CN101304328A - Multicast authentication method, authentication equipment and multicast authentication server - Google Patents


Publication number: CN101304328A
Authority: CN (China)
Prior art keywords: multicast, data message, authentication, source address, message
Legal status: Pending
Application number: CNA2008101163937A
Other languages: Chinese (zh)
Inventor: 郭振华
Current Assignee: Hangzhou H3C Technologies Co Ltd
Original Assignee: Hangzhou H3C Technologies Co Ltd
Application filed by: Hangzhou H3C Technologies Co Ltd
Priority to: CNA2008101163937A
Publication of: CN101304328A

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a multicast authentication method, authentication equipment and a multicast authentication server; wherein, the method comprises the following steps: after receiving data messages from a multicast source, the authentication equipment sends the source address information carried in the data messages to the multicast authentication server which is used for certifying the source address information; if the authentication equipment receives the authentication passing notice returned from the multicast authentication server, a multicast forwarding table is established based on the data messages, and the multicast forwarding table is also used for transmitting the data messages; if the authentication equipment receives the authentication failure notice, the data messages are discarded. By adopting the method, equipment and the server of the invention, the network bandwidth can be saved and the security of network can be improved.

Description

Multicast authentication method, authenticating device and multicast authentication server
Technical field
The present invention relates to multicast technology, and in particular to a multicast authentication method, an authenticating device and a multicast authentication server.
Background art
Multicast is a technology that effectively solves the problem of single-point sending with multi-point receiving. A single multicast address identifies all users that have the same requirement; a multicast source only needs to send a data message to this multicast address for it to reach the corresponding users, and does not need to send an identical data message to each user separately. Multicast technology is widely used in fields such as network television (IPTV), network streaming media and video conferencing.
However, in prior-art implementations of multicast, any multicast source can send multicast data messages in the network. The switching devices in the network create a multicast forwarding table for the multicast data messages of any multicast source they receive, and forward the multicast data messages in the network according to that table. That is, there is currently no multicast authentication technology aimed at multicast sources. This makes it easy for an illegitimate multicast source to send multicast data messages in the network, wasting network bandwidth, or for the network to be attacked by an illegitimate multicast source, which introduces insecurity into the network.
Summary of the invention
In view of this, the present invention provides a multicast authentication method, an authenticating device and a multicast authentication server, so as to save network bandwidth and improve network security.
A multicast authentication method, comprising:
After receiving a data message from a multicast source, the authenticating device sends the source address information carried in the data message to a multicast authentication server, so that the multicast authentication server authenticates the source address information;
If the authenticating device receives an authentication pass notification returned by the multicast authentication server, it creates a multicast forwarding table for the data message and uses the multicast forwarding table to forward the data message; if the authenticating device receives an authentication failure notification returned by the multicast authentication server, it discards the data message.
An authenticating device, comprising: a receiving unit, an information extraction unit and a message processing unit;
The receiving unit is configured to receive a data message from a multicast source, provide the data message to the information extraction unit, and receive an authentication pass notification or an authentication failure notification;
The information extraction unit is configured to extract the source address information of the data message received by the receiving unit and send the source address information to the multicast authentication server;
The message processing unit is configured to, when the receiving unit receives an authentication pass notification, create a multicast forwarding table for the data message and use the multicast forwarding table to forward the data message; and, when the receiving unit receives an authentication failure notification, discard the data message.
A multicast authentication server, comprising: an information receiving unit, an authentication unit and a notification sending unit;
The information receiving unit is configured to receive the source address information of the data message sent by the authenticating device;
The authentication unit is configured to authenticate the source address information;
The notification sending unit is configured to send an authentication pass notification to the authenticating device when authentication by the authentication unit passes, and to send an authentication failure notification to the authenticating device when authentication by the authentication unit fails.
As can be seen from the above technical solutions, in the method and devices provided by the present invention, after the authenticating device receives a data message from a multicast source, it sends the source address information carried in the data message to the multicast authentication server, so that the multicast authentication server authenticates the source address information; if the authenticating device receives an authentication pass notification returned by the multicast authentication server, it creates a multicast forwarding table for the data message and uses the multicast forwarding table to forward the data message; if the authenticating device receives an authentication failure notification returned by the multicast authentication server, it discards the data message. That is, a concrete technical solution is provided that authenticates the multicast data provided by a multicast source based on the source address, i.e., authenticates the multicast source, so that data messages that pass authentication are forwarded in the network, while data messages sent by illegitimate multicast sources that do not pass authentication are prevented from being forwarded in the network. This saves the network bandwidth that illegitimate multicast sources would occupy and can prevent attacks on the network by illegitimate multicast sources, thereby improving network security.
Description of drawings
Fig. 1 is a detailed flow chart of the method provided by an embodiment of the present invention;
Fig. 2 is a network architecture diagram provided by an embodiment of the present invention;
Fig. 3 is a structural diagram of the system provided by an embodiment of the present invention.
Embodiments
To make the purpose, technical solutions and advantages of the present invention clearer, the present invention is described below with reference to the drawings and specific embodiments.
The method provided by the present invention mainly comprises: after receiving a data message from a multicast source, the authenticating device sends the source address information carried in the data message to the multicast authentication server, so that the multicast authentication server authenticates the source address information; after the authenticating device receives an authentication pass notification returned by the authentication server, it creates a multicast forwarding table for the data message and uses the multicast forwarding table to forward the data message; if it receives an authentication failure notification returned by the authentication server, it discards the data message.
The above method is described in detail below. Fig. 1 is a detailed flow chart of the method provided by an embodiment of the present invention. As shown in Fig. 1, the method may comprise the following steps:
Step 101: Configure the authenticating device in advance by configuring an access control list (ACL, Access Control List) on all or some of its ports.
This step enables multicast authentication on the authenticating device. Configuring the ACL on all ports is a global configuration of the authenticating device; configuring the ACL on some ports is a local configuration of the authenticating device.
Step 102: After the authenticating device receives a data message from a multicast source, it uses the ACL configured on the port that received the data message to judge whether the data message is a multicast data message. If so, execute step 104; otherwise, execute step 103.
The ACL configured in step 101 may contain preset multicast address information; all multicast addresses in the network may be set in the ACL in advance. After a data message is received from a multicast source, it is judged whether the destination address of the data message is in the ACL configured on the port that received the data message. If so, the data message is a multicast data message; otherwise, the data message is not a multicast data message. If no ACL is configured on the port that received the data message, the data message is processed according to the prior-art flow.
The preset multicast address information may be multicast IP address information; in this case, after a data message is received, it is judged whether the destination IP address (DIP) carried in the data message is in the ACL. Alternatively, the preset multicast address information may be multicast MAC address information; in this case, after a data message is received, it is judged whether the destination MAC address (DMAC) carried in the data message is in the ACL. Alternatively, the preset multicast address information may be a combination of multicast IP address information and multicast MAC address information; in this case, after a data message is received, it is judged whether the combination of the DIP and DMAC carried in the data message is in the ACL.
Step 103: Process the data message according to the prior-art flow, and end the procedure.
If the received data message is not a multicast message, the method of the present invention is not used to authenticate it; the data message is simply forwarded or discarded in the prior-art manner.
Step 104: The authenticating device judges whether the combination of the source address and destination address carried in the data message is in the multicast source authentication table. If so, execute step 109; otherwise, execute step 105.
The multicast source authentication table stores the combinations of source address and destination address that have passed authentication. If the combination of source address and destination address carried in the data message already exists in the multicast source authentication table, the data message sent by this multicast source has passed authentication; if the combination is not present in the multicast source authentication table, the data message sent by this multicast source needs to be authenticated.
Step 105: The authenticating device sends the source address information of the data message to the multicast authentication server. After the multicast authentication server receives the source address information, it judges whether the source address of the data message is a legitimate multicast source address. If so, execute step 106; otherwise, execute step 110.
Legitimate multicast source addresses are set in the multicast authentication server in advance. After receiving a data message, the server first obtains the source address of the data message and judges whether this source address is a legitimate multicast source address.
The preset legitimate multicast source address may be the IP address of the multicast source; in this case, after a data message is received, it is judged whether the source IP address (SIP) carried in the data message is a legitimate multicast source IP address. Alternatively, the preset legitimate multicast source address may be the MAC address of the multicast source; in this case, after a data message is received, it is judged whether the source MAC address (SMAC) carried in the data message is a legitimate multicast source MAC address. Alternatively, the preset legitimate multicast source address may be the combination of the IP address and MAC address of the multicast source; in this case, after a data message is received, it is judged whether the combination of the SIP and SMAC carried in the data message is a legitimate combination of multicast source IP address and MAC address.
Step 106: The multicast authentication server judges whether the data message is a User Datagram Protocol (UDP) message. If so, execute step 107; otherwise, execute step 110.
This step is optional. If it is executed, the authenticating device also needs to provide the attribute information of the data message to the multicast authentication server in step 105.
Because a multicast data message may be a UDP message, a Transmission Control Protocol (TCP) message, or another type, control may be applied to UDP messages only. In addition, there is no fixed order between step 106 and step 105: it is also possible to first judge whether the data message is a UDP message and then judge whether the source address of the data message is a legitimate multicast source address. Furthermore, legitimate ports for UDP messages may be preconfigured in the multicast authentication server. After the multicast authentication server confirms that the data message is a UDP message, it may further judge, according to the port information carried in the UDP message, whether the carried port information is a legitimate port. If so, authentication is confirmed as passed and step 107 is executed; otherwise, authentication is confirmed as failed and step 110 is executed.
Alternatively, the judgment of whether the data message is a UDP message may be carried out by the authenticating device: before or after judging whether the data message is a multicast data message, the authenticating device judges whether the data message is a UDP message. If so, it continues with the subsequent steps; otherwise, it discards the data message. Likewise, legitimate ports for UDP messages may be preconfigured in the authentication server. After the authenticating device confirms that the data message is a UDP message, it may further judge, according to the port information carried in the UDP message, whether the carried port information is a legitimate port. If so, it continues with the subsequent steps; otherwise, it discards the data message.
When step 106 is executed and the data message is judged to be a UDP message, the data message can be considered to have passed authentication. Of course, step 106 may also be skipped, i.e., no judgment is made on whether the data message is a UDP message; in that case, when step 105 determines that the source address of the data message is a legitimate multicast source address, the data message is considered to have passed authentication and step 107 is executed directly.
Step 107: The multicast authentication server returns an authentication pass notification to the authenticating device.
Step 108: After receiving the authentication pass notification, the authenticating device stores the combination of the source address and destination address of the data message in the multicast source authentication table and creates the multicast forwarding table of the data message.
In the combination of source address and destination address stored in the multicast source authentication table, the source address may be the SIP or SMAC, and the destination address may be the DIP or DMAC.
The created multicast forwarding table may contain the combination of the source IP address, the destination IP address and the port information used by the data message.
In addition, the multicast source authentication table exists so that, the next time the authenticating device receives a data message with the same source address and destination address from this multicast source, repeated authentication can be avoided; this is the purpose of step 104. If no multicast source authentication table is established, every data message sent by the multicast source is authenticated, which equally achieves the object of the present invention.
Step 109: The authenticating device uses the multicast forwarding table of the data message to forward the data message, and the procedure ends.
Step 110: The multicast authentication server returns an authentication failure notification to the authenticating device.
Step 111: After receiving the authentication failure notification, the authenticating device discards the data message, and the procedure ends.
The above authenticating device may be a Layer 3 switching device in the network.
In addition, while authenticating the data message, the multicast authentication server may further authenticate the destination address of the data message: legitimate multicast addresses are preset, and the data message is considered to have passed authentication only when the destination address of the data message is further determined to be a legitimate multicast address.
For a clearer understanding of the method of the present invention, the method is described below through a specific example, taking the network architecture shown in Fig. 2 as an example. In Fig. 2, switch 1 and switch 2 are Layer 3 switches and either can be the authenticating device; in this embodiment, switch 1 is the authenticating device. The multicast authentication server is directly connected to switch 2, and the interaction between the multicast authentication server and the authenticating device takes place through switch 2; of course, the multicast authentication server may also be directly connected to switch 1. Switch 1 receives data messages from multicast source 1 and multicast source 2. The data message sent by multicast source 1 is program 1, whose SIP, SMAC and DIP are sip1, smac1 and dip1 respectively; the data message sent by multicast source 2 is program 2, whose SIP, SMAC and DIP are sip2, smac2 and dip2 respectively. The ACL preconfigured on switch 1 is a global configuration, and dip1 and dip2 are both set in the ACL in advance. The legitimate multicast source addresses set in the multicast authentication server are the combination of sip1 and mac1 and the combination of sip2 and mac0.
When multicast source 1 sends the data message of program 1 in the network architecture shown in Fig. 2, switch 1 first judges, according to the preconfigured ACL, whether the data message is a multicast data message; specifically, it judges whether the destination address of the data message, dip1, is in the preset ACL. The result is that the data message is a multicast data message. Switch 1 further determines that no multicast source authentication table entry has yet been established for this multicast data, and sends the source address of the data message, i.e., sip1 and smac1, to the multicast authentication server through switch 2. The multicast authentication server judges that the combination of sip1 and smac1 is a legitimate multicast source address, further judges that the data message is a UDP message, and then sends an authentication pass notification to switch 1. After receiving the authentication pass notification, switch 1 saves the combination of sip1, smac1 and dip1 in the multicast source authentication table and establishes the multicast forwarding table of the data message, which contains sip1, smac1, dip1 and the port information used by the data message, and forwards the data message according to this multicast forwarding table. When switch 1 subsequently receives data messages of program 1 carrying sip1, smac1 and dip1 from multicast source 1, the multicast source authentication table entry for this data message has already been established, so switch 1 can directly use the forwarding table of the data message to forward it.
When multicast source 2 sends the data message of program 2 in the network architecture shown in Fig. 2, switch 1 first judges, according to the preconfigured ACL, whether the data message is a multicast data message; specifically, it judges whether the destination address of the data message, dip2, is in the preset ACL. The result is that the data message is a multicast data message. Switch 1 further determines that no multicast source authentication table entry has yet been established for this multicast data, and sends the source address of the data message, i.e., sip2 and smac2, to the multicast authentication server through switch 2. Because the preset legitimate multicast source address is the combination of sip2 and smac0, the multicast authentication server determines that the combination of sip2 and smac2 is not a legitimate multicast source address and sends an authentication failure notification to switch 1. After receiving the authentication failure notification, switch 1 discards the data message. The multicast message sent by multicast source 2 is therefore illegitimate and cannot be forwarded in the network.
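The decision flow of steps 102 to 111 and the Fig. 2 walkthrough can be modeled as follows. This is an added illustration, not code from the patent: the class and function names, the concrete addresses standing in for sip1/smac1/dip1, sip2/smac2/dip2 and smac0, the port name "ge1", and the choice of the UDP destination port as the "port information" are all assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class DataMessage:
    sip: str      # source IP address (SIP)
    smac: str     # source MAC address (SMAC)
    dip: str      # destination IP address (DIP)
    proto: str    # "udp" or "tcp": the attribute information used in step 106
    dport: int    # assumption: the "port information" is the UDP destination port
    in_port: str  # switch port on which the message arrived


class MulticastAuthServer:
    """Steps 105-107 and 110: preset legitimate sources plus the optional UDP checks."""

    def __init__(self, legit_sources: Set[Tuple[str, str]], require_udp: bool = True,
                 legit_udp_ports: Optional[Set[int]] = None):
        self.legit_sources = legit_sources      # legitimate (SIP, SMAC) combinations
        self.require_udp = require_udp          # False models skipping step 106
        self.legit_udp_ports = legit_udp_ports  # None means no port restriction

    def authenticate(self, sip: str, smac: str, proto: str, dport: int) -> bool:
        if (sip, smac) not in self.legit_sources:          # step 105
            return False
        if self.require_udp:                               # step 106
            if proto != "udp":
                return False
            if self.legit_udp_ports is not None and dport not in self.legit_udp_ports:
                return False
        return True


class AuthenticatingDevice:
    """Layer 3 switch role: ACL check, multicast source authentication table, forwarding."""

    def __init__(self, server: MulticastAuthServer, port_acl: Dict[str, Set[str]]):
        self.server = server
        self.port_acl = port_acl                 # step 101: per-port ACL of multicast DIPs
        self.source_auth_table: Set[Tuple[str, str, str]] = set()
        self.forwarding_table: Dict[Tuple[str, str], str] = {}
        self.server_queries = 0                  # counts round trips to the server

    def handle(self, msg: DataMessage) -> str:
        acl = self.port_acl.get(msg.in_port)
        if acl is None or msg.dip not in acl:    # steps 102/103: not covered by the ACL
            return "legacy"
        key = (msg.sip, msg.smac, msg.dip)
        if key in self.source_auth_table:        # step 104: already authenticated
            return "forward"                     # step 109
        self.server_queries += 1                 # step 105: ask the server
        if self.server.authenticate(msg.sip, msg.smac, msg.proto, msg.dport):
            self.source_auth_table.add(key)      # step 108
            # Assumption: the forwarding entry records the receiving port.
            self.forwarding_table[(msg.sip, msg.dip)] = msg.in_port
            return "forward"                     # step 109
        return "drop"                            # steps 110/111


# Constructed sample values standing in for the symbolic names of the Fig. 2 example.
SIP1, SMAC1, DIP1 = "10.0.0.1", "00:00:5e:00:53:01", "239.1.1.1"
SIP2, SMAC2, DIP2 = "10.0.0.2", "00:00:5e:00:53:02", "239.1.1.2"
SMAC0 = "00:00:5e:00:53:00"


def run_fig2_scenario() -> Tuple[List[str], AuthenticatingDevice]:
    server = MulticastAuthServer({(SIP1, SMAC1), (SIP2, SMAC0)})
    switch1 = AuthenticatingDevice(server, {"ge1": {DIP1, DIP2}})
    traffic = [
        DataMessage(SIP1, SMAC1, DIP1, "udp", 5004, "ge1"),        # program 1, first message
        DataMessage(SIP1, SMAC1, DIP1, "udp", 5004, "ge1"),        # program 1, table hit
        DataMessage(SIP2, SMAC2, DIP2, "udp", 5004, "ge1"),        # program 2, wrong SMAC
        DataMessage(SIP2, SMAC2, DIP2, "udp", 5004, "ge1"),        # program 2 again
        DataMessage(SIP1, SMAC1, "192.0.2.10", "udp", 53, "ge1"),  # DIP not in the ACL
        DataMessage(SIP1, SMAC1, DIP2, "tcp", 80, "ge1"),          # legitimate source, not UDP
    ]
    return [switch1.handle(m) for m in traffic], switch1


if __name__ == "__main__":
    decisions, device = run_fig2_scenario()
    print(decisions, "server queries:", device.server_queries)
```

In this model only successful authentications are stored, so every message from a rejected source costs another server query, and a table hit bypasses the step 106 protocol check because the table key holds only the source and destination addresses.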
The above describes the method provided by the present invention; the system provided by an embodiment of the present invention is described in detail below. Fig. 3 is a structural diagram of the system provided by an embodiment of the present invention. As shown in Fig. 3, the system may comprise: authenticating device 300 and multicast authentication server 400.
Authenticating device 300 is configured to, after receiving a data message from a multicast source, send the source address information carried in the data message to multicast authentication server 400; when it receives an authentication pass notification returned by multicast authentication server 400, create a multicast forwarding table for the data message and use the multicast forwarding table to forward the data message; and, when it receives an authentication failure notification returned by multicast authentication server 400, discard the data message.
Multicast authentication server 400 is configured to receive the source address information sent by authenticating device 300 and authenticate the source address information; if authentication succeeds, it sends an authentication pass notification to authenticating device 300; if authentication fails, it sends an authentication failure notification to authenticating device 300.
Authenticating device 300 may be connected to multicast authentication server 400 directly or indirectly. Authenticating device 300 may be a Layer 3 switching device.
Authenticating device 300 may specifically comprise: receiving unit 301, information extraction unit 302 and message processing unit 303.
Receiving unit 301 is configured to receive a data message from a multicast source, provide the data message to information extraction unit 302, and receive the authentication pass notification or authentication failure notification sent by multicast authentication server 400.
Information extraction unit 302 is configured to extract the source address information of the data message received by the receiving unit and send the source address information to multicast authentication server 400.
Message processing unit 303 is configured to, when receiving unit 301 receives an authentication pass notification, create a multicast forwarding table for the data message and use the multicast forwarding table to forward the data message; and, when receiving unit 301 receives an authentication failure notification, discard the data message.
In addition, so that authentication is applied only to multicast data messages, the authenticating device may further comprise multicast message recognition unit 304, configured to use the ACL configured in advance on the port that receives the data message to judge whether the data message provided by receiving unit 301 is a multicast data message; if so, it provides the data message to information extraction unit 302; otherwise, it triggers message processing unit 303 to process the data message according to the prior-art flow.
Message processing unit 303 may further be configured to process the data message according to the prior-art flow after being triggered by multicast message recognition unit 304.
The above information extraction unit 302 may comprise: information extraction sub-unit 3021, first judgment sub-unit 3022 and information sending sub-unit 3023.
Information extraction sub-unit 3021 is configured to extract the source address information and destination address information carried in the data message.
First judgment sub-unit 3022 is configured to judge whether the combination of the source address information and destination address information is in the multicast source authentication table; if not, it sends an execution notification to information sending sub-unit 3023; if so, it sends a lookup notification to message processing unit 303.
Information sending sub-unit 3023 is configured to send the source address information to multicast authentication server 400 after receiving the execution notification.
Message processing unit 303 is further configured to, after receiving the lookup notification, look up the multicast forwarding table of the data message and use this multicast forwarding table to forward the data message; and, after receiving the authentication pass notification, store the combination of the source address and destination address of the data message in the multicast source authentication table.
In addition, information extraction unit 302 may further comprise: second judgment sub-unit 3024.
Information extraction sub-unit 3021 is further configured to extract the attribute information of the data message.
Second judgment sub-unit 3024 is configured to receive the execution notification sent by first judgment sub-unit 3022 and use the attribute information to judge whether the data message is a UDP message; if so, it sends the execution notification to information sending sub-unit 3023; otherwise, it sends a discard notification to message processing unit 303.
Message processing unit 303 is further configured to discard the data message after receiving the discard notification.
The structure of the multicast authentication server is described below. Multicast authentication server 400 may comprise: information receiving unit 401, authentication unit 402 and notification sending unit 403.
Information receiving unit 401 is configured to receive the source address information of the data message sent by authenticating device 300.
Authentication unit 402 is configured to authenticate the source address information.
Notification sending unit 403 is configured to send an authentication pass notification to authenticating device 300 when authentication by authentication unit 402 passes, and to send an authentication failure notification to authenticating device 300 when authentication by authentication unit 402 fails.
The above authentication unit 402 may comprise: first judgment sub-unit 4021, configured to judge whether the source address information is a preset legitimate multicast source address; if so, it sends an authentication notification to second judgment sub-unit 4022; otherwise, it determines that authentication has failed.
Second judgment sub-unit 4022 is configured to, after receiving the authentication notification, judge whether the data message is a UDP message; if so, it determines that authentication has succeeded; otherwise, it determines that authentication has failed.
After confirming that the data message is a UDP message, second judgment sub-unit 4022 may further judge, according to the port information carried in the UDP message, whether the carried port information is a preset legitimate port; if so, it determines that authentication has passed; otherwise, it determines that authentication has failed.
Alternatively, authentication unit 402 may comprise only the first judgment sub-unit: when the first judgment sub-unit confirms that the source address information is a preset legitimate multicast source address, it directly determines that authentication has succeeded; when it confirms that the source address information is not a preset legitimate multicast source address, it directly determines that authentication has failed.
As can be seen from the above description, in the method and devices provided by the present invention, after receiving a data message from a multicast source, the authenticating device sends the source address information carried in the data message to the multicast authentication server, so that the multicast authentication server authenticates the source address information; if the authenticating device receives an authentication pass notification returned by the multicast authentication server, it creates a multicast forwarding table for the data message and uses the multicast forwarding table to forward the data message; if the authenticating device receives an authentication failure notification returned by the multicast authentication server, it discards the data message. That is, a concrete technical solution is provided that authenticates the multicast data provided by a multicast source based on the source address, i.e., authenticates the multicast source, so that data messages that pass authentication are forwarded in the network, while data messages sent by illegitimate multicast sources that do not pass authentication are prevented from being forwarded in the network. This saves the network bandwidth that illegitimate multicast sources would occupy and can prevent attacks on the network by illegitimate multicast sources, thereby improving network security.
The above are only preferred embodiments of the present invention and are not intended to limit the present invention. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.

Claims (13)

1. A multicast authentication method, characterized in that the method comprises:
After receiving a data message from a multicast source, an authenticating device sends the source address information carried in the data message to a multicast authentication server, so that the multicast authentication server authenticates the source address information;
If the authenticating device receives an authentication-pass notification returned by the multicast authentication server, it creates a multicast forwarding table for the data message and uses the multicast forwarding table to forward the data message; if the authenticating device receives an authentication failure notification returned by the multicast authentication server, it discards the data message.
2. The method according to claim 1, characterized in that, before the source address information carried in the data message is sent to the multicast authentication server, the method further comprises: the authenticating device uses an ACL configured in advance on the port that receives the data message to judge whether the data message is a multicast data message; if so, it continues with the step of sending the source address information carried in the data message to the multicast authentication server; otherwise, it processes the data message according to the prior-art flow.
3. The method according to claim 2, characterized in that the ACL contains the multicast address information in the network;
Judging whether the data message is a multicast data message specifically comprises: judging whether the destination address of the data message is in the ACL; if so, determining that the data message is a multicast data message; if not, determining that the data message is not a multicast data message.
4. The method according to claim 1, characterized in that, before the source address information carried in the data message is sent to the multicast authentication server, the method further comprises: judging whether the combination of the source address and the destination address carried in the data message is in a multicast source authentication table; if not, continuing with the step of sending the source address information carried in the data message to the multicast authentication server; if so, looking up the multicast forwarding table of the data message and using the multicast forwarding table to forward the data message;
After the authenticating device receives the authentication-pass notification returned by the multicast authentication server, the method further comprises: the authenticating device stores the combination of the source address and the destination address of the data message in the multicast source authentication table.
5. The method according to claim 1, characterized in that the multicast authentication server authenticating the source address information specifically comprises: the multicast authentication server judges whether the source address information is a preset legal multicast source address; if so, it sends an authentication-pass notification to the authenticating device; otherwise, it sends an authentication failure notification to the authenticating device.
6. The method according to claim 5, characterized in that, before the source address information carried in the data message is sent to the multicast authentication server, the method further comprises: the authenticating device judges whether the received data message is a UDP message; if so, it continues with the step of sending the source address information carried in the data message to the multicast authentication server; otherwise, it discards the data message;
Or, after the multicast authentication server determines that the source address information is a preset legal multicast source address, the method further comprises: the multicast authentication server uses the attribute information of the data message sent by the authenticating device to judge whether the data message is a UDP message; if so, it continues with the step of sending the authentication-pass notification to the authenticating device; otherwise, it sends an authentication failure notification to the authenticating device.
7. The method according to any one of claims 1 to 6, characterized in that the source address is: a source IP address, or a source MAC address, or a combination of a source IP address and a source MAC address.
8. An authenticating device, characterized in that the authenticating device comprises: a receiving unit, an information extraction unit and a message processing unit;
The receiving unit is configured to receive a data message from a multicast source and provide the data message to the information extraction unit, and to receive an authentication-pass notification or an authentication failure notification;
The information extraction unit is configured to extract the source address information of the data message received by the receiving unit and send the source address information to a multicast authentication server;
The message processing unit is configured to, when the receiving unit receives the authentication-pass notification, create a multicast forwarding table for the data message and use the multicast forwarding table to forward the data message; and, when the receiving unit receives the authentication failure notification, discard the data message.
9. The authenticating device according to claim 8, characterized in that the authenticating device further comprises: a multicast message recognition unit, configured to use an ACL configured in advance on the port that receives the data message to judge whether the data message provided by the receiving unit is a multicast data message; if so, to provide the data message to the information extraction unit; otherwise, to trigger the message processing unit to process the data message according to the prior-art flow;
The message processing unit is further configured to, after being triggered by the multicast message recognition unit, process the data message according to the prior-art flow.
10. The authenticating device according to claim 8, characterized in that the information extraction unit specifically comprises: an information extraction subunit, a first judgment subunit and an information sending subunit;
The information extraction subunit is configured to extract the source address information and the destination address information carried in the data message;
The first judgment subunit is configured to judge whether the combination of the source address information and the destination address information is in a multicast source authentication table; if not, to send an execution notification to the information sending subunit; if so, to send a lookup notification to the message processing unit;
The information sending subunit is configured to, after receiving the execution notification, send the source address information to the multicast authentication server;
The message processing unit is further configured to, after receiving the lookup notification, look up the multicast forwarding table of the data message and use the multicast forwarding table to forward the data message; and, after the authentication-pass notification is received, to store the combination of the source address and the destination address of the data message in the multicast source authentication table.
11. The authenticating device according to claim 8, characterized in that the information extraction unit further comprises: a second judgment subunit;
The information extraction subunit is further configured to extract the attribute information of the data message;
The second judgment subunit is configured to receive the execution notification sent by the first judgment subunit and use the attribute information to judge whether the data message is a UDP message; if so, to send the execution notification to the information sending subunit; otherwise, to send a discard notification to the message processing unit;
The message processing unit is further configured to, after receiving the discard notification, discard the data message.
12. A multicast authentication server, characterized in that the multicast authentication server comprises: an information receiving unit, an authentication unit and a notification sending unit;
The information receiving unit is configured to receive the source address information of a data message sent by an authenticating device;
The authentication unit is configured to authenticate the source address information;
The notification sending unit is configured to send an authentication-pass notification to the authenticating device when the authentication by the authentication unit passes, and to send an authentication failure notification to the authenticating device when the authentication by the authentication unit fails.
13. The multicast authentication server according to claim 12, characterized in that the authentication unit comprises: a first judgment subunit, configured to judge whether the source address information is a preset legal multicast source address; if so, to send an authentication notification to the second judgment subunit; otherwise, to determine that authentication fails;
The second judgment subunit is configured to, after receiving the authentication notification, judge whether the data message is a UDP message; if so, to determine that authentication succeeds; otherwise, to determine that authentication fails.
CNA2008101163937A 2008-07-09 2008-07-09 Multicast authentication method, authentication equipment and multicast authentication server Pending CN101304328A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNA2008101163937A CN101304328A (en) 2008-07-09 2008-07-09 Multicast authentication method, authentication equipment and multicast authentication server

Publications (1)

Publication Number Publication Date
CN101304328A true CN101304328A (en) 2008-11-12

Family

ID=40114054

Family Applications (1)

Application Number Title Priority Date Filing Date
CNA2008101163937A Pending CN101304328A (en) 2008-07-09 2008-07-09 Multicast authentication method, authentication equipment and multicast authentication server

Country Status (1)

Country Link
CN (1) CN101304328A (en)

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101557298B (en) * 2009-05-26 2012-04-18 杭州华三通信技术有限公司 Method and equipment for realizing multicast communication
CN102325034A (en) * 2011-05-25 2012-01-18 太仓市同维电子有限公司 Packet-broadcasting controlling system and control method based on IGMP/MLD multicast control protocol
CN102325034B (en) * 2011-05-25 2015-03-11 太仓市同维电子有限公司 IGMP/MLD (Internet Group Management Protocol/Multicast Listener Discovery) multicast control protocol-based multicast control system and control method
CN104994328A (en) * 2015-07-03 2015-10-21 马岩 Conference content sharing method and system
CN106341737A (en) * 2016-08-18 2017-01-18 中央电视台 IP multicast stream processing method, switch set, server and system
CN106341737B (en) * 2016-08-18 2020-05-19 中央电视台 IP multicast stream processing method, switch set, server and system
CN109413082A (en) * 2018-11-12 2019-03-01 郑州云海信息技术有限公司 Message processing method and device in cloud computing system
CN113676495A (en) * 2021-10-21 2021-11-19 深圳鼎信通达股份有限公司 Device registration method, server, and storage medium
CN113676495B (en) * 2021-10-21 2022-03-11 深圳鼎信通达股份有限公司 Device registration method, server, and storage medium
WO2024119915A1 (en) * 2022-12-08 2024-06-13 中兴通讯股份有限公司 Data transmission method and system, electronic device, and storage medium

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Open date: 20081112