding port of the intermediary network device in synchronous or asynchronous mode. To ensure normal operation of the system, the management device and the intermediary network device obtain each other's IP address in advance through an exchange and activate the connection between them, and the intermediary network device also notifies the management device of the port corresponding to each terminal device. When telnet, ssh, rlogin or PAD is used between the management device and the intermediary network device and asynchronous mode is used between the intermediary network device and the terminal devices, the system is known as a reverse telnet, reverse ssh, reverse rlogin or reverse PAD system.
In the access procedure of this system, the management device first determines the terminal device to be accessed and then connects to the corresponding port of the intermediary network device according to the intermediary network device's IP address and that terminal device's port information. A communication channel is thus established between the management device and one terminal device. Thereafter the management device can use the common network protocol to transfer data to the corresponding port of the intermediary network device, and the intermediary network device forwards the data to the terminal device in synchronous or asynchronous mode; likewise the terminal device can send data in synchronous or asynchronous mode to that port of the intermediary network device, and the intermediary network device forwards the data to the management device using the common network protocol.
Fig. 2 is a structural diagram of an existing proxy access system of the terminal-device-initiated type. Referring to Fig. 2, the management device in this system is a front-end processor; the front-end processor and the intermediary network device are connected through an Internet Protocol (IP) network, and the intermediary network device and the terminal devices are connected in synchronous or asynchronous mode, over an IP network, by dial-up, or over an X.25 network. As in the proxy access system of Fig. 1, the front-end processor and the intermediary network device know each other's IP address. In the access procedure, the terminal device first sends an access request to the intermediary network device, asking to connect to the front-end processor; when the intermediary network device determines that this terminal device is accessing for the first time, it negotiates a terminal number for the terminal device with the front-end processor; once the terminal number is agreed, the intermediary network device notifies the terminal device that access has succeeded. Thereafter the terminal device can send data to the intermediary network device, which forwards it according to the front-end processor's IP address while indicating the terminal number corresponding to that terminal device, and the front-end processor determines the source of the data from the received terminal number; the front-end processor can also send data to the intermediary network device according to the intermediary network device's IP address, indicating the terminal number of the data's destination, and the intermediary network device forwards the data to the corresponding terminal device according to the received terminal number.
In the proxy access systems of Fig. 1 and Fig. 2, the access initiator and the accessed end must know each other's IP address and use the same network protocol in order to guarantee normal communication. In other words, the management device and the intermediary network device are in the wide area network, the intermediary network device and the terminal devices are in the local area network (LAN), and the three intercommunicate according to the same protocol. In practice, however, many manufacturers each provide management devices, intermediary network devices and terminal devices according to their own network protocols. Consequently, if devices with different network protocols are selected when networking, the proxy access system above cannot communicate normally, which strongly limits networking.
Summary of the invention
In view of this, the present invention provides a proxy access method that can guarantee normal communication between the access initiator and the accessed end.
In the proxy access method of the present invention, a control network device is placed between the access initiator and the accessed end, and the method comprises:
the control network device receives an access request from the access initiator, performs protocol conversion on the access request according to a network protocol recognizable by the accessed end, modifies the source address of the access request to its own network address, and then sends the access request to the accessed end.
Preferably, the method further comprises: the control network device determines in advance the network protocols recognizable by the accessed end and saves them;
performing protocol conversion on the access request according to the network protocol recognizable by the accessed end is: the control network device determines from the received access request the network protocol used by the access initiator, and, when the protocol used by the access initiator cannot be recognized by the accessed end, selects a recognizable protocol from those saved for the accessed end and converts the access request into the format of the selected protocol.
Wherein, the access initiator is a management device and the accessed end comprises an intermediary network device and a terminal device;
before the control network device receives the access request from the access initiator, the method further comprises: the intermediary network device sends terminal device information to the control network device, and the control network device establishes within itself the correspondence between the intermediary network device and the terminal device;
sending the access request to the accessed end is: the control network device determines from the received access request the terminal device to be accessed, determines from the correspondence between intermediary network device and terminal device the intermediary network device corresponding to that terminal device, and sends the access request to the determined intermediary network device, which in turn forwards the received access request to the terminal device.
Wherein, before the control network device receives the access request from the access initiator, the method further comprises:
the control network device provides terminal device information to the management device; the management device selects the terminal device to be accessed according to that information and sends to the control network device an access request carrying the information of the terminal device to be accessed.
Wherein, the access initiator comprises an intermediary network device and a terminal device, and the accessed end is a management device;
before the control network device receives the access request from the access initiator, the method further comprises: the intermediary network device sends terminal device information to the control network device; the control network device establishes the correspondence between the intermediary network device and the terminal device and provides the terminal device information to the management device; and the management device establishes within itself the correspondence between terminal devices and virtual devices;
after the access request is sent to the accessed end, the method further comprises: the management device determines from the received access request the terminal device that initiated access and places the virtual device corresponding to that terminal device in the running state.
Wherein, before the intermediary network device sends the terminal device information to the control network device, the method further comprises: the intermediary network device determines the port of the terminal device on itself, allocates a terminal identifier to the terminal device according to the determined port, and uses the allocated terminal identifier as the terminal device information.
Wherein, the terminal identifier comprises: a random number and the port number of the terminal device on the intermediary network device; or a random number, the port number of the terminal device on the intermediary network device and the medium access control (MAC) address of the intermediary network device.
Wherein, before the intermediary network device sends the terminal device information to the control network device, the method further comprises: the intermediary network device determines the port of the terminal device on itself;
sending the terminal device information to the control network device is: sending the terminal device number and its port on the intermediary network device to the control network device;
before establishing the correspondence between the intermediary network device and the terminal device, the method further comprises: the control network device determines the listening port for the terminal device on itself and uses the listening port number as the terminal identifier of the terminal device;
providing the terminal device information to the management device is: providing the terminal identifier of the terminal device to the management device.
Wherein, before the terminal device information is sent to the control network device, the method further comprises: the control network device performs legitimacy verification of the intermediary network device, and only when verification passes is the terminal device information sent to the control network device;
and/or, before the terminal device information is provided to the management device, the method further comprises: the control network device performs legitimacy verification of the management device, and only when verification passes is the terminal device information provided to the management device.
Wherein, the method further comprises: when the intermediary network device detects that its own IP address has changed, it sends the changed IP address to the control network device, and the control network device updates the IP address of that intermediary network device in its own records.
Wherein, the method further comprises: the control network device detects the connection state of the intermediary network device or terminal device at a predetermined period, and when it determines that the intermediary network device or terminal device is in the disconnected state, deletes the correspondence between that intermediary network device and terminal device.
Wherein, after the access request is sent to the accessed end, the method further comprises: the control network device receives an access response from the accessed end, performs protocol conversion on the response according to a network protocol recognizable by the access initiator, modifies the source address of the response to its own network address, and then sends the access response to the access initiator.
Wherein, the network address is: the IP address or the MAC address of the control network device.
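The method claims above, and the device and system claims that follow, describe one mechanism: the control network device keeps the protocols each end recognises and a table of intermediary-to-terminal correspondences, converts a request into a protocol the accessed end understands, rewrites the source address to its own, forwards by terminal identifier, converts the response back for the initiator, and keeps the table current when an intermediary's IP address changes or a device drops. The Python model below is an added example written for this page, not code from the patent or from H3C. The addresses, MAC and terminal identifier are constructed, and `FRAMERS` is a toy stand-in for real protocol conversion (it is not the wire format of telnet, PAD or ssh).

```python
from dataclasses import dataclass, field

# Toy framings standing in for real protocol encodings. Constructed for this example;
# NOT the wire formats of telnet, PAD or ssh. Each entry is (frame, unframe).
FRAMERS = {
    "telnet": (lambda p: p + b"\r\n", lambda f: f[:-2]),
    "pad": (lambda p: len(p).to_bytes(2, "big") + p,
            lambda f: f[2:2 + int.from_bytes(f[:2], "big")]),
    "ssh": (lambda p: b"SSH:" + p, lambda f: f[4:]),
}


@dataclass
class Message:
    protocol: str     # network protocol the sender used
    src: str          # source address as the receiver sees it
    terminal_id: str  # identifier of the terminal device concerned
    body: bytes       # payload framed in `protocol`


@dataclass
class ControlNetworkDevice:
    own_address: str                                   # address written into all forwarded traffic
    recognizable: dict = field(default_factory=dict)   # endpoint -> protocols it recognises, preferred first
    records: dict = field(default_factory=dict)        # terminal_id -> {"mac": ..., "ip": ...}

    def register(self, mac, ip, terminal_id):
        """Store the intermediary <-> terminal correspondence reported by an intermediary device."""
        self.records[terminal_id] = {"mac": mac, "ip": ip}

    def convert(self, msg, target):
        """Protocol conversion plus source-address rewrite for a message bound for `target`."""
        accepted = self.recognizable[target]
        if msg.protocol in accepted:                 # already understood: only the source changes
            return Message(msg.protocol, self.own_address, msg.terminal_id, msg.body)
        chosen = accepted[0]                         # first protocol saved for this endpoint
        plain = FRAMERS[msg.protocol][1](msg.body)   # strip the sender's framing ...
        return Message(chosen, self.own_address, msg.terminal_id,
                       FRAMERS[chosen][0](plain))    # ... and re-frame for the target

    def forward_request(self, msg):
        """Initiator -> terminal: find the intermediary by terminal id; return (dest IP, request)."""
        rec = self.records[msg.terminal_id]
        return rec["ip"], self.convert(msg, rec["mac"])

    def forward_response(self, msg, initiator="management"):
        """Accessed end -> initiator: the same treatment in the reverse direction."""
        return self.convert(msg, initiator)

    def update_ip(self, mac, new_ip):
        """Address update notification: rewrite the IP in every record carrying this MAC."""
        hits = [r for r in self.records.values() if r["mac"] == mac]
        for r in hits:
            r["ip"] = new_ip
        return len(hits)

    def purge_disconnected(self, is_connected):
        """Periodic check: delete correspondences whose intermediary/terminal is disconnected."""
        dead = [t for t, r in self.records.items() if not is_connected(r["mac"], t)]
        for t in dead:
            del self.records[t]
        return dead


def demo():
    """Walk one request and its response through the device; all values are constructed."""
    cnd = ControlNetworkDevice("192.0.2.1", recognizable={"management": ["ssh"],
                                                          "00:11:22:33:44:55": ["telnet", "pad"]})
    cnd.register("00:11:22:33:44:55", "198.51.100.7", "32f32001")
    req = Message("ssh", "203.0.113.9", "32f32001", FRAMERS["ssh"][0](b"show status"))
    dest, out = cnd.forward_request(req)             # out.src is now the device's own address
    resp = Message("telnet", dest, "32f32001", FRAMERS["telnet"][0](b"ok"))
    back = cnd.forward_response(resp)                # converted back to the initiator's protocol
    moved = cnd.update_ip("00:11:22:33:44:55", "198.51.100.8")
    gone = cnd.purge_disconnected(lambda mac, tid: False)
    return dest, out, back, moved, gone
```

The management device never learns the intermediary's address and the intermediary never sees the management device's: both directions carry `own_address` as source, which is the buffering effect the patent claims. Keying the records by MAC is what lets `update_ip` repair every entry for an intermediary whose IP has changed in one pass.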
The present invention also provides a control network device that can guarantee normal communication between the access initiator and the accessed end.
The control network device of the present invention comprises a communication module and a control module, wherein:
the communication module receives an access request from the access initiator and sends it to the control module; and receives an access request from the control module and sends it to the accessed end;
the control module receives the access request from the communication module, performs protocol conversion on it according to a network protocol recognizable by the accessed end, modifies the source address of the access request to the device's own network address, and then sends the access request to the communication module.
Wherein, the control network device further comprises a storage module that saves the network protocols recognizable by the accessed end and the network address of the control network device;
the control module further reads from the storage module the network protocols recognizable by the accessed end, determines from the received access request the network protocol used by the access initiator, and, when that protocol cannot be recognized by the accessed end, selects a recognizable protocol from those saved for the accessed end, converts the access request into the format of the selected protocol, and reads the network address of the device from the storage module.
Wherein, the access initiator is a management device and the accessed end comprises an intermediary network device and a terminal device; or the access initiator comprises an intermediary network device and a terminal device and the accessed end is a management device;
the communication module further receives terminal device information from the intermediary network device, sends the intermediary network device information and the received terminal device information to the control module, receives all terminal device information from the control module, and sends the received terminal device information to the management device;
the control module establishes the correspondence between intermediary network device information and terminal device information, sends this correspondence to the storage module, reads all terminal device information from the storage module, and sends the read terminal device information to the communication module;
the storage module further saves the correspondence between intermediary network device information and terminal device information.
Wherein, the control module is further used to determine the listening port on the control network device corresponding to each terminal device and, using the listening port information as the terminal device information, to establish the correspondence between intermediary network device information and terminal device information.
Wherein, the control network device further comprises an authentication module, used to receive from the communication module the verification information of the access initiator or the accessed end, read from the storage module the verification information of legitimate access initiators or accessed ends, perform legitimacy verification of the access initiator or accessed end according to the read and the received verification information, and send the verification result to the communication module;
the communication module further receives verification information from the access initiator or the accessed end, sends the received verification information to the authentication module, receives the verification result from the authentication module and, when the result shows that verification passed, indicates to the access initiator or accessed end that verification succeeded.
Wherein, the communication module further receives an access response from the accessed end and sends it to the control module; and receives an access response from the control module and sends it to the access initiator;
the control module receives the access response from the communication module, performs protocol conversion on the response according to a network protocol recognizable by the access initiator, modifies the source address of the access response to the device's own network address, and then sends the access response to the communication module.
The present invention also provides a proxy access system that can guarantee normal communication between the access initiator and the accessed end.
The proxy access system of the present invention comprises an access initiator, a control network device and an accessed end, wherein:
the access initiator sends an access request to the control network device;
the control network device performs protocol conversion on the received access request according to a network protocol recognizable by the access initiator, modifies the source address in the access request to its own network address, and then sends the access request to the accessed end.
Wherein, the access initiator is a management device and the accessed end comprises an intermediary network device and a terminal device; or the access initiator comprises an intermediary network device and a terminal device and the accessed end is a management device.
Using the present invention, normal communication between the access initiator and the accessed end can be guaranteed. In particular, the present invention has the following beneficial effects:
1. In the present invention the control network device performs protocol conversion on information from the access initiator so that it can be recognized by the accessed end. This removes the protocol barrier between the access initiator and the accessed end and avoids information becoming unrecognizable because of differing network protocols, thereby guaranteeing normal intercommunication between the access initiator and the accessed end.
2. Because the control network device performs address conversion on information from the access initiator, the address information of the access initiator remains within the network between the control network device and the access initiator. The control network device thus acts as a buffer between the access initiator and the accessed end, effectively reducing the probability that the network addresses of the access initiator and the accessed end are stolen, and so considerably improving the security of proxy access.
3. In embodiments of the present invention, before the intermediary network device and the management device connect to the control network device, the control network device verifies their legitimacy and allows the connection only when verification passes. Illegitimate devices attempting to impersonate an intermediary network device or a management device therefore cannot connect to the control network device, so the control network device shields the intermediary network device and the management device from malicious attacks, further improving the security of proxy access.
4. In embodiments of the invention, whenever the IP address of the intermediary network device changes, it sends the control network device an address update notification carrying the new IP address and its MAC address; the control network device finds every record corresponding to that MAC address and replaces the IP address in those records with the new one. In this way, even when the intermediary network device's IP address is not fixed, the control network device can still communicate normally with it and the management device can still connect to the terminal devices.
5. The present invention determines a unique terminal identifier for each terminal device from its port on the intermediary network device or on the control network device, so that distinguishing terminal devices no longer depends on the intermediary network device's IP address at all, which further guarantees normal access when the intermediary network device has a dynamic IP address.
Description of drawings
Fig. 1 is a structural diagram of an existing proxy access system of the management-device-initiated type.
Fig. 2 is a structural diagram of an existing proxy access system of the terminal-device-initiated type.
Fig. 3 is a structural diagram of the proxy access system in embodiment 1 of the invention.
Fig. 4 is a flow chart of the proxy access method in embodiment 1 of the invention.
Fig. 5 is a structural diagram of the proxy access system in embodiment 1 of the invention.
Fig. 6 is another structural diagram of the proxy access system in embodiment 1 of the invention.
Fig. 7 is a flow chart of the proxy access method in embodiment 2 of the invention.
Embodiments
To make the purpose and technical solution of the present invention clearer, the invention is described in further detail below with reference to the accompanying drawings and embodiments.
The basic idea of the present invention is to add a control network device between the access initiator and the accessed end. After the control network device receives an access request from the access initiator, it performs network protocol conversion and source address modification on the request and sends the converted and modified request to the accessed end. The control network device may comprise a communication module and a control module. The communication module receives the access request from the access initiator and sends it to the control module; it receives the access request from the control module and sends it to the accessed end. The control module receives the access request from the communication module, performs protocol conversion on it according to a network protocol recognizable by the accessed end, modifies the source address of the request to the device's own network address, and sends the request to the communication module.
In the present invention, when the access initiator is the management device, the accessed end comprises the intermediary network device and the terminal device; conversely, when the access initiator comprises the intermediary network device and the terminal device, the accessed end is the management device. Two proxy access systems based on the above basic idea are described below through two embodiments.
Embodiment 1
This embodiment concerns a proxy access system of the management-device-initiated type. Fig. 3 is a structural diagram of the proxy access system in this embodiment. Referring to Fig. 3, the system comprises a management device, a control network device, an intermediary network device and terminal devices. The management device and the control network device have fixed IP addresses. When initiating access, the management device indicates the identifier of the terminal device to be accessed; before forwarding the management device's information to the intermediary network device, the control network device converts it into the format of a network protocol that the intermediary network device and terminal device can recognize and modifies the source IP address to its own IP address. Thus, besides guaranteeing normal communication between the management device and the intermediary network device and terminal devices, in this embodiment the management device communicates directly only with the control network device; since the number of control network devices is far smaller than the number of intermediary network devices, the probability of an intermediary network device's IP address being stolen is greatly reduced and the security of the access procedure increases.
When performing access in this embodiment, after the control network device receives the request from the management device to access a terminal device, it performs protocol conversion on the request according to a network protocol recognizable by the accessed end, modifies the source IP address of the request to its own network address, and forwards the access request to the corresponding terminal device via the intermediary network device.
Fig. 4 is a flow chart of the proxy access method in this embodiment. Referring to Fig. 4, the method comprises:
In step 401, the intermediary network device determines the port of the terminal device on itself and allocates a terminal identifier to the terminal device according to the determined port.
In a proxy access system each intermediary network device is connected to multiple terminal devices in synchronous or asynchronous mode, and each synchronous or asynchronous port on the intermediary network device corresponds to one terminal device. A unique terminal identifier can therefore be allocated to the corresponding terminal device according to the port on the intermediary network device.
In this step, a terminal identifier of the form random number + port number may be allocated to each terminal device, for example 32f32001, where the first five digits are a random number and the last three are the port number corresponding to this terminal device. The medium access control (MAC) address of the intermediary network device may also be included in the terminal identifier, i.e. the form 5-digit random number + 12-digit intermediary network device MAC address + 3-digit port number; a further 5-digit random number may be inserted between the MAC address and the port number to improve the uniqueness of the identifier further, for example 32f320fcec232349972e98001.
Because this embodiment does not need the intermediary network device's IP address to identify terminal devices, access to terminal devices is not hindered even when the intermediary network device has a dynamic IP address.
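To make the three identifier layouts of step 401 concrete, the following Python is an added example (not code from the patent or from H3C) that builds and parses identifiers in the random+port, random+MAC+port and random+MAC+random+port forms, and retries on collision so that the identifiers issued by one intermediary device stay unique. It assumes that the random parts and the port number are written as hexadecimal digits; `random_hex`, `parse_terminal_id` and `IdentifierAllocator` are names chosen here, and the MAC address used in the checks is constructed.

```python
import secrets

# Field widths in hex digits for the three layouts described in the text.
WIDTHS = {"random": 5, "mac": 12, "random2": 5, "port": 3}
LAYOUTS = {8: ("random", "port"),
           20: ("random", "mac", "port"),
           25: ("random", "mac", "random2", "port")}
HEX = set("0123456789abcdef")


def random_hex(n):
    """n random hexadecimal digits (the page writes its random parts in hex)."""
    return secrets.token_hex((n + 1) // 2)[:n]


def make_terminal_id(port, mac=None, extra_random=False, rand=random_hex):
    """Build random(5)+port(3), optionally with mac(12) and a second random(5) in between.
    Assumption: the port number is encoded as three hex digits. `rand` is injectable so
    the result can be reproduced in tests."""
    if not 0 <= port <= 0xFFF:
        raise ValueError("port must fit in three hex digits")
    parts = [rand(WIDTHS["random"])]
    if mac is not None:
        mac_hex = mac.replace(":", "").replace("-", "").lower()
        if len(mac_hex) != WIDTHS["mac"] or not set(mac_hex) <= HEX:
            raise ValueError("MAC address must be 12 hex digits")
        parts.append(mac_hex)
        if extra_random:
            parts.append(rand(WIDTHS["random2"]))
    parts.append(f"{port:03x}")
    return "".join(parts)


def parse_terminal_id(tid):
    """Split an identifier back into its fields; the layout is chosen by total length."""
    if len(tid) not in LAYOUTS or not set(tid) <= HEX:
        raise ValueError("not a terminal identifier in a known layout")
    fields, pos = {}, 0
    for name in LAYOUTS[len(tid)]:
        fields[name] = tid[pos:pos + WIDTHS[name]]
        pos += WIDTHS[name]
    fields["port"] = int(fields["port"], 16)
    return fields


class IdentifierAllocator:
    """Allocation on one intermediary device: an identifier is never handed out twice,
    since the control network device keys its records by it."""

    def __init__(self, mac, rand=random_hex):
        self.mac = mac
        self.rand = rand
        self.used = {}          # identifier -> port

    def allocate(self, port, with_mac=False, extra_random=False, attempts=16):
        for _ in range(attempts):
            tid = make_terminal_id(port, self.mac if with_mac else None,
                                   extra_random, self.rand)
            if tid not in self.used:
                self.used[tid] = port
                return tid
        raise RuntimeError("could not allocate a unique identifier")
```

Parsing by total length works because the three layouts have distinct lengths (8, 20 and 25 digits); a receiver that must accept all three can therefore recover the port and, where present, the MAC without any other framing.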
In steps 402 to 404, the intermediary network device encrypts the terminal identifier of the terminal device with a predetermined cryptographic algorithm and key, carries the encryption result and the descriptor of the terminal device in a registration request, and sends it to the control network device, requesting that the terminal device be registered on the control network device; the control network device verifies the intermediary network device according to the received request; after verification passes, it records the terminal identifier and the corresponding descriptor, and indicates to the intermediary network device that registration succeeded.
Here, the intermediary network device and the control network device negotiate in advance the cryptographic algorithm and key to be used in the access procedure. Before sending the request to the control network device, the intermediary network device first generates a transmission random number and determines the descriptor of each terminal device; the descriptor is information such as the location and function of the terminal device. It then performs a cryptographic operation on the generated transmission random number, the terminal identifier and the key using the predetermined cryptographic algorithm, for example the MD5 algorithm, to obtain a ciphertext; and then assembles the terminal identifier, the corresponding descriptor and the ciphertext into the registration request. The registration request may contain the terminal identifiers and descriptors of all terminal devices connected to the intermediary network device, or of only some of them.
From the description above, the registration request of the present embodiment can contain: a 2-byte terminal identifier, a 2-byte terminal device descriptor, a 2-byte ciphertext and a 2-byte reserved part, where the reserved part can carry the verification identifier of the intermediary network device. The verification identifier here is a legitimacy identifier allocated in advance by the control network device to each intermediary network device, or the MAC address of the intermediary network device. The registration request here need not contain the descriptor of the terminal device.
On receiving the registration request from the intermediary network device, the control network device performs a decryption operation on the received ciphertext with the predetermined cryptographic algorithm to obtain a key. When the obtained key is identical to the key recorded in the control network device, it judges that verification passed, records the terminal identifier and descriptor of the terminal device in the registration request together with the information of the intermediary network device they belong to, and notifies the intermediary network device that registration succeeded. When the obtained key differs from the key recorded in the control network device, it judges that verification failed and notifies the intermediary network device of the registration failure.
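The identifier layouts of step 401 and the registration exchange of steps 402 to 404, as an added Python example that is not part of the patent: the key value, nonce width, descriptor strings and the carrying of the transmission random number inside the request are assumptions, and the 2-byte field layout of the request is not reproduced. The text describes the control device as decrypting the ciphertext to recover the key; since MD5 is a one-way hash, the example realises that comparison by recomputing the digest with the stored key.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Optional

# Shared key negotiated in advance between intermediary and control device (constructed value).
SHARED_KEY = b"example-shared-key"


def random_hex5() -> str:
    """Five hexadecimal digits of randomness, the width used in the text's examples."""
    return f"{secrets.randbelow(16 ** 5):05x}"


def make_terminal_id(port: int, mac: Optional[str] = None, extra_random: bool = False,
                     rand: Callable[[], str] = random_hex5) -> str:
    """Terminal identifier in the three layouts the text describes:
    5 random hex digits + 3-digit port                   (e.g. 32f32001)
    5 random + 12-digit intermediary MAC + 3-digit port
    5 random + 12-digit MAC + 5 random + 3-digit port    (e.g. 32f320fcec232349972e98001)
    """
    if not 0 <= port <= 999:
        raise ValueError("port number must fit in three decimal digits")
    if extra_random and mac is None:
        raise ValueError("the extra random digits sit between the MAC address and the port")
    parts = [rand()]
    if mac is not None:
        parts.append(mac.replace(":", "").replace("-", "").lower())
        if extra_random:
            parts.append(rand())
    parts.append(f"{port:03d}")
    return "".join(parts)


def parse_terminal_id(tid: str) -> dict:
    """Split an identifier back into its fields; the layout follows from its length."""
    if len(tid) == 8:
        return {"random": tid[:5], "mac": None, "port": int(tid[5:])}
    if len(tid) == 20:
        return {"random": tid[:5], "mac": tid[5:17], "port": int(tid[17:])}
    if len(tid) == 25:
        return {"random": tid[:5], "mac": tid[5:17], "extra": tid[17:22], "port": int(tid[22:])}
    raise ValueError(f"unrecognised terminal id length {len(tid)}")


def registration_digest(nonce: bytes, tid: str, key: bytes) -> bytes:
    """MD5 over the transmission random number, terminal id and key, as in step 402."""
    return hashlib.md5(nonce + tid.encode() + key).digest()


def build_register_request(tid: str, descriptor: str, key: bytes,
                           nonce: Optional[bytes] = None) -> dict:
    """Intermediary side. The transmission random number is carried in the request so the
    control device can recompute the digest (an assumption of this example)."""
    nonce = secrets.token_bytes(4) if nonce is None else nonce
    return {"tid": tid, "descriptor": descriptor, "nonce": nonce,
            "ciphertext": registration_digest(nonce, tid, key)}


def verify_register_request(req: dict, key: bytes) -> bool:
    """Control side (step 404). The text describes decrypting the ciphertext to recover the
    key; with a one-way hash the equivalent check is to recompute the digest with the
    stored key and compare it in constant time."""
    expected = registration_digest(req["nonce"], req["tid"], key)
    return hmac.compare_digest(expected, req["ciphertext"])


def register(registry: dict, req: dict, intermediary: dict, key: bytes) -> bool:
    """On success, record terminal id -> descriptor plus the owning intermediary's MAC and IP."""
    if not verify_register_request(req, key):
        return False
    registry[req["tid"]] = {"descriptor": req["descriptor"],
                            "mac": intermediary["mac"], "ip": intermediary["ip"]}
    return True
```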
When the intermediary network device receives a registration result indicating success, this means that a connection between the terminal device and the control network device has been established successfully, i.e. the control network device has completed the preparation for the subsequent access procedure.
In steps 405 to 407, the management device sends a connection establishment request to the control network device, requesting a connection with it; the control network device verifies the management device according to the received verification identifier, and when the verification result indicates success, indicates to the management device that the connection was established successfully.
To guarantee that a secure connection is established between the management device and the control device, in the present embodiment the management device is registered in advance on the control network device according to the authentication, authorization and accounting (AAA) mechanism, and holds a legal user name once registration is completed. The management device can carry its own user name in the connection establishment request; the control network device obtains this user name from the received request and searches the legal user names it has recorded. If a record consistent with the received user name exists, it judges that verification succeeded and indicates to the management device that the connection was established successfully; otherwise it judges that verification failed.
The user name of the management device here can be its own MAC address.
Moreover, there is no necessary order between steps 401 to 404 and steps 405 to 407: the operations of steps 405 to 407 can be performed first, followed by the operations of steps 401 to 404.
In steps 408 to 409, the control network device provides the descriptor of each terminal device to the management device; the management device selects the terminal device to access according to the received descriptors, and sends to the control network device a terminal access request carrying the terminal device information.
Once a connection has been established successfully between the management device and the control network device, the control network device can provide the descriptors of the terminal devices successfully registered on it to the management device in the form of a menu. The management device can select the terminal device it intends to access according to the descriptors in the menu, and notify the control network device of the selected terminal device information.
When providing the descriptors of the terminal devices to the management device, the control network device in the present embodiment can further provide the terminal identifier corresponding to each descriptor. After a terminal device is selected, the management device can send the terminal identifier of the chosen terminal device to the control network device so that the control network device can identify it.
Alternatively, the control network device sends the terminal identifiers of the terminal devices directly to the management device; the management device selects among all received terminal identifiers and sends the selected terminal identifier to the control network device. In the present embodiment, the terminal identifier and the descriptor are collectively referred to as terminal device information.
The management device can also carry in the terminal access request management information intended for the terminal device, so that after the terminal device is accessed successfully it performs the corresponding operation or returns a response according to this management information.
In steps 410 to 411, the control network device determines the terminal that the management device wants to access according to the received terminal access request, performs protocol conversion on the terminal access request according to a network protocol that the accessed end can recognise, modifies the source IP address of the terminal access request to its own network address, and sends the converted and modified terminal access request to the terminal device through the intermediary network device.
In the present embodiment, the control network device records information relevant to the terminal device, comprising the correspondence between the descriptor of the terminal device, the terminal device identifier, and the MAC address and IP address of the intermediary network device, together with the network protocols that the intermediary network device can recognise. When the terminal access request sent by the management device carries the descriptor of the terminal device, the control network device determines from its own records the terminal identifier corresponding to this descriptor and the IP address of the intermediary network device it belongs to; when the terminal access request carries the terminal identifier of the terminal device, the control network device determines the IP address of the intermediary network device it belongs to according to this terminal identifier.
After this, the control network device determines from the received terminal access request the network protocol used by the access originating end. When the network protocol used by the access originating end cannot be recognised by the accessed end, it selects a protocol from the saved network protocols that the accessed end can recognise, and converts the terminal access request into the form that conforms to the selected network protocol.
To prevent too many network devices from learning the IP address of the management device, the control network device performs source address translation on the terminal access request here, before, after or at the same time as the protocol conversion. Only the small number of control network devices in the network then know the IP address of the management device, so the probability that an illegal device obtains this IP address is greatly reduced, and with it the probability that the management device is attacked.
After the intermediary network device receives the terminal access request from the control network device, it determines the synchronous/asynchronous port connected to this terminal device according to the terminal identifier carried in the request, and sends the terminal access request through this port to the terminal device that the management device wants to access.
In steps 412 to 414, the terminal device sends an access response corresponding to the terminal access request to the control network device through the intermediary network device; the control network device modifies the source address of the access response to its own IP address, converts it into the form of a network protocol that the management device can recognise, and forwards the access response to the management device, indicating that access succeeded.
The purpose of the address translation performed by the control network device here is to prevent other devices from learning the IP address of the intermediary network device, so that the probability that the intermediary network device is attacked is greatly reduced.
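The lookup, protocol selection and source-address rewriting of steps 410 to 414, as an added Python model that is not the patent's own code: the message fields, protocol names, the CONTROL_IP value and the rule that the originator's protocol is kept whenever the accessed end recognises it are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

CONTROL_IP = "192.0.2.1"  # constructed: the control network device's own network address


@dataclass
class TerminalRecord:
    """What the control device keeps per terminal (steps 404 and 410)."""
    tid: str
    descriptor: str
    intermediary_mac: str
    intermediary_ip: str
    protocols: Tuple[str, ...]   # protocols the owning intermediary can recognise


@dataclass
class Message:
    """A request or response reduced to the fields the proxy touches."""
    src_ip: str
    dst_ip: str
    protocol: str
    tid: Optional[str]
    payload: str
    management_info: Optional[str] = None


class ControlDevice:
    def __init__(self, records: Iterable[TerminalRecord]):
        records = list(records)
        self.by_tid: Dict[str, TerminalRecord] = {r.tid: r for r in records}
        self.by_descriptor: Dict[str, TerminalRecord] = {r.descriptor: r for r in records}
        # Learned from the management device's request so the response can be returned.
        self.management_ip: Optional[str] = None
        self.management_protocol: Optional[str] = None

    def resolve(self, selection: dict) -> TerminalRecord:
        """Step 410: the request names the terminal by descriptor or by terminal id."""
        if selection.get("tid") in self.by_tid:
            return self.by_tid[selection["tid"]]
        if selection.get("descriptor") in self.by_descriptor:
            return self.by_descriptor[selection["descriptor"]]
        raise LookupError("terminal not registered on the control device")

    @staticmethod
    def choose_protocol(requested: str, record: TerminalRecord) -> str:
        """Keep the originator's protocol if the accessed end understands it, else pick one it does."""
        return requested if requested in record.protocols else record.protocols[0]

    def forward_access_request(self, msg: Message, selection: dict) -> Message:
        """Step 411: protocol conversion plus source-address rewrite, then on to the intermediary."""
        record = self.resolve(selection)
        self.management_ip, self.management_protocol = msg.src_ip, msg.protocol
        return Message(src_ip=CONTROL_IP, dst_ip=record.intermediary_ip,
                       protocol=self.choose_protocol(msg.protocol, record),
                       tid=record.tid, payload=msg.payload,
                       management_info=msg.management_info)

    def forward_access_response(self, resp: Message) -> Message:
        """Steps 413 to 414: the intermediary's address is replaced, so the management
        device only ever sees the control device's own address."""
        if self.management_ip is None or self.management_protocol is None:
            raise RuntimeError("no outstanding access request")
        return Message(src_ip=CONTROL_IP, dst_ip=self.management_ip,
                       protocol=self.management_protocol, tid=resp.tid, payload=resp.payload)


class Intermediary:
    """Intermediary side of step 411: the port is the last three digits of the terminal id."""

    def __init__(self, mac: str, ip: str):
        self.mac, self.ip = mac, ip

    def deliver(self, msg: Message) -> int:
        if msg.dst_ip != self.ip or msg.tid is None:
            raise ValueError("request not addressed to this intermediary")
        return int(msg.tid[-3:])
```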
In addition, when management information is carried in the terminal access request, the terminal device performs an operation according to this management information. For example, when the management information requires a terminal device acting as a power supply unit to raise or lower the power delivered to the powered object, the terminal device performs the corresponding operation and carries feedback information indicating that the operation was performed in the access response. Alternatively, the terminal device determines the feedback information corresponding to the management information; for example, when the management information requires the terminal device to report its own operating parameters, the terminal device takes its operating parameters as the feedback information and carries this feedback information in the access response.
At this point the access procedure of the present embodiment is complete. Afterwards, the management device and the terminal device can exchange information through the control network device and the intermediary network device, and during this exchange the control network device first performs the source address modification and protocol conversion and then forwards the information. Moreover, after access has succeeded, if the management device wants to manage another terminal device it can select the corresponding terminal device according to the descriptors of step 408 and start directly from step 409, without going through the verification procedure of steps 405 to 407.
As can be seen from the description above, in the present embodiment the control network device modifies the source address of messages coming from the management device and from the intermediary network device to its own IP address, and performs protocol conversion on the messages according to the actual situation of the receiving end. Thus, even when the management device and the intermediary network device use different network protocols, the proxy access system of the present embodiment guarantees normal communication at both ends, so that when building the network an operator can freely choose network devices from any manufacturer according to the networking needs without considering network protocol compatibility, which improves networking flexibility and widens the choice of equipment.
On the one hand, the control network device, the intermediary network device and the terminal device can be regarded as forming a local area network (LAN); any device outside the LAN can only detect the existence of the control network device and cannot find the intermediary network device, and therefore cannot launch an attack against it, so the security of the intermediary network device is effectively guaranteed. On the other hand, the control network device also isolates the management device from other devices, so that the IP address of the management device is protected; an illegal device cannot learn the address of the management device and attack it, so the security of the management device is also effectively guaranteed.
In addition, when the intermediary network device initiates a terminal device registration request to the control network device, the control network device can verify the legitimacy of the intermediary network device, so that an illegal device attempting to impersonate an intermediary network device cannot connect to the control network device; the control network device thereby shields the management device from malicious attacks directed at it, further improving the security of the access procedure.
Likewise, when the management device wishes to connect to the control network device, the control network device verifies the legitimacy of the management device, and only a legal management device that has previously registered can connect successfully. In this way the control network device can shield the intermediary network device from malicious attacks directed at it, further improving the security of the access procedure.
The intermediary network device in the present embodiment can have a dynamic IP address. To guarantee normal communication between it and the control network device, whenever the IP address of the intermediary network device changes it sends the control network device an address update notification carrying the new IP address and its MAC address; the control network device finds each record corresponding to this MAC address according to the received notification and replaces the IP address in those records with the new IP address. In this way, even though the IP address of the intermediary network device is not fixed, the control network device can communicate normally with it and the management device can still be connected smoothly to the terminal device.
In the present embodiment, whenever a new terminal device is connected to an intermediary network device, the procedure of steps 401 to 404 is performed and the control network device refreshes the terminal device information it holds. Moreover, the control network device regularly sends hello packets to the intermediary network device to detect the connection state between them; if the control network device does not receive the hello reply from the intermediary network device within a preset waiting time, it judges that the intermediary network device has disconnected and deletes the records relevant to that intermediary network device from the terminal device information. Similarly, the control network device also regularly sends hello packets to the terminal device through the intermediary network device to detect the connection state of the terminal device; if it does not receive the hello reply from the terminal device within the preset waiting time, it judges that the terminal device has disconnected and deletes the record corresponding to that terminal device from the terminal device information. When the common network protocol between the management device, the control network device and the intermediary network device is telnet, SSH or rlogin, the hello packet here is the keepalive message of the transmission control protocol (TCP) connection; when the PAD protocol is adopted, the hello packet is a keepalive message conforming to the X.25 protocol.
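The address update notification and the hello timeout handling described in the two paragraphs above, as an added Python example that is not taken from the patent; the timeout value, the explicitly passed clock and the record fields are assumptions.

```python
from typing import Dict, List

HELLO_TIMEOUT = 30.0   # constructed: the preset waiting time for a hello reply, in seconds
NEVER = float("-inf")  # marks "no hello reply seen yet"


def keepalive_kind(protocol: str) -> str:
    """Which hello message the text prescribes for a given common network protocol."""
    name = protocol.lower()
    if name in ("telnet", "ssh", "rlogin"):
        return "tcp-keepalive"      # keepalive of the TCP connection
    if name == "pad":
        return "x25-keepalive"      # keepalive conforming to X.25
    raise ValueError(f"no hello message defined for {protocol}")


class TerminalTable:
    """Terminal device information held on the control device, keyed by terminal id."""

    def __init__(self, timeout: float = HELLO_TIMEOUT):
        self.timeout = timeout
        self.records: Dict[str, dict] = {}             # tid -> descriptor, MAC, IP, last reply
        self.intermediary_seen: Dict[str, float] = {}  # intermediary MAC -> time of last reply

    def register(self, tid: str, descriptor: str, mac: str, ip: str, now: float) -> None:
        """Outcome of steps 401 to 404 for one terminal."""
        self.records[tid] = {"descriptor": descriptor, "mac": mac, "ip": ip, "seen": now}
        self.intermediary_seen[mac] = now

    def update_address(self, mac: str, new_ip: str) -> int:
        """Address update notification: every record with this MAC gets the new IP."""
        changed = 0
        for rec in self.records.values():
            if rec["mac"] == mac and rec["ip"] != new_ip:
                rec["ip"] = new_ip
                changed += 1
        return changed

    def hello_reply_from_intermediary(self, mac: str, now: float) -> None:
        self.intermediary_seen[mac] = now

    def hello_reply_from_terminal(self, tid: str, now: float) -> None:
        if tid in self.records:
            self.records[tid]["seen"] = now

    def sweep(self, now: float) -> List[str]:
        """Delete records whose intermediary or terminal has not answered a hello within the
        waiting time; returns the deleted terminal ids."""
        removed: List[str] = []
        for tid, rec in list(self.records.items()):
            last_intermediary = self.intermediary_seen.get(rec["mac"], NEVER)
            intermediary_silent = now - last_intermediary > self.timeout
            terminal_silent = now - rec["seen"] > self.timeout
            if intermediary_silent or terminal_silent:
                removed.append(tid)
                del self.records[tid]
        return removed
```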
In summary, after successfully connecting to the control network device, the management device in the present embodiment requests the control network device to allow it to access the terminal device it wants to manage. The control network device receives the request from the management device indicating access to the terminal device, determines the intermediary network device corresponding to that terminal device, modifies the source address of the request to its own network address, and sends the modified request to the determined intermediary network device. The intermediary network device receives the request from the control network device indicating access to the terminal device and sends the received request to that terminal device.
Further, the intermediary network device determines the port at which the terminal device is attached to it, allocates a terminal identifier to the terminal device according to the determined port, determines the descriptor corresponding to the terminal device, and saves the terminal device information composed of the terminal identifier and the descriptor.
Fig. 5 shows the structure of the control network device in the present embodiment. Referring to Fig. 5, the control network device comprises a communication module, a control module and a storage module. The communication module receives the request indicating access to a terminal device from the management device and sends the request to the control module; it receives from the control module the request indicating access to the terminal device together with the intermediary network device information, and sends the request to that intermediary network device. The control module receives the request indicating access to the terminal device from the communication module, reads the correspondence between terminal devices and intermediary network devices from the storage module, determines the intermediary network device corresponding to this terminal device, and sends the intermediary network device information to the communication module; it also reads from the storage module the network address of the control network device and the network protocols that the intermediary network device can recognise, selects among the protocols read, converts the received request into the form of the selected network protocol, modifies the source address of the request to the network address read, and sends the converted and modified request to the communication module. The storage module holds the correspondence between terminal devices and intermediary network devices, the network address of the control network device and the network protocols that the intermediary network device can recognise.
Further, the communication module receives terminal device information from the intermediary network device and sends the intermediary network device information together with the received terminal device information to the control module; it receives all terminal device information from the control module and sends the received terminal device information to the management device. The control module establishes the correspondence between the intermediary network device information and the terminal device information and sends this correspondence to the storage module; it also reads all terminal device information from the storage module and sends the terminal device information read to the communication module.
In addition, the communication module in the present embodiment can also receive the access response from the intermediary network device and send it to the control module, and receive the access response from the control module and send it to the management device. The control module receives the access response from the communication module, modifies the source address of the access response to the network address of the control network device, and sends the modified access response to the communication module.
Fig. 6 shows another structure of the control network device in the present embodiment. In this figure, the control network device further comprises a verification module in addition to the communication module, the control module and the storage module. The verification module receives from the communication module the verification information from the access originating end or the accessed end, reads the verification information of legal access originating ends or accessed ends from the storage module, performs legitimacy verification of the access originating end or accessed end according to the verification information read and the verification information received, and sends the verification result to the communication module. The communication module receives the verification information from the access originating end or the accessed end, sends the received verification information to the verification module, receives the verification result from the verification module, and when the verification result indicates that verification passed, indicates to the access originating end or the accessed end that verification succeeded.
Specifically, the control module in Fig. 6 is identical to the control module in Fig. 5; the storage module, in addition to the information held by the storage module in Fig. 5, also holds the preset cryptographic algorithm and key and the information of legal management devices. In addition, the communication module receives the registration request from the intermediary network device, sends the received registration request to the verification module, receives the intermediary network device verification result from the verification module, and when this verification result indicates that verification passed, indicates to the intermediary network device that verification succeeded and sends the intermediary network device information, terminal identifier and descriptor carried in the registration request to the control module. This communication module also receives the connection establishment request from the management device, sends the received connection establishment request to the verification module, receives the management device verification result from the verification module, and when this verification result indicates that verification passed, indicates to the management device that the connection was established successfully. The verification module is used to receive the registration request from the communication module, obtain the ciphertext from the request, read the cryptographic algorithm and key from the storage module, decrypt the ciphertext with this cryptographic algorithm to obtain a decryption result, and when the decryption result is identical to the key read, set the intermediary network device verification result to "passed" and send the result to the communication module. This verification module also receives the connection establishment request from the communication module, extracts the management device information from the request, searches the legal management device information held in the storage module for a record consistent with the extracted management device information, and when a consistent record is found, sets the management device verification result to "passed" and sends the result to the communication module.
Embodiment 2
The present embodiment is a proxy access system in which the terminal device actively initiates access. The present embodiment can still adopt the structure of the proxy access system shown in Fig. 3. Referring to Fig. 3, the system comprises: a management device, a control network device, an intermediary network device and a terminal device. The management device and the control network device have fixed IP addresses; the terminal device first initiates access through the intermediary network device, and before forwarding information from the intermediary network device, the control network device converts the information into a network protocol that the management device can recognise and modifies the source IP address to its own IP address. In this way the present embodiment can guarantee normal communication between the devices and at the same time improve the security of the access procedure.
Correspondingly, in the present embodiment, when access is performed, after the control network device receives the access request from the terminal device it performs protocol conversion on the access request according to a network protocol that the management device can recognise, modifies the source IP address of the request to its own network address, and forwards the converted and modified access request to the management device. The technical scheme of the present embodiment is described below taking a proxy access system applied to banking as an example.
Fig. 7 shows the flow chart of the proxy access method in the present embodiment. Referring to Fig. 7, the method comprises:
In steps 701 to 703, the front-end processor sends a connection establishment request to the control network device, requesting a connection with it; the control network device verifies the front-end processor according to the received verification identifier, and when the verification result indicates success, indicates to the front-end processor that the connection was established successfully.
In the present embodiment the front-end processor serves as the management device, and the operation here is identical to the operation of steps 405 to 407 in Embodiment 1.
In steps 704 to 705, the intermediary network device determines the port at which the terminal device is attached to it, and sends a registration request to the control network device, requesting registration of the intermediary network device.
In general, the intermediary network device has synchronous/asynchronous ports, and the terminal device is connected to a synchronous/asynchronous port of the intermediary network device through a synchronous/asynchronous cable. Here, after determining the synchronous/asynchronous port to which each terminal device is connected, the intermediary network device performs a cryptographic operation on the correspondence between port numbers and terminals and the predetermined key using the predetermined cryptographic algorithm, carries the encryption result in the registration request, and sends it to the control network device, requesting that the intermediary network device be registered on the control network device.
In steps 706 to 708, the control network device verifies the intermediary network device; if verification passes, it determines the listening port of the terminal device on the control network device, allocates a terminal identifier to the terminal device, indicates to the intermediary network device that registration succeeded, and sends the terminal identifier to the front-end processor.
To guarantee the legitimacy of the intermediary network device, after receiving the registration request from the intermediary network device the control network device reads the encryption result from it and performs a decryption operation with the predetermined cryptographic algorithm; if the key obtained is identical to the key it holds, it judges that the intermediary network device passed verification. Otherwise, if the key obtained differs from the key held in the control network device, it judges that verification of the intermediary network device failed and ends the process.
When verification passes, the control network device assigns its listening ports to terminal devices one-to-one, for example listening port 8000 is used to listen for terminal device 1, and the listening port number is then the terminal identifier of that terminal device. To guarantee that the path to each terminal device can be determined in the subsequent communication, the control network device, as in Embodiment 1, records the terminal identifier and the IP address and MAC address of the intermediary network device it belongs to in the terminal device information record. The control network device then sends the terminal identifier of each terminal device to the front-end processor, and the source address of the message carrying this information is the network address of the control network device, for example its IP address.
The intermediary network device can also carry the descriptor of each terminal device in the registration request; after determining the terminal identifier, the control network device adds the descriptor to the terminal device information record to establish the correspondence between terminal identifier and descriptor, and attaches the corresponding descriptor when sending the terminal identifier to the front-end processor.
There is no strict ordering requirement between steps 701 to 703 and steps 704 to 706: the operations of steps 704 to 706 can be performed first, followed by the operations of steps 701 to 703.
In step 709, the front-end processor establishes the correspondence between the terminal device and a virtual device.
In the present embodiment, the front-end processor holds in advance a plurality of application programs called virtual devices; these virtual devices can perform the same operations as the terminal device, i.e. when the corresponding virtual device is executed with the information transmitted by the terminal device, the same result is obtained as from the terminal device. Because the front-end processor discovers the existence of the terminal device for the first time here, it allocates a virtual device to this terminal device, establishing the correspondence between the terminal device and the virtual device, in order to manage the terminal device. After the front-end processor has established the correspondence between the terminal device and the virtual device, the preparation for access by the terminal device is complete.
In steps 710 to 713, the terminal device sends an access request to the control network device through the intermediary network device, requesting access to the front-end processor; the control network device performs protocol conversion on the received access request according to a network protocol that the front-end processor can recognise, modifies the source IP address of the access request to its own IP address, determines the terminal identifier of the terminal device that initiated access, carries the terminal identifier in the modified access request, and sends it to the front-end processor through the listening port corresponding to the terminal device; after receiving the access request, the front-end processor puts the virtual device corresponding to the terminal identifier in the access request into the running state and accepts the access request of this terminal device.
When the control network device receives the access request from the terminal device, it looks up the terminal identifier of that terminal device and thereby determines the listening port. It also modifies the source IP address of the access request sent to the front-end processor to its own IP address, so that the outside world cannot learn the IP address of the intermediary network device.
The control network device is connected to the front-end processor through a protocol such as TCP. In normal operation the front-end processor monitors every listening port of the control network device; when it finds an access request forwarded on a particular listening port, it can determine which terminal device initiated the access. The front-end processor then searches the correspondence between terminal identifiers and virtual devices that it holds: if it finds a record matching the terminal identifier carried in the access request, it starts the virtual device so that the virtual device can receive information from this terminal device in the subsequent process and perform the corresponding operations; if no matching record is found, the process ends.
In steps 714 to 716, the front-end processor sends an access response corresponding to the terminal device's access request to the control network device. The control network device performs protocol conversion on the access response according to the network protocol the intermediary network device can recognize, modifies the source address of the access response to its own IP address, and then forwards the access response to the terminal device through the intermediary network device, indicating that access has succeeded.
Here the control network device determines, from the terminal identifier it holds, the intermediary network device corresponding to this terminal device, and sends the access response, with its source IP address modified and its protocol converted, to that intermediary network device. When the intermediary network device receives the access response from the control network device, it determines the synchronous/asynchronous port to which this terminal device is connected and sends the access response to the corresponding terminal device through that port. The front-end processor may also carry, in the access response, management information intended for the terminal device, and the terminal device performs the corresponding operations according to that management information.
This completes the access procedure of this embodiment. Thereafter the front-end processor and the terminal device can exchange information through the control network device and the intermediary network device; during this exchange, the control network device first modifies the source address and then forwards the information.
As the above description shows, in this embodiment the control network device performs protocol conversion on the messages coming from the front-end processor and from the intermediary network device, and modifies the source address of those messages to its own IP address. The protocol conversion avoids the communication failure that would result from the front-end processor and the intermediary network device using different network protocols, ensuring that the access procedure proceeds normally. The control network device, the intermediary network device and the terminal device form a local area network (LAN); any device outside the LAN can only detect the existence of the control network device and cannot discover the intermediary network device, so it cannot launch an attack against it, and the security of the intermediary network device is effectively assured. On the other hand, the control network device also isolates the front-end processor from other devices, so the IP address of the front-end processor is protected: an illegitimate device cannot learn the address of the front-end processor and attack it, so the security of the front-end processor is also effectively assured.
As in embodiment 1, when the front-end processor or the intermediary network device requests a connection with the control network device, the control network device in this embodiment starts the legitimacy verification operation. On the one hand, this prevents an illegitimate device impersonating the intermediary network device from establishing a connection with the control network device, so the control network device shields the front-end processor from malicious attacks; on the other hand, only a legitimate front-end processor that has previously registered can successfully connect, so malicious attacks aimed at the intermediary network device are shielded as well. This further improves the security of the access procedure.
As in embodiment 1, whenever the IP address of the intermediary network device in this embodiment changes, it sends an address update notification carrying the new IP address and its MAC address to the control network device. Based on the received address update notification, the control network device finds every record corresponding to that MAC address in its terminal device information records and replaces the IP address in those records with the new IP address. In this way, even when the IP address of the intermediary network device is not fixed, the control network device can still communicate normally with the intermediary network device, and the terminal device can still access the front-end processor smoothly.
The control network device in this embodiment also periodically sends hello packets to the intermediary network device and the terminal device to detect their connection status.
In summary, after the intermediary network device has successfully established a connection with the control network device, the terminal device in this embodiment requests, through the intermediary network device, that the control network device allow it to access the management device. The control network device receives the request from the terminal device indicating that it wants to access the management device, performs protocol conversion on the access request according to the network protocol the management device can recognize, modifies the source address of the request to its own network address, and sends the modified request to the management device. The intermediary network device receives the request from the terminal device indicating access to the management device and sends the received request on to the control network device.
Further, the control network device determines the listening port on itself that corresponds to the terminal device, assigns a terminal identifier to the terminal device according to the determined listening port, determines the description information corresponding to the terminal device, and stores the terminal identifier and the description information.
This embodiment can still use the structure of the control network device shown in Fig. 5. Referring to Fig. 5, the control network device in this embodiment comprises a communication module, a control module and a storage module. The communication module receives the request indicating access to the management device from the intermediary network device and sends it to the control module; it receives the request indicating access to the management device from the control module and sends it to the management device. The control module receives the request indicating access to the management device from the communication module, reads the network address of the control network device from the storage module, performs protocol conversion on the received request according to the network protocol the management device can recognize, modifies the source address of the request to the network address it read, and sends the converted and modified request to the communication module. The storage module holds the network address of the control network device and the network protocol the management device can recognize.
In addition, in this embodiment the storage module also holds the correspondence between terminal device information and intermediary network devices. The communication module receives terminal device information from the control module and sends it to the front-end processor. The control module determines the listening port on the control network device corresponding to each terminal device, uses this listening port information as the terminal device information, establishes the correspondence between intermediary network device information and terminal device information, sends this correspondence to the storage module, reads all terminal device information from the storage module and sends it to the communication module.
The communication module can also receive the access response from the management device and send it to the control module, and receive the access response together with the intermediary network device information from the control module and send the access response to that intermediary network device. Correspondingly, the control module receives the access response from the communication module, obtains the terminal device identifier from the access response, reads from the storage module the network address of the control network device, the intermediary network device information corresponding to this terminal device identifier and the network protocol the intermediary network device can recognize, converts the access response into the format of that network protocol, modifies the source address of the access response to the network address of the control network device it read, and sends the converted and modified access response together with the intermediary network device information to the communication module.
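As an added illustration (not code from the patent or from the applicant), the following Python model plays the roles of the control network device and the front-end processor for steps 709 to 716 above, together with the address update notification and the periodic hello check. The two wire formats (a line-framed intermediary side and a JSON front-end side), the addresses, the terminal identifier scheme (listening port number) and the check that an access request arrives from the intermediary on record are all constructed assumptions:

```python
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class TerminalRecord:
    terminal_id: str       # identifier derived from the listening port number
    listen_port: int       # port the front-end processor monitors for this terminal
    intermediary_mac: str  # stable key used when the intermediary's IP changes
    intermediary_ip: str   # current IP of the intermediary network device
    serial_port: int       # sync/async port on the intermediary that reaches the terminal
    last_seen: float       # time of the last hello reply from the terminal


class ControlNetworkDevice:
    """Proxy between the intermediary side (constructed line framing
    'ACCESS <terminal_id> <payload>') and the front-end side (constructed JSON)."""
    def __init__(self, own_ip: str = "10.0.0.1", hello_timeout: float = 30.0) -> None:
        self.own_ip = own_ip  # constructed: the control network device's own address
        self.hello_timeout = hello_timeout
        self.records: Dict[str, TerminalRecord] = {}
        self._next_port = 40001

    def register_terminal(self, mac: str, ip: str, serial_port: int, now: float) -> str:
        port, self._next_port = self._next_port, self._next_port + 1
        tid = f"T{port}"  # terminal identifier taken from the listening port
        self.records[tid] = TerminalRecord(tid, port, mac, ip, serial_port, now)
        return tid

    def forward_access_request(self, src_ip: str, frame: str) -> Optional[Tuple[int, str]]:
        """Steps 710 to 713: convert, rewrite the source address, pick the listening port."""
        parts = frame.split(" ", 2)
        if len(parts) != 3 or parts[0] != "ACCESS":
            return None
        rec = self.records.get(parts[1])
        # Added check (not in the text): accept only from the intermediary on record.
        if rec is None or rec.intermediary_ip != src_ip:
            return None
        msg = {"type": "access_request", "terminal_id": rec.terminal_id,
               "payload": parts[2], "src_ip": self.own_ip}
        return rec.listen_port, json.dumps(msg)

    def forward_access_response(self, response: str) -> Optional[Tuple[str, str, str]]:
        """Steps 714 to 716: return (intermediary IP, rewritten source IP, converted frame)."""
        msg = json.loads(response)
        rec = self.records.get(msg.get("terminal_id", ""))
        if rec is None:
            return None
        frame = f"RESPONSE {rec.serial_port} {msg['result']} {msg.get('management', '')}"
        return rec.intermediary_ip, self.own_ip, frame

    def handle_address_update(self, mac: str, new_ip: str) -> int:
        """Address update notification: replace the IP in every record with this MAC."""
        changed = 0
        for rec in self.records.values():
            if rec.intermediary_mac == mac:
                rec.intermediary_ip = new_ip
                changed += 1
        return changed

    def expire_stale(self, now: float) -> List[str]:
        """Periodic hello check: delete records whose terminal stopped answering."""
        stale = [t for t, r in self.records.items() if now - r.last_seen > self.hello_timeout]
        for t in stale:
            del self.records[t]
        return stale


class FrontEndProcessor:
    """Holds the terminal-to-virtual-device mapping (step 709) and starts the device."""
    def __init__(self) -> None:
        self.virtual_devices: Dict[str, str] = {}  # terminal_id -> virtual device name
        self.running: Set[str] = set()

    def accept_access(self, listen_port: int, request: str) -> Optional[str]:
        msg = json.loads(request)
        vdev = self.virtual_devices.get(msg["terminal_id"])
        if vdev is None:
            return None  # no matching record: the process ends
        self.running.add(vdev)
        return json.dumps({"type": "access_response", "terminal_id": msg["terminal_id"],
                           "result": "ok", "management": f"run:{vdev}"})


def demo() -> dict:
    """One round trip on constructed data, then an address change and a hello timeout."""
    cnd, fep = ControlNetworkDevice(), FrontEndProcessor()
    tid = cnd.register_terminal("00:11:22:33:44:55", "192.168.1.20", 3, now=0.0)
    fep.virtual_devices[tid] = "vdev-A"
    port, req = cnd.forward_access_request("192.168.1.20", f"ACCESS {tid} hello")
    dst_ip, src_ip, frame = cnd.forward_access_response(fep.accept_access(port, req))
    moved = cnd.handle_address_update("00:11:22:33:44:55", "192.168.1.99")
    return {"tid": tid, "port": port, "req_src": json.loads(req)["src_ip"], "dst_ip": dst_ip,
            "src_ip": src_ip, "frame": frame, "moved": moved,
            "new_ip_ok": cnd.forward_access_request("192.168.1.99", f"ACCESS {tid} x") is not None,
            "old_ip_rejected": cnd.forward_access_request("192.168.1.20", f"ACCESS {tid} x") is None,
            "expired": cnd.expire_stale(now=100.0)}
```

The front-end processor only ever sees `src_ip` equal to the control network device's own address, which is the isolation property the text claims; the MAC-keyed update is what lets the mapping survive an intermediary address change without re-registration, and the hello timeout is the cleanup of claim 11.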
This embodiment also includes another kind of control network device, whose structure is the same as that of the control network device shown in Fig. 6. Referring to Fig. 6, this control network device comprises an authentication module in addition to the communication module, control module and storage module. The basic function of each module is the same as in embodiment 1; only the specific operations differ slightly.
Specifically, in addition to the information held by the storage module of Fig. 5 in this embodiment, the storage module also holds a preset encryption algorithm and key, and the information of the legitimate management devices. The communication module also receives the registration request from the intermediary network device, sends it to the authentication module, receives the intermediary network device verification result from the authentication module and, when that result indicates that verification passed, indicates successful registration to the intermediary network device and sends the intermediary network device information and terminal device information carried in the registration request to the control module. The communication module also receives the connection establishment request from the management device, sends it to the authentication module, receives the management device verification result from the authentication module and, when that result indicates that verification passed, indicates to the management device that the connection has been established. The authentication module receives the registration request from the communication module, obtains the ciphertext from the request, reads the encryption algorithm and key from the storage module, decrypts the ciphertext with that encryption algorithm to obtain the decryption result and, when the decryption result is identical to the key it read, sets the intermediary network device verification result to "passed" and sends that result to the communication module. The authentication module also receives the connection establishment request from the communication module, extracts the management device information from the request, searches the legitimate management device information held in the storage module for a record consistent with the extracted management device information and, when a consistent record is found, sets the management device verification result to "passed" and sends that result to the communication module.
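An added example (not the patent's or the applicant's code) of the Fig. 6 authentication flow just described: the registration check decrypts the carried ciphertext with the stored key and passes only when the result equals the key, and the connection check looks the extracted management device information up in the stored list of legitimate management devices. The SHA-256 counter keystream standing in for the unspecified "preset encryption algorithm", the key, the device names and the module interfaces are constructed assumptions:

```python
import hashlib
import hmac
from typing import Callable, Dict, List, Tuple

Decrypt = Callable[[bytes, bytes], bytes]


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Constructed symmetric stand-in: XOR with a SHA-256 counter keystream.
    The same function encrypts and decrypts; it is not a recommendation."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class StorageModule:
    """Fig. 6 storage module: preset algorithm and key plus the legitimate management devices."""
    def __init__(self, key: bytes, decrypt: Decrypt, legal_management_devices: List[str]) -> None:
        self.key = key
        self.decrypt = decrypt
        self.legal_management_devices = set(legal_management_devices)


class AuthenticationModule:
    def __init__(self, storage: StorageModule) -> None:
        self.storage = storage

    def verify_intermediary(self, registration_request: Dict) -> bool:
        """Decrypt the carried ciphertext with the stored key; pass only if the result
        equals the key. The constant-time compare does not leak how many bytes matched."""
        ciphertext = registration_request.get("ciphertext")
        if not isinstance(ciphertext, (bytes, bytearray)):
            return False
        try:
            plaintext = self.storage.decrypt(self.storage.key, bytes(ciphertext))
        except Exception:
            return False
        return hmac.compare_digest(plaintext, self.storage.key)

    def verify_management_device(self, connect_request: Dict) -> bool:
        """Look the extracted management device information up in the legitimate list."""
        info = connect_request.get("management_device")
        return isinstance(info, str) and info in self.storage.legal_management_devices


class CommunicationModule:
    """Routes requests to the authentication module and releases the carried device
    information to the control module only when verification passed."""
    def __init__(self, auth: AuthenticationModule) -> None:
        self.auth = auth
        self.to_control_module: List[Dict] = []

    def on_registration(self, request: Dict) -> str:
        if not self.auth.verify_intermediary(request):
            return "registration rejected"
        self.to_control_module.append({"intermediary": request.get("intermediary"),
                                       "terminals": request.get("terminals", [])})
        return "registration succeeded"

    def on_connect(self, request: Dict) -> str:
        if self.auth.verify_management_device(request):
            return "connection established"
        return "connection rejected"


def build() -> Tuple[CommunicationModule, bytes]:
    """Wire the modules with a constructed key and one constructed legitimate device."""
    key = b"constructed-preshared-key-for-demo"
    storage = StorageModule(key, keystream_xor, ["fep-01"])
    return CommunicationModule(AuthenticationModule(storage)), key
```

One point the text leaves open: with a deterministic algorithm, the ciphertext of the key under itself is the same in every registration request, so a request observed once would pass verification again later. A defender implementing this would have the control network device issue a fresh random challenge for the intermediary to encrypt, and compare the decryption against that challenge rather than against the key.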
Embodiment 1 may also assign terminal identifiers to terminal devices in the manner of embodiment 2, in which case steps 704 to 707 replace steps 401 to 404 of Fig. 4 in the access procedure; likewise, embodiment 2 may assign terminal identifiers in the manner of embodiment 1, in which case steps 401 to 404 replace steps 704 to 707 of Fig. 7. In both cases there is no strict ordering between steps 704 to 707 and steps 405 to 407.
The above are only preferred embodiments of the present invention and are not intended to limit it. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included within the protection scope of the present invention.

Claims (21)

1. A proxy access method, characterized in that a control network device is set between an access originating end and an accessed end, and the method comprises:
the control network device receives an access request from the access originating end, performs protocol conversion on the access request according to the network protocol the accessed end can recognize, modifies the source address of the access request to its own network address, and then sends the access request to the accessed end.
2. The method of claim 1, characterized in that the method further comprises: the control network device determines in advance the network protocol the accessed end can recognize, and stores it;
said performing protocol conversion on the access request according to the network protocol the accessed end can recognize is: the control network device determines, from the received access request, the network protocol used by the access originating end; when the network protocol used by the access originating end cannot be recognized by the accessed end, it selects a network protocol from the stored protocols the accessed end can recognize and converts the access request into a format conforming to the selected network protocol.
3. The method of claim 1, characterized in that the access originating end is a management device and the accessed end comprises an intermediary network device and a terminal device;
before the control network device receives the access request from the access originating end, the method further comprises: the intermediary network device sends terminal device information to the control network device, and the control network device establishes the correspondence between the intermediary network device and the terminal device;
said sending the access request to the accessed end is: the control network device determines the terminal device to be accessed from the received access request, determines the intermediary network device corresponding to that terminal device from the correspondence between intermediary network devices and terminal devices, and sends the access request to the determined intermediary network device, which in turn forwards the received access request to the terminal device.
4. The method of claim 3, characterized in that before the control network device receives the access request from the access originating end, the method further comprises:
the control network device provides terminal device information to the management device; the management device selects the terminal device to be accessed according to the terminal device information and sends to the control network device an access request carrying the information of the terminal device to be accessed.
5. The method of claim 1, characterized in that the access originating end comprises an intermediary network device and a terminal device, and the accessed end is a management device;
before the control network device receives the access request from the access originating end, the method further comprises: the intermediary network device sends terminal device information to the control network device; the control network device establishes the correspondence between the intermediary network device and the terminal device and provides the terminal device information to the management device; the management device establishes the correspondence between the terminal device and a virtual device;
after the access request is sent to the accessed end, the method further comprises: the management device determines, from the received access request, the terminal device that initiated the access, and places the virtual device corresponding to that terminal device into the running state.
6. The method of claim 3 or 5, characterized in that before the intermediary network device sends the terminal device information to the control network device, the method further comprises: the intermediary network device determines the port of the terminal device on itself, assigns a terminal identifier to the terminal device according to the determined port, and uses the assigned terminal identifier as the terminal device information.
7. The method of claim 6, characterized in that the terminal identifier comprises: a random number and the port number of the terminal device on the intermediary network device; or a random number, the port number of the terminal device on the intermediary network device and the medium access control (MAC) address of the intermediary network device.
8. The method of claim 3 or 5, characterized in that before the intermediary network device sends the terminal device information to the control network device, the method further comprises: the intermediary network device determines the port of the terminal device on itself;
said sending the terminal device information to the control network device is: sending the number of terminal devices and their ports on the intermediary network device to the control network device;
before establishing the correspondence between the intermediary network device and the terminal device, the method further comprises: the control network device determines the listening port of the terminal device on itself and uses the listening port number as the terminal identifier of the terminal device;
said providing the terminal device information to the management device is: providing the terminal identifier of the terminal device to the management device.
9. The method of claim 4 or 5, characterized in that before the terminal device information is sent to the control network device, the method further comprises: the control network device performs legitimacy verification on the intermediary network device and, when verification passes, the terminal device information is sent to the control network device;
and/or, before the terminal device information is provided to the management device, the method further comprises: the control network device performs legitimacy verification on the management device and, when verification passes, the terminal device information is provided to the management device.
10. The method of claim 3 or 5, characterized in that the method further comprises: when the intermediary network device detects that its own IP address has changed, it sends the changed IP address to the control network device, and the control network device updates the IP address of the intermediary network device in its own records.
11. The method of claim 3 or 5, characterized in that the method further comprises: the control network device detects, at a predetermined period, the connection status of the intermediary network device or the terminal device, and when it determines that the intermediary network device or the terminal device is in the disconnected state, deletes the correspondence between that intermediary network device and terminal device.
12. The method of claim 1, characterized in that after the access request is sent to the accessed end, the method further comprises: the control network device receives an access response from the accessed end, performs protocol conversion on the response according to the network protocol the access originating end can recognize, modifies the source address of the response to its own network address, and then sends the access response to the access originating end.
13. The method of claim 1 or 12, characterized in that the network address is the IP address or the MAC address of the control network device.
14. A control network device, characterized in that the device comprises a communication module and a control module, wherein
the communication module receives an access request from the access originating end and sends the access request to the control module; receives the access request from the control module and sends the access request to the accessed end;
the control module receives the access request from the communication module, performs protocol conversion on the access request according to the network protocol the accessed end can recognize, modifies the source address of the access request to its own network address, and then sends the access request to the communication module.
15. The control network device of claim 14, characterized in that the control network device further comprises a storage module, which holds the network protocol the accessed end can recognize and the network address of the control network device;
the control module further reads from the storage module the network protocol the accessed end can recognize, determines from the received access request the network protocol used by the access originating end, and when the network protocol used by the access originating end cannot be recognized by the accessed end, selects a network protocol from the stored protocols the accessed end can recognize, converts the access request into a format conforming to the selected network protocol, and reads the network address of the control network device from the storage module.
16. The control network device of claim 15, characterized in that the access originating end is a management device and the accessed end comprises an intermediary network device and a terminal device; or the access originating end comprises an intermediary network device and a terminal device, and the accessed end is a management device;
the communication module further receives terminal device information from the intermediary network device, sends the intermediary network device information and the received terminal device information to the control module, receives all terminal device information from the control module, and sends the received terminal device information to the management device;
the control module establishes the correspondence between intermediary network device information and terminal device information, sends this correspondence to the storage module, reads all terminal device information from the storage module, and sends the terminal device information it read to the communication module;
the storage module further holds the correspondence between intermediary network device information and terminal device information.
17. The control network device of claim 16, characterized in that the control module is further used to determine the listening port on the control network device corresponding to each terminal device, use this listening port information as the terminal device information, and establish the correspondence between intermediary network device information and terminal device information.
18. The control network device of claim 15, characterized in that the control network device further comprises an authentication module, used to receive verification information of the access originating end or of the accessed end from the communication module, read the verification information of legitimate access originating ends or accessed ends from the storage module, perform legitimacy verification on the access originating end or the accessed end according to the verification information it read and the verification information it received, and send the verification result to the communication module;
the communication module further receives verification information from the access originating end or the accessed end, sends the received verification information to the authentication module, receives the verification result from the authentication module and, when that result indicates that verification passed, indicates successful verification to the access originating end or the accessed end.
19. The control network device of any one of claims 14 to 18, characterized in that the communication module further receives an access response from the accessed end and sends the access response to the control module; receives the access response from the control module and sends the access response to the access originating end;
the control module receives the access response from the communication module, performs protocol conversion on the response according to the network protocol the access originating end can recognize, modifies the source address of the access response to its own network address, and then sends the access response to the communication module.
20. A proxy access system, characterized in that it comprises: an access originating end, a control network device and an accessed end, wherein
the access originating end sends an access request to the control network device;
the control network device performs protocol conversion on the received access request according to the network protocol the access originating end can recognize, modifies the source address in the access request to its own network address, and then sends the access request to the accessed end.
21. The system of claim 20, characterized in that the access originating end is a management device and the accessed end comprises an intermediary network device and a terminal device; or the access originating end comprises an intermediary network device and a terminal device, and the accessed end is a management device.
CNB2007101030502A 2007-05-16 2007-05-16 Proxy access method, control network device and proxy access system Expired - Fee Related CN100574237C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2007101030502A CN100574237C (en) 2007-05-16 2007-05-16 Proxy access method, control network device and proxy access system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNB2007101030502A CN100574237C (en) 2007-05-16 2007-05-16 Proxy access method, control network device and proxy access system

Publications (2)

Publication Number Publication Date
CN101060454A true CN101060454A (en) 2007-10-24
CN100574237C CN100574237C (en) 2009-12-23

Family

ID=38866357

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2007101030502A Expired - Fee Related CN100574237C (en) 2007-05-16 2007-05-16 Proxy access method, control network device and proxy access system

Country Status (1)

Country Link
CN (1) CN100574237C (en)

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103166960A (en) * 2013-03-01 2013-06-19 北京神州绿盟信息安全科技股份有限公司 Access control method and access control device
CN103650457A (en) * 2013-06-26 2014-03-19 华为技术有限公司 Detection method, device and terminal device of share access
CN103685587A (en) * 2012-09-07 2014-03-26 深圳市腾讯计算机系统有限公司 Method and device for assigning MAC (Media Access Control) address
CN104038401A (en) * 2013-03-08 2014-09-10 国际商业机器公司 Interoperability for distributed overlay virtual environments
CN105610786A (en) * 2014-11-14 2016-05-25 三星电子株式会社 Method and apparatus for registering a device for use
CN105843804A (en) * 2015-01-12 2016-08-10 镇裕贸易股份有限公司 After-sale customer service management system
CN106302035A (en) * 2015-05-26 2017-01-04 美的集团股份有限公司 Communication method of home appliance system and home appliance system
US9602307B2 (en) 2013-03-14 2017-03-21 International Business Machines Corporation Tagging virtual overlay packets in a virtual networking system
CN107241565A (en) * 2017-05-02 2017-10-10 苏州科达科技股份有限公司 Multimedia conference system and communication method thereof
CN107707534A (en) * 2017-09-22 2018-02-16 深圳市盛路物联通讯技术有限公司 Data forwarding method and device
CN107809348A (en) * 2017-09-19 2018-03-16 广西电网有限责任公司电力科学研究院 Terminal state monitoring method for power grid big data distributed system
US9923732B2 (en) 2013-03-12 2018-03-20 International Business Machines Corporation Virtual gateways and implicit routing in distributed overlay virtual environments
CN108900503A (en) * 2018-06-27 2018-11-27 努比亚技术有限公司 Data communication method, communication processing device, terminal and readable storage medium

Cited By (23)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103685587B (en) * 2012-09-07 2018-07-17 深圳市腾讯计算机系统有限公司 Method and device for assigning medium access control (MAC) address
CN103685587A (en) * 2012-09-07 2014-03-26 深圳市腾讯计算机系统有限公司 Method and device for assigning MAC (Media Access Control) address
CN103166960A (en) * 2013-03-01 2013-06-19 北京神州绿盟信息安全科技股份有限公司 Access control method and access control device
US9749145B2 (en) 2013-03-08 2017-08-29 International Business Machines Corporation Interoperability for distributed overlay virtual environment
CN104038401B (en) * 2013-03-08 2017-05-10 国际商业机器公司 Method and system for interoperability for distributed overlay virtual environments
CN104038401A (en) * 2013-03-08 2014-09-10 国际商业机器公司 Interoperability for distributed overlay virtual environments
US10541836B2 (en) 2013-03-12 2020-01-21 International Business Machines Corporation Virtual gateways and implicit routing in distributed overlay virtual environments
US9923732B2 (en) 2013-03-12 2018-03-20 International Business Machines Corporation Virtual gateways and implicit routing in distributed overlay virtual environments
US9602307B2 (en) 2013-03-14 2017-03-21 International Business Machines Corporation Tagging virtual overlay packets in a virtual networking system
WO2014205703A1 (en) * 2013-06-26 2014-12-31 华为技术有限公司 Method and device for detecting shared access, and terminal device
CN103650457A (en) * 2013-06-26 2014-03-19 华为技术有限公司 Detection method, device and terminal device of share access
CN105610786B (en) * 2014-11-14 2021-03-23 三星电子株式会社 Method and apparatus for registering device to be used
CN105610786A (en) * 2014-11-14 2016-05-25 三星电子株式会社 Method and apparatus for registering a device for use
US10757096B2 (en) 2014-11-14 2020-08-25 Samsung Electronics Co., Ltd Method and apparatus for registering a device for use
CN105843804A (en) * 2015-01-12 2016-08-10 镇裕贸易股份有限公司 After-sale customer service management system
CN106302035A (en) * 2015-05-26 2017-01-04 美的集团股份有限公司 Communication method of appliance system and appliance system
CN106302035B (en) * 2015-05-26 2019-11-29 美的集团股份有限公司 Communication method of appliance system and appliance system
CN107241565A (en) * 2017-05-02 2017-10-10 苏州科达科技股份有限公司 Multimedia conference system and communication method thereof
CN107241565B (en) * 2017-05-02 2020-03-31 苏州科达科技股份有限公司 Multimedia conference system and communication method thereof
CN107809348A (en) * 2017-09-19 2018-03-16 广西电网有限责任公司电力科学研究院 Terminal state monitoring method for power grid big data distributed system
CN107809348B (en) * 2017-09-19 2021-04-20 广西电网有限责任公司电力科学研究院 Terminal state monitoring method for power grid big data distributed system
CN107707534A (en) * 2017-09-22 2018-02-16 深圳市盛路物联通讯技术有限公司 Data forwarding method and device
CN108900503A (en) * 2018-06-27 2018-11-27 努比亚技术有限公司 Data communication method, communication processing device, terminal and readable storage medium

Also Published As

Publication number Publication date
CN100574237C (en) 2009-12-23

Similar Documents

Publication Publication Date Title
CN101060454A (en) Proxy access method, control network equipment and proxy access system
JP6550179B2 (en) Dynamic VPN Address Allocation
US11425202B2 (en) Session processing method and device
JP6976411B2 (en) Network access methods and devices as well as network devices
US11317340B2 (en) Method and device for enabling access of an unconfigured device to a network hotspot device
US8418242B2 (en) Method, system, and device for negotiating SA on IPv6 network
CN1992585A (en) Method and apparatus for secure communication between user facility and internal network
CN110800331A (en) Network verification method, related equipment and system
CN1929398A (en) Security setting method in wireless communication network, storage medium, network system and client device
CN1722661A (en) Authentication system, network line concentrator, authentication method and authentication procedure
JP2008518533A (en) Method and system for transparently authenticating mobile users and accessing web services
CN1879382A (en) Method, apparatus and program for establishing encrypted communication channel between apparatuses
CN1855926A (en) Method and system for contributing DHCP addresses safely
CN1918887A (en) Method and system for proxy-based secure end-to-end tcp/ip communications
US20080267395A1 (en) Apparatus and method for encrypted communication processing
CN1941695A (en) Method and system for generating and distributing key during initial access network process
CN101039181A (en) Method for preventing service function entity of general authentication framework from attack
CN1540944A (en) Network insertion system
CN116471586A (en) Data processing method, device and readable storage medium
CN1790985A (en) Method for realizing synchronous identification between different identification control equipments
CN1571409A (en) A method of safety authentication between media gateway and media gateway controller
CN1901478A (en) Network managing method based on SNMP
US8646066B2 (en) Security protocol control apparatus and security protocol control method
CN1767493A (en) System and method for realizing VOIP service crossing LAN
CN1728636A (en) Method of attestation at client end

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP03 Change of name, title or address
CP03 Change of name, title or address

Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.

Patentee after: Xinhua three Technology Co., Ltd.

Address before: 310053 Hangzhou science and Technology Industrial Park, high tech Industrial Development Zone, Zhejiang Province, No. six and road, No. 310

Patentee before: Huasan Communication Technology Co., Ltd.

CF01 Termination of patent right due to non-payment of annual fee
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20091223

Termination date: 20200516