CN101572645A - Method for establishing tunnel and device thereof - Google Patents


Info

Publication number: CN101572645A
Authority: CN (China)
Prior art keywords: branch node, central node, node, identification code
Legal status: Pending (status as listed by Google Patents; it is an assumption, not a legal conclusion)
Application number: CNA2009101478128A
Other languages: Chinese (zh)
Inventor: 徐庆伟
Current assignee: Hangzhou H3C Technologies Co Ltd (assignee list as given by Google Patents, without legal analysis)
Original assignee: Hangzhou H3C Technologies Co Ltd
Events: application filed by Hangzhou H3C Technologies Co Ltd; priority to CNA2009101478128A; publication of CN101572645A; legal status pending

Abstract

The invention discloses a method for establishing a tunnel, applied to a system that includes a branch node and a central node. The method comprises the following steps: the central node receives a tunnel establishment request from the branch node; the central node sends an identity authentication request to the branch node, the identity authentication request containing a unique identification code; the branch node judges whether the unique identification code from the central node is valid and, if it is, sends an identity authentication response to the central node; the central node receives the identity authentication response from the branch node, judges whether the response is valid and, if it is, establishes a GRE tunnel with the branch node according to the IP address of the branch node. The method helps prevent an invalid node from pretending to be the central node and forcibly establishing a GRE tunnel with the branch node, and so protects the data security of the branch node.

Description

Method and device for tunnel establishment
Technical field
The present invention relates to the field of communication technology, and in particular to a method and device for tunnel establishment.
Background technology
VPN (Virtual Private Network) is a technology that has developed rapidly with the wide application of the Internet; it builds a private, dedicated network on top of a public network. A VPN keeps its resources independent of the underlying bearer network: under normal circumstances the resources of a given VPN cannot be used by members of the bearer network that do not belong to that VPN, which keeps the information inside the VPN from outside intrusion.
GRE (Generic Routing Encapsulation) is one technology for realizing a VPN. The GRE protocol is a layer-3 tunnel protocol for VPNs and provides VPN service to users by building GRE tunnels.
Fig. 1 is a schematic diagram of a VPN network built with GRE. In Fig. 1, LAN (Local Area Network) A connects to the public network through node A, and LAN B connects to the public network through node B; node A and node B may be gateway or router devices. Node A and node B establish a GRE tunnel across the public network and so provide VPN service to the users of LAN A and LAN B.
To build the GRE tunnel between node A and node B, each of the two nodes must configure the IP address pair of this GRE tunnel. For example, if the IP address of node A is 192.10.1.10 and the IP address of node B is 202.18.4.10, then node A must locally configure the IP address pair of the tunnel as (192.10.1.10, 202.18.4.10), and node B must locally configure it as (202.18.4.10, 192.10.1.10). The IP address at the front of the bracket is the address of the source node, i.e. the source IP address; the IP address at the rear of the bracket is the address of the destination node, i.e. the destination IP address. When node A or node B needs to send a datagram through the GRE tunnel, it encapsulates the data packet using the locally configured GRE tunnel IP address pair and then sends the encapsulated packet to the peer node through the GRE tunnel.
It follows that the node devices at the two ends of a GRE tunnel must obtain the IP address of the peer device before the tunnel can be established. Under normal conditions a node device can learn the IP addresses of the other node devices in the network automatically when it is deployed into the network. Under some special networking modes, however, for example HUB-SPOKE (star) networking, a branch node can obtain the IP address of the central node automatically after entering the network, but the central node cannot obtain the IP address of the branch node automatically. If the branch node then needs to establish a GRE tunnel with the central node, it must inform the central node of its own IP address so that the tunnel can finally be established. The prior art proposes that the branch node actively send a message to the central node carrying the IP address of the branch node, so that the central node learns that address from the message. Combined with the prior-art PAP (Password Authentication Protocol) or CHAP (Challenge Handshake Authentication Protocol) authentication mechanism, the central node can authenticate the identity of the branch node after receiving its message and, if authentication passes, establish the GRE tunnel with the branch node, thereby preventing access by an illegal branch node. The branch node, however, has no means of authenticating the central node: if an illegal node intercepts the message sent by the branch node, it may impersonate the central node and forcibly establish a GRE tunnel with the branch node, threatening the security of the branch node itself.
Summary of the invention
The invention provides a method and device for tunnel establishment that ensure the data security of the branch node.
The invention provides a method for tunnel establishment, applied to a system that includes a branch node and a central node, the method comprising the following steps:
the central node receives a tunnel establishment request from the branch node, the tunnel establishment request containing the identity information and the IP address of the branch node;
the central node generates a unique identification code according to the identity information and the IP address of the branch node;
the central node sends an identity authentication request containing the unique identification code to the branch node; the branch node judges the legitimacy of the central node according to the unique identification code and, if the central node is judged legitimate, generates an identity authentication response according to the identity authentication request and sends the identity authentication response to the central node;
the central node judges whether the branch node is legitimate according to the identity authentication response and, if the branch node is judged legitimate, establishes a GRE tunnel with the branch node according to the IP address of the branch node.
The branch node judging the legitimacy of the central node according to the unique identification code comprises:
the branch node uses the algorithm negotiated with the central node to generate a unique identification code from its own identity information and IP address, and compares the code it generated with the unique identification code received from the central node; if the two are identical, the central node is judged legitimate, and if they differ, the central node is judged illegitimate.
The central node or the branch node generates the unique identification code according to the following formula:
cookie=HASH(ID,IP-src,sharekey),
where cookie is the unique identification code, ID is the identity information of the branch node, IP-src is the IP address of the branch node, and sharekey is the shared key between the central node and the branch node.
Where the identity authentication request is a PAP identity authentication request, the identity authentication response is a PAP authentication response containing the user name and password of the branch node,
and the central node judging whether the branch node is legitimate according to the identity authentication response comprises:
the central node compares the user name and password contained in the PAP authentication response with the locally stored records of legitimate user names and passwords; if the user name and password in the PAP authentication response match any local legitimate record, the branch node is judged legitimate, and if they match no local legitimate record, the branch node is judged illegitimate.
Where the identity authentication request is a CHAP identity authentication request containing a CHAP challenge code, the identity authentication response is a CHAP authentication response containing a CHAP authentication code,
and the central node judging whether the branch node is legitimate according to the identity authentication response comprises:
the central node generates a CHAP authentication code according to the CHAP challenge code and compares the CHAP authentication code from the branch node with the one it generated itself; if the two are identical, the branch node is judged legitimate, and if they differ, the branch node is judged illegitimate.
If the branch node judges that the central node is illegitimate, it stops the process of establishing the GRE tunnel with the central node.
If the central node judges that the branch node is illegitimate, it stops the process of establishing the GRE tunnel with the branch node.
The invention provides a node device, applied to a system that includes a central node and a branch node, comprising:
a request unit, used, when the node device serves as the branch node, to send a tunnel establishment request to the central node, the tunnel establishment request containing the identity information and the IP address of the branch node;
a receiving unit, used, when the node device serves as the central node, to receive a tunnel establishment request or an identity authentication response from the branch node, and, when the node device serves as the branch node, to receive an identity authentication request containing a unique identification code from the central node;
an identification code generation unit, connected to the receiving unit, used, when the node device serves as the central node, to generate the unique identification code according to the tunnel establishment request received by the receiving unit, and, when the node device serves as the branch node, to generate a unique identification code from its own identity information and IP address with the algorithm negotiated with the central node after the receiving unit receives the identity authentication request;
a judging unit, connected to the receiving unit and to the identification code generation unit, used, when the node device serves as the branch node, to judge according to the unique identification code generated by the identification code generation unit whether the unique identification code received by the receiving unit is legitimate, and, when the node device serves as the central node, to judge whether the identity authentication response received by the receiving unit is legitimate;
a processing unit, connected to the judging unit and to the receiving unit, used, when the node device serves as the central node and the judgment of the judging unit is positive, to establish a GRE tunnel with the branch node according to the IP address of the branch node received by the receiving unit, and, when the node device serves as the branch node and the judgment of the judging unit is positive, to generate an identity authentication response according to the identity authentication request received by the receiving unit and send the identity authentication response to the central node.
The processing unit is further used, when the node device serves as the central node and the judgment of the judging unit is negative, to stop the process of establishing the GRE tunnel with the branch node, and, when the node device serves as the branch node and the judgment of the judging unit is negative, to stop the process of establishing the GRE tunnel with the central node.
The identification code generation unit is specifically used to generate the unique identification code according to the following formula:
cookie=HASH(ID,IP-src,sharekey),
where cookie is the unique identification code, ID is the identity information of the branch node, IP-src is the IP address of the branch node, and sharekey is the shared key between the central node and the branch node.
The judging unit is specifically used, when the node device serves as the branch node, to compare the unique identification code generated by the node device itself with the unique identification code from the central node; if the two are identical, the unique identification code from the central node is judged legitimate, and if they differ, it is judged illegitimate.
In the present invention, the central node carries, in the identity authentication request it sends to the branch node, a unique identification code generated from the identity information and the IP address of the branch node, and the branch node authenticates the identity of the central node according to that unique identification code. This prevents an illegal node from impersonating the central node and forcibly establishing a GRE tunnel with the branch node, and so ensures the data security of the branch node.
Description of drawings
Fig. 1 is a schematic diagram of a prior-art VPN network built with GRE;
Fig. 2 is a flow diagram of a tunnel establishment method of the present invention;
Fig. 3 is a flow diagram of a tunnel establishment method of the present invention;
Fig. 4 is a schematic diagram of a message payload of the present invention;
Fig. 5 is a flow diagram of a tunnel establishment method of the present invention;
Fig. 6 is a flow diagram of a tunnel establishment method of the present invention;
Fig. 7 is a structural diagram of a node device of the present invention.
Embodiment
The present invention mainly provides a method for tunnel establishment whose main idea is: the central node carries, in the identity authentication request it sends to the branch node, a unique identification code generated from the identity information and the IP address of the branch node, and the branch node authenticates the identity of the central node according to that unique identification code. This prevents an illegal node from impersonating the central node and forcibly establishing a GRE tunnel with the branch node, and so ensures the data security of the branch node.
The present invention proposes a method for tunnel establishment, applied to a system that includes a branch node and a central node; as shown in Fig. 2, the method comprises the following steps:
Step 201: the central node receives a tunnel establishment request from the branch node; the tunnel establishment request carries the IP address and the identity information of the branch node.
Step 202: the central node generates a unique identification code according to the identity information and the IP address of the branch node, and sends an identity authentication request containing the unique identification code to the branch node.
Step 203: the branch node judges the legitimacy of the central node according to the unique identification code; if the central node is judged legitimate, the branch node generates an identity authentication response according to the identity authentication request and sends it to the central node. If the branch node judges that the central node is illegitimate, it stops the process of establishing the GRE tunnel with the central node.
Specifically, the branch node can use the algorithm negotiated with the central node to generate a unique identification code from its own identity information and IP address, and compare the code it generated with the unique identification code from the central node; if the two are identical, the central node is judged legitimate, and if they differ, the central node is judged illegitimate.
Specifically, the central node or the branch node can generate the unique identification code according to the following formula:
cookie=HASH(ID,IP-src,sharekey),
where cookie is the unique identification code, ID is the identity information of the branch node, IP-src is the IP address of the branch node, and sharekey is the shared key between the central node and the branch node.
Step 204: the central node judges whether the branch node is legitimate according to the identity authentication response; if the branch node is judged legitimate, the central node establishes a GRE tunnel with the branch node according to the IP address of the branch node. If the central node judges that the branch node is illegitimate, it stops the process of establishing the GRE tunnel with the branch node.
Specifically, the present invention proposes a method for tunnel establishment, applied to a system that includes a branch node and a central node; as shown in Fig. 3, the method comprises the following steps:
Step 301: the branch node sends a tunnel establishment request to the central node.
The tunnel establishment request must contain the identity information and the IP address of the branch node. Specifically, the identity information of the branch node can be the user name or the certificate number of the branch node.
Specifically, the message payload of the tunnel establishment request, the identity authentication request and the identity authentication response of the present invention can be as shown in Fig. 4.
In the message payload shown in Fig. 4, the Type field identifies the type of the message: for example, a Type value of 1 denotes a tunnel establishment request message, a Type value of 2 denotes an identity authentication request message, and a Type value of 3 denotes an identity authentication response message.
If the Type value is 2, the value of the Cookie field is the unique identification code generated by the central node; if the Type value is 1 or 3, the Cookie field can take a default value.
The value of the Data field depends on the Type value. If the Type value is 1, the Data field carries the identity information of the branch node, for example its user name or certificate number. If the Type value is 2, the Data field carries identity authentication request information: if the central node authenticates the branch node with PAP, the Data field is a request for the user name and password; if the central node authenticates the branch node with CHAP, the Data field is the CHAP challenge code. If the Type value is 3, the Data field carries identity authentication response information: if the central node authenticates the branch node with PAP, the Data field is the user name and password of the branch node; if the central node authenticates the branch node with CHAP, the Data field is the CHAP authentication code generated by the branch node.
Step 302: the central node generates a unique identification code according to the identity information and the IP address of the branch node. Specifically, the central node must generate the unique identification code with a set generation rule; in particular, the way the central node generates the unique identification code must be identical to the way the branch node generates it in the subsequent steps.
For example, the central node can generate the unique identification code as follows:
cookie=HASH(ID,IP-src,sharekey), where cookie is the unique identification code, ID is the identity information of the branch node, IP-src is the IP address of the branch node, and sharekey is the shared key between the central node and the branch node.
Step 303: the central node sends an identity authentication request to the branch node; the identity authentication request contains the unique identification code generated in step 302.
Step 304: the branch node judges whether the unique identification code from the central node is legitimate; if so, go to step 305, otherwise go to step 308.
Specifically, the branch node must generate a unique identification code from its own identity information and IP address and compare the code it generated with the unique identification code from the central node; if the two are identical, the unique identification code from the central node is judged legitimate, and if they differ, it is judged illegitimate.
For example, if the central node generates the unique identification code as cookie=HASH(ID,IP-src,sharekey), the branch node must also generate its unique identification code as cookie=HASH(ID,IP-src,sharekey).
Because the branch node and the central node generate the unique identification code in the same way, the branch node's process of judging whether the unique identification code is legitimate is in essence the process of judging whether the central node is legitimate, i.e. whether the central node that sent the identity authentication request is the central node with which the branch node itself requested to establish a GRE tunnel.
Step 305: the branch node generates an identity authentication response according to the identity authentication request and sends the identity authentication response to the central node.
Step 306: the central node judges whether the identity authentication response from the branch node is legitimate; if so, go to step 307, otherwise go to step 309.
Step 307: the central node establishes a GRE tunnel with the branch node according to the IP address of the branch node. The flow ends.
Specifically, the central node can locally configure the IP address pair of the GRE tunnel according to the IP address of the branch node and its own IP address. The central node can then send a GRE tunnel establishment permission response to the branch node, permitting the branch node to establish the GRE tunnel with it. After receiving the GRE tunnel establishment permission response, the branch node can locally configure the IP address pair of the GRE tunnel according to the IP address of the central node and its own IP address. At this point the GRE tunnel between the branch node and the central node is established.
Step 308: the branch node refuses to establish a GRE tunnel with the central node. The flow ends.
Specifically, the branch node can send an authentication failure message to the central node, disconnect the session with the central node, and refuse to establish a GRE tunnel with the central node.
Step 309: the central node refuses to establish a GRE tunnel with the branch node. The flow ends.
Specifically, the central node can send a tunnel establishment failure message to the branch node, disconnect the session with the branch node, and refuse to establish a GRE tunnel with the branch node.
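The following is an added example, not code from the patent or from H3C, showing the unique identification code of steps 302 to 304 in working form: the central node derives cookie=HASH(ID,IP-src,sharekey), and the branch node recomputes the same value from its own identity and IP address and compares. The patent does not name the hash function or the encoding of its inputs, so this example's choice of HMAC-SHA256 keyed with sharekey, the length prefix on ID, and the packed (binary) IP address are assumptions; the identity "branch-01", the addresses and the key are constructed sample values.

```python
import hashlib
import hmac
import ipaddress

# Constructed sample value; how sharekey is provisioned is outside the patent's scope.
SHAREKEY = b"constructed-shared-key"


def unique_identification_code(identity: str, ip_src: str, sharekey: bytes) -> bytes:
    """cookie = HASH(ID, IP-src, sharekey) of step 302.

    The patent fixes neither the hash nor the input encoding. Here (an assumption)
    HMAC-SHA256 is keyed with sharekey, ID is length-prefixed so the boundary
    between ID and IP-src is unambiguous, and the IP address is packed to its
    4- or 16-byte binary form so that only the address itself, not its spelling,
    enters the hash.
    """
    id_bytes = identity.encode("utf-8")
    ip_bytes = ipaddress.ip_address(ip_src).packed
    message = len(id_bytes).to_bytes(2, "big") + id_bytes + ip_bytes
    return hmac.new(sharekey, message, hashlib.sha256).digest()


def central_node_is_legitimate(identity: str, ip_src: str, sharekey: bytes,
                               received_cookie: bytes) -> bool:
    """Step 304: the branch node recomputes the cookie from its own identity and
    IP address with the negotiated algorithm and compares it with the cookie in the
    identity authentication request. compare_digest avoids a timing side channel."""
    expected = unique_identification_code(identity, ip_src, sharekey)
    return hmac.compare_digest(expected, received_cookie)


def scenarios() -> dict:
    """Three identity authentication requests as judged by branch 'branch-01'
    at 192.10.1.10 (constructed values)."""
    branch_id, branch_ip = "branch-01", "192.10.1.10"
    # The genuine central node holds sharekey and knows ID and IP from the request.
    genuine = unique_identification_code(branch_id, branch_ip, SHAREKEY)
    # A node that saw the tunnel establishment request knows ID and IP but not
    # sharekey, so whatever key it uses yields a different cookie.
    without_key = unique_identification_code(branch_id, branch_ip, b"guessed-key")
    # A cookie issued for the same ID at a different IP address does not verify:
    # the cookie is bound to IP-src, not only to the identity.
    other_ip = unique_identification_code(branch_id, "192.10.1.11", SHAREKEY)
    return {
        "genuine": central_node_is_legitimate(branch_id, branch_ip, SHAREKEY, genuine),
        "without_sharekey": central_node_is_legitimate(branch_id, branch_ip, SHAREKEY, without_key),
        "cookie_for_other_ip": central_node_is_legitimate(branch_id, branch_ip, SHAREKEY, other_ip),
    }


if __name__ == "__main__":
    for name, accepted in scenarios().items():
        print(f"{name}: {'central node accepted' if accepted else 'refused (step 308)'}")
```

Only the first scenario is accepted; the other two fall through to step 308. Because the cookie is an HMAC over both the identity and the IP address, a node that cannot produce it must lack sharekey, which is exactly the property the branch node relies on to tell the central node it asked for apart from a node that merely observed its request.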
Specifically, the present invention proposes a method for tunnel establishment, applied to a system that includes a branch node and a central node, in which the identity information of the branch node is its user name and the central node authenticates the branch node with PAP; as shown in Fig. 5, the method comprises the following steps:
Step 501: the branch node sends a tunnel establishment request to the central node; the tunnel establishment request must contain the user name and the IP address of the branch node.
Step 502: the central node generates a unique identification code according to the user name and the IP address of the branch node.
Specifically, the central node generates the unique identification code as follows:
cookie=HASH(user name,IP-src,sharekey), where cookie is the unique identification code, IP-src is the IP address of the branch node, and sharekey is the shared key between the central node and the branch node.
Step 503: the central node sends a PAP identity authentication request carrying the unique identification code to the branch node.
Step 504: the branch node judges whether the unique identification code from the central node is legitimate; if so, go to step 505, otherwise go to step 509.
Specifically, the branch node also generates a unique identification code as cookie=HASH(user name,IP-src,sharekey). The branch node then compares the code it generated with the unique identification code from the central node; if the two are identical, the unique identification code from the central node is judged legitimate, and if they differ, it is judged illegitimate.
Step 505: the branch node generates a PAP authentication response according to the PAP identity authentication request and sends the authentication response to the central node.
Specifically, the PAP authentication response must contain the user name and password of the branch node.
Step 506: the central node judges whether the PAP authentication response from the branch node is legitimate; if so, go to step 507, otherwise go to step 510.
Specifically, the central node can keep many records of legitimate user names and passwords locally, each record containing a user name and the password matching that user name. The central node compares the user name and password from the branch node with the local records; if the user name and password from the branch node match any local legitimate record, the central node judges the branch node legitimate, and if they match no local legitimate record, the central node judges the branch node illegitimate.
Step 507: the central node locally configures the IP address pair of the GRE tunnel according to the IP address of the branch node and its own IP address, and sends a GRE tunnel establishment permission response to the branch node.
Step 508: the branch node locally configures the IP address pair of the GRE tunnel according to the IP address of the central node and its own IP address. The GRE tunnel between the branch node and the central node is established. The flow ends.
Step 509: the branch node refuses to establish a GRE tunnel with the central node. The flow ends.
Step 510: the central node refuses to establish a GRE tunnel with the branch node. The flow ends.
Specifically, the present invention proposes a method for tunnel establishment, applied to a system that includes a branch node and a central node, in which the identity information of the branch node is its certificate number and the central node authenticates the branch node with CHAP; as shown in Fig. 6, the method comprises the following steps:
Step 601: the branch node sends a tunnel establishment request to the central node; the tunnel establishment request must contain the certificate number and the IP address of the branch node.
Step 602: the central node generates a unique identification code according to the certificate number and the IP address of the branch node.
Specifically, the central node generates the unique identification code as follows:
cookie=HASH(certificate number,IP-src,sharekey), where cookie is the unique identification code, IP-src is the IP address of the branch node, and sharekey is the shared key between the central node and the branch node.
Step 603: the central node sends a CHAP identity authentication request carrying the unique identification code to the branch node; this CHAP authentication request also carries a CHAP challenge code generated at random by the central node.
Step 604: the branch node judges whether the unique identification code from the central node is legitimate; if so, go to step 605, otherwise go to step 609.
Specifically, the branch node also generates a unique identification code as cookie=HASH(certificate number,IP-src,sharekey). The branch node then compares the code it generated with the unique identification code from the central node; if the two are identical, the unique identification code from the central node is judged legitimate, and if they differ, it is judged illegitimate.
Step 605: the branch node generates a CHAP authentication response according to the CHAP identity authentication request and sends the authentication response to the central node.
Specifically, the branch node must first generate a CHAP authentication code from the CHAP challenge code. The algorithm for generating the CHAP authentication code must be negotiated with the central node in advance, and the branch node generates the CHAP authentication code with the algorithm the two sides negotiated.
Step 606: the central node judges whether the CHAP authentication response from the branch node is legitimate; if so, go to step 607, otherwise go to step 610.
Specifically, the central node first generates a CHAP authentication code from the CHAP challenge code generated in step 603, using the algorithm negotiated with the branch node, and then compares the CHAP authentication code from the branch node with the one it generated itself; if the two are identical, the CHAP authentication response from the branch node is judged legitimate, and if they differ, it is judged illegitimate.
Step 607: the central node locally configures the IP address pair of the GRE tunnel according to the IP address of the branch node and its own IP address, and sends a GRE tunnel establishment permission response to the branch node.
Step 608: the branch node locally configures the IP address pair of the GRE tunnel according to the IP address of the central node and its own IP address. The GRE tunnel between the branch node and the central node is established. The flow ends.
Step 609: the branch node refuses to establish a GRE tunnel with the central node. The flow ends.
Step 610: the central node refuses to establish a GRE tunnel with the branch node. The flow ends.
The invention also provides a node device, applied in a system comprising a central node and a branch node. As shown in Figure 7, it comprises a request unit 701, a receiving unit 702, an identification code generation unit 703, a judging unit 704 and a processing unit 705, where:
The request unit 701 is used, when the node device serves as a branch node, to send a tunnel establishment request to the central node; the tunnel establishment request contains the identity information and the IP address of the branch node.
The receiving unit 702 is used, when the node device serves as the central node, to receive a tunnel establishment request or an authentication response from a branch node; and, when the node device serves as a branch node, to receive an identity authentication request containing a unique identification code from the central node.
The identification code generation unit 703 is connected to the receiving unit 702. When the node device serves as the central node, it generates the unique identification code from the tunnel establishment request received by the receiving unit 702; when the node device serves as a branch node, after the receiving unit 702 receives the identity authentication request, it generates a unique identification code from the node's own identity information and IP address using the algorithm negotiated with the central node. Specifically, the identification code generation unit 703 generates the unique identification code by the formula cookie = HASH(ID, IP-src, sharekey), where cookie is the unique identification code, ID is the identity information of the branch node, IP-src is the IP address of the branch node, and sharekey is the shared key between the central node and the branch node.
The judging unit 704 is connected to the identification code generation unit 703 and the receiving unit 702. When the node device serves as a branch node, it judges, from the unique identification code generated by the identification code generation unit 703, whether the unique identification code received by the receiving unit 702 is legal; when the node device serves as the central node, it judges whether the authentication response received by the receiving unit 702 is legal. Specifically, when the node device serves as a branch node, the judging unit 704 compares the unique identification code generated locally with the unique identification code from the central node: if the two are identical, the code from the central node is judged legal; if they differ, it is judged illegal.
The processing unit 705 is connected to the judging unit 704 and the receiving unit 702. When the node device serves as the central node and the judgment result of the judging unit 704 is yes, it establishes a GRE tunnel with the branch node according to the branch node's IP address received by the receiving unit 702; if the judgment result is no, it terminates the GRE tunnel establishment process with the branch node. When the node device serves as a branch node and the judgment result of the judging unit 704 is yes, it generates an authentication response from the identity authentication request received by the receiving unit 702 and sends the authentication response to the central node; if the judgment result is no, it terminates the GRE tunnel establishment process with the central node.
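The handshake of steps 602 to 610, with the two roles that units 701 to 705 implement, modelled end to end in Python as an added example; this is not code from the patent or from H3C. The patent leaves both HASH and the negotiated CHAP algorithm open, so two choices here are assumptions of the example: HMAC-SHA256 keyed with sharekey for the cookie, and SHA-256 over the challenge concatenated with a per-branch CHAP secret for the CHAP authentication code. All node names, addresses and keys are constructed sample values. The example goes slightly beyond the text by running the same handshake three times: between honest peers, against a node that impersonates the central node without knowing sharekey (the case the patent is designed to stop), and from a branch holding the wrong CHAP secret.

```python
"""Added example: minimal model of the GRE tunnel set-up handshake (steps 602-610)."""
import hashlib
import hmac
import secrets


def make_cookie(identity: str, ip_src: str, sharekey: bytes) -> bytes:
    """cookie = HASH(ID, IP-src, sharekey). Keyed HMAC-SHA256 is an assumption of
    this example; the length prefix keeps ('ab','c') from colliding with ('a','bc')."""
    msg = len(identity).to_bytes(2, "big") + identity.encode() + ip_src.encode()
    return hmac.new(sharekey, msg, hashlib.sha256).digest()


def chap_code(challenge: bytes, chap_secret: bytes) -> bytes:
    """Negotiated CHAP authentication code; SHA-256 is an assumption of this example."""
    return hashlib.sha256(challenge + chap_secret).digest()


class CentralNode:
    """Central node role: steps 602, 603, 606, 607 and 610 (units 702-705)."""

    def __init__(self, ip: str, sharekey: bytes, chap_secrets: dict):
        self.ip, self.sharekey = ip, sharekey
        self.chap_secrets = chap_secrets   # branch identity -> CHAP secret (constructed)
        self.pending = {}                  # (identity, ip_src) -> outstanding challenge
        self.tunnels = set()               # locally configured GRE address pairs

    def on_tunnel_request(self, identity: str, ip_src: str) -> dict:
        cookie = make_cookie(identity, ip_src, self.sharekey)   # step 602
        challenge = secrets.token_bytes(16)                      # step 603: random challenge
        self.pending[(identity, ip_src)] = challenge
        return {"cookie": cookie, "challenge": challenge}

    def on_auth_response(self, identity: str, ip_src: str, response: bytes) -> bool:
        challenge = self.pending.pop((identity, ip_src), None)   # step 606
        secret = self.chap_secrets.get(identity)
        if challenge is None or secret is None:
            return False                                         # step 610: refuse
        if not hmac.compare_digest(chap_code(challenge, secret), response):
            return False                                         # step 610: refuse
        self.tunnels.add((self.ip, ip_src))                      # step 607
        return True


class BranchNode:
    """Branch node role: steps 604, 605, 608 and 609 (units 701-705)."""

    def __init__(self, identity: str, ip: str, sharekey: bytes, chap_secret: bytes):
        self.identity, self.ip = identity, ip
        self.sharekey, self.chap_secret = sharekey, chap_secret
        self.tunnels = set()

    def on_auth_request(self, cookie: bytes, challenge: bytes):
        expected = make_cookie(self.identity, self.ip, self.sharekey)   # step 604
        if not hmac.compare_digest(expected, cookie):
            return None                                                 # step 609: refuse
        return chap_code(challenge, self.chap_secret)                   # step 605

    def on_permission(self, central_ip: str) -> None:
        self.tunnels.add((self.ip, central_ip))                         # step 608


def run_handshake(branch: BranchNode, central: CentralNode) -> str:
    """Drive the whole exchange and report where it stopped."""
    req = central.on_tunnel_request(branch.identity, branch.ip)
    resp = branch.on_auth_request(req["cookie"], req["challenge"])
    if resp is None:
        return "branch refused: cookie check failed (step 609)"
    if not central.on_auth_response(branch.identity, branch.ip, resp):
        return "central refused: CHAP response invalid (step 610)"
    branch.on_permission(central.ip)
    return "tunnel established"


SHAREKEY = b"constructed-shared-key"        # constructed sample values
BRANCH_SECRET = b"constructed-chap-secret"


def demo() -> dict:
    """Honest peers, an impostor central node without sharekey, and a branch with a bad secret."""
    branch = BranchNode("branch-01", "10.0.1.2", SHAREKEY, BRANCH_SECRET)
    central = CentralNode("10.0.0.1", SHAREKEY, {"branch-01": BRANCH_SECRET})
    impostor = CentralNode("10.0.0.9", b"guessed-key", {})
    bad_branch = BranchNode("branch-01", "10.0.1.3", SHAREKEY, b"wrong-secret")
    return {
        "honest": run_handshake(branch, central),
        "impostor": run_handshake(branch, impostor),
        "bad_branch": run_handshake(bad_branch, central),
        "central_tunnels": sorted(central.tunnels),
        "branch_tunnels": sorted(branch.tunnels),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Two points the model makes visible: the branch's check in step 604 proves nothing about the central node beyond its possession of sharekey, because the cookie is a deterministic function of ID, IP-src and that key, so the protection the patent claims rests entirely on sharekey staying secret; and the CHAP leg is the only part that is fresh per request, since the central node issues a new random challenge each time and only accepts a response for a challenge it still has outstanding.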
In the present invention, the central node carries, in the identity authentication request it sends to the branch node, a unique identification code generated from the branch node's identity information and IP address, and the branch node authenticates the identity of the central node using this unique identification code. This prevents an illegal node from impersonating the central node and forcibly establishing a GRE tunnel with the branch node, and so guarantees the data security of the branch node.
From the above description of the embodiments, those skilled in the art will clearly understand that the present invention can be implemented by software together with the necessary general-purpose hardware platform, or of course by hardware alone, but the former is the better implementation in many cases. On this understanding, the technical solution of the present invention, or the part of it that contributes to the prior art, can be embodied in the form of a software product stored on a storage medium and containing instructions that cause a computer device (which may be a personal computer, a server, a network device, or the like) to carry out the method of the present invention.
Those skilled in the art will understand that the drawings are schematic diagrams of a preferred embodiment, and that the modules or flows shown in the drawings are not necessarily required to implement the present invention.
Those skilled in the art will understand that the modules of the device in the present invention may be distributed in the device of the embodiment as described, or may be modified accordingly and placed in one or more devices different from this embodiment. The modules of the above embodiment may be merged into one module or further split into several sub-modules.
What is disclosed above is only several specific embodiments of the present invention, but the present invention is not limited to them; any variation that those skilled in the art can conceive should fall within the scope of protection of the present invention.

Claims (11)

1. A method for establishing a tunnel, applied in a system comprising a branch node and a central node, characterized in that the method comprises the following steps:
the central node receives a tunnel establishment request from the branch node, the tunnel establishment request containing the identity information and the IP address of the branch node;
the central node generates a unique identification code from the identity information and the IP address of the branch node;
the central node sends an identity authentication request containing the unique identification code to the branch node; the branch node judges the legitimacy of the central node from the unique identification code, and if the judgment result is that the central node is legal, the branch node generates an authentication response from the identity authentication request and sends the authentication response to the central node;
the central node judges from the authentication response whether the branch node is legal, and if the judgment result is that the branch node is legal, establishes a GRE tunnel with the branch node according to the IP address of the branch node.
2, the method for claim 1 is characterized in that, described branch node is judged the legitimacy of described Centroid according to described unique identification sign indicating number and comprised:
Described branch node uses with described Centroid and consults definite algorithm, identity information and IP address according to self generate the unique identification sign indicating number, the unique identification sign indicating number that self is generated compares with unique identification sign indicating number from described Centroid, if both are identical, judge that then described Centroid is legal, if both differences judge that then described Centroid is illegal.
3, method as claimed in claim 2 is characterized in that,
Described Centroid or described branch node generate the unique identification sign indicating number according to following formula:
cookie=HASH(ID,IP-src,sharekey),
Wherein, cookie is the unique identification sign indicating number, and ID is the identity information of described branch node, and IP-src is the IP address of described branch node, and sharekey is the shared key between described Centroid and the described branch node.
4, the method for claim 1 is characterized in that, described ID authentication request is the PAP ID authentication request, and then described authentication response is to comprise the PAP authentication of the username and password of described branch node response,
Described Centroid is judged described branch node legal comprising whether according to described authentication response:
Described Centroid compares with the username and password that comprises in the described PAP authentication response with the legal users name and the password record of this locality, if the username and password that comprises in the described PAP authentication response meets local any validation record, judge that then described branch node is legal, if the username and password that comprises in the described PAP authentication response does not meet local any validation record, judge that then described branch node is illegal.
5, the method for claim 1 is characterized in that, described ID authentication request is the CHAP ID authentication request that comprises the CHAP challenge code, and then described authentication response responds for the CHAP authentication that comprises the chap authentication sign indicating number,
Described Centroid is judged described branch node legal comprising whether according to described authentication response:
Described Centroid generates the chap authentication sign indicating number according to described CHAP challenge code, then, to compare from the chap authentication sign indicating number of described branch node and the chap authentication sign indicating number that self generates, if both are identical, judge that then described branch node is legal, if both differences judge that then described branch node is illegal.
6, the method for claim 1 is characterized in that,
If described branch node judges that described Centroid is illegal, stop setting up process with the gre tunneling of described Centroid.
7, the method for claim 1 is characterized in that,
If described Centroid judges that described branch node is illegal, stop setting up process with the gre tunneling of described branch node.
8. A node device, applied in a system comprising a central node and a branch node, characterized in that it comprises:
a request unit, used, when the node device serves as the branch node, to send a tunnel establishment request to the central node, the tunnel establishment request containing the identity information and the IP address of the branch node;
a receiving unit, used, when the node device serves as the central node, to receive a tunnel establishment request or an authentication response from a branch node, and, when the node device serves as a branch node, to receive an identity authentication request containing a unique identification code from the central node;
an identification code generation unit, connected to the receiving unit, used, when the node device serves as the central node, to generate the unique identification code from the tunnel establishment request received by the receiving unit, and, when the node device serves as a branch node, after the receiving unit receives the identity authentication request, to generate a unique identification code from the node's own identity information and IP address using the algorithm negotiated with the central node;
a judging unit, connected to the receiving unit and to the identification code generation unit, used, when the node device serves as a branch node, to judge from the unique identification code generated by the identification code generation unit whether the unique identification code received by the receiving unit is legal, and, when the node device serves as the central node, to judge whether the authentication response received by the receiving unit is legal;
a processing unit, connected to the judging unit and to the receiving unit, used, when the node device serves as the central node and the judgment result of the judging unit is yes, to establish a GRE tunnel with the branch node according to the branch node's IP address received by the receiving unit, and, when the node device serves as a branch node and the judgment result of the judging unit is yes, to generate an authentication response from the identity authentication request received by the receiving unit and send the authentication response to the central node.
9. The node device of claim 8, characterized in that
the processing unit is further used, when the node device serves as the central node, to terminate the GRE tunnel establishment process with the branch node if the judgment result of the judging unit is no, and, when the node device serves as a branch node, to terminate the GRE tunnel establishment process with the central node if the judgment result of the judging unit is no.
10. The node device of claim 8, characterized in that
the identification code generation unit is specifically used to generate the unique identification code by the following formula:
cookie=HASH(ID,IP-src,sharekey),
where cookie is the unique identification code, ID is the identity information of the branch node, IP-src is the IP address of the branch node, and sharekey is the shared key between the central node and the branch node.
11. The node device of claim 8, characterized in that
the judging unit is specifically used, when the node device serves as a branch node, to compare the unique identification code it generated with the unique identification code from the central node; if the two are identical, the unique identification code from the central node is judged legal, and if they differ, it is judged illegal.
CNA2009101478128A 2009-06-12 2009-06-12 Method for establishing tunnel and device thereof Pending CN101572645A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNA2009101478128A CN101572645A (en) 2009-06-12 2009-06-12 Method for establishing tunnel and device thereof

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNA2009101478128A CN101572645A (en) 2009-06-12 2009-06-12 Method for establishing tunnel and device thereof

Publications (1)

Publication Number Publication Date
CN101572645A true CN101572645A (en) 2009-11-04

Family

ID=41231884

Family Applications (1)

Application Number Title Priority Date Filing Date
CNA2009101478128A Pending CN101572645A (en) 2009-06-12 2009-06-12 Method for establishing tunnel and device thereof

Country Status (1)

Country Link
CN (1) CN101572645A (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104780535A (en) * 2014-01-14 2015-07-15 中兴通讯股份有限公司 Method and device for authenticating safe center node in multi-terminal cooperative process
CN104852848A (en) * 2015-04-20 2015-08-19 杭州华三通信技术有限公司 Data transmission method and device
WO2017016473A1 (en) * 2015-07-30 2017-02-02 华为技术有限公司 Tunnel detection method, apparatus, and system
CN106453246A (en) * 2016-08-30 2017-02-22 北京小米移动软件有限公司 Equipment identity information distribution method, device and system
CN113630276A (en) * 2021-08-16 2021-11-09 迈普通信技术股份有限公司 Main/standby switching control method and device and DVPN network system
CN114257543A (en) * 2022-03-01 2022-03-29 北京翼辉信息技术有限公司 Message forwarding method and device, storage medium and computing equipment

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2015106509A1 (en) * 2014-01-14 2015-07-23 中兴通讯股份有限公司 Method and device for authenticating security central node in multi-terminal cooperation
CN104780535A (en) * 2014-01-14 2015-07-15 中兴通讯股份有限公司 Method and device for authenticating safe center node in multi-terminal cooperative process
CN104852848B (en) * 2015-04-20 2019-04-09 新华三技术有限公司 A kind of method and apparatus of data transmission
CN104852848A (en) * 2015-04-20 2015-08-19 杭州华三通信技术有限公司 Data transmission method and device
WO2017016473A1 (en) * 2015-07-30 2017-02-02 华为技术有限公司 Tunnel detection method, apparatus, and system
CN106713057B (en) * 2015-07-30 2019-11-29 华为技术有限公司 For carrying out the method, apparatus and system of Tunnel testing
CN106713057A (en) * 2015-07-30 2017-05-24 华为技术有限公司 Method for performing tunnel detection and device and system thereof
CN106453246B (en) * 2016-08-30 2018-06-08 北京小米移动软件有限公司 Equipment identity information distribution method, device and system
CN106453246A (en) * 2016-08-30 2017-02-22 北京小米移动软件有限公司 Equipment identity information distribution method, device and system
CN113630276A (en) * 2021-08-16 2021-11-09 迈普通信技术股份有限公司 Main/standby switching control method and device and DVPN network system
CN113630276B (en) * 2021-08-16 2024-04-09 迈普通信技术股份有限公司 Main-standby switching control method and device and DVPN network system
CN114257543A (en) * 2022-03-01 2022-03-29 北京翼辉信息技术有限公司 Message forwarding method and device, storage medium and computing equipment
CN114257543B (en) * 2022-03-01 2022-07-01 北京翼辉信息技术有限公司 Message forwarding method and device, storage medium and computing equipment

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Open date: 20091104