Summary of the invention
The present invention aims to provide a method for realizing lawful interception on Internet Protocol (IP) networks. It extends an existing communication protocol so that interception management information can be carried to the network access equipment, which then performs the lawful interception and transmits the intercepted communication content to the lawful interception facility.
Another object of the present invention is to provide at least two transmission methods for the interception management information used to realize IP lawful interception.
A further object of the present invention is to provide equipment for assisting lawful interception in a communication network, comprising an authentication server, a DHCP server and a communication network access device.
The application of the method and equipment of the present invention overcomes the deficiencies of the prior art.
The present invention provides a method for realizing Internet lawful interception, comprising the steps of: a) the lawful interception facility configures, on the network access management equipment, the interception management information for the targets that need to be monitored; b) when the target user performs network access authentication or a network resource request, the network access management equipment passes the interception management information to the network access equipment to which the target user belongs; c) according to the interception management information, the network access equipment intercepts the target user's communication and transmits the intercepted communication content to the lawful interception facility.
In addition, the present invention provides a transmission method for interception management information, comprising the steps of: a1) extending the Remote Authentication Dial-In User Service (RADIUS) protocol by defining a new protocol option to carry the interception management information; b1) when the target user accesses the network and performs access authentication, inserting the interception management information into the corresponding response message through the extended RADIUS protocol.
The present invention also provides another transmission method for interception management information, comprising: a2) extending the Dynamic Host Configuration Protocol (DHCP) by defining a new protocol option to carry the interception management information; b2) when the target user accesses the network and makes a network resource request, inserting the interception management information into the corresponding response message through the extended DHCP protocol.
In addition, the present invention provides an authentication server, a DHCP server and a communication network access device for assisting lawful interception in a communication network.
The authentication server for assisting lawful interception in a communication network according to the present invention comprises: an interception processing unit, which receives the interception management information from the lawful interception facility; and an authentication device, which, when the target user makes an authentication request, inserts the corresponding interception management information into a designated RADIUS protocol packet and sends it to the target user's communication network access device.
The DHCP server for assisting lawful interception in a communication network according to the present invention comprises: an interception processing unit, which receives from the lawful interception facility the target user and the interception management information that needs to be monitored; and a DHCP protocol processing device, which, when the target user makes a network resource request, inserts the interception management information into a designated DHCP protocol packet and sends it to the target user.
The network access equipment for assisting lawful interception in a communication network according to the present invention comprises: a receiving device, which receives from the network access management equipment the specific protocol packet containing the interception management information and extracts the interception management information it carries; and an interception device, which, according to the interception management information, intercepts the target host's communication content and transmits the intercepted communication content to the lawful interception facility.
The present invention has the following beneficial effects:
1) The present invention can effectively support both static and dynamic lawful interception, overcoming the uncertainty and dynamic nature of communication session establishment.
2) The present invention requires only simple extensions to commonly used standard protocols such as DHCP and RADIUS, and is easy to implement and deploy; during implementation only part of the functionality of existing equipment needs to be modified and upgraded. No dedicated protocol is needed between the lawful interception facility and the network access equipment for managing interception transactions or for communicating and processing interception-related information.
3) The present invention realizes centralized management of the interception management information, which helps reduce the security risk to the interception management information and lowers the cost of managing its security.
Embodiments
Preferred embodiments of the present invention are explained in detail below with reference to the accompanying drawings.
Fig. 3A shows embodiment one of the IP network lawful interception system structure provided by the present invention. It comprises a user terminal 31, network access equipment 32, an authentication server 34 and a lawful interception facility 33 (which may specifically comprise lawful interception management equipment LIAF and a law enforcement monitoring facility LEMF). The user terminal 31 is the equipment the user uses to communicate and is controlled by the user. The network access equipment 32 is the connection device that connects the user terminal to other networks; it is provided by the network access provider (NAP) and is directly linked to the user terminal; depending on the technology it adopts and its configuration, it can intercept data at the physical layer, data link layer or network layer through its internal interception function (IIF) and provide the intercepted data to the lawful interception facility 33. The authentication server 34, as one kind of network access management equipment, is generally connected to the network access equipment and, through the correspondingly extended RADIUS protocol interface, verifies the legitimacy of the user identity and determines the service rights of that identity before the user accesses network resources.
As in step S1 of Fig. 3A, the lawful interception facility 33 configures, through its management information interface, the interception management information for the targets that need to be monitored on the network access management equipment (authentication server 34); the interception management information may include the target user identifier and the address and port information of the lawful interception facility.
As in step S2' of the figure, when the target user 31 performs network access authentication or a network resource request, the authentication server 34 passes the interception management information to the network access equipment 33 where target user 22 is located. The authentication server 34 may use the extended RADIUS protocol to pass the aforementioned interception management information to the network access equipment at the target user's location, or may further pass it through the RADIUS dynamic authorization extension protocol. The authentication server and the corresponding methods of transmitting interception management information are further described below with reference to Fig. 4.
As in step S3 of the figure, the network access management equipment (authentication server 34) may further send to the lawful interception facility 33 the interception events produced by this target user's network access, for example the network access equipment the target user accessed, the network resources related to authentication, the communication time, and so on. The aforementioned interception events may also be sent to the lawful interception facility 33 by the network access equipment 32 (as shown in step S3' of the figure).
As in step S5 of the figure, the network access equipment 32 intercepts the content of the target user 31's communication according to the interception management information and transmits the resulting lawful interception content to the lawful interception facility 33.
Fig. 4 shows an embodiment of the authentication server structure provided by the present invention. It comprises an interception processing unit 41 and an authentication device 42, wherein:
The interception processing unit 41 receives the interception management information from the lawful interception facility; the interception management information may include the target user identifier and the address and port information of the lawful interception facility. A typical structure of the interception processing unit 41 comprises a processing unit 411 and its corresponding data record table 412.
When the target user makes an authentication request, the authentication device 42 inserts the corresponding interception management information into a designated RADIUS protocol packet and sends it to the target user's communication network access device. A typical structure of the authentication device 421 comprises an authentication processing unit 421 and its corresponding data record table 422.
Here, the authentication processing unit 421 may extend the RADIUS protocol by defining a new protocol option to carry the interception management information. When the target user accesses the network and performs access authentication, the interception management information is inserted into the corresponding response message through the extended RADIUS protocol, and the authentication device then sends the interception management information to the target user's access network device in the access-success response message. Typically the interception management information is inserted into the access-success response message (Access-Accept) returned after the user identity has been authenticated; the implementation may be described in detail with reference to protocol specifications such as RFC 2865, "Remote Authentication Dial In User Service (RADIUS)".
In addition, the authentication processing unit 421 may define a new protocol option to carry the interception management information through the extended RADIUS dynamic authorization extension protocol. In practical application, if the target user's session has already been established, it is clearly insufficient for the lawful interception facility to issue the interception management information in the aforementioned manner. After receiving the interception management information, the processing unit 411 must query its data record table 422; on finding that the target user has already passed authentication and established a session, it directly triggers the authentication processing unit 421 to insert the interception management information into the corresponding protocol message through the extended RADIUS dynamic authorization extension protocol and send it to the target user's access network device. The implementation may be described in detail with reference to protocol specifications such as RFC 3576, "Dynamic Authorization Extensions to Remote Authentication Dial In User Service".
The interception processing unit 41 also further sends to the lawful interception facility 33 the interception events produced by this target user's network access, for example the network access equipment the target user accessed, the related network resources allocated, the communication time, and so on.
Fig. 3B shows embodiment two of the IP network lawful interception system structure provided by the present invention. It comprises a user terminal 31, network access equipment 32, a DHCP server 35 and a lawful interception facility 33 (which may specifically comprise lawful interception management equipment LIAF and a law enforcement monitoring facility LEMF). The user terminal 31 is the equipment the user uses to communicate and is controlled by the user. The network access equipment 32 is the connection device that connects the user terminal to other networks; it is provided by the network access provider (NAP) and is directly linked to the user terminal; depending on the technology it adopts and its configuration, it can intercept data at the physical layer, data link layer or network layer through its internal interception function (IIF) and provide the intercepted data to the lawful interception facility 33. The DHCP server 35, as one kind of network access management equipment, generally provides, through the DHCP protocol, configuration management of the network parameters of the user's access resources before the user accesses network resources, for example dynamic IP address allocation.
As in step S1 of Fig. 3B, the lawful interception facility 33 configures, through its management information interface, the interception management information for the targets that need to be monitored on the network access management equipment (DHCP server 35); the interception management information may include the target user identifier and the address and port information of the lawful interception facility.
As in step S2'' of the figure, when the target user 31 makes a network access resource request, the DHCP server 35 passes the interception management information to the network access equipment 33 where target user 22 is located. The DHCP server 35 may use the extended DHCP protocol to pass the aforementioned interception management information to the network access equipment 32 at the target user's location, or may further pass it to the network access equipment 32 at the target user's location through DHCP reconfigure extension protocol messages. The DHCP server and the corresponding methods of transmitting interception management information are further described below with reference to Fig. 5.
As in step S3 of the figure, the network access management equipment (DHCP server 35) may further send to the lawful interception facility 33 the interception events produced by this target user's network access, for example the network access equipment the target user accessed, the related network resources allocated, the communication time, and so on. The aforementioned interception events may also be sent to the lawful interception facility 33 by the network access equipment 32 (as shown in step S3' of the figure).
As in step S5 of the figure, the network access equipment 32 intercepts the content of the target user 31's communication according to the interception management information and transmits the resulting lawful interception content to the lawful interception facility 33.
Fig. 5 shows an embodiment of the DHCP server structure provided by the present invention. It comprises an interception processing unit 51 and a DHCP protocol processing device 52, wherein:
The interception processing unit 51 receives the interception management information from the lawful interception facility; the interception management information may include the target user identifier and the address and port information of the lawful interception facility. A typical structure of the receiving device 51 comprises a processing unit 511 and its corresponding data record table 512.
When the target user makes a network resource request, the DHCP protocol processing device 52 inserts the interception management information into a designated DHCP protocol packet and sends it to the target user's communication network access device. A typical structure of the authentication device 521 comprises a DHCP protocol processing device 521 and its corresponding data record table 522.
Here, the DHCP protocol processing device 521 may extend the DHCP protocol by defining a new protocol option to carry the interception management information; for example, the extended DHCP protocol inserts the interception management information as a new sub-option of DHCP option 82, or in a designated option of the DHCP protocol. When the target user accesses the network and makes a network resource request, for example during IP address allocation, the interception management information is inserted into the corresponding response message through the extended DHCP protocol option. Typically, after receiving the client's DHCPREQUEST, the DHCP server sends a DHCPACK response to the client to confirm that an IP lease is formally valid; this response message generally includes a lease time and all other configuration information the client requested. The interception management information may be inserted into this DHCPACK message; the implementation may be described in detail with reference to protocol specifications such as RFC 2131, "Dynamic Host Configuration Protocol".
In addition, the DHCP protocol processing device 521 may carry the interception management information through the extended DHCP reconfigure extension protocol. In practical application, if the target user's session has already been established, it is clearly insufficient for the lawful interception facility to issue the interception management information in the aforementioned manner. After receiving the interception management information, the processing unit 511 must query its data record table 522; on finding that the target user's session has already been established, it directly triggers the DHCP protocol processing device 521 to insert the interception management information into the DHCPFORCERENEW message corresponding to the target user through the DHCP reconfigure extension protocol and send it to the target user's access network device. The implementation may be described in detail with reference to protocol specifications such as RFC 3203, "DHCP Reconfigure Extension".
The interception processing unit 51 may also further send to the lawful interception facility 33 the interception events produced by this target user's network access, for example the network access equipment the target user accessed, the related network resources allocated, the communication time, and so on.
Fig. 6 shows an embodiment of the network access equipment structure provided by the present invention. It comprises a receiving device 61 and an interception device 62, wherein:
The receiving device 61 receives from the network access management equipment the specific protocol packet containing the interception management information; typical network access management equipment includes the authentication server and the DHCP server. Here the receiving device is implemented by interface protocol processing units for the corresponding access management equipment, for example a RADIUS client unit 611 and a DHCP protocol processing unit 612, which receive from the aforementioned network access management equipment the specific protocol packets containing the interception management information and extract the interception management information carried in those packets.
The RADIUS client unit 611 receives from the authentication server the specific RADIUS protocol messages containing the interception management information. It may further receive the specifically extended RADIUS dynamic authorization extension protocol messages containing the interception management information. The access-success response message (Access-Accept) from the network side, which is the confirmation of the client user's authentication, can be filtered out, and the interception management information inserted in this message can be extracted according to the agreed format.
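The following is an added example, written for this page and not code from the patent or from any vendor's product, of the RADIUS exchange described for the authentication processing unit 421 (Fig. 4) and the RADIUS client unit 611 above: the server places the interception management information in an Access-Accept, and the access device verifies the Response Authenticator before trusting the packet, extracts the information, and keeps it out of the attribute set that goes on to session setup. The patent specifies no attribute numbers, so the "new protocol option" is encoded here as an RFC 2865 Vendor-Specific attribute with a constructed Vendor-Id (99999) and Vendor-Type (1); the shared secret, Request Authenticator and sample information are constructed placeholders as well.

```python
import hashlib
import hmac
import struct

CODE_ACCESS_ACCEPT = 2
ATTR_FRAMED_IP_ADDRESS = 8     # RFC 2865 standard attribute, kept as an ordinary attribute
ATTR_VENDOR_SPECIFIC = 26      # RFC 2865 Vendor-Specific attribute
EXAMPLE_VENDOR_ID = 99999      # hypothetical Vendor-Id for this example only
VSA_MONITOR_INFO = 1           # hypothetical Vendor-Type carrying the interception management information


def encode_attr(attr_type, value):
    """RADIUS attribute: Type(1) Length(1, includes the 2-byte header) Value."""
    if len(value) > 253:
        raise ValueError("attribute value longer than 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_vsa(vendor_id, vendor_type, value):
    """Vendor-Specific (26): Vendor-Id(4) + Vendor-Type(1) Vendor-Length(1) data."""
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return encode_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def build_access_accept(identifier, request_auth, secret, attrs):
    """Server side: Access-Accept whose Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret) (RFC 2865, section 3)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, identifier, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def verify_response(packet, request_auth, secret):
    """Access-device side: accept only responses that prove knowledge of the shared secret."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attrs(packet):
    """Split the attribute area into (type, value) pairs with strict length checks."""
    attrs, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, packet[pos + 2:pos + length]))
        pos += length
    return attrs


def extract_monitor_info(packet, request_auth, secret):
    """Access-device side: verify the packet, pull out the monitor-info VSA and return
    (info_or_None, remaining_attrs); the VSA is never passed on to session setup."""
    if not verify_response(packet, request_auth, secret):
        raise ValueError("Response Authenticator mismatch: packet discarded")
    info, kept = None, []
    for attr_type, value in parse_attrs(packet):
        if (attr_type == ATTR_VENDOR_SPECIFIC and len(value) >= 6
                and struct.unpack("!I", value[:4])[0] == EXAMPLE_VENDOR_ID
                and value[4] == VSA_MONITOR_INFO):
            vlen = value[5]
            if vlen < 2 or 4 + vlen > len(value):
                raise ValueError("bad vendor sub-attribute length")
            info = value[6:4 + vlen]
            continue
        kept.append((attr_type, value))
    return info, kept


def demo():
    """Round trip over constructed sample values (not from any real deployment)."""
    secret = b"example-shared-secret"
    request_auth = bytes(range(16))      # Request Authenticator the access device sent
    info = b"constructed-monitor-info"
    packet = build_access_accept(7, request_auth, secret, [
        encode_attr(ATTR_FRAMED_IP_ADDRESS, bytes([10, 1, 2, 3])),
        encode_vsa(EXAMPLE_VENDOR_ID, VSA_MONITOR_INFO, info),
    ])
    return extract_monitor_info(packet, request_auth, secret)


if __name__ == "__main__":
    print(demo())
```

The authenticator check is the step that matters for the security of this design: an Access-Accept carrying interception directives is only as trustworthy as the shared secret, and an access device that parsed the Vendor-Specific attribute without first verifying the Response Authenticator would accept such directives from any host able to reach its RADIUS client port.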
The DHCP protocol processing unit 612 receives from the DHCP server the DHCP protocol messages containing the interception management information. It may further receive the specifically extended DHCP reconfigure extension protocol messages containing the interception management information. The DHCPACK response message from the network side can be filtered out; this message confirms to the client that an IP lease is formally valid and generally includes a lease time and all other configuration information the client requested, and the interception management information inserted in this DHCPACK message can be extracted according to the agreed format.
For network security reasons, after the receiving device 61 has extracted the interception management information from the specific RADIUS or DHCP protocol packets it received, the interception management information must be stripped from those packets before they are forwarded to the corresponding target user.
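The following is an added example, written for this page and not code from the patent or from any DHCP implementation, covering the option 82 sub-option described for the DHCP protocol processing device 521 (Fig. 5), the DHCP protocol processing unit 612, and the stripping requirement just stated: the server builds a DHCPACK whose Relay Agent Information option carries the interception management information in a sub-option, and the access device extracts that sub-option and forwards the DHCPACK to the client with option 82 removed. Sub-option code 250 is a constructed placeholder (the patent assigns no code), the circuit-id, transaction id, lease and addresses are sample values, and the block assumes the DHCPACK was received on the server-facing side of the access device.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_END = 0, 255
OPT_LEASE_TIME = 51
OPT_MSG_TYPE = 53
OPT_RELAY_AGENT_INFO = 82    # RFC 3046 Relay Agent Information option
DHCPACK = 5
SUBOPT_CIRCUIT_ID = 1        # RFC 3046 sub-option 1 (sample value below is constructed)
SUBOPT_MONITOR_INFO = 250    # hypothetical sub-option code for this example; not from any RFC


def tlv(code, value):
    """Encode one option or sub-option as code(1) length(1) value."""
    if len(value) > 255:
        raise ValueError("value too long for a single option")
    return bytes([code, len(value)]) + value


def parse_tlvs(data, allow_pad_end):
    """Parse a code/length/value list with strict bounds checks.
    Returns a list of (code, value); honours PAD and END only when allow_pad_end is set."""
    items, pos = [], 0
    while pos < len(data):
        code = data[pos]
        if allow_pad_end and code == OPT_PAD:
            pos += 1
            continue
        if allow_pad_end and code == OPT_END:
            break
        if pos + 2 > len(data):
            raise ValueError("truncated option header")
        length = data[pos + 1]
        if pos + 2 + length > len(data):
            raise ValueError("option length exceeds packet")
        items.append((code, data[pos + 2:pos + 2 + length]))
        pos += 2 + length
    return items


def build_dhcpack(xid, yiaddr, lease_secs, extra_options):
    """Server side: a minimal DHCPACK (BOOTREPLY over Ethernet) with the given extra options."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        2, 1, 6, 0, xid, 0, 0,
                        b"\0" * 4, yiaddr, b"\0" * 4, b"\0" * 4,
                        b"\0" * 16, b"\0" * 64, b"\0" * 128)
    options = (tlv(OPT_MSG_TYPE, bytes([DHCPACK]))
               + tlv(OPT_LEASE_TIME, struct.pack("!I", lease_secs))
               + b"".join(extra_options)
               + bytes([OPT_END]))
    return fixed + MAGIC_COOKIE + options


def parse_options(packet):
    """Validate the fixed header length and magic cookie, then parse the options area."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (bad length or magic cookie)")
    return parse_tlvs(packet[240:], allow_pad_end=True)


def extract_and_strip(packet):
    """Access-device side: pull the monitor-info sub-option out of option 82 and return
    (info_or_None, packet_without_option_82) ready to forward to the client."""
    options = parse_options(packet)
    msg_type = next((v for c, v in options if c == OPT_MSG_TYPE), None)
    if msg_type != bytes([DHCPACK]):
        return None, packet   # only DHCPACK is expected to carry the information here
    info, kept = None, []
    for code, value in options:
        if code == OPT_RELAY_AGENT_INFO:
            for sub, sval in parse_tlvs(value, allow_pad_end=False):
                if sub == SUBOPT_MONITOR_INFO:
                    info = sval
            continue   # drop the whole option 82: it is never relayed to the subscriber
        kept.append(tlv(code, value))
    rebuilt = packet[:240] + b"".join(kept) + bytes([OPT_END])
    return info, rebuilt


if __name__ == "__main__":
    # Constructed sample: DHCPACK for 10.1.2.3 with a one-hour lease and option 82 present.
    o82 = tlv(OPT_RELAY_AGENT_INFO,
              tlv(SUBOPT_CIRCUIT_ID, b"port-7") + tlv(SUBOPT_MONITOR_INFO, b"constructed-monitor-info"))
    ack = build_dhcpack(0x1234ABCD, bytes([10, 1, 2, 3]), 3600, [o82])
    found, forwarded = extract_and_strip(ack)
    print(found, [c for c, _ in parse_options(forwarded)])
```

Dropping the entire option 82 rather than only the monitor-info sub-option is the conservative choice: RFC 3046 already requires a relay agent to remove the Relay Agent Information option from replies before forwarding them to the client, so the client-facing packet looks the same whether or not any interception management information was carried, and the bounds checks in the parser keep a malformed option from being forwarded or crashing the relay.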
The interception device (IIF) 62 intercepts the target host's communication content according to the interception management information and transmits the intercepted communication content (HI3) to the lawful interception facility. As described above, the interception management information, which includes the target user identifier and the address and port information of the lawful interception facility, provides sufficient information for the interception device 62 to locate and intercept the target user and to deliver the interception result to the target lawful interception facility.
The interception device (IIF) 62 may also further send to the lawful interception facility 33 the interception events produced by this target user's network access, for example the network access equipment the target user accessed, the related network resources allocated, the communication time, and so on.
Although the above description provides certain embodiments of the invention, they are not intended to limit the scope of protection of the present invention. Those skilled in the art can make various modifications to the embodiments without departing from the scope and spirit of the present invention, and all such modifications fall within the scope of the present invention.