CN102006298A - Method and device for realizing load sharing of access gateway - Google Patents

Method and device for realizing load sharing of access gateway Download PDF

Info

Publication number
CN102006298A
CN102006298A CN2010105625716A CN201010562571A CN102006298A CN 102006298 A CN102006298 A CN 102006298A CN 2010105625716 A CN2010105625716 A CN 2010105625716A CN 201010562571 A CN201010562571 A CN 201010562571A CN 102006298 A CN102006298 A CN 102006298A
Authority
CN
China
Prior art keywords
service processing
processing module
user terminal
cookie information
sign
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN2010105625716A
Other languages
Chinese (zh)
Inventor
梁汉立
李岩
章国梁
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd filed Critical Huawei Technologies Co Ltd
Priority to CN2010105625716A priority Critical patent/CN102006298A/en
Publication of CN102006298A publication Critical patent/CN102006298A/en
Pending legal-status Critical Current

Links

Images

Landscapes

  • Mobile Radio Communication Systems (AREA)

Abstract

The embodiment of the invention provides a method and device for realizing load sharing of an access gateway. The method of the invention comprises the following steps: receiving an internet protocol security (IPsec) tunnel authentication request message comprising cache COOKIE information transmitted by a user terminal; determining a service processing module to be distributed by the user terminal according to the COOKIE information, and transmitting the IPsec tunnel authentication request message to the service processing module; and returning an IPsec tunnel authentication response message constructed by the service processing module to the user terminal, wherein the IPsec tunnel authentication response message comprises the identification of the service processing module distributed by the user terminal. By the method and device provided by the embodiment of the invention, the access gateway can realize uniform load sharing.

Description

IAD is realized the method and apparatus of load sharing
Technical field
The present invention relates to network field, relate in particular to the method and apparatus that a kind of IAD is realized load sharing.
Background technology
At present, IPsec (IP safety) two ends, tunnel provide privacy, integrality, access control and data source authentication service by sharing key to IP (Internet Protocol, the agreement that interconnects between the network are called for short net association) message.Sharing the foundation of key can set up by hand, and also mode is set up automatically through consultation.In RFC2407, RFC2408 and RFC2409, defined a kind of key agreement mechanism---IKE (Internet Key Exchange, the Internet Key Exchange) agreement.
According to the IKE agreement, initial mutual (INITIAL) set up IKE_SA (internet cryptographic key exchanging safety alliance) and first CHILD_SA (sub-Security Association), i.e. IPsec SA (ipsec security alliance), and process is as shown in Figure 1.It is made up of four message: preceding two message are that IKE_SA_INIT (tunnel authentication) is mutual, be mainly used in consulted encryption algorithm, exchange nonce (random number) is worth and finish D-H (Diffie-Hellman, the kerria not-Hull is graceful) cipher key change, thereby calculate to generate the follow-up mutual key material that is used to encrypt with integrity verification; Two message in back are that IKE_SA_AUTH (tunnel authentication) is mutual, be used to verify preceding two message, exchange identity information and certificate (optional), adopt wildcard or digital signature mode to carry out authentication simultaneously, thereby set up IKE_SA and first CHILD_SA.
At present, IKE, ESP (Encapsulating Security Payload, Encapsulating Security Payload) and the used key material of AH (AuthenticationHeader, authentication header) security association are to have what the restriction of certain hour restriction and protected data.In case SA (Security Association, Security Association) is expired, must stop using.Continue if desired to connect, both sides can consult to set up a new SA.Replacing expired SA with the SA that rebulids is exactly herein heavily negotiation.Usually, specific implementation should heavily be consulted CHILD_SA on an IKE_SA basis that has existed, and deletes old CHILD_SA; Also can consult an IKE_SA, and to inherit all serve as the CHILD_SA that create on the basis with old IKE_SA, take over control, and delete old IKE_SA that new SA set up before old SA is because of expired can not the use to all message with equity side one lifting of communicating by letter.
The inventor states in the protocol procedures in realization and finds, when existing IAD had the multi-service processing module, IAD also can't be distributed to the tunnel authentication message of different UEs uniformly the corresponding service processing module and realize load sharing.
Summary of the invention
The embodiment of the invention provides a kind of IAD to realize the method and apparatus of load sharing, to solve in distributed system, when UE initiates first attached, IAD can't be realized uniform load sharing, UE initiates the tunnel when heavily consulting, and IAD can't be distributed to UE the last time and adhere to problem on the Service Processing Module at place.
On the one hand, the embodiment of the invention provides a kind of IAD to realize the method for load sharing, and described method comprises:
Receive the IPsec that comprises COOKIE (buffer memory) information (net association safety) the tunnel authentication request message that user terminal sends;
Determine the Service Processing Module that user terminal will be distributed according to described COOKIE information, described tunnel authentication request message is sent to described Service Processing Module;
Return the IPsec tunnel authentication answer message that described Service Processing Module makes up to described user terminal, comprise the sign of the Service Processing Module that described user terminal is distributed in the described IPsec tunnel authentication answer message.
On the other hand, the embodiment of the invention provides a kind of IAD, and described IAD comprises:
Receiving element is used to receive the IPsec that comprises COOKIE (buffer memory) information (net association safety) the tunnel authentication request message that user terminal sends;
Dispatching Unit is used for determining the Service Processing Module that user terminal will be distributed according to described COOKIE information, and described tunnel authentication request message is sent to described Service Processing Module;
Transmitting element is used for returning the IPsec tunnel authentication answer message that described Service Processing Module makes up to described user terminal, comprises the sign of the Service Processing Module that described user terminal is distributed in the described IPsec tunnel authentication answer message.
On the one hand, the embodiment of the invention also provides a kind of user terminal again, and described user terminal comprises:
Generation unit is used for when the sign of Service Processing Module is arranged, and uses the sign of described Service Processing Module to generate COOKIE information, when not having the sign of Service Processing Module, uses the non-safe correlated identities of distributivity to generate COOKIE information;
Transmitting element is used for sending the IPsec tunnel authentication request message that comprises described COOKIE information to IAD, so that described IAD is distributed to the corresponding service processing module with described user terminal;
Receiving element is used to receive the IPsec tunnel authentication answer message that described Service Processing Module that described IAD returns makes up, and comprises the sign of the Service Processing Module that described user terminal is distributed in the described IPsec tunnel authentication answer message.
The method and apparatus that provides by the embodiment of the invention, in distributed system, increase COOKIE information in user's the IKE tunnel negotiation message, with the foundation of this COOKIE information as the Service Processing Module distribution, so, when UE initiates first attached, IAD can be realized uniform load sharing, and initiates the tunnel when heavily consulting at UE, and IAD can be distributed to UE the last time and adhere on the Service Processing Module at place.
Description of drawings
Accompanying drawing described herein is used to provide further understanding of the present invention, constitutes the application's a part, does not constitute limitation of the invention.In the accompanying drawings:
The flow chart of Fig. 1 when at present carrying out initially alternately according to IKE agreement UE and IAD;
Fig. 2 is the application scenarios schematic diagram of the method for the embodiment of the invention;
Fig. 3 is the method flow diagram of one embodiment of the invention;
Fig. 4 is the method flow diagram of another embodiment of the present invention;
Fig. 5 is the interaction diagrams of the execution mode of Fig. 4 embodiment;
Fig. 6 is the interaction diagrams of the another one execution mode of Fig. 4 embodiment;
Fig. 7 is the IAD composition frame chart of the embodiment of the invention;
Fig. 8 is that the subscriber equipment of the embodiment of the invention is formed block diagram.
Embodiment
For the purpose, technical scheme and the advantage that make the embodiment of the invention is clearer,, the embodiment of the invention is described in further details below in conjunction with embodiment and accompanying drawing.At this, illustrative examples of the present invention and explanation thereof are used to explain the present invention, but not as a limitation of the invention.
IAD under the IKE agreement that Fig. 2 provides for the embodiment of the invention is realized the schematic diagram of application scenarios of the method for load sharing, please refer to Fig. 2, include user terminal 21 and IAD 22 in this application scenarios, wherein, IAD 22 comprises a distribution of services administration module 221 and a plurality of Service Processing Module 222, in the present embodiment, comprise that with IAD 22 two Service Processing Modules 222 are that example describes.
A kind of IAD that Fig. 3 provides for the embodiment of the invention is realized the flow chart of the method for load sharing, please refer to Fig. 3, and this method comprises:
Step 301: receive the IPsec tunnel authentication request message that comprises COOKIE information that user terminal sends;
Step 302: determine the Service Processing Module that user terminal will be distributed according to described COOKIE information, described tunnel authentication request message is sent to described Service Processing Module;
Step 303: return the IPsec tunnel authentication answer message that described Service Processing Module makes up to described user terminal, comprise the sign of the Service Processing Module that described user terminal is distributed in the described IPsec tunnel authentication answer message.
The method that provides by the embodiment of the invention, in distributed system, increase COOKIE information in user's the IKE tunnel negotiation message, with the foundation that this COOKIE information is distributed as Service Processing Module, like this, when UE initiated first attached, IAD can be realized uniform load sharing; When UE initiates the tunnel when heavily consulting, IAD can be distributed to this UE the last time and adhere on the Service Processing Module at place.
A kind of IAD that Fig. 4 provides for the embodiment of the invention is realized the flow chart of the method for load sharing, please refer to Fig. 4, and this method comprises:
Step 401: receive the IPsec tunnel authentication request message that comprises COOKIE information that user terminal 21 sends;
In the present embodiment, user terminal 21 at first sends IPsec tunnel authentication (IKE_SA_INIT) request message to IAD 22, in this IKE_SA_INIT message, carry the COOKIE information that user terminal generates, so that IAD is these user terminal 21 distribution service processing modules according to this COOKIE information.
In one embodiment, user terminal uses the sign of this Service Processing Module to generate this COOKIE information when the sign of Service Processing Module is arranged, then this COOKIE information sign that is Service Processing Module; When not having the sign of Service Processing Module, use the non-safe correlated identities of distributivity to generate this COOKIE information, then this COOKIE information is the non-safe correlated identities of this distributivity.
The non-safe correlated identities of the distributivity here is low and do not participate in the sign of security algorithm for repeating probability of use, wherein the distributivity sign that refers to different user has very little probability collision, selects same Service Processing Module to cause load balancing to realize when so just having avoided a lot of users initially to insert; Non-safety is relevant to refer to this and identifies computings such as not participating user authentication, data encryption and/or integrity protection, has so just avoided using plaintext to transmit the potential safety hazard that this sign may occur.
Wherein, the non-safe correlated identities of distributivity can be IMEI (International Mobile Equipment Identity, the International Mobile Equipment Identity sign indicating number), it also can be a non-security parameter of user terminal 21 structures, for example construct based on the Mac address of UE, can also be the random number of continuous equally distributed random number generator output, present embodiment not with this as restriction.
Wherein, IMEI is the international equipment identification code that moves, and it forms " electronics string number " by 15 bit digital, corresponding one by one with every mobile phone, because IMEI does not represent the user who uses mobile phone, thus can not participate in authentication and coupling of safety-relevant processes based on the user, so there is not safety issue.In addition, the IMEI of each mobile phone is different, has guaranteed equally can not collide.
In the present embodiment, can carry above-mentioned COOKIE information by the head session identification cell of multiplexing IKE_SA_INI request message, for example IMEI is converted to BCD (Binary-Coded Decimal, binary-decimal code) behind the sign indicating number, leaves in the session identification cell of answer party of IKE_SA_INI request message; Also can carry above-mentioned COOKIE information by the expansion cell of this IKE_SA_INI request message.
Step 402: determine the Service Processing Module 222 that user terminal 21 will be distributed according to above COOKIE information, and above IPsec tunnel authentication request message is sent to the Service Processing Module of above distribution;
In the present embodiment, the distribution of services administration module 221 of IAD 22 gets access to the COOKIE information of this user terminal 21 from the IKE_SA_INI request message that user terminal 21 sends, can be according to this COOKIE information, this user terminal 21 is distributed to corresponding service processing module 222, also promptly determine the Service Processing Module 222 that this user terminal 21 will be distributed, again IPsec tunnel authentication request message is sent to this Service Processing Module of determining 222 according to this COOKIE information.
Wherein, if comprise the sign of Service Processing Module in the COOKIE information, can determine that the Service Processing Module that user terminal 21 will be distributed is the sign corresponding service processing module of this Service Processing Module, then this step can send to the tunnel authentication request message this Service Processing Module sign corresponding service processing module processing.
Wherein, if do not comprise the sign of Service Processing Module in the COOKIE information, can determine the Service Processing Module that this user terminal will be distributed according to load balancing, then this step can send to the tunnel authentication request message Service Processing Module processing that load balancing is determined.
In one embodiment, can utilize hash algorithm to carry out the distribution of Service Processing Module 222, for example, with of the input of this COOKIE information as hash algorithm, the Service Processing Module 222 that utilizes this hash algorithm to calculate to distribute, again IPsec tunnel authentication request message is sent to the Service Processing Module that calculates and handle, thereby realize distribution uniformly.
In another embodiment, can carry out the distribution of Service Processing Module 222 by the method for dynamically sharing, dynamically sharing here is by the load condition of a plurality of Service Processing Modules 222 being carried out the distribution of user terminal.For example, obtain the current separately loading condition of all Service Processing Modules earlier, the Service Processing Module that the Service Processing Module that present load is minimum will be distributed as described user terminal sends to this IPsec tunnel authentication request message the minimum Service Processing Module of present load again and handles.
Step 403: return the IPsec tunnel authentication answer message that Service Processing Module 222 makes up to user terminal, include the sign of the Service Processing Module that user terminal is distributed in this IPsec tunnel authentication answer message.
In the present embodiment, the sign of the Service Processing Module that is distributed of this user terminal can be carried by the answer party Security Parameter Index of IPsec tunnel authentication answer message.
For example, after the distribution of services administration module 221 of IAD is distributed to some Service Processing Modules 222 with user terminal 21, this Service Processing Module 222 can distribute the answer party Security Parameter Index SPI (Security Parameter Index) of the sign that comprises this Service Processing Module 222 for this user terminal, so that distribution of services administration module 221 returns to this user terminal by IPsec tunnel authentication answer message with this answer party Security Parameter Index.Wherein, distribution of services administration module 221 can also be safeguarded the mapping relations of the Service Processing Module 222 at this Security Parameter Index and this user terminal 21 places.
In the present embodiment, when UE authenticates for the first time, when also being first attached, IAD does not also distribute the corresponding service processing module for it, then UE can utilize the non-safe correlated identities of distributivity to generate COOKIE information, send to IAD by IPsec tunnel authentication request message, so that IAD is its distribution service processing module according to this COOKIE information, and the sign of the Service Processing Module that will distribute in returning to the IPsec tunnel authentication answer message of UE sends to UE.When UE carries out the tunnel when heavily consulting, can utilize IAD is the sign generation COOKIE information of the Service Processing Module of its distribution, when sending to IAD by IPsec tunnel authentication request message once more, IAD can be distributed to the last time with this UE and adhere on the Service Processing Module at place.
Still carry and be example with the sign of this Service Processing Module answer party Security Parameter Index by IPsec tunnel authentication answer message, in the present embodiment, after distribution of services administration module 221 distributes Service Processing Module 222 for user terminal 21 answer party Security Parameter Index returns to user terminal 21 by the tunnel authentication answer message, user terminal can carry this answer party Security Parameter Index follow-up in tunnel authentication (IKE_SA_AUTH) request message that IAD 22 sends, so that IAD 22 is according to this answer party Security Parameter Index, thereby find the Service Processing Module of mapping to realize correct distribution.
The method that provides by the embodiment of the invention, in distributed system, increase COOKIE information in user's the IKE tunnel negotiation message, with the foundation that this COOKIE information is distributed as Service Processing Module, like this, when UE initiated first attached, IAD can be realized uniform load sharing; When UE initiates the tunnel when heavily consulting, IAD can be distributed to this UE the last time and adhere on the Service Processing Module at place.
Fig. 5 is the method according to present embodiment, in the UE first attached process, and the interaction diagrams of UE and IAD, in the present embodiment, still comprising two Service Processing Modules with IAD is example, please refer to Fig. 5, this flow process comprises:
Step 501:UE initiates to adhere to for the first time by the IKE_SA_INIT request message, carries the COOKIE information of this UE in IKE_SA_INIT message;
Step 502: the distribution of services administration module is distributed to Service Processing Module 1 according to the COOKIE information of this UE with this UE;
Step 503: the distribution of services administration module obtains Service Processing Module 1 and is the answer party Security Parameter Index that this UE distributes, and comprises the sign of Service Processing Module 1 in this answer party Security Parameter Index;
Step 504: the distribution of services administration module is safeguarded the mapping relations of this answer party Security Parameter Index and UE place Service Processing Module 1;
Step 505: the distribution of services administration module returns to UE with this answer party Security Parameter Index that comprises the sign of Service Processing Module 1 in returning to the IKE_SA_INIT response message of UE.
Method by present embodiment, UE is during first attached, the distribution of services administration module of IAD obtains the COOKIE information of UE from the IKE_SA_INIT request message that UE sends, COOKIE information with this UE is distributed to Service Processing Module 1 as parameter with this UE, follow-up business processing module 1 is distributed the answer party Security Parameter Index of the sign with Service Processing Module 1, and the distribution of services administration module sends to UE by the IKE_SA_INIT response message with this answer party Security Parameter Index.UE can carry this answer party Security Parameter Index to IAD in follow-up tunnel authentication request message, so that the distribution of services administration module of IAD is distributed in view of the above.Like this, during the first attached of UE in, can guarantee that all request messages correctly are distributed to same Service Processing Module, have realized load sharing function.
Fig. 6 is the method according to present embodiment, and UE carries out the tunnel heavily in the negotiations process, the interaction diagrams of UE and IAD, and in the present embodiment, still comprising two Service Processing Modules with IAD is example, please refer to Fig. 6, this flow process comprises:
Step 601:UE initiates the tunnel by the IKE_SA_INIT request message and heavily consults, and carries the COOKIE information of this UE in IKE_SA_INIT message;
Step 602: the distribution of services administration module is distributed to this UE according to the COOKIE information of this UE the Service Processing Module 1 at first attached place;
Step 603: the distribution of services administration module obtains Service Processing Module 1 and is the answer party Security Parameter Index that this UE distributes, and comprises the sign of Service Processing Module 1 in this answer party Security Parameter Index;
Step 604: the distribution of services administration module is safeguarded the mapping relations of this answer party Security Parameter Index and UE place Service Processing Module 1;
Step 605: the distribution of services administration module returns to UE with this answer party Security Parameter Index that comprises the sign of Service Processing Module 1 in returning to the IKE_SA_INIT response message of UE.
Method by present embodiment, when UE heavily consults in the tunnel, the distribution of services administration module of IAD obtains the COOKIE information of UE from the IKE_SA_INIT message that UE sends, be distributed to the Service Processing Module 1 at UE first attached place as parameter with the COOKIE information of this UE, Service Processing Module 1 finds former session, and identifying is heavily to consult scene.Like this, the state before the UE is continued, usertracking and monitoring before for example continuing.
The method that provides by the embodiment of the invention is initiated the tunnel when heavily consulting at UE, and IAD can be distributed to UE the last time and adhere on the Service Processing Module 1 at place.According to this method, operator can be according to the identify label configuration black and white lists of UE, and the Service Processing Module of IAD disposes according to this, just can carry out access control in article one message of UE first attached.Because Service Processing Module identifies the identify label of UE, does not need buffered message, the message of receiving can the real-time report maintenance console, thereby realizes real-time usertracking and monitoring function.
The composition frame chart of a kind of IAD that Fig. 7 provides for the embodiment of the invention please refer to Fig. 7, and this IAD comprises: receiving element 71, Dispatching Unit 72 and transmitting element 73, wherein:
Receiving element 71 is used to receive the IPsec tunnel authentication request message that comprises COOKIE information that user terminal sends.
Wherein, the COOKIE information in the IPsec tunnel authentication request message that receives of receiving element 71 is the sign of Service Processing Module or the non-safe correlated identities of distributivity.The non-safe correlated identities of described distributivity is the random number of International Mobile Equipment Identity sign indicating number IMEI or continuous equally distributed random number generator output.
Wherein, the COOKIE information that the session identification cell of the head of the described IPsec tunnel authentication request message that receiving element 71 receives carries described user terminal, perhaps the expansion cell of the described IPsec tunnel authentication request message that receives of the receiving element 71 COOKIE information of carrying described user terminal.
Dispatching Unit 72 is used for determining the Service Processing Module that user terminal will be distributed according to described COOKIE information, described tunnel authentication request message is sent to described Service Processing Module.
Wherein, if comprise the sign of Service Processing Module in the COOKIE information, then Dispatching Unit 72 determines that the Service Processing Module that user terminal will be distributed is this Service Processing Module sign corresponding service processing module; If do not comprise the Service Processing Module sign in the COOKIE information, then Dispatching Unit 72 is determined the Service Processing Module that user terminal will be distributed according to load balancing.
Wherein, if do not comprise the Service Processing Module sign in the COOKIE information, then Dispatching Unit 72 specifically is used for utilizing this hash algorithm to calculate the Service Processing Module that described user terminal will be distributed the input of COOKIE information as hash algorithm; Perhaps, this Dispatching Unit 72 specifically is used to obtain the current responsible situation of all Service Processing Modules, the Service Processing Module that the Service Processing Module that present load is minimum will be distributed as user terminal.
Transmitting element 73 is used for returning the IPsec tunnel authentication answer message that described Service Processing Module makes up to described user terminal, comprises the sign of the Service Processing Module that described user terminal is distributed in the described IPsec tunnel authentication answer message.
Each part of the device of the embodiment of the invention is respectively applied for each step that realizes method embodiment illustrated in fig. 3, because in the embodiment shown in fig. 3, each step is had been described in detail, and does not repeat them here.
IAD by the embodiment of the invention, in distributed system, increase COOKIE information in user's the IKE tunnel negotiation message, with the foundation of this COOKIE information as the Service Processing Module distribution, so, when UE initiates first attached, IAD can be realized uniform load sharing, and initiates the tunnel when heavily consulting at UE, and IAD can be distributed to UE the last time and adhere on the Service Processing Module at place.
The composition frame chart of a kind of user terminal that Fig. 8 provides for the embodiment of the invention please refer to Fig. 8, and this user terminal comprises:
Generation unit 81 is used for when the sign of Service Processing Module is arranged, and uses the sign of this Service Processing Module to generate COOKIE information, when not having the sign of Service Processing Module, uses the non-safe correlated identities of distributivity to generate COOKIE information;
Transmitting element 82 is used for sending the net that comprises this COOKIE information to IAD and assists safe IPsec tunnel authentication request message, so that this IAD is distributed to the corresponding service processing module with this user terminal;
Receiving element 83 is used to receive the IPsec tunnel authentication answer message that Service Processing Module that this IAD returns makes up, and comprises the sign of the Service Processing Module that user terminal is distributed in this IPsec tunnel authentication answer message.
Wherein, the non-safe correlated identities of distributivity is the random number of International Mobile Equipment Identity sign indicating number IMEI or continuous equally distributed random number generator output.
Wherein, this COOKIE information is carried by the session identification cell of the head of IPsec tunnel authentication request message, and perhaps the expansion cell by IPsec tunnel authentication request message carries.
User terminal by the embodiment of the invention, in distributed system, increase COOKIE information in user's the IKE tunnel negotiation message, make IAD with the foundation of this COOKIE information as the Service Processing Module distribution, so, when UE initiates first attached, IAD can be realized uniform load sharing, and initiates the tunnel when heavily consulting at UE, and IAD can be distributed to UE the last time and adhere on the Service Processing Module at place.
The method of describing in conjunction with embodiment disclosed herein or the step of algorithm can directly use the software module of hardware, processor execution, and perhaps the combination of the two is implemented.Software module can place the storage medium of any other form known in random asccess memory (RAM), internal memory, read-only memory (ROM), electrically programmable ROM, electrically erasable ROM, register, hard disk, moveable magnetic disc, CD-ROM or the technical field.
Above-described specific embodiment; purpose of the present invention, technical scheme and beneficial effect are further described; institute is understood that; the above only is specific embodiments of the invention; and be not intended to limit the scope of the invention; within the spirit and principles in the present invention all, any modification of being made, be equal to replacement, improvement etc., all should be included within protection scope of the present invention.

Claims (13)

1. an IAD is realized the method for load sharing, it is characterized in that described method comprises:
The net that comprises buffer memory COOKIE information that receives the user terminal transmission is assisted safe IPsec tunnel authentication request message;
Determine the Service Processing Module that user terminal will be distributed according to described COOKIE information, described IPsec tunnel authentication request message is sent to described Service Processing Module;
Return the IPsec tunnel authentication answer message that described Service Processing Module makes up to described user terminal, comprise the sign of the Service Processing Module that described user terminal is distributed in the described IPsec tunnel authentication answer message.
2. method according to claim 1 is characterized in that, determines the Service Processing Module that user terminal will be distributed according to described COOKIE information, comprising:
If comprise the sign of Service Processing Module in the described COOKIE information, determine that then the Service Processing Module that described user terminal will be distributed is described Service Processing Module sign corresponding service processing module;
If do not comprise the Service Processing Module sign in the described COOKIE information, then determine the Service Processing Module that described user terminal will be distributed according to load balancing.
3. method according to claim 2 is characterized in that, describedly determines the Service Processing Module that described user terminal will be distributed according to load balancing, is specially:
With of the input of described COOKIE information, utilize described hash algorithm to calculate the Service Processing Module that described user terminal will be distributed as hash algorithm; Perhaps
Obtain the present load situation of all Service Processing Modules, the Service Processing Module that the Service Processing Module that present load is minimum will be distributed as described user terminal.
4. method according to claim 1 is characterized in that, described COOKIE information is carried by the session identification cell of the head of described IPsec tunnel authentication request message, and perhaps the expansion cell by described IPsec tunnel authentication request message carries.
5. method according to claim 1 is characterized in that, the sign of the Service Processing Module that described user terminal is distributed is carried by the answer party Security Parameter Index of described IPsec tunnel authentication answer message.
6. method according to claim 1 is characterized in that, before the IPsec tunnel authentication request message that comprises COOKIE information that described reception user terminal sends, described method also comprises:
Described user terminal uses the sign of described Service Processing Module to generate described COOKIE information when the sign of Service Processing Module is arranged, and when not having the sign of Service Processing Module, uses the non-safe correlated identities of distributivity to generate described COOKIE information.
7. method according to claim 6 is characterized in that, the non-safe correlated identities of described distributivity is low and do not participate in the sign of security algorithm for repeating probability of use, and described security algorithm comprises authentification of user, data encryption and/or integrity protection.
8. method according to claim 6 is characterized in that, the non-safe correlated identities of described distributivity is the random number of International Mobile Equipment Identity sign indicating number IMEI or continuous equally distributed random number generator output.
9. an IAD is characterized in that, described IAD comprises:
Receiving element is used to receive the IPsec tunnel authentication request message that comprises COOKIE information that user terminal sends;
Dispatching Unit is used for determining the Service Processing Module that user terminal will be distributed according to described COOKIE information, and described tunnel authentication request message is sent to described Service Processing Module;
Transmitting element is used for returning the IPsec tunnel authentication answer message that described Service Processing Module makes up to described user terminal, comprises the sign of the Service Processing Module that described user terminal is distributed in the described IPsec tunnel authentication answer message.
10. IAD according to claim 9, it is characterized in that, if comprise the sign of Service Processing Module in the described COOKIE information, then described Dispatching Unit determines that the Service Processing Module that described user terminal will be distributed is described Service Processing Module sign corresponding service processing module; If do not comprise the Service Processing Module sign in the described COOKIE information, then described Dispatching Unit is determined the Service Processing Module that described user terminal will be distributed according to load balancing.
11. IAD according to claim 10, it is characterized in that, if do not comprise the Service Processing Module sign in the described COOKIE information, then described Dispatching Unit specifically is used for utilizing described hash algorithm to calculate the Service Processing Module that described user terminal will be distributed the input of described COOKIE information as hash algorithm; Perhaps, described Dispatching Unit specifically is used to obtain the present load situation of all Service Processing Modules, the Service Processing Module that the Service Processing Module that present load is minimum will be distributed as described user terminal.
12. IAD according to claim 9, it is characterized in that, the non-safe correlated identities that is designated distributivity of the Service Processing Module that the COOKIE information in the described IPsec tunnel authentication request message that described receiving element receives comprises, the non-safe correlated identities of described distributivity are the random number of International Mobile Equipment Identity sign indicating number IMEI or continuous equally distributed random number generator output.
13. a user terminal is characterized in that, described user terminal comprises:
Generation unit is used for when the sign of Service Processing Module is arranged, and uses the sign of described Service Processing Module to generate COOKIE information, when not having the sign of Service Processing Module, uses the non-safe correlated identities of distributivity to generate COOKIE information;
Transmitting element is used for sending the net that comprises described COOKIE information to IAD and assists safe IPsec tunnel authentication request message, so that described IAD is distributed to the corresponding service processing module with described user terminal;
Receiving element is used to receive the IPsec tunnel authentication answer message that described Service Processing Module that described IAD returns makes up, and comprises the sign of the Service Processing Module that described user terminal is distributed in the described IPsec tunnel authentication answer message.
CN2010105625716A 2010-11-26 2010-11-26 Method and device for realizing load sharing of access gateway Pending CN102006298A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2010105625716A CN102006298A (en) 2010-11-26 2010-11-26 Method and device for realizing load sharing of access gateway

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2010105625716A CN102006298A (en) 2010-11-26 2010-11-26 Method and device for realizing load sharing of access gateway

Publications (1)

Publication Number Publication Date
CN102006298A true CN102006298A (en) 2011-04-06

Family

ID=43813369

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2010105625716A Pending CN102006298A (en) 2010-11-26 2010-11-26 Method and device for realizing load sharing of access gateway

Country Status (1)

Country Link
CN (1) CN102006298A (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2012163016A1 (en) * 2011-10-21 2012-12-06 华为技术有限公司 Method, media server and terminal device for identifying service request type
CN103780654A (en) * 2012-10-24 2014-05-07 华为技术有限公司 Business request processing method, user terminal, business router and network system
CN103841195A (en) * 2014-03-06 2014-06-04 杭州华三通信技术有限公司 Cross-service continuity implementation method and equipment
CN106230925A (en) * 2016-07-28 2016-12-14 杭州华三通信技术有限公司 A kind of access control method and device
WO2018046017A1 (en) * 2016-09-12 2018-03-15 中国移动通信有限公司研究院 Information processing method, device, electronic equipment and computer storage medium
CN109639553A (en) * 2018-12-25 2019-04-16 杭州迪普科技股份有限公司 IPSec machinery of consultation and device

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2003107624A1 (en) * 2002-06-13 2003-12-24 Nvidia Corporation Method and apparatus for enhanced security for communication over a network
CN1217553C (en) * 2001-11-14 2005-08-31 中兴通讯股份有限公司 Short message original calling control gateway
CN1949764A (en) * 2005-10-10 2007-04-18 中兴通讯股份有限公司 Coupled load sharing method based on stream control transmission protocol in soft exchange network
CN101197664A (en) * 2008-01-03 2008-06-11 杭州华三通信技术有限公司 Method, system and device for key management protocol negotiation
CN101316205A (en) * 2007-05-28 2008-12-03 华为技术有限公司 Method for triggering safety tunnel establishment and device thereof
CN101330723A (en) * 2007-06-19 2008-12-24 华为技术有限公司 Method and system for establishing tunnel in evolution network
CN101351019A (en) * 2007-07-20 2009-01-21 华为技术有限公司 Access gateway, terminal as well as method and system for establishing data connection
CN100479561C (en) * 2006-02-17 2009-04-15 中兴通讯股份有限公司 Paging controller selecting method for broadband wireless access system
JP4351123B2 (en) * 2004-08-24 2009-10-28 株式会社日立コミュニケーションテクノロジー User identifier management method, mobile IP agent, and home agent

Patent Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1217553C (en) * 2001-11-14 2005-08-31 中兴通讯股份有限公司 Short message original calling control gateway
WO2003107624A1 (en) * 2002-06-13 2003-12-24 Nvidia Corporation Method and apparatus for enhanced security for communication over a network
JP4351123B2 (en) * 2004-08-24 2009-10-28 株式会社日立コミュニケーションテクノロジー User identifier management method, mobile IP agent, and home agent
CN1949764A (en) * 2005-10-10 2007-04-18 中兴通讯股份有限公司 Coupled load sharing method based on stream control transmission protocol in soft exchange network
CN100479561C (en) * 2006-02-17 2009-04-15 中兴通讯股份有限公司 Paging controller selecting method for broadband wireless access system
CN101316205A (en) * 2007-05-28 2008-12-03 华为技术有限公司 Method for triggering safety tunnel establishment and device thereof
CN101330723A (en) * 2007-06-19 2008-12-24 华为技术有限公司 Method and system for establishing tunnel in evolution network
CN101351019A (en) * 2007-07-20 2009-01-21 华为技术有限公司 Access gateway, terminal as well as method and system for establishing data connection
CN101197664A (en) * 2008-01-03 2008-06-11 杭州华三通信技术有限公司 Method, system and device for key management protocol negotiation

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
周敬利,李岩,余胜生,胡熠峰: "《OpenBSD下基于IPSec协议的VPN研究与设计》", 《计算机应用》 *

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2012163016A1 (en) * 2011-10-21 2012-12-06 华为技术有限公司 Method, media server and terminal device for identifying service request type
CN103181140A (en) * 2011-10-21 2013-06-26 华为技术有限公司 Method, media server and terminal device for identifying service request type
CN103181140B (en) * 2011-10-21 2016-09-14 华为技术有限公司 Identify the method for service request type, media server and terminal unit
US9882794B2 (en) 2011-10-21 2018-01-30 Huawei Technologies Co., Ltd. Method, media type server and terminal device for identifying service request type
CN103780654A (en) * 2012-10-24 2014-05-07 华为技术有限公司 Business request processing method, user terminal, business router and network system
CN103780654B (en) * 2012-10-24 2018-05-18 华为技术有限公司 Service request processing method, user terminal, business router and network system
CN103841195A (en) * 2014-03-06 2014-06-04 杭州华三通信技术有限公司 Cross-service continuity implementation method and equipment
CN103841195B (en) * 2014-03-06 2017-05-10 杭州华三通信技术有限公司 Cross-service continuity implementation method and equipment
CN106230925A (en) * 2016-07-28 2016-12-14 杭州华三通信技术有限公司 A kind of access control method and device
WO2018046017A1 (en) * 2016-09-12 2018-03-15 中国移动通信有限公司研究院 Information processing method, device, electronic equipment and computer storage medium
CN109639553A (en) * 2018-12-25 2019-04-16 杭州迪普科技股份有限公司 IPSec machinery of consultation and device
CN109639553B (en) * 2018-12-25 2021-04-27 杭州迪普科技股份有限公司 IPSec (Internet protocol Security) negotiation method and device

Similar Documents

Publication Publication Date Title
CN108650227B (en) Handshaking method and system based on datagram secure transmission protocol
US20190068591A1 (en) Key Distribution And Authentication Method And System, And Apparatus
WO2017185999A1 (en) Method, apparatus and system for encryption key distribution and authentication
US7269730B2 (en) Method and apparatus for providing peer authentication for an internet key exchange
CN102547688B (en) Virtual-dedicated-channel-based establishment method for high-credibility mobile security communication channel
Xu et al. Attacks on PKM protocols of IEEE 802.16 and its later versions
CN107919956A (en) End-to-end method for protecting under a kind of internet of things oriented cloud environment
CN101242274B (en) Method for guaranteeing non-duplicate message SN and preventing from re-play attack and mobile terminal
CN111970699B (en) Terminal WIFI login authentication method and system based on IPK
CN102111273B (en) Pre-sharing-based secure data transmission method for electric load management system
CN103095696A (en) Identity authentication and key agreement method suitable for electricity consumption information collection system
CN104754581A (en) Public key password system based LTE wireless network security certification system
CN110011795A (en) Symmetric group cryptographic key negotiation method based on block chain
CN101969638A (en) Method for protecting international mobile subscriber identity (IMSI) in mobile communication
CN113497778A (en) Data transmission method and device
WO2020220903A1 (en) Communication method and apparatus
CN101600204A (en) A kind of document transmission method and system
CN102006298A (en) Method and device for realizing load sharing of access gateway
CN1770681A (en) Conversation key safety distributing method under wireless environment
CN103118363A (en) Method, system, terminal device and platform device of secret information transmission
CN105577377A (en) Identity-based authentication method and identity-based authentication system with secret key negotiation
CN104753937A (en) SIP (System In Package)-based security certificate registering method
Zhou et al. A hybrid authentication protocol for LTE/LTE-A network
CN118540165A (en) Quantum security enhancement method for national security IPSec VPN protocol
CN107104888B (en) Safe instant messaging method

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20110406