CN101340367A - Safe channel establishing method and apparatus - Google Patents


Info

Publication number
CN101340367A
Authority
CN
China
Prior art keywords
packet
secure channel
information
address
channel information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CNA2008101138210A
Other languages
Chinese (zh)
Inventor
林峻
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Star Net Ruijie Networks Co Ltd
Original Assignee
Beijing Star Net Ruijie Networks Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2008-05-30
Filing date
2008-05-30
Publication date
2009-01-07
Application filed by Beijing Star Net Ruijie Networks Co Ltd (2008-05-30)
Priority to CNA2008101138210A (2008-05-30)
Publication of CN101340367A (2009-01-07)
Legal status: Pending


Abstract

The invention discloses a secure channel establishing method and a device therefor: secure channel information is added to a packet feature database, and when received packet information matches the secure channel information, the packet is allowed to pass through the port. The scheme provided by the embodiments of the invention can conveniently handle the special cases that arise in the 802.1x security authentication mechanism, allowing special data flows that do not need authentication to access the network, and it can be configured flexibly for different special data flows. According to application needs, various special data flow channels can also be configured conveniently, for example accessing a server to download the authentication client, conveniently controlling the network access rights of special users, accessing a server on which the online authentication manual is placed, and the like, or opening a dedicated data channel for use by special users in special circumstances.

Description

Secure channel establishing method and device
Technical field
The present invention relates to the field of computer network communication technology, and in particular to a secure channel establishing method and device.
Background
The IEEE 802.1x protocol standard is a local area network (LAN) standard formulated by the 802 committee of the Institute of Electrical and Electronics Engineers (IEEE). In a LAN where 802.1x authentication is deployed, a user (such as a PC) that connects to the LAN must be authenticated by 802.1x; a user that has not passed authentication cannot connect to the LAN.
As users perform 802.1x authentication, a packet feature database used to check the legitimacy of packets is built up on the access switch. This database consists of a series of feature entries; each feature entry comprises two parts, the match content and the match action. An action of permit means the packet is allowed through; an action of deny means the packet is blocked and discarded.
The IEEE 802.1x protocol is widely used for access authentication of network users; its typical application topology is shown in Figure 1. The authentication process is as follows:
After the user powers on the user terminal (a personal PC), 802.1x authentication is performed according to the following steps:
1) the user first opens the client software to perform 802.1x authentication; the 802.1x client exchanges packets with the switch and the authentication server (RADIUS server);
2) the access-layer switch receives the user's authentication request and forwards the request to the authentication server;
3) if authentication passes, the authentication server sends the authentication result to the switch, the switch forwards the result to the PC and at the same time opens the path between the PC and the outside;
4) the PC, having passed authentication, can access the network.
Here, the switch port to which the PC uplinks is a controlled port, that is, only users who have passed 802.1x authentication can pass through this port; an uncontrolled port is a port by which the switch connects to upper-layer devices, and it allows all packets through.
Every switch has the capability of address learning. The reason a switch can send a packet directly to the destination node, instead of sending it to all nodes by broadcast as a hub does, is, most critically, that the switch can recognise the MAC addresses of the network cards of the nodes connected to the network and place them in a structure called the MAC address table. This MAC address table is kept in the switch's cache and the addresses in it are remembered, so that when data is to be sent to a destination address the switch looks up the node location of that MAC address in the MAC address table and then sends directly to the node at that location. The switch strengthens this address table function by means of address learning, which works as follows:
(1) when the switch receives a packet from a port, it first reads the source MAC address in the packet header, and so learns which port the machine with that source MAC address is connected to;
(2) it then reads the destination MAC address in the packet header and looks up the corresponding port in the address table;
(3) if the table has a port corresponding to this destination MAC address, the packet is copied directly to that port;
(4) if no corresponding port is found in the table, the packet is broadcast on all ports; when the destination machine replies to the source machine, the switch learns which port that destination MAC address corresponds to, and the next time it forwards data it no longer needs to broadcast on all ports.
Repeating this process continuously learns the MAC address information of the whole network; this is how the switch builds and maintains its address table.
In an 802.1x authentication environment, in order to control user access on a port, the approach of closing address learning can be adopted. When address learning is closed on a switch port, apart from 802.1x protocol packets and the packets of legitimate users (after a legitimate user passes 802.1x authentication, a static address can be forcibly added on the port), the processing policy for the packets of all other illegitimate users (i.e. unauthenticated users) is: do not forward, do not learn the address, and do not deliver to the switch software for processing.
The authentication server cooperates with the authenticator during the authentication process to provide authentication service to users. The authentication server stores user names and passwords together with the corresponding authorization information; one server can provide authentication service to many authenticators, which makes centralized management of users possible. The authentication server is also responsible for managing the accounting data sent from the authenticator.
The access-layer device connects downward to user terminals. Once the 802.1x function is enabled on the access-layer device, only the data flows of authenticated users can pass through the access-layer switch and reach the network. On this basis the authorization function of 802.1x is also widely used: it controls which services an authorized user may use, the rights of a legitimate user, and the bandwidth a user may consume. The most common authorization is to issue a fixed IP address to the user during user authentication; in this way IP address assignment for the whole network can be centrally and uniformly configured on the authentication server, the MAC and IP address used by each user are bound together, and IP address conflicts in the network caused by users privately modifying their IP addresses are avoided.
However, the above application also has some problems. In certain special cases an unauthenticated data flow needs to pass through the switch to access the network, but such data flows are blocked, because address learning is closed at that time. For example, some administrators or special users are also connected below a switch on which 802.1x has been enabled, and they need to access the network directly without authentication. There is another situation: when a large number of ordinary users have not yet authenticated, the network administrator wishes that they can access a particular network segment or a particular server in order to obtain an IP address, or access an antivirus server to upgrade their virus database, and so on; the original design cannot satisfy this demand.
Security access control lists (ACL) cannot satisfy this demand either, because when address learning on the controlled port is closed, packets that the security ACL would permit are still dropped, for the reason that the controlled port does not forward them, does not learn their addresses and does not deliver them to the switch software for processing. In the processing logic of packet forwarding, address learning is handled before security ACL control. At the same time, because a security ACL carries a default behaviour, after user configuration a filter item that refuses all packets is appended (for an IP-based ACL this refuses all IP packets); if its priority is higher than that of the 802.1x packet feature database, it can cause even users who have passed 802.1x authentication to be unable to access the corresponding resources.
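To make the forwarding behaviour described in the preceding paragraphs concrete, here is an added Python model of a switch's MAC address table; it is not code from the patent or from the assignee. It walks through learning steps (1) to (4), then shows what happens on a controlled port whose address learning has been closed: a frame from a MAC that was not bound statically is dropped before any feature-database or ACL stage could permit it, while 802.1x protocol frames (EAPOL, addressed to the PAE group address) still reach the switch software. Port numbers and MAC addresses are constructed, and the four-way decision tuple is this model's own convention.

```python
from typing import Dict, List, Set, Tuple

# Constructed model of a switch's MAC address table, not the patent's or the
# vendor's code; port numbers and MAC addresses below are made up.

# IEEE 802.1X PAE group address: EAPOL frames carry this destination and are
# handed to the switch's authentication software instead of being forwarded.
EAPOL_DMAC = "01:80:c2:00:00:03"

Decision = Tuple[str, Set[int]]  # ("forward" | "flood" | "to_software" | "drop", egress ports)


class LearningSwitch:
    def __init__(self, ports) -> None:
        self.ports: Set[int] = set(ports)
        self.table: Dict[str, int] = {}          # MAC address table: MAC -> port
        self.static: Set[str] = set()            # MACs bound statically after 802.1x success
        self.learning_closed: Set[int] = set()   # controlled ports with address learning closed

    def close_learning(self, port: int) -> None:
        """Treat `port` as a controlled port whose address learning is closed."""
        self.learning_closed.add(port)

    def add_static(self, mac: str, port: int) -> None:
        """Bind an authenticated user's MAC to its port (what 802.1x does on success)."""
        self.table[mac] = port
        self.static.add(mac)

    def forward(self, in_port: int, smac: str, dmac: str) -> Decision:
        # 802.1x protocol frames are exempt from the learning rule and go to software.
        if dmac == EAPOL_DMAC:
            return ("to_software", set())
        # Controlled port with learning closed: a frame from a MAC that was not
        # added statically is neither forwarded, learned nor sent to software,
        # so any later ACL stage never sees it.
        if in_port in self.learning_closed and smac not in self.static:
            return ("drop", set())
        # Step (1): learn which port the source MAC lives on (static entries win).
        if smac not in self.static:
            self.table[smac] = in_port
        # Steps (2)-(3): known destination -> copy the frame to that port only.
        out = self.table.get(dmac)
        if out is not None:
            return ("forward", set() if out == in_port else {out})
        # Step (4): unknown destination -> broadcast on all other ports; the
        # reply will teach the switch the destination's port.
        return ("flood", self.ports - {in_port})


def demo() -> List[Decision]:
    """Constructed trace: two learning ports, then a controlled port."""
    sw = LearningSwitch([1, 2, 3])
    a, b, c = "aa:aa:aa:00:00:01", "aa:aa:aa:00:00:02", "aa:aa:aa:00:00:03"
    trace = [
        sw.forward(1, a, b),   # b unknown: flood to ports 2 and 3
        sw.forward(2, b, a),   # a was learned on port 1: forward there only
        sw.forward(3, c, b),   # b was learned on port 2
    ]
    sw.close_learning(3)       # port 3 becomes a controlled 802.1x port
    unauth = "aa:aa:aa:00:00:99"
    trace.append(sw.forward(3, unauth, a))           # unauthenticated: dropped
    trace.append(sw.forward(3, unauth, EAPOL_DMAC))  # but EAPOL still reaches software
    sw.add_static(unauth, 3)   # authentication succeeded: static binding on the port
    trace.append(sw.forward(3, unauth, a))           # now forwarded
    return trace
```

The trace returned by demo() shows the two regimes side by side: before port 3 is made a controlled port, the unknown-destination flood and the subsequent direct forward are exactly steps (4) and (3); afterwards, the same port drops an unbound source outright, which is why a permit entry in a security ACL evaluated later cannot rescue the flow.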
Summary of the invention
Embodiments of the invention provide a secure channel establishing method and device, so that data flows that have not passed security detection but are required to access the network can pass through the port.
A secure channel establishing method, the method comprising:
adding secure channel information to the packet feature database;
when received packet information matches the secure channel information, allowing the packet to pass through the port.
A secure channel establishing device, the device comprising a secure channel establishing unit and a matching unit, wherein
the secure channel establishing unit is used for adding secure channel information to the packet feature database;
the matching unit is used for matching received packet information against the secure channel information and, when the received packet information matches the secure channel information, allowing the packet to pass through the port.
Embodiments of the invention add secure channel information to the packet feature database and, when received packet information matches the secure channel information, allow the packet to pass through the port. The scheme provided by embodiments of the invention can conveniently handle the special cases that arise in the 802.1x security authentication mechanism, allowing special data flows that do not need authentication to access the network, and it can be configured flexibly for different special data flows. Further, various special data flow channels can be configured conveniently according to application needs, for example accessing a server to download the authentication client, conveniently controlling the access rights of special users, accessing a server on which the network access authentication guide is placed, and so on, or opening a data channel for use by special users in special circumstances.
Brief description of the drawings
Figure 1 is a schematic diagram of a prior art IEEE 802.1x protocol authentication network structure;
Figure 2 is a flow chart of the main implementation principle of an embodiment of the invention;
Figure 3 is a schematic diagram of the structure of an IEEE 802.1x protocol authentication packet feature database;
Figure 4 is a schematic diagram of the structure of an IEEE 802.1x protocol authentication packet feature database with added secure channel information, provided by an embodiment of the invention;
Figure 5 is the first schematic structural diagram of a device according to an embodiment of the invention;
Figure 6 is the second schematic structural diagram of a device according to an embodiment of the invention.
Embodiments
Embodiments of the invention provide a data path on top of functions such as 802.1x, so that data flows that have not passed security detection but need to access the network can pass through a switch port.
The secure channel referred to in the invention is, in an 802.1x authentication environment, a channel that allows ordinary users who are unauthenticated or who failed authentication to access particular network resources (servers and the like), or allows special users who need not authenticate to access arbitrary network resources; that is, it allows unauthenticated packets to pass through the switch and reach a particular network area or network device.
The special user referred to in embodiments of the invention means a network administrator or certain special users; in a network where 802.1x is enabled, these special users may access network resources without authentication. The specific network referred to in embodiments of the invention means any network device or any network with a fixed IP identifier designated by the network administrator. The packet feature database allows data flows that access the specific network to pass through the switch.
The main implementation principle of the technical scheme of embodiments of the invention, the embodiments, and the beneficial effects that should be attainable are explained in detail below with reference to the accompanying drawings.
As shown in Figure 2, the main implementation principle process of embodiment 1 of the invention is as follows:
Step 11: add secure channel information to the packet feature database.
The secure channel establishing method and device provided by embodiments of the invention are based on an 802.1x authentication system. In the 802.1x authentication process, the switch binds the user's sip1+smac1 information (sip1 is the source IP address of user 1 and smac1 the source MAC address of user 1; likewise below) to the port that is directly or indirectly connected to the user terminal, and at the same time adds this user's static MAC address to the port. That is, every IP packet entering the switch from this port is checked on the basis of its content: first it is checked whether this user's smac, smac1, is present in the address table; then an IP packet whose smac is smac1 passes only if its sip is sip1, and an IP packet whose sip is sip1 passes through the switch only if its smac is smac1.
As more users authenticate, a packet feature database is built up under this switch port, as shown in Figure 3; in it, each user corresponds to a feature entry of the packet feature database whose action is permit.
Secure channel information is added to the packet feature database as one or more records of that database. The content of the secure channel information is similar to that of the other entries in the packet feature database: it comprises information such as the source IP address, destination IP address, source MAC address and/or destination MAC address of the user terminal whose packets are allowed through.
In this embodiment the secure channel information can be placed at the top of the packet feature database, so that each received packet is matched against the secure channel information first.
Step 12: when received packet information matches the secure channel information, allow the packet to pass through the port.
After a packet enters the switch through the port connected to the user terminal, the switch extracts from its content features such as the smac, dmac, sip and dip of each packet, and then uses these features to look up the feature entries of the packet feature database on the switch one by one. If the content matches some feature entry and that entry's policy is permit, the packet is allowed through; if its policy is deny, the packet is dropped.
When packet information is matched against secure channel information, the source IP address, destination IP address, source MAC address and/or destination MAC address in the packet information are compared respectively with the source IP address, destination IP address, source MAC address and/or destination MAC address of packets permitted by the secure channel information. If they match, the packet is allowed through the switch port and thus reaches the predefined network area or network device, that is, the specific network; otherwise, matching continues against the other information in the packet feature database.
The specific network here (a network area or network device) is predefined. The network administrator sets different specific networks according to demand for different special users; for example, part of the network resources can be opened so that they are accessible when a user has not obtained authentication or wants to download the user authentication client, and a user whose network account is in arrears can still access and query the arrears information.
In particular, secure channel information can be divided into special user information and specific network information. Special users are users who need not authenticate in order to access all network resources; of course, special users may also be allowed to access only a set portion of the network resources. Specific network information is used to match the packets of unauthenticated users, and a specific network can be set for these users to access.
Figure 4 is a schematic diagram of a packet feature database to which secure channel information has been added; the secure channel information in it is divided into two kinds, special user and specific network. Feature entries conforming to special rules are added to the packet feature database created during the 802.1x authentication process, and these feature entries are arranged above the feature entries created by the authentication process so as to guarantee that they take effect first. After the secure channel is opened on a controlled port, the secure channel notifies the 802.1x module to open the address learning capability of the controlled port, so that the address learning capability is no longer used to block unauthenticated users and processing is handled uniformly by the packet feature database; in this way an unauthenticated user can access only the resources that the secure channel opens. As long as a packet flowing into the switch conforms to these matching feature items, it is allowed through, which achieves the purposes of allowing special users to go online without authentication and allowing unauthenticated users to access the specific network for software upgrades and the like. In Figure 4, the two policies "Permit special user" and "Permit specific network" have been added at the very front of the packet feature database, allowing special users to access network resources normally without authentication, while guaranteeing that ordinary users, while unauthenticated, can access only the specific network resources.
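The following added Python model, which is not the patent's or the assignee's code, implements the packet feature database as described in Steps 11 and 12 and Figure 4: secure channel entries ("permit special user", keyed on source MAC, and "permit specific network", keyed on destination IP) sit above the per-user sip1+smac1 entries that 802.1x creates, each entry is a match content plus an action, and fields left unset are wildcards. A trailing default deny entry is an assumption of this model, added so that an unauthenticated packet matching nothing is dropped as the text requires. All addresses in demo() are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed model of the packet feature database described in the text; not
# the patent's or the assignee's code. Field names (sip, dip, smac, dmac)
# follow the text.


@dataclass(frozen=True)
class Packet:
    sip: str
    dip: str
    smac: str
    dmac: str


@dataclass(frozen=True)
class FeatureEntry:
    """One feature entry: match content (None = wildcard) plus the action."""
    action: str                   # "permit" or "deny"
    sip: Optional[str] = None
    dip: Optional[str] = None
    smac: Optional[str] = None
    dmac: Optional[str] = None
    kind: str = "user"            # "special_user", "specific_network", "user" or "default"

    def matches(self, pkt: Packet) -> bool:
        pairs = ((self.sip, pkt.sip), (self.dip, pkt.dip),
                 (self.smac, pkt.smac), (self.dmac, pkt.dmac))
        return all(want is None or want == got for want, got in pairs)


class FeatureDatabase:
    """Secure channel entries sit above the per-user entries created by 802.1x."""

    def __init__(self) -> None:
        self.secure_channel: List[FeatureEntry] = []
        self.users: List[FeatureEntry] = []

    def add_special_user(self, smac: str) -> None:
        # Special user: identified by MAC, may reach any destination.
        self.secure_channel.append(FeatureEntry("permit", smac=smac, kind="special_user"))

    def add_specific_network(self, dip: str) -> None:
        # Specific network: any (unauthenticated) source may reach this destination.
        self.secure_channel.append(FeatureEntry("permit", dip=dip, kind="specific_network"))

    def add_authenticated_user(self, sip: str, smac: str) -> None:
        # Created on 802.1x success: sip1 and smac1 are bound together.
        self.users.append(FeatureEntry("permit", sip=sip, smac=smac))

    def entries(self) -> List[FeatureEntry]:
        # Secure channel first, then authenticated users, then an assumed
        # default deny so that unmatched (unauthenticated) packets are dropped.
        return self.secure_channel + self.users + [FeatureEntry("deny", kind="default")]

    def check(self, pkt: Packet) -> Tuple[str, str]:
        """Return (action, kind of the entry that decided it); first match wins."""
        for entry in self.entries():
            if entry.matches(pkt):
                return entry.action, entry.kind
        raise AssertionError("unreachable: the default deny entry always matches")


def demo() -> List[Tuple[str, str]]:
    """Constructed scenario: one special user, one specific network, one authenticated user."""
    db = FeatureDatabase()
    db.add_special_user("00:11:22:33:44:55")                      # network administrator's MAC
    db.add_specific_network("10.0.0.10")                          # server hosting the auth client
    db.add_authenticated_user("192.168.1.11", "aa:bb:cc:00:00:01")  # user 1: sip1 + smac1
    gw = "00:00:5e:00:01:01"                                      # gateway MAC (constructed)
    packets = [
        Packet("192.168.1.50", "10.0.0.10", "aa:bb:cc:00:00:50", gw),    # unauthenticated -> specific network
        Packet("192.168.1.50", "203.0.113.7", "aa:bb:cc:00:00:50", gw),  # unauthenticated -> elsewhere
        Packet("192.168.1.2", "203.0.113.7", "00:11:22:33:44:55", gw),   # special user -> anywhere
        Packet("192.168.1.11", "203.0.113.7", "aa:bb:cc:00:00:01", gw),  # authenticated user 1
        Packet("192.168.1.99", "203.0.113.7", "aa:bb:cc:00:00:01", gw),  # smac1 with a foreign sip
    ]
    return [db.check(p) for p in packets]
```

Running demo() shows the ordering at work: the unauthenticated host reaches only the specific network, the administrator's MAC reaches anything, and a packet carrying user 1's smac1 with a different source IP is denied, which is the sip1+smac1 binding from Step 11.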
After the secure channel has been added, the application model of 802.1x authentication can be as follows. After the user terminal connects to the network, it performs 802.1x authentication or accesses the network according to the following steps:
Through the secure channel, the user accesses the open network resources, can learn the relevant configuration and information for going online, and downloads the authentication client; alternatively, a user whose network account is in arrears can still access and query the arrears information;
If the user is authorized to access the network, the user opens the client software to perform 802.1x authentication; the 802.1x client interacts with the switch and the RADIUS server through packets;
The access-layer switch receives the user's authentication request and forwards the request to the authentication server;
The server sends the authentication result to the switch, the switch forwards the result to the PC and at the same time opens the path between the PC and the outside;
The user passes authentication and accesses the network normally.
Correspondingly, as shown in Figure 5, embodiments of the invention also provide a secure channel establishing device, comprising a secure channel establishing unit 21 and a matching unit 22, specifically as follows:
The secure channel establishing unit 21 is used for adding secure channel information to the packet feature database.
In this embodiment the secure channel information can be placed at the top of the packet feature database, so that each received packet is matched against the secure channel information first. Secure channel information is added to the packet feature database as one or more records of that database. The content of the secure channel information is similar to that of the other entries in the packet feature database: it comprises information such as the source IP address, destination IP address, source MAC address and/or destination MAC address of the user terminal whose packets are allowed through.
The matching unit 22 is used for matching received packet information against the secure channel information and, when the received packet information matches the secure channel information, allowing the packet to pass through the port.
After a packet enters the switch through the port connected to the user terminal, the switch extracts from its content features such as the smac, dmac, sip and dip of each packet, and then uses these features to look up the feature entries of the packet feature database on the switch one by one. If the content matches some feature entry and that entry's policy is permit, the packet is allowed through; if its policy is deny, the packet is dropped.
Preferably, as shown in Figure 6, the above device further comprises a secure channel setting unit 23, used for setting the secure channel information. After the packet information matches the corresponding secure channel information, the matching unit 22 allows the packet to be sent through the port to the set specific network.
The network administrator sets different specific networks according to demand for different special users; for example, part of the network resources can be opened so that they are accessible when a user has not obtained authentication or wants to download the user authentication client, and a user whose network account is in arrears can still access and query the arrears information.
In particular, secure channel information can be divided into special user information and specific network information. Special users are users who need not authenticate in order to access all network resources; of course, special users may also be allowed to access only a set portion of the network resources. Specific network information is used to match the packets of unauthenticated ordinary users, and a specific network can be set for these users to access.
The scheme provided by embodiments of the invention can conveniently handle the special cases that arise in the 802.1x security authentication mechanism, allowing special data flows that do not need authentication to access the network, and it can be configured flexibly for different special data flows. Further, various special data flow channels can be configured conveniently according to application needs, for example accessing a server to download the authentication client, conveniently controlling the access rights of special users, accessing a server on which the network access authentication guide is placed, and so on, or opening a data channel for use by special users in special circumstances.
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from the spirit and scope of the present invention. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalent technologies, the present invention is also intended to encompass these changes and modifications.

Claims (9)

1. A secure channel establishing method, characterized in that the method comprises:
adding secure channel information to the packet feature database;
when received packet information matches the secure channel information, allowing the packet to pass through the port.
2. The method of claim 1, characterized in that the secure channel information comprises the source IP address and/or destination IP address of permitted packets;
matching the received packet information against the secure channel information comprises comparing the source IP address and/or destination IP address of the received packet respectively with the source IP address and/or destination IP address of permitted packets in the secure channel information.
3. The method of claim 1 or 2, characterized in that the secure channel information comprises the source MAC address and/or destination MAC address of permitted packets;
matching the received packet information against the secure channel information comprises comparing the source MAC address and/or destination MAC address of the received packet respectively with the source MAC address and/or destination MAC address of permitted packets in the secure channel information.
4. The method of claim 3, characterized in that the method further comprises:
the secure channel information is preset and is adjusted as required.
5. The method of claim 1, characterized in that allowing the packet to pass through the port comprises:
allowing the user to which the packet belongs to access a predefined specific network through the port.
6. The method of claim 1, characterized in that:
the secure channel information comprises special user information and/or specific network information.
7. The method of any one of claims 1, 2 and 4 to 6, characterized in that:
the secure channel information is located at the top of the packet feature database, and the received packet information is matched against the secure channel information first.
8. A secure channel establishing device, characterized in that the device comprises a secure channel establishing unit and a matching unit, wherein
the secure channel establishing unit is used for adding secure channel information to the packet feature database;
the matching unit is used for matching received packet information against the secure channel information and, when the received packet information matches the secure channel information, allowing the packet to pass through the port.
9. The device of claim 8, characterized in that the device further comprises a secure channel setting unit, used for setting and adjusting the secure channel information.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNA2008101138210A CN101340367A (en) 2008-05-30 2008-05-30 Safe channel establishing method and apparatus

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNA2008101138210A CN101340367A (en) 2008-05-30 2008-05-30 Safe channel establishing method and apparatus

Publications (1)

Publication Number Publication Date
CN101340367A true CN101340367A (en) 2009-01-07

Family

ID=40214324

Family Applications (1)

Application Number Title Priority Date Filing Date
CNA2008101138210A Pending CN101340367A (en) 2008-05-30 2008-05-30 Safe channel establishing method and apparatus

Country Status (1)

Country Link
CN (1) CN101340367A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101714992A (en) * 2009-12-28 2010-05-26 北京星网锐捷网络技术有限公司 Method, device for expanding and realizing safe data channel and network equipment
CN103457882A (en) * 2013-08-29 2013-12-18 国家电网公司 Intelligent substation secure access method

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20090107