CN101656738B - Method and device for verifying terminal accessed to network - Google Patents
Method and device for verifying terminal accessed to network Download PDFInfo
- Publication number
- CN101656738B CN101656738B CN200910176044A CN200910176044A CN101656738B CN 101656738 B CN101656738 B CN 101656738B CN 200910176044 A CN200910176044 A CN 200910176044A CN 200910176044 A CN200910176044 A CN 200910176044A CN 101656738 B CN101656738 B CN 101656738B
- Authority
- CN
- China
- Prior art keywords
- terminal
- sign
- discriminating
- network
- message
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Abstract
The embodiment of the invention relates to a network communication technology, in particular to a method and a device for verifying a terminal accessed to the network, which are used for identifying a terminal accessed to the network in an illegal mode. The method comprises the following steps: receiving a PPP LCP Identification message of PPPoE from the terminal and then extracting an authentication identification from the PPP LCP Identification message; matching an authentication identification in a preset authentication identification list with the extracted authentication identification; and when the matching fails, determining that the terminal is the illegal terminal. The method can identify illegally-accessed terminals when the terminal is accessed to the network, thereby improving the security of the network.
Description
Technical field
The present invention relates to the network communications technology, particularly a kind of method and apparatus that the terminal of access network is verified.
Background technology
PPPoE (point to point protocal over Ethernet, the point-to-point connection protocol on the Ethernet) is a kind of more common consumer wideband access way at present.
The user adopts the mode of dialing to import username and password on main frame; Through ADSL (Asymmetrical Digital Subscriber Loop; Asymmetrical Digital Subscriber Line) inserts DSLAM (Data Subscriber Line Access Multiplexer; Digital subscriber line access multiplex), go up the authentication and accounting mandate at BRAS (Broadband Remo te Access Server, BAS Broadband Access Server) then.
At present, the positional information that user name, password and the user who imports through the user that PPPoE is inserted inserts judges whether the user of access is legal.Therefore as long as user name, password and user access point are correct, the user just can normally insert.Verification mode above adopt most of operation commercial city is verified the legitimacy that PPPoE inserts.
Existing operator can let the user of transacting business adopt the router dialing, hangs the mode of PC then down and shares online.
Router PPPoE dialing; Obtain the legal address that operator distributes; Different subsequently main frames can obtain the private net address that home gateway distributes on router, home gateway is NAT through the public network address that the own private net address that distributes and operator are distributed and is changed and reach shared purpose of surfing the Net.
Because the verification mode that PPPoE inserts is not rigorous, so much there is not the user of transacting business to dial through illegal router, following extension PC shares online.Because when the user dialled through illegal router, the positional information that the user name of input, password and user insert all was correct, be legal access so network side is difficult to which terminal of identification, which terminal is illegal access.
In sum, network side is difficult to the illegal terminal of inserting of identification at present.
Summary of the invention
The embodiment of the invention provides a kind of method and apparatus that the terminal of access network is verified, in order to the terminal of identification un-authorised access to network.
A kind of method that the terminal of access network is verified that the embodiment of the invention provides, this method comprises:
After service node SN receives the PPP LCPIdentifiaction message of Point-to-Point Protocol over Ethernet PPPoE of self terminal, from said PPP LCP Identifiaction message, extract and differentiate sign;
The said discriminating sign that SN identifies and extracts the discriminating in the predefined discriminating identification list is mated;
When the coupling failure, confirm that this terminal is illegal terminal.
A kind of system that the terminal of access network is verified that the embodiment of the invention provides, this system comprises:
The terminal is used to send the PPP LCPIdentifiaction message that comprises the Point-to-Point Protocol over Ethernet PPPoE that differentiates sign;
Network equipment; After being used to receive PPP LCP Identifiaction message; From said PPP LCPIdentifiaction message, extract and differentiate sign; Said discriminating sign to the discriminating in the predefined discriminating identification list identifies and extracts is mated, and when the coupling failure, confirms that this terminal is illegal terminal.
A kind of network equipment that the embodiment of the invention provides, this network measurement equipment comprises:
Extraction module, be used to receive the PPP LCPIdentifiaction message of Point-to-Point Protocol over Ethernet PPPoE of self terminal after, from said PPP LCP Identifiaction message, extract and differentiate sign;
Matching module is used for the discriminating sign of predefined discriminating identification list and the said discriminating sign that extracts are mated;
Processing module is used for when the coupling failure, confirming that this terminal is illegal terminal.
After embodiment of the invention SN receives the PPP LCPIdentifiaction message of Point-to-Point Protocol over Ethernet PPPoE of self terminal; From the PPP LCP Identifiaction message that comes self terminal that receives, extract and differentiate sign; Discriminating sign to the discriminating in the predefined discriminating identification list identifies and extracts is mated; And when the coupling failure, confirm that this terminal is illegal terminal.The embodiment of the invention can be when accessing terminal to network, and which just can be discerned is the illegal terminal of inserting, thereby improves internet security.
Description of drawings
The system configuration sketch map that Fig. 1 verifies the terminal of access network for the embodiment of the invention;
Fig. 2 is the structural representation of embodiment of the invention network equipment;
The method flow sketch map that Fig. 3 verifies the terminal of access network for the embodiment of the invention;
Fig. 4 only allows the method flow sketch map of computer dialing for the embodiment of the invention;
Fig. 5 only allows the method flow sketch map of Designated Router dialing for the embodiment of the invention.
Embodiment
The embodiment of the invention is at PPPoE (Point to Point Protocol over Ethernet; Point-to-Point Protocol over Ethernet) inserts PPP (the Point-to-Point Protocol set up in the protocol negotiation process from the PPPoE that comes self terminal that receives; Peer-peer protocol) LCP (Link Control Protocol; LCP) extracts the discriminating sign in Identifiaction (evaluation) message; Discriminating sign to the discriminating in the predefined discriminating identification list identifies and extracts is mated, and when the coupling failure, confirms that this terminal is illegal terminal.The embodiment of the invention can be when accessing terminal to network, and which just can be discerned is the illegal terminal of inserting, thereby improves internet security.
Below in conjunction with Figure of description the embodiment of the invention is described in further detail.
As shown in Figure 1, the system that the embodiment of the invention is verified the terminal of access network comprises: terminal 10 and network equipment 20.
Concrete, terminal 10 is inserted to set up to send in the protocol negotiation process at PPPoE and is comprised the PPP LCP Identifiaction message of differentiating sign.
Wherein, during the PPPoE subscriber dialing, set up meeting transmission PPPLCP Identifiaction message in the protocol negotiation process in the PPPoE access, different dialers differentiates that sign is also inequality.
For example in the information of the ppp protocol stack band of Microsoft, descriptive statement a: Message:MSRASV 5.0 (Microsoft Remote Access Service, the long-range access service of Microsoft) is arranged after this message packet capturing.
Wherein, MSRASV 5.0 differentiates sign.
Also can be different for different operating system of user ppp protocol stacks, the discriminating sign in the PPP LCP Identification message also is different.For example because operating system is different, the discriminating sign of the PPPoE dialing of router is just inequality with the discriminating sign of the ppp protocol stack of Microsoft.
Based on this, the discriminating that allows to insert can be set in predefined discriminating identification list identify, such as the discriminating sign of microsoft operation system, the discriminating sign of legal router etc.
In the practical implementation process, differentiate that the discriminating sign in the identification list can be set as required, and can upgrade as required, such as increasing, delete the discriminating sign of differentiating in the identification list.
In order further to improve internet security, terminal 10 can be encrypted differentiating sign according to predefined key, and the sign of the discriminating after will encrypting places PPP LCP Identifiaction message;
Accordingly, network equipment 20 extracts to be differentiated after the sign, deciphers the discriminating sign after obtaining deciphering according to predefined key.
Such as; 10 usefulness predefined PKI in terminal is encrypted differentiating sign; And the discriminating after will encrypting sign places PPP LCP Identifiaction message, and network equipment 20 can be deciphered according to predefined private key, behind successful decryption, is mating checking.
Differentiate that sign can be the character string after a string encryption, can carry out sending through PPP LCP Identification message after the md5 encryption to a string character string (for example chinamobile) such as terminal 10 (can be the dialer or the router of operator's appointment);
Such as can only showing that this terminal is illegal interruption, still allow this accessing terminal to network; Also can directly refuse this accessing terminal to network; Can also both show that this terminal is illegal terminal, refused this accessing terminal to network again.
Need to prove that the mode that embodiment of the invention ciphertext is encrypted is not limited to MD5, anyly can all be suitable for the embodiment of the invention differentiating the mode that sign is encrypted.
Wherein, the terminal 10 of the embodiment of the invention can be dialer (such as the legal home gateway of dialer software, the operator of subscriber's main station), router of operator's appointment etc.The network equipment 20 of the embodiment of the invention can be SN (Service Node; Service node) equipment is such as BRAS (BroadbandRemote Access Server, BAS Broadband Access Server), SR (ServiceRouter; Business router), can also be the new equipment of network side.
As shown in Figure 2, embodiment of the invention network equipment comprises: extraction module 200, matching module 210 and processing module 220.
Wherein, the discriminating that allows to insert can be set in predefined discriminating identification list identify, such as the discriminating sign of microsoft operation system, the discriminating sign of legal router etc.
In the practical implementation process, differentiate that the discriminating sign in the identification list can be set as required, and also can upgrade as required, such as increasing, delete the discriminating sign of differentiating in the identification list.
Differentiate that sign can be also can be ciphertext expressly, ciphertext is compared expressly can further improve internet security.
If ciphertext, the terminal can be encrypted differentiating sign according to predefined key, and the sign of the discriminating after will encrypting places PPP LCP Identifiaction message;
Accordingly, extraction module 200 extracts to be differentiated after the sign, deciphers the discriminating sign after obtaining deciphering according to predefined key.
Wherein, whether matching module 210 is checked from predefined discriminating identification list has the identical discriminating sign of discriminating sign that extracts with extraction module 200, if having, then confirm to mate successfully; Otherwise, confirm the coupling failure.
Preferable, processing module 220 can also be after definite terminal be illegal terminal, the discriminating sign of correspondence is placed differentiate the sign blacklist list, supplies inquiry to use.
As shown in Figure 3, the method that the embodiment of the invention is verified the terminal of access network comprises the following steps:
After step 301, RN receive the PPP LCP Identifiaction message of PPPoE of self terminal, from PPP LCP Identifiaction message, extract and differentiate sign.
The discriminating sign that step 302, RN identify and extract the discriminating in the predefined discriminating identification list is mated.
Can further include before the step 301:
The PPP LCP Identifiaction message that comprises the PPPoE that differentiates sign is sent at step 300, terminal.
Concrete, the terminal is inserted to set up to send in the protocol negotiation process at PPPoE and is comprised the PPPLCP Identifiaction message of differentiating sign.
In the step 300, during the PPPoE subscriber dialing, set up meeting transmission PPP LCP Identifiaction message in the protocol negotiation process in the PPPoE access, different dialers differentiates that sign is also inequality.
For example in the information of the ppp protocol stack band of Microsoft, descriptive statement a: Message:MSRASV 5.0 is arranged after this message packet capturing.
Wherein, MSRASV 5.0 differentiates sign.
Also can be different for different operating system of user ppp protocol stacks, the discriminating sign in the PPP LCP Identification message also is different.For example because operating system is different, the discriminating sign of the PPPoE dialing of router is just inequality with the discriminating sign of the ppp protocol stack of Microsoft.
Based on this, RN can be provided with the discriminating that allows to insert and identify in predefined discriminating identification list, such as the discriminating sign of microsoft operation system, the discriminating sign of legal router etc.
In the practical implementation process, differentiate that the discriminating sign in the identification list can be set as required, and can upgrade as required, such as increasing, delete the discriminating sign of differentiating in the identification list.
Differentiate that sign can be also can be ciphertext expressly, ciphertext is compared expressly can further improve internet security.
If ciphertext, in the step 300, the terminal can be encrypted differentiating sign according to predefined key, and the sign of the discriminating after will encrypting places PPP LCP Identifiaction message
Accordingly, in the step 301, RN extracts and differentiates after the sign, deciphers the discriminating sign after obtaining deciphering according to predefined key.
Such as; Encrypt differentiating sign with predefined PKI at the terminal; And the discriminating after will encrypting sign places PPP LCP Identifiaction message, can decipher according to predefined private key in the step 301, behind successful decryption, mating checking.
Differentiate that sign can be the character string (such as the Identification character string) after a string encryption, can carry out sending through PPP LCP Identification message after the md5 encryption to a string character string (for example chinamobile) such as terminal (can be the dialer or the router of operator's appointment);
RN deciphering back finds it is chinamobile in the step 301, then allows to insert, if be not chinamobile or deciphering failure after the deciphering, shows that then this terminal is illegal terminal and/or does not allow to insert.
Such as can only showing that this terminal is illegal interruption, still allow this accessing terminal to network; Also can directly refuse this accessing terminal to network; Can also both show that this terminal is illegal terminal, refused this accessing terminal to network again.
Need to prove that the mode that embodiment of the invention ciphertext is encrypted is not limited to MD5, anyly can all be suitable for the embodiment of the invention differentiating the mode that sign is encrypted.
In 302, RN checks the identical discriminating sign of discriminating sign that whether has and extract from predefined discriminating identification list, if having, then confirm to mate successfully; Otherwise, confirm the coupling failure.
Accordingly, RN can refuse this accessing terminal to network in the step 303 after definite this terminal is illegal terminal, stops illegal terminal access network sidelong glance thereby reach.
Preferable, RN can also be after definite terminal be illegal terminal, the discriminating sign of correspondence is placed differentiate the sign blacklist list, supplies inquiry to use.
RN confirms that this terminal is a legal terminal in the step 303 when mating successfully, and sets up protocol negotiation success back (being that user name, password and user access point are correct) in the PPPoE access, allows this accessing terminal to network.
Wherein, the executive agent of the embodiment of the invention can be a SN equipment, can also be the new equipment of network side.
As shown in Figure 4, the embodiment of the invention only allows the method for computer dialing to comprise the following steps:
SN equipment only allows to use the computer dial-up access of microsoft operation system.
Step 401, user prepare to reach the standard grade to land, and router begins to carry out the PPPoE dialing.
Step 402, SN equipment are analyzed PPP LCP Identification message when PPPoE dials, find that the discriminating sign in the message is not the identifier MSRASV 5.0 of microsoft operation system, not in differentiating identification list.
The access request of step 403, SN equipment refusing user's.
Step 404, user change and make computer and dial.
Step 405, SN equipment are analyzed PPP LCP Identification message when PPPoE dials, find to differentiate that sign is legal.
Step 406, SN equipment allow PPPoE user to insert and accessing network resources after user name, password and user access point are correct.
As shown in Figure 5, the embodiment of the invention only allows the method for Designated Router dialing to comprise the following steps:
SN equipment only allows to use the soho router dial-up access of operator's appointment, and soho router adopts fixed key to encrypt and differentiates sign.
Step 501, user prepare to reach the standard grade to land, and adopt illegal soho router to carry out the PPPoE dialing.
Step 502, SN equipment are analyzed PPP LCP Identification message when PPPoE dials, find to differentiate that sign is not in legal discriminating identification list after the employing secret key decryption.
The access request of step 503, SN equipment refusing user's.
Step 504, user change the soho router dialing of operator's appointment into, and this moment, soho router adopted the secret key encryption Identification of operator identifier.
Step 505, SN equipment are analyzed PPP LCP Identification message when PPPoE dials, find to differentiate that sign is legal sign after the employing secret key decryption.
Step 506, SN equipment allow PPPoE user to insert and accessing network resources after user name, password and user access point are correct.
From the foregoing description, can find out: after embodiment of the invention SN receives the PPP LCP Identifiaction message of PPPoE of self terminal, from PPP LCP Identifiaction message, extract and differentiate sign; Discriminating sign to the discriminating in the predefined discriminating identification list identifies and extracts is mated; When the coupling failure, confirm that this terminal is illegal terminal.
The embodiment of the invention can be when accessing terminal to network, and which just can be discerned is the illegal terminal of inserting, thereby improves internet security.
Further, because when accessing terminal to network, which just can be discerned is the illegal terminal of inserting, thereby can stop illegal terminal to be linked in the network, has reduced the difficulty of operator to network bandwidth management, has improved efficiency of managing.
Obviously, those skilled in the art can carry out various changes and modification to the present invention and not break away from the spirit and scope of the present invention.Like this, belong within the scope of claim of the present invention and equivalent technologies thereof if of the present invention these are revised with modification, then the present invention also is intended to comprise these changes and modification interior.
Claims (11)
1. the method that the terminal of access network is verified is characterized in that, this method comprises:
After service node SN receives the PPP LCP Identifiaction message of Point-to-Point Protocol over Ethernet PPPoE of self terminal, from said PPP LCP Identifiaction message, extract and differentiate sign;
The said discriminating sign that SN identifies and extracts the discriminating in the predefined discriminating identification list is mated;
When the coupling failure, confirm that this terminal is illegal terminal.
2. the method for claim 1 is characterized in that, the said discriminating sign that extracts is plaintext or ciphertext.
3. method as claimed in claim 2 is characterized in that, if the said discriminating sign that extracts is a ciphertext;
Said terminal also comprises before sending PPP LCP Identifiaction message:
Encrypt differentiating sign according to predefined key at said terminal, and the sign of the discriminating after will encrypting places PPP LCP Identifiaction message;
Said SN extracts and differentiates after the sign, also comprises before the sign of the discriminating in the predefined discriminating identification list and the said discriminating sign that extracts are mated:
SN deciphers according to predefined key, the discriminating sign after obtaining deciphering.
4. the method for claim 1 is characterized in that, said SN confirms that this terminal is that illegal terminal also comprises afterwards:
SN shows that this terminal is illegal terminal and/or refuses this accessing terminal to network.
5. the method for claim 1 is characterized in that, this method also comprises:
SN confirms that this terminal is a legal terminal when mating successfully, and after the protocol negotiation success is set up in the PPPoE access, allows this accessing terminal to network.
6. the system that the terminal of access network is verified is characterized in that, this system comprises:
The terminal is used to send the PPP LCP Identifiaction message that comprises the Point-to-Point Protocol over Ethernet PPPoE that differentiates sign;
Network equipment; After being used to receive PPP LCP Identifiaction message; From said PPP LCP Identifiaction message, extract and differentiate sign; Said discriminating sign to the discriminating in the predefined discriminating identification list identifies and extracts is mated, and when the coupling failure, confirms that this terminal is illegal terminal.
7. system as claimed in claim 6 is characterized in that, said terminal also is used for:
Encrypt differentiating sign according to predefined key, and the sign of the discriminating after will encrypting places PPP LCP Identifiaction message;
Said network equipment also is used for
After extracting the discriminating sign, decipher the discriminating sign after obtaining deciphering according to predefined key.
8. a network equipment is characterized in that, this network measurement equipment comprises:
Extraction module, be used to receive the PPP LCP Identifiaction message of Point-to-Point Protocol over Ethernet PPPoE of self terminal after, from said PPP LCP Identifiaction message, extract and differentiate sign;
Matching module is used for the discriminating sign of predefined discriminating identification list and the said discriminating sign that extracts are mated;
Processing module is used for when the coupling failure, confirming that this terminal is illegal terminal.
9. network equipment as claimed in claim 8 is characterized in that, said extraction module also is used for:
Extract and differentiate after the sign, decipher, the discriminating sign after obtaining deciphering according to predefined key.
10. network equipment as claimed in claim 8 is characterized in that, said processing module also is used for:
Confirm that this terminal is after the illegal terminal, shows that this terminal is illegal terminal and/or refuses this accessing terminal to network.
11. network equipment as claimed in claim 8 is characterized in that, said processing module also is used for:
When mating successfully, confirm that this terminal is a legal terminal, and after the protocol negotiation success is set up in the PPPoE access, allow this accessing terminal to network.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN200910176044A CN101656738B (en) | 2009-09-22 | 2009-09-22 | Method and device for verifying terminal accessed to network |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN200910176044A CN101656738B (en) | 2009-09-22 | 2009-09-22 | Method and device for verifying terminal accessed to network |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN101656738A CN101656738A (en) | 2010-02-24 |
| CN101656738B true CN101656738B (en) | 2012-10-03 |
Family
ID=41710825
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN200910176044A Active CN101656738B (en) | 2009-09-22 | 2009-09-22 | Method and device for verifying terminal accessed to network |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN101656738B (en) |
Families Citing this family (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103701837B (en) * | 2012-09-27 | 2018-04-10 | 中兴通讯股份有限公司 | A kind of point-to-point protocol dial on demand method and home gateway |
| CN104518874A (en) * | 2013-09-26 | 2015-04-15 | 中兴通讯股份有限公司 | Network access control method and system |
| CN110784431A (en) * | 2018-07-30 | 2020-02-11 | 比亚迪股份有限公司 | Vehicle-mounted Ethernet secure access method, system, vehicle-mounted gateway and network equipment |
| CN111464837B (en) * | 2020-04-10 | 2021-04-02 | 杭州秋茶网络科技有限公司 | Video terminal access verification method and server of online live broadcast system |
Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1658587A (en) * | 2004-02-18 | 2005-08-24 | 日本电气株式会社 | VoIP wireless telephone system and method utilizing wireless LAN |
-
2009
- 2009-09-22 CN CN200910176044A patent/CN101656738B/en active Active
Patent Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1658587A (en) * | 2004-02-18 | 2005-08-24 | 日本电气株式会社 | VoIP wireless telephone system and method utilizing wireless LAN |
Also Published As
| Publication number | Publication date |
|---|---|
| CN101656738A (en) | 2010-02-24 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN1694454B (en) | Communication method and system between a terminal and at least a communication device | |
| US8537841B2 (en) | Connection support apparatus and gateway apparatus | |
| US7680878B2 (en) | Apparatus, method and computer software products for controlling a home terminal | |
| US8522315B2 (en) | Automatic configuration of client terminal in public hot spot | |
| JP4848052B2 (en) | Secret communication method using VPN, system thereof, program thereof, and recording medium of program | |
| US20100100951A1 (en) | Communication system and method | |
| US8274401B2 (en) | Secure data transfer in a communication system including portable meters | |
| CN104025542A (en) | Method for secured backup and restore of configuration data of end-user device, and device using the method | |
| JP5536628B2 (en) | Wireless LAN connection method, wireless LAN client, and wireless LAN access point | |
| KR20080104180A (en) | Sim based authentication | |
| CN1249637A (en) | Method for encryption of wireless communication in wireless system | |
| KR20060029047A (en) | Apparatus and method for authenticating user for network access in communication | |
| EP2291017A1 (en) | Method for network connection | |
| US9648650B2 (en) | Pairing of devices through separate networks | |
| CN109792601B (en) | Method and equipment for deleting eUICC configuration file | |
| CN101656738B (en) | Method and device for verifying terminal accessed to network | |
| US7562142B2 (en) | System and method for network connection | |
| CN114143788A (en) | Method and system for realizing authentication control of 5G private network based on MSISDN | |
| CN101800984A (en) | Method and server terminal for obtaining WAPI certification and WAPI authentication system | |
| CN101771684A (en) | Internet compuphone authentication method and service system thereof | |
| WO2011144129A2 (en) | Machine-card interlocking method, user identity model card and terminal | |
| CN115987583B (en) | Binding control method for base of intelligent device, base, intelligent device and storage medium | |
| EP1715690A1 (en) | Method of videophone data transmission | |
| JP3521837B2 (en) | Location information service system and method, and storage medium storing location information service program | |
| CN115278676A (en) | WAPI certificate application method, wireless terminal and certificate discriminator |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant |