CN102045313A - Method and system for controlling SILSN (Subscriber Identifier & Locator Separation Network) - Google Patents


Info

Publication number
CN102045313A
Authority
CN
China
Prior art keywords
packet
node
network
user
address
Prior art date
Legal status
Granted
Application number
CN2009102053267A
Other languages
Chinese (zh)
Other versions
CN102045313B (en)
Inventor
张世伟
符涛
许志军
Current Assignee
Suzhou Tanyun Purification Technology Co ltd
Original Assignee
ZTE Corp
Priority date
Filing date
Publication date
Application filed by ZTE Corp
Priority to CN200910205326.7A (granted as CN102045313B)
Priority to PCT/CN2010/075908 (WO2011041963A1)
Publication of CN102045313A
Application granted
Publication of CN102045313B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/08 Access security
    • H04W12/084 Access security using delegated authorisation, e.g. open authorisation [OAuth] protocol

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

The invention relates to a method and system for controlling an SILSN (Subscriber Identifier & Locator Separation Network). The method comprises the following steps: a node for access control receives a data packet destined for a network node in the SILSN; the node acquires the destination address and destination port of the data packet; if the destination address and destination port are the address and port of a destination network element that requires access control, the node acquires the source address and source port of the data packet; the node for access control looks up the access authority corresponding to the source address and source port, using the acquired source address and source port together with the recorded correspondence between source address, source port and network-node access authority; and if an access authority corresponding to the source address and source port is found, the node for access control controls the communication between the subscriber and the network node according to that authority. Through the invention, the security of the SILSN can be protected.

Description

Method and system for controlling user access to a subscriber identifier and locator separation network
Technical field
The present invention relates to the field of communication technology, and in particular to a method and system for controlling user access to network nodes in a subscriber identifier and locator separation network, under the identifier and locator separation network architecture.
Background technology
In the Transmission Control Protocol/Internet Protocol (TCP/IP) suite widely used on the existing Internet, the IP address has a dual function: at the network layer it is the location identifier of the communication terminal's host network interface in the network topology, and at the transport layer it is the identity identifier of that host network interface. Host mobility was not considered when TCP/IP was designed. As host movement becomes more and more common, this semantic overload of the IP address becomes increasingly evident. When a host's IP address changes, not only does the route change, but the identity identifier of the communicating host also changes; this makes routing overhead heavier and heavier, and the change of host identity interrupts applications and connections. The identifier and locator separation problem was proposed in order to solve the semantic overload of the IP address and the serious routing overhead and security problems that follow from it: the two functions of the IP address are separated, so as to support mobility, multi-homing, dynamic re-allocation of IP addresses, reduced routing overhead, and mutual access between different network regions in the next-generation Internet.
Several network architectures separating identity from location have been proposed, including HIP, LISP, and the identifier and locator separation network proposed by Beijing Jiaotong University. This document uses the identifier and locator separation network architecture as its example.
To address the above problems, ZTE Corporation has proposed the identifier and locator separation network architecture shown in Figure 1. For convenience of description, this subscriber identifier and locator separation network is hereinafter abbreviated as SILSN (Subscriber Identifier & Locator Separation Network), and the conventional Internet is abbreviated as LIN (Legacy Internet Network).
In Figure 1, the SILSN is composed of access service nodes (Access Service Node, ASN), user terminals (User Equipment, UE), an identity location register (Identification & Location Register, ILR), interworking gateways (Inter-working Service Node, ISN), and so on. The ASN implements the access of user terminals and carries functions such as charging and handover; the ILR carries the user's location registration and identity recognition functions; and the ISN interworks with the conventional Internet. The ISN and ASN may also be physically co-located. UE1 is a conventional Internet user, and UE2 is a user of the SILSN. In this document, the network formed by network nodes such as ASN, ILR and ISN is called the core network (also called the backbone network) of the SILSN.
As shown in Figure 1, the LIN and the SILSN core network coexist in the communication system. When a user in the LIN sends data to the outside network, the packets sent by user terminal UE1 in the LIN can be divided into the following two types according to their final destination:
The first type is a LIN user accessing an SILSN user, such as UE1 -> UE2; this is by far the most common access mode.
Packets of this type are sent to a user of the SILSN, that is, their final destination lies outside the SILSN core network. In this case the network nodes in the core network only encapsulate and forward the packet and do not parse its actual content, so apart from their impact on the performance of the SILSN core network, packets of the first type cannot noticeably affect the security of the core network nodes.
The second type is a user in the conventional Internet (LIN) accessing a network node in the SILSN core network, that is, the final destination is a network node in the SILSN core network, such as UE1 -> ASN2. This mode mainly serves convenient remote management and diagnosis of the SILSN. In the early stage of SILSN deployment, the SILSN administrator may be outside the coverage area of the SILSN home network, for example on holiday elsewhere; if the SILSN fails at that time and remote diagnosis, testing and control are needed, the SILSN core network nodes must be accessed through the LIN.
Because the final destination of packets sent by the SILSN administrator is a network node in the core network, the core network node must not only parse their content but also act on it, for example by modifying configuration, diagnosing faults, testing and controlling. These operations have a very large influence on the normal operation of the SILSN. If a malicious user in the LIN impersonates the SILSN administrator and exercises malicious control over the network, the SILSN will be seriously affected. Therefore LIN users must be strictly authenticated, and user behaviour must be restricted according to user authority.
For convenience, the SILSN administrator is hereinafter referred to simply as the administrator; that is, the administrator mentioned herein is the administrator of the SILSN, not the administrator of another network such as the LIN.
To protect the security of the SILSN core network, the SILSN only provides interworking between SILSN users and LIN users, and forbids LIN users from accessing the network nodes of the core network, such as ASN, ILR and ISN. However, there is currently no method for preventing LIN users from accessing the network nodes of the SILSN core network.
Summary of the invention
Embodiments of the invention provide a method and system for controlling user access to an identifier and locator separation network, which can protect the security of the identifier and locator separation network.
To address the above problems, the invention provides a method for controlling user access to a network node in an identifier and locator separation network, comprising:
a node for access control receives a packet in which a user accesses a network node of the identifier and locator separation network;
the node acquires the destination address and destination port of the packet, and if the destination address and destination port belong to the address and port of a destination network element that requires access control, it further acquires the source address and source port of the packet;
the node for access control looks up the access authority corresponding to the source address and source port, using the acquired source address and source port of the packet and the recorded correspondence between source address, source port and authority to access the network node;
if an access authority corresponding to the source address and source port is found, the node for access control controls the communication between the user and the network node according to that authority.
Further, the method may also have the following feature:
the address and port that require access control are: the configured address and port of one or more core network management proxy (CNMP) nodes, and/or the configured address and port of a network node in the identifier and locator separation network.
Further, the method may also have the following features:
if the source address and source port of the packet are not found in the open state table, the node for access control further judges whether the packet is a pre-agreed network management request packet;
if it is, it verifies whether the user is a network administrator;
if the user is a network administrator, it allows the user to communicate with the network node.
Further, the method may also have the following feature: the node for access control discards the packet in any of the following situations:
the node for access control finds the source address and source port of the packet in the recorded correspondence information, but the access authority corresponding to that source address and source port is not "open";
the node for access control judges that the packet is not a pre-agreed network management request packet;
the node for access control judges that the packet is a pre-agreed network management request packet, but verification determines that the user is not a network administrator.
Further, the method may also have the following features:
if the source address and source port of the packet are not found in the open state table, the node for access control further judges whether the packet is a pre-agreed network management request packet;
if it is, it verifies whether the user is a network administrator, and when verification determines that the user is a network administrator, the node for access control further judges, according to the configured information on which network nodes this network administrator may access, whether the user has authority to access the network node;
if the user has authority to access the network node, it allows the user to communicate with the network node; otherwise it discards the packet.
Further, the method may also have the following feature:
when the node for access control controls the communication between the user and the network node according to the authority, it allows the user to communicate with the network node when the authority is "open", and otherwise discards the packet.
Further, the method may also have the following features:
when the total number of packets with the same source address and source port discarded by the node for access control exceeds a preset threshold, the node adds the source address and source port of the packet to the open state table and configures the access authority corresponding to that source address and source port as "shielded";
the node for access control directly discards any packet it subsequently receives whose source address and source port have the corresponding access authority "shielded".
Further, the method may also have the following feature: verifying whether the user's identity is that of a network administrator is implemented as follows:
the node for access control sends an administrator identification request to the identity location register, carrying the user's subscriber identifier;
it receives an administrator identification response, which contains the result of the identity location register authenticating the subscriber identifier against the configured identifiers of network administrators;
according to the authentication result in the administrator identification response, it determines whether the user is a network administrator.
Further, the method may also have the following feature:
the network management request packet contains an administrator identifier; the node for access control extracts the administrator identifier from the network management request packet and sends it to the identity location register, and the identity location register judges whether the user is a network administrator by comparing the received administrator identifier with the configured administrator identifiers.
Further, the method may also have the following feature:
when it determines that the packet is a pre-agreed network management request packet, the node for access control also adds the source address and source port of the packet to the open state table and configures the access authority corresponding to that source address and source port as "frozen".
Further, the method may also have the following feature:
when it is determined that the user is a network administrator, the node for access control also changes the access authority corresponding to the packet's source address and source port in the open state table to "open".
Further, the method may also have the following feature:
when it is determined that the user is not a network administrator, the node for access control deletes the record containing the packet's source address and source port from the open state table.
Further, the method may also have the following feature: allowing the user to communicate with the network node is implemented as follows:
the node for access control obtains, from the administrator authentication response, the encryption mode for communication with the user;
it establishes communication between the network node and the user using that encryption mode.
Further, the method may also have the following feature: the node for access control is the combination of an interworking gateway and a core network management proxy, or the node for access control is an interworking gateway.
Correspondingly, the identifier and locator separation network system provided by the invention comprises a node for access control, and the device for user access control comprises:
a receiving module, for receiving a packet in which a conventional Internet user accesses a network node of the identifier and locator separation network;
an acquisition module, for acquiring the destination address and destination port of the packet and, when it judges that the destination address and destination port belong to the address and port of a destination network element that requires access control, further acquiring the source address and source port of the packet received by the receiving module;
a lookup module, for looking up the source address and source port of the packet in the recorded correspondence between source address, source port and authority to access the network node;
a control module, for allowing the user to communicate with the network node when the lookup module finds the source address and source port of the packet and the access authority corresponding to that source address and source port is "open".
Further, the system may also have the following feature: the node for access control further comprises:
a first judging module, for further judging whether the packet is a pre-agreed network management request packet when the source address and source port of the packet are not found in the open state table;
a first verification module, for verifying whether the user is a network administrator when the judging module determines that the packet is the pre-agreed network management request packet;
the control module is also for allowing the user to communicate with the network node when the verification module verifies that the user is a network administrator.
Further, the system may also have the following feature: the node for access control further comprises:
a second judging module, for further judging whether the packet is a pre-agreed network management request packet if the source address and source port of the packet are not found in the open state table;
a second verification module, for verifying whether the user is a network administrator if the packet matches and, when verification determines that the user is a network administrator, further judging, according to the configured information on which network nodes this network administrator may access, whether the user has authority to access the network node;
the control module is also for allowing the user to communicate with the network node when the verification module determines that the user has authority to access the network node.
Further, the system may also have the following feature: the control module is also for discarding the packet in any of the following situations:
the source address and source port of the packet are found in the recorded correspondence information, but the access authority corresponding to that source address and source port is not "open";
the packet is judged not to be a pre-agreed network management request packet;
the format of the packet is judged to match the format of a pre-agreed network management request packet, but verification determines that the user is not a network administrator;
the packet is judged to be a pre-agreed network management request packet and verification determines that the user is a network administrator, but the user is judged to have no authority to access the network node.
Further, the system may also have the following features:
a fourth configuration module, for adding the source address and source port of the packet to the open state table and configuring the access authority corresponding to that source address and source port as "shielded" when the total number of packets with the same source address and source port discarded by the control module exceeds a preset threshold;
a discard module, for directly discarding a received packet whose source address and source port have the corresponding access authority "shielded".
Further, the system may also have the following feature: the verification module comprises:
a sending unit, for sending an administrator identification request to the identity location register, carrying the user's subscriber identifier;
a receiving unit, for receiving an administrator identification response, which contains the result of the identity location register authenticating the subscriber identifier against the configured identifiers of network administrators;
a determining unit, for determining, according to the authentication result in the administrator identification response, whether the user is a network administrator.
Further, the system may also have the following feature: the node for access control further comprises:
a first configuration module, for adding the source address and source port of the packet to the open state table and configuring the access authority corresponding to that source address and source port as "frozen" when the first judging module determines that the packet matches the pre-agreed network management request packet.
In the system according to claim 21, the node for access control may further comprise:
a second configuration module, for changing the access authority corresponding to the packet's source address and source port in the open state table to "open" when the first verification module determines that the user is a network administrator.
Further, the system may also have the following feature: the node for access control further comprises:
a third configuration module, for deleting the record containing the packet's source address and source port from the open state table when the verification module determines that the user is not a network administrator.
In the system according to claim 15 or 16, the control module may further comprise:
an acquiring unit, for obtaining, from the administrator authentication response, the encryption mode for communication with the user;
an establishing unit, for establishing communication between the network node and the user using the encryption mode obtained by the acquiring unit.
Further, the system may also have the following feature:
when the acquisition module judges whether the destination address and destination port of the packet belong to the address and port of a destination network element that requires access control, it judges whether the destination address and destination port of the packet are the configured address and port of one or more core network management proxy (CNMP) nodes, and/or the configured address and port of a network node in the identifier and locator separation network.
With the above method and system, the problem of how a network management user located in the LIN accesses SILSN core network elements is solved, and the security of the core network is guaranteed. In one embodiment, ordinary users located in the LIN are prevented from accessing SILSN core network element nodes. In one embodiment, attacks on the CNMP from ordinary users in the LIN can also be prevented (through port control at the ISN), and the network management traffic between UE1 and the CNMP can be transmitted encrypted. In addition, all core network nodes accept only management packets coming from the CNMP, which helps the security of core network element management.
Brief description of the drawings
Figure 1 is a network diagram, in the prior art, of the two types of packets with which a LIN user accesses the SILSN under the SILSN network architecture;
Figure 2 is a network diagram, in an embodiment of the invention, of an SILSN administrator located in the LIN accessing SILSN core network elements;
Figure 3 is a schematic diagram of the network architecture further refined on the basis of the CNMP in an embodiment of the invention;
Figure 4 is a sequence diagram of the method for controlling user access to a network node in the identifier and locator separation network in embodiment one;
Figure 5 is a flow chart of the method for controlling user access to a network node in the identifier and locator separation network in embodiment two;
Figure 6 is a structural diagram of the node for access control in an identifier and locator separation network system provided by an embodiment of the invention;
Figure 7 is another structural diagram of the node for access control in the embodiment shown in Figure 6;
Figure 8 is a structural diagram of the verification module in the embodiment shown in Figure 6;
Figure 9 is another structural diagram of the node for access control in the embodiment shown in Figure 7;
Figure 10 is another structural diagram of the node for access control in the embodiment shown in Figure 9;
Figure 11 is a structural diagram of the control module in the embodiment shown in Figure 6.
Detailed description of the embodiments
The specific embodiments of the present invention are described in detail below with reference to the accompanying drawings.
In the SILSN, the ISN interworks the SILSN with the LIN. When a user in the LIN and a user in the SILSN access each other, because the addressing scheme in the SILSN differs from that of the LIN, the ISN is responsible for converting the data formats and addressing spaces of the two sides, where the addressing spaces are the subscriber identifier (AID) space and the public IP address space.
The ISN maps packets identified by the subscriber identifier (AID, also called the access identifier) of user equipment in the SILSN to one or more segments of public IP addresses and port numbers of the LIN; the address space formed by these segments of public IP addresses is denoted S1. Therefore, for users in the SILSN, however their identifiers AID change, after their packets are converted by the ISN and finally sent to the LIN, all users' AIDs are mapped to some IP address and port number within S1. For users in the LIN, the SILSN users they see lie within the S1 space, so when a user in the LIN accesses a user in the SILSN it is in fact accessing an address in the S1 space.
To protect the security of the network elements in the SILSN core network, the ISN must not allow LIN users to directly access the network element addresses of the SILSN core network; it allows them to access only SILSN users, that is, users in the LIN can only access the address space within the S1 range.
As stated above, in order that the SILSN administrator can operate the SILSN core network elements in an emergency, the SILSN administrator must be given the ability to access the core network elements from the LIN, while at the same time ordinary users in the LIN must be prevented from accessing the core network elements.
In the SILSN, the data traffic used for network management is generally much smaller than the data traffic used for services, and most network management operations (such as remote diagnosis, testing and control) are initiated from inside the SILSN; that is, most network management traffic in the SILSN originates inside the SILSN, while the network management traffic from the LIN for managing SILSN network elements is very small. As a supplement to remote management, this application is used mainly in emergencies where equipment vendor support is needed, or where in an emergency an experienced administrator is not in the network management office; such occasions are normally rare. This type of data traffic is therefore generally very small and does not need much processing capacity. To facilitate unified control and management of this type of traffic and achieve centralised management, this embodiment introduces a core network management proxy (Core Network Management Proxy, CNMP), through which an administrator located in the LIN manages the SILSN, as shown in Figure 2:
The core network management proxy (Core Network Management Proxy, CNMP) handles the network management packets sent by the SILSN administrator located in the LIN;
The ISN receives the packets sent by LIN users and judges whether a packet is destined for the CNMP; if so, the packet is forwarded to the CNMP. Otherwise it judges whether the destination address lies within the S1 range; if so, the ISN converts the packet, translating the destination address to an AID, and forwards it to the ASN, which delivers it to the destination user in the SILSN; if the address is not within the S1 range, the packet is discarded directly.
In the present embodiment, to guarantee that users in the LIN other than SILSN administrators can normally access users in the SILSN but cannot access network nodes in the core network, the ISN needs to distinguish two types of packets, i.e. identify whether a packet sent by UE1 is of type one or type two. Preferably, under security restrictions such as a special packet format and control of the first packet sent from the same source address, the ISN identifies whether the destination address of the packet is the CNMP address, and thereby distinguishes whether the packet is management traffic from the LIN network towards the SILSN. In the present invention the CNMP address is an IP address, which may be an IPv4 or IPv6 address.
Of course, other implementations are also possible, such as using different packet formats, or a protocol flag, to let the ISN identify whether a packet is addressed to the CNMP.
Optionally, to further prevent users in the LIN network from attacking the SILSN network, the ISN accepts only packets whose destination address is in the S1 space or whose destination address is the CNMP address, and drops all other packets. The ISN decides, according to the open state of the packet's source address and port, whether to hand the packet to the CNMP for processing.
If the packet is not handed to the CNMP: if the destination address of the packet initiated by the user equipment is the CNMP address, the packet is regarded as a packet of the second type; when the destination address is not the CNMP address but lies in the S1 space, the packet is regarded as a packet of the first type and is processed as such: the destination user's location is looked up, the packet is re-encapsulated and forwarded to the ASN at which the destination user is currently registered.
If the packet is handed to the CNMP, the CNMP identifies the initiator's identity, which it can do by interacting with the ILR. When the CNMP judges that the initiator of the packet is a SILSN administrator, the CNMP forwards the packet to the managed core network element.
Optionally, after the ISN sends the packet to the CNMP, the CNMP can further authenticate the initiator by interacting with the ILR. After the initiator passes authentication, a secure tunnel is established between the initiator and the CNMP, and through this secure tunnel the CNMP forwards the messages the initiator sends to a managed network element to that network element.
Figure 3 is a schematic diagram of a further refined network architecture based on the CNMP in an embodiment of the invention. After a type-two packet is sent by UE1, ISN1 judges that its format is the network-management request packet format and, when its source address and port are not within a restricted range, hands it to the CNMP for processing. After receiving the packet, the CNMP extracts the user identity from it and sends this identity to the ILR, which identifies the identity of user UE1, determines whether UE1 is a SILSN administrator, and notifies the CNMP of the identification result.
To handle an ordinary user in the LIN who accesses with the identity of a SILSN administrator, the CNMP can further include the following steps after judging that the initiator of the packet is a SILSN administrator and before forwarding the packet to the managed core network element:
The CNMP notifies ISN1 to open the source address and port corresponding to the packet sent by UE1; it can then further have the ILR authenticate the identity of UE1 through message exchange with UE1 via the CNMP, and the ILR notifies the CNMP of the authentication result. After authentication passes, the CNMP hands subsequent packets that UE1 sends to the CNMP to the managed core network element, such as ASN2, for processing.
After the ILR has authenticated UE1, the ILR can further check whether UE1 has the authority to manage the managed core network element, such as ASN2. If the ILR's authentication of UE1 fails, or the ILR finds that UE1 does not have authority to manage the managed core network element, the CNMP notifies the ISN to perform attack-protection handling, for example "closing" or "shielding" the opened source address and port corresponding to UE1;
If the CNMP finds that a certain LIN user repeatedly initiates network-management requests to the CNMP but repeatedly fails authentication, and the number of failures exceeds a certain threshold, the CNMP can notify the ISN to change the state of the source address and port number of that user's packets to "shielded";
For a user in the "shielded" state, the ISN no longer forwards any packet of that user to the CNMP.
Further, to prevent a user located in the LIN from frequently sending packets and thereby mounting a denial-of-service attack (such as a DoS attack) against the CNMP, the ISN can also store the open state of the source address and source port of packets sent with an administrator's source address. These states can be kept in an open state table (Open State Table, OPT) that the ISN uses to manage the source addresses and source ports of SILSN administrators in the LIN; the ISN checks whether a user's source address is in the OPT. When the ISN receives a packet from a LIN user, it extracts the packet's source address and then checks the open state of that source address and source port in the OPT:
If the state is open, the user's data is forwarded directly to the CNMP; if the state is "frozen", the packet is dropped; if the state is "shielded", the packet is dropped and an alarm is raised;
If the user's source address is not in the OPT, the source address/source port number carried in the packet is put into the OPT and its state is set to "frozen";
Subsequently the ISN can change the state of a user's source address/source port in the OPT according to instructions from the CNMP, for example changing "frozen" to open or to "shielded".
In summary, to prevent ordinary users from the LIN from attacking core network elements, the ISN in the present embodiment forwards packets to the CNMP according to the following scenarios:
1. A packet whose destination address is not the CNMP address is not forwarded to the CNMP;
2. For a packet whose destination address is the CNMP address and whose source address/source port is in the OPT, if its state is open, it is unconditionally forwarded to the corresponding managed network element;
3. For a packet whose destination address is the CNMP address and whose source address/source port is in the OPT, if its state is "shielded", the packet is dropped, the user behaviour is logged, and an alarm is optionally raised according to conditions;
4. For a packet whose destination address is the CNMP address and whose source address/source port is in the OPT, if its state is "frozen", the packet is dropped;
5. For a packet whose destination address is the CNMP address and whose source address/source port is not in the OPT, the ISN forwards only the first packet sent by that source address/source port to the CNMP, puts the source address/source port into the OPT, and sets its state to "frozen".
It should be noted that in practical application the functions of the core network management node and the interworking gateway may be deployed on a single node in the SILSN network, such as the interworking gateway in the network architecture of the present invention, communicating through an internal logical interface; the method and flow are the same as in the case where the core network management node and the interworking gateway are deployed separately, and are not repeated here. For ease of description, in the present invention the node that realizes access control in either of the above two cases is referred to simply as the node used for access control.
Hereinafter the embodiments of the invention are described for the case in which the above two network nodes are deployed separately.
To make the technical solution provided by the invention clearer to those skilled in the art, it is described below using specific application scenarios as examples:
Embodiment one
Embodiment one is described with an application example in which a SILSN administrator located in the LIN initiates access, as shown in Figure 4:
Step 401: user UE1, located in the LIN, needs to access a core network node of the SILSN and sends a network-management request message to the ISN. The network-management request message may be encapsulated in an IP packet whose destination address is the CNMP address. After the ISN receives the network-management request message, if it finds that the recipient of the message is the CNMP, step 402 is executed;
It should be noted that the format of this network-management request message should be agreed in advance by the CNMP. When the ISN finds that the source address/source port of a packet from the LIN is not in the OPT, the data is checked against this message format and, if it does not match, the packet is dropped. If it matches, the source address and port are extracted, a record indexed by this source address and port is generated in the OPT with its state set to "frozen", and no other message sent by user UE1 is accepted until the order from the CNMP to open the port is received, so as to avoid a user-initiated denial-of-service attack.
Step 402: the ISN receives the network-management request message and sends it to the CNMP;
Step 403: the CNMP extracts the user's access identifier AID directly from the network-management request message and sends it to the ILR in an "identify administrator identity request";
Step 404: the ILR judges according to the AID whether user UE1 has administrator identity and returns an "identify administrator identity response" to the CNMP. If the AID is not an administrator identifier, the response notifies the CNMP of failure; if the AID is an administrator identifier, the response notifies the CNMP that the service can proceed with verification of the AID;
Step 405: after the CNMP receives the identify administrator identity response, if the service can proceed, it notifies the ISN through a "port control message" to open the source address and port corresponding to user UE1; if it failed, it notifies the ISN to close the source port and destination port corresponding to user UE1;
Step 406: after the ISN receives the port control message, if the CNMP requires an abnormal port close, the ISN counts the number of times this source address has been closed abnormally and decides, according to a preset threshold, whether to put the source address on a blacklist for longer shielding; it then deletes the source address and source port number from the shielding table entry for this source address to save shielding table space, and the flow ends;
If the CNMP requires the ISN to open the port, the ISN opens the corresponding source port and destination port, allowing the ISN to forward subsequent messages from user UE1 to the CNMP, and step 407 is executed;
Step 407: the CNMP authenticates user UE1 by interacting with the ILR, and at the same time checks whether the core network element address that user UE1 currently wishes to manage is consistent with the core network element addresses preconfigured in the ILR as manageable by this user; if authentication passes and the managed network element address is consistent, the flow continues;
If UE1 passes authentication, step 408 is executed;
If authentication fails, or the core network element UE1 requests to manage is inconsistent with the manageable network element addresses configured for UE1 in the ILR, the CNMP sends a "port control" message to the ISN requiring the ISN to close the source address and source port, and the flow ends;
Step 408: after passing normal authentication, UE1 sends concrete network-management messages via the CNMP to the corresponding network element, such as an ASN; the CNMP forwards these messages to the ASN and also sends the messages received from the ASN to UE1;
Optionally, if an encryption key was negotiated during the authentication process of step 407, in this step the messages UE1 sends to the ASN may be sent to the CNMP in encrypted form, and the CNMP may also encrypt the data sent by the ASN before delivering it to UE1;
The authentication process of step 407 may use an authentication method of the prior art;
Step 409: the CNMP forwards the messages sent by UE1 to the corresponding network element, such as an ASN, and the ASN sends the corresponding messages to the CNMP;
Step 410: when the network-management handling flow finishes after step 409, the managed core network element, such as the ASN, sends a "flow end" message to the CNMP, notifying the CNMP that the corresponding network-management handling flow has finished;
Step 411: after receiving the "flow end" message, the CNMP sends a "port control" message to the ISN, requiring the ISN to close the port normally.
After the ISN receives this message, it closes the corresponding port and no longer receives or forwards messages other than those in the X1 format to the SNM.
In the method provided by this embodiment, a conventional Internet user who initiates an access request is authenticated, and the authority to access network nodes in the SILSN core network is controlled according to the authentication result, so the security of the core network is protected and the purpose that ordinary users located in the LIN cannot access SILSN core network element nodes is achieved; at the same time, through port control by the ISN, attacks on the CNMP from ordinary users in the LIN are prevented; and encrypted transmission of the network-management stream between the UE and the CNMP improves transmission security.
Embodiment two
This embodiment is described with an application example in which an ordinary user of the LIN network initiates access, as shown in Figure 5:
Step 501: the ISN receives a packet from the LIN and extracts its destination address.
Step 502: the ISN judges whether the destination address of the packet is the CNMP address; if so, step 503 is executed, otherwise step 507 is executed.
Step 503: when the destination address is the CNMP address, the source address and source port number of the packet are extracted.
Step 504: judge whether the source address and port number are in the OPT; if so, step 505 is executed, otherwise step 508 is executed.
Step 505: if they are in the OPT, further judge whether their state is open; if not open, the packet is dropped.
Step 506: if open, the packet is forwarded to the CNMP.
Step 507: when the destination address is not the CNMP address, the packet is processed as a packet of the first type, which is not repeated here.
Step 508: when the source address of the packet is not in the OPT, judge whether the packet is a network-management request message; if so, step 509 is executed, otherwise step 510 is executed.
Step 509: when it is determined to be a network-management request message, the ISN puts the source address and port into the OPT, sets the state to "frozen", and sends the packet to the CNMP.
Step 510: when it is determined not to be a network-management request message, the packet is dropped.
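The ISN forwarding scenarios 1 to 5 and steps 501 to 510 above, together with the CNMP-side administrator check and port-control messages of embodiment one (steps 403 to 408), modelled as an added example that is not code from the patent or from ZTE. The packet layout, the "NMREQ|aid|proof|target" request format, the shared-secret authentication and the failure threshold are constructed assumptions.

```python
"""Added example, not code from the patent: a minimal model of the ISN open state
table (OPT) forwarding decision and of the CNMP administrator check with its
port-control instructions to the ISN. All formats and thresholds are assumptions."""
import hmac
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Set, Tuple

Key = Tuple[str, int]  # (source address, source port): the OPT index


class State(Enum):
    FROZEN = "frozen"      # first NM request forwarded, waiting for CNMP port control
    OPEN = "open"          # CNMP accepted the administrator, forward freely
    SHIELDED = "shielded"  # repeated failures: drop and alarm


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    payload: bytes


@dataclass
class ISN:
    cnmp_addr: str
    s1_prefix: str                 # assumed S1 address space, e.g. "10.1."
    fail_threshold: int = 3        # assumed blacklist threshold (step 406)
    nm_marker: bytes = b"NMREQ|"   # assumed agreed NM request format (step 401)
    opt: Dict[Key, State] = field(default_factory=dict)
    fails: Dict[Key, int] = field(default_factory=dict)
    alarms: List[Key] = field(default_factory=list)

    def handle(self, pkt: Packet) -> str:
        """Forwarding decision for one packet from the LIN (scenarios 1-5, steps 501-510)."""
        key = (pkt.src, pkt.sport)
        if pkt.dst != self.cnmp_addr:
            # scenario 1 / step 507: ordinary traffic may only reach the S1 space
            return "to_asn" if pkt.dst.startswith(self.s1_prefix) else "drop"
        state = self.opt.get(key)
        if state is None:
            # scenario 5 / steps 508-510: unknown src/port, only a well-formed NM request passes
            if not pkt.payload.startswith(self.nm_marker):
                return "drop"
            self.opt[key] = State.FROZEN   # let one packet through, then freeze
            return "to_cnmp"
        if state is State.OPEN:            # scenario 2 / step 506
            return "to_cnmp"
        if state is State.SHIELDED:        # scenario 3: drop, log and alarm
            self.alarms.append(key)
            return "drop_alarm"
        return "drop"                      # scenario 4: frozen, waiting for the CNMP

    def port_control(self, key: Key, open_port: bool) -> None:
        """Port-control message from the CNMP (steps 405, 406 and 411)."""
        if open_port:
            self.opt[key] = State.OPEN
            self.fails.pop(key, None)
            return
        n = self.fails.get(key, 0) + 1
        self.fails[key] = n
        if n >= self.fail_threshold:       # repeated abnormal closes: blacklist
            self.opt[key] = State.SHIELDED
        else:                              # otherwise free the OPT entry
            self.opt.pop(key, None)


@dataclass
class ILR:
    """Constructed stand-in for the identity location register."""
    admins: Dict[bytes, Set[bytes]]   # AID -> network elements it may manage
    secrets: Dict[bytes, bytes]       # AID -> shared secret (assumed auth method)

    def is_admin(self, aid: bytes) -> bool:
        return aid in self.admins

    def authenticate(self, aid: bytes, proof: bytes, target: bytes) -> bool:
        ok = hmac.compare_digest(self.secrets.get(aid, b""), proof)
        return ok and target in self.admins.get(aid, set())


class CNMP:
    def __init__(self, isn: ISN, ilr: ILR) -> None:
        self.isn, self.ilr = isn, ilr

    def handle(self, pkt: Packet) -> str:
        """Steps 403-408 for a packet the ISN forwarded; request: b'NMREQ|aid|proof|target'."""
        key = (pkt.src, pkt.sport)
        parts = pkt.payload.split(b"|")
        if len(parts) != 4:
            self.isn.port_control(key, open_port=False)
            return "rejected:malformed"
        _, aid, proof, target = parts
        if not self.ilr.is_admin(aid):                     # steps 404/405: not an administrator
            self.isn.port_control(key, open_port=False)
            return "rejected:not_admin"
        self.isn.port_control(key, open_port=True)         # step 405: open src address/port
        if not self.ilr.authenticate(aid, proof, target):  # step 407: auth and NE authority
            self.isn.port_control(key, open_port=False)
            return "rejected:auth"
        return "forward:" + target.decode()                # step 408: relay to the managed NE
```

The sequence to exercise is ISN.handle followed by CNMP.handle on the forwarded packet; repeated rejections of one source address/port end in the "shielded" state, after which the ISN drops and alarms without consulting the CNMP.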
In the above application example, the ISN ensures that the destination address of all data from the LIN network can only be an address in the S1 space or the CNMP address;
The CNMP handles functions such as access, authentication and encryption for network-management users from the LIN; only network-management users who pass authentication by the CNMP and the ILR can access SILSN core network elements, while ordinary users from the LIN can only access S1 space addresses;
The ISN opens and closes the source address and port of LIN users according to the instructions sent by the CNMP;
After receiving the first packet that UE1 sends to the CNMP, the ISN freezes UE1's source address and port, and until it receives a CNMP "port control" message opening the port, the ISN does not accept other packets from user UE1;
The CNMP and the ILR also compare the network element address that a network-management user manages, and do not allow the user to access core network addresses that do not belong to the administrator's authority;
Only for a user whose identity the CNMP regards as an administrator does the CNMP forward the user's packet to the ILR for user authentication.
Only for a network-management user who passes ILR authentication and has the ability to manage the corresponding core network element address does the CNMP forward the user's packet to the corresponding core network element.
The CNMP optionally encrypts and decrypts the data between UE1 and the CNMP.
It should be noted that the invention is described using the subscriber identifier and locator separation network architecture proposed by ZTE Corporation as an example, but it is not limited to this; it is equally applicable to other identifier/locator separation network architectures, such as HIP, LISP and the identifier and locator separation network proposed by Beijing Jiaotong University, since the implementation methods are similar, and these are not repeated here.
In the method provided by this embodiment, a conventional Internet user who initiates an access request is authenticated, and the authority to access network nodes in the SILSN core network is controlled according to the authentication result, so that the security of the core network is protected and ordinary users located in the LIN cannot access SILSN core network element nodes.
As shown in Figure 6, an embodiment of the invention provides a subscriber identifier and locator separation network system comprising a node used for access control, the user access control node comprising:
A receiving module 601, used to receive a packet in which a conventional Internet user accesses a network node in the subscriber identifier and locator separation network;
An acquisition module 602, used to obtain the source address and source port of the packet received by the receiving module;
A lookup module 603, used to look up the source address and source port of the packet in the recorded correspondence information between source address, source port and authority to access the network node;
A control module 604, used to allow the user and the network node to communicate when the lookup module 603 finds the source address and source port of the packet and the access authority corresponding to the source address and source port is open.
Optionally, as shown in Figure 7, the node used for access control may further include:
A first judging module 701, used to judge whether the packet is a pre-agreed network-management request packet when the source address and source port of the packet are not found in the open state table;
A first verification module 702, used to verify whether the user is a network administrator when the judging module 701 determines that the packet is the pre-agreed network-management request packet;
The control module 604 is also used to allow the user and the network node to communicate when the verification module verifies that the user is a network administrator.
Further, the node used for access control also comprises:
A second judging module, used, if the source address and source port of the packet are not found in the open state table, to have the node used for access control further judge whether the packet is a pre-agreed network-management request packet;
A second verification module, used, if the packet conforms, to verify whether the user is a network administrator and, when verification determines that the user is a network administrator, to have the node used for access control further judge, according to the configured information on network nodes accessible to this network administrator, whether the user has authority to access the network node;
The control module is also used to allow the user and the network node to communicate when the verification module determines that the user has authority to access the network node.
Further, the control module 604 is also used to drop the packet in any of the following situations:
The source address and source port of the packet are found in the recorded correspondence information, but the access authority corresponding to the source address and source port is not open;
The packet is judged not to be a pre-agreed network-management request packet;
The format of the packet is judged to be the pre-agreed network-management request packet, but verification determines that the user is not a network administrator;
The packet is judged to be the pre-agreed network-management request packet and verification determines that the user is a network administrator, but the user is judged not to have authority to access the network node.
Optionally, the node used for access control also comprises:
A fourth configuration module, used, when the total number of packets with the same source address and source port dropped by the control module exceeds a preset threshold, to add the source address and source port of the packet to the open state table and configure the corresponding access authority as shielded;
A discarding module, used to directly drop a received packet whose source address and source port have a corresponding access authority of shielded.
Further, as shown in Figure 8, the verification module 702 may further include:
A sending unit 7021, used to send an administrator identification request carrying the user's user identity to the identity location register;
A receiving unit 7022, used to receive an administrator identification response, which contains the result of the identity location register's verification of the user identity against the configured network administrator identifiers;
A determining unit 7023, used to determine, according to the verification result in the administrator identification response, whether the user is a network administrator.
Optionally, as shown in Figure 9, the node used for access control may further include:
A first configuration module 901, used, when the first judging module determines that the packet conforms to the pre-agreed network-management request packet, to add the source address and source port of the packet to the open state table and configure the corresponding access authority as frozen.
Optionally, as shown in Figure 10, the node used for access control may further include:
A second configuration module 1001, used, when the first verification module determines that the user is a network administrator, to change the access authority corresponding to the source address and source port of the packet in the open state table to open.
A third configuration module 1002, used, when the verification module determines that the user is not a network administrator, to delete the record containing the source address and source port of the packet from the open state table.
Further, as shown in Figure 11, the control module 604 may further include:
An acquiring unit 6041, used to obtain, from the administrator authentication response, the encryption mode for communication with the user;
An establishing unit 6042, used to establish communication between the network node and the user using the encryption mode obtained by the acquiring unit 6041.
In the system provided by this embodiment, a conventional Internet user who initiates an access request is authenticated, and the authority to access network nodes in the SILSN core network is controlled according to the authentication result, so the security of the core network is protected and the purpose that ordinary users located in the LIN cannot access SILSN core network element nodes is achieved; at the same time, through port control by the ISN, attacks on the CNMP from ordinary users in the LIN are prevented; and encrypted transmission of the network-management stream between the UE and the CNMP improves transmission security.
Those of ordinary skill in the art will understand that all or part of the steps of the methods of the above embodiments can be implemented by a program instructing the relevant hardware; the program can be stored in a computer-readable storage medium and, when executed, performs one of the steps of the method embodiments or a combination thereof.
In addition, each functional unit in each embodiment of the invention may be implemented in hardware or as a software function module. If an integrated module is implemented as a software function module and sold or used as an independent product, it may also be stored in a computer-readable storage medium.
The storage medium mentioned above may be a read-only memory, a magnetic disk, an optical disk or the like.
The above are only specific embodiments of the invention, but the protection scope of the invention is not limited thereto; any change or replacement that a person skilled in the art can readily conceive within the technical scope disclosed by the invention shall fall within the protection scope of the invention. Therefore the protection scope of the invention shall be determined by the protection scope described in the claims.

Claims (25)

1. A method for controlling user access to a subscriber identifier and locator separation network, characterized in that it comprises:
a node used for access control receives a packet in which a user accesses a network node in the subscriber identifier and locator separation network;
obtaining the destination address and destination port of the packet and, if the destination address and destination port belong to the address and port of a destination network element requiring access control, further obtaining the source address and source port of the packet;
the node used for access control looks up the access authority corresponding to the source address and source port according to the obtained source address and source port of the packet and the recorded correspondence information between source address, source port and authority to access the network node;
if the access authority corresponding to the source address and source port is found, the access control node controls the user's communication with the network node according to that authority.
2. The method according to claim 1, characterized in that:
the address and port requiring access control refer to: the configured address and port of one or more core network management nodes (CNMP), and/or the configured address and port of a network node in the subscriber identifier and locator separation network.
3. The method according to claim 1, characterized in that it further comprises:
if the source address and source port of the packet are not found in the open state table, the node used for access control further judges whether the packet is a pre-agreed network-management request packet;
if it conforms, verifying whether the user is a network administrator;
if the user is a network administrator, allowing the user and the network node to communicate.
4. The method according to claim 3, characterized in that it further comprises the node used for access control dropping the packet in any of the following situations:
the node used for access control finds the source address and source port of the packet in the recorded correspondence information, but the access authority corresponding to the source address and source port is not open;
the node used for access control judges that the packet is not a pre-agreed network-management request packet;
the node used for access control judges that the packet is a pre-agreed network-management request packet, but verification determines that the user is not a network administrator.
5. The method according to claim 1, characterized in that:
if the source address and source port of the packet are not found in the open state table, the node used for access control further judges whether the packet is a pre-agreed network-management request packet;
if it conforms, verifying whether the user is a network administrator; when verification determines that the user is a network administrator, the node used for access control further judges, according to the configured information on network nodes accessible to this network administrator, whether the user has authority to access the network node;
if the user has authority to access the network node, allowing the user and the network node to communicate, otherwise dropping the packet.
6. The method according to claim 1, characterized in that:
when the access control node controls the communication between the user and the network node according to the authority, it allows the user and the network node to communicate when the authority is open, and otherwise drops the packet.
7. The method according to claim 4 or 5, characterized in that:
when the total number of packets with the same source address and source port dropped by the node used for access control exceeds a preset threshold, the source address and source port of the packet are added to the open state table and the corresponding access authority is configured as shielded;
the node used for access control directly drops a received packet whose source address and source port have a corresponding access authority of shielded.
8. The method according to claim 3 or 5, characterized in that verifying whether the user's identity is a network administrator is realized in the following manner:
the node used for access control sends an administrator identification request carrying the user's user identity to the identity location register;
receiving an administrator identification response, which contains the result of the identity location register's verification of the user identity against the configured network administrator identifiers;
determining, according to the verification result in the administrator identification response, whether the user is a network administrator.
9. method according to claim 8 is characterized in that, also comprises:
Include keeper's identifier in the described network management request packet, the described node that is used for access control is to extract wherein keeper's identifier from described network management request packet, send to described identity location register, described identity location register judges with keeper's identifier of receiving whether described user is the network manager according to keeper's identifier of configuration.
10. The method according to claim 5, characterized in that:
when it determines that the packet conforms to the predefined network management request packet, the node used for access control also adds the source address and source port of the packet to the open state table and configures the access right corresponding to that source address and source port as frozen.
11. The method according to claim 10, characterized in that:
when the user is determined to be a network manager, the node used for access control also changes the access right corresponding to the source address and source port of the packet in the open state table to open.
12. The method according to claim 10, characterized in that:
when the user is determined not to be a network manager, the node used for access control deletes from the open state table the record containing the source address and source port of the packet.
13. The method according to any one of claims 1 to 6, characterized in that allowing the user and the network node to communicate is implemented as follows:
the node used for access control obtains, from the manager authentication response, the encryption mode to be used for communication with the user;
communication between the network node and the user is established using that encryption mode.
14. The method according to claim 1, characterized in that the node used for access control is the combination of an interworking gateway and a core network management node, or the node used for access control is an interworking gateway.
15. An identifier and locator separation network system, characterized in that it comprises a node used for access control, wherein the node used for access control comprises:
a receiving module, for receiving packets with which users of the conventional Internet access a network node in the identifier and locator separation network;
an acquisition module, for obtaining the destination address and destination port of the packet and, when it judges that the destination address and destination port belong to the address and port of a target network element that requires access control, further obtaining the source address and source port of the packet received by the receiving module;
a lookup module, for looking up the source address and source port of the packet in the recorded correspondence between source address, source port and the right to access the network node;
a control module, for allowing the user and the network node to communicate when the lookup module finds the source address and source port of the packet and the access right corresponding to that source address and source port is open.
16. The system according to claim 15, characterized in that the node used for access control further comprises:
a first judging module, for judging whether the packet is a predefined network management request packet when the source address and source port of the packet are not found in the open state table;
a first authentication module, for verifying whether the user is a network manager when the first judging module determines that the packet is the predefined network management request packet;
the control module is further used for allowing the user and the network node to communicate when the first authentication module verifies that the user is a network manager.
17. The system according to claim 15, characterized in that the node used for access control further comprises:
a second judging module, for judging whether the packet is a predefined network management request packet when the source address and source port of the packet are not found in the open state table;
a second authentication module, for verifying, when the packet conforms, whether the user is a network manager and, when the verification determines that the user is a network manager, further judging from the configured information on the network nodes accessible to that network manager whether the user has the right to access the network node;
the control module is further used for allowing the user and the network node to communicate when the second authentication module determines that the user has the right to access the network node.
18. The system according to claim 17, characterized in that the control module is further used for discarding the packet in any of the following cases:
the source address and source port of the packet are found in the recorded correspondence information, but the access right corresponding to that source address and source port is not open;
the packet is judged not to be the predefined network management request packet;
the format of the packet is judged to conform to the format of the predefined network management request packet, but verification determines that the user is not a network manager;
the packet is judged to be the predefined network management request packet and verification determines that the user is a network manager, but the user is judged to have no right to access the network node.
19. The system according to claim 18, characterized in that the node used for access control further comprises:
a fourth configuration module, for adding the source address and source port of the packet to the open state table and configuring the access right corresponding to that source address and source port as shielded when the total number of packets with the same source address and source port discarded by the control module exceeds a preset threshold;
a discarding module, for directly discarding a received packet whose source address and source port have a corresponding access right of shielded.
20. The system according to claim 17, characterized in that the authentication module comprises:
a sending unit, for sending a manager identity authentication request to the identity location register, carrying the user identifier of the user;
a receiving unit, for receiving the manager identity authentication response, which carries the result of the identity location register authenticating that user identifier against the configured identity of the network manager;
a determining unit, for determining whether the user is a network manager according to the authentication result in the manager identity authentication response.
21. The system according to claim 16, characterized in that the node used for access control further comprises:
a first configuration module, for adding the source address and source port of the packet to the open state table and configuring the access right corresponding to that source address and source port as frozen when the first judging module determines that the packet conforms to the predefined network management request packet.
22. The system according to claim 21, characterized in that the node used for access control further comprises:
a second configuration module, for changing the access right corresponding to the source address and source port of the packet in the open state table to open when the first authentication module determines that the user is a network manager.
23. The system according to claim 21, characterized in that the node used for access control further comprises:
a third configuration module, for deleting from the open state table the record containing the source address and source port of the packet when the authentication module determines that the user is not a network manager.
24. The system according to claim 15 or 16, characterized in that the control module further comprises:
an acquiring unit, for obtaining, from the manager authentication response, the encryption mode to be used for communication with the user;
an establishing unit, for establishing communication between the network node and the user using the encryption mode obtained by the acquiring unit.
25. The system according to claim 15, characterized in that:
the acquisition module judges whether the destination address and destination port of the packet belong to the address and port of a target network element that requires access control by judging whether the destination address and destination port of the packet are the configured address and port of one or more core network management nodes (CNMP), and/or the configured address and port of a network node in the identifier and locator separation network.
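The method claims (claim 7 onward above) and the matching system claims (15 to 25) describe a single decision procedure at the node used for access control: a lookup in an open state table keyed by source address and port, a detour to the identity location register (ILR) for packets that look like management requests, records that are frozen while that check is pending and opened or deleted afterwards, and shielding of a source once its discarded packets exceed a threshold. The following Python sketch is an added example written for this page; it is not ZTE's implementation and nothing in it comes from the patent text beyond the states and transitions the claims name. The management request format `NM-REQ <user id> [<manager id>]`, the `IlrResponse` field names, the `manager_nodes` configuration and the split into `handle` (packet arrives) and `on_ilr_response` (ILR answers) are assumptions; the ILR round trip is modelled as asynchronous so that the frozen state is observable.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, FrozenSet, Optional, Tuple

Endpoint = Tuple[str, int]  # (address, port)

class Right(Enum):
    OPEN = "open"          # source may communicate with the protected node
    FROZEN = "frozen"      # management request seen, manager check in progress
    SHIELDED = "shielded"  # drop threshold exceeded: discard without further checks

@dataclass(frozen=True)
class Packet:
    src: Endpoint
    dst: Endpoint
    payload: bytes

@dataclass(frozen=True)
class IlrResponse:
    # Assumed field names: the claims say only that the manager authentication
    # response carries the authentication result and the cipher mode.
    is_manager: bool
    cipher_mode: Optional[str] = None

@dataclass(frozen=True)
class Decision:
    verdict: str           # "allow", "drop" or "pending"
    reason: str
    cipher_mode: Optional[str] = None

# Assumed wire format of the "predefined network management request packet":
# b"NM-REQ <user identifier> [<manager identifier>]"
MGMT_MAGIC = b"NM-REQ "

def parse_mgmt_request(payload: bytes) -> Optional[Tuple[str, Optional[str]]]:
    """Return (user_id, manager_id) if the payload is a management request."""
    if not payload.startswith(MGMT_MAGIC):
        return None
    fields = payload[len(MGMT_MAGIC):].decode("ascii", "replace").split()
    if not fields:
        return None
    return fields[0], (fields[1] if len(fields) > 1 else None)

class AccessControlNode:
    def __init__(self, protected: FrozenSet[Endpoint],
                 manager_nodes: Dict[str, FrozenSet[Endpoint]],
                 ilr_send: Callable[[Endpoint, str, Optional[str]], None],
                 drop_threshold: int = 3) -> None:
        self.protected = protected          # configured CNMP / network-node (addr, port)
        self.manager_nodes = manager_nodes  # configured nodes each manager may access
        self.ilr_send = ilr_send            # transmits the manager authentication request
        self.drop_threshold = drop_threshold
        self.open_state: Dict[Endpoint, Right] = {}   # the claims' "open state table"
        self.drop_count: Dict[Endpoint, int] = {}
        self.pending: Dict[Endpoint, Tuple[str, Endpoint]] = {}

    def _drop(self, src: Endpoint, reason: str) -> Decision:
        """Discard; shield the source once its drop count exceeds the threshold."""
        self.drop_count[src] = self.drop_count.get(src, 0) + 1
        if self.drop_count[src] > self.drop_threshold:
            self.open_state[src] = Right.SHIELDED
            self.pending.pop(src, None)
        return Decision("drop", reason)

    def handle(self, pkt: Packet) -> Decision:
        if pkt.dst not in self.protected:
            return Decision("allow", "destination not subject to access control")
        right = self.open_state.get(pkt.src)
        if right is Right.SHIELDED:
            return Decision("drop", "source shielded")  # no counting, no ILR round trip
        if right is Right.OPEN:
            return Decision("allow", "source open")
        if right is Right.FROZEN:
            return self._drop(pkt.src, "access right not open: manager check pending")
        parsed = parse_mgmt_request(pkt.payload)
        if parsed is None:
            return self._drop(pkt.src, "not a network management request")
        user_id, manager_id = parsed
        self.open_state[pkt.src] = Right.FROZEN         # record first, then ask the ILR
        self.pending[pkt.src] = (user_id, pkt.dst)
        self.ilr_send(pkt.src, user_id, manager_id)
        return Decision("pending", "manager authentication requested from the ILR")

    def on_ilr_response(self, src: Endpoint, resp: IlrResponse) -> Decision:
        if src not in self.pending:
            return Decision("drop", "no pending authentication for this source")
        user_id, dst = self.pending.pop(src)
        if not resp.is_manager:
            self.open_state.pop(src, None)              # delete the frozen record
            return self._drop(src, "user is not a network manager")
        if dst not in self.manager_nodes.get(user_id, frozenset()):
            self.open_state.pop(src, None)              # claims leave this record unspecified
            return self._drop(src, "manager has no right to access this node")
        self.open_state[src] = Right.OPEN
        return Decision("allow", "manager authenticated", resp.cipher_mode)
```

Two points the claims fix and the sketch follows: a shielded source is discarded before any parsing or ILR traffic, so a flood of fake management requests costs the ILR nothing once the threshold is passed, and the drop counter only advances for the cases listed in claim 18, so shielded packets are not counted again. The claims do not say how or whether a shielded entry expires, nor what happens to the frozen record when an authenticated manager asks for a node outside his configured set; this example deletes it so that the manager is not locked out of other nodes, which is a design choice rather than something the patent states.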
Family application CN200910205326.7A, priority date 2009-10-10, filing date 2009-10-10, "Method and system for controlling SILSN (Subscriber Identifier & Locator Separation Network)", granted as CN102045313B (en), status Active.

Priority Applications (2)

Application Number | Priority Date | Filing Date | Title
CN200910205326.7A (CN102045313B) | 2009-10-10 | 2009-10-10 | Method and system for controlling SILSN (Subscriber Identifier & Locator Separation Network)
PCT/CN2010/075908 (WO2011041963A1) | 2009-10-10 | 2010-08-11 | Method, apparatus and system for controlling user to access network

Publications (2)

Publication Number | Publication Date
CN102045313A (en), application publication | 2011-05-04
CN102045313B (en), granted patent | 2014-03-12

Family ID: 43856369

Country Status (2)

Country | Link
CN | CN102045313B (en)
WO | WO2011041963A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party

Publication Number | Priority Date | Publication Date | Assignee | Title
CN111193727A (en) * | 2019-12-23 | 2020-05-22 | 成都烽创科技有限公司 | Operation monitoring system and operation monitoring method

Families Citing this family (1)

Publication Number | Priority Date | Publication Date | Assignee | Title
CN102752266B (en) * | 2011-04-20 | 2015-11-25 | 中国移动通信集团公司 | Access control method and equipment thereof

Citations (3)

Publication Number | Priority Date | Publication Date | Assignee | Title
US20040160975A1 (en) * | 2003-01-21 | 2004-08-19 | Charles Frank | Multicast communication protocols, systems and methods
CN1567839A (en) * | 2003-06-24 | 2005-01-19 | 华为技术有限公司 | Port based network access control method
CN1801764A (en) * | 2006-01-23 | 2006-07-12 | 北京交通大学 | Internet access method based on identity and location separation


Also Published As

Publication Number | Publication Date
WO2011041963A1 (en) | 2011-04-14
CN102045313B (en) | 2014-03-12

Legal Events

Code | Title | Description
C06 | Publication |
PB01 | Publication |
C10 | Entry into substantive examination |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |
TR01 | Transfer of patent right | Effective date of registration: 20201218. Patentee before: ZTE Corp., 518057, Department of Law, Zhongxing Building, South Hi-Tech Industrial Park, Nanshan District, Shenzhen, Guangdong. Patentee after: Kunshan Chuangzhihui Intellectual Property Operation Co., Ltd., Room 705, 7/F, Room 9, 1699 Zuchongzhi South Road, Kunshan City, Suzhou City, Jiangsu Province.
CP02 | Change in the address of a patent holder | Patentee: Kunshan Chuangzhihui Intellectual Property Operation Co., Ltd. Address before: Room 705, 7/F, Room 9, 1699 Zuchongzhi South Road, Kunshan City, Suzhou City, Jiangsu Province. Address after: 215300, Rooms 107 and 108, Area C, 55 Xiaxi Street, Kunshan Development Zone, Suzhou City, Jiangsu Province.
TR01 | Transfer of patent right | Effective date of registration: 20230927. Patentee before: Kunshan Chuangzhihui Intellectual Property Operation Co., Ltd., 215300, Rooms 107 and 108, Area C, 55 Xiaxi Street, Kunshan Development Zone, Suzhou City, Jiangsu Province. Patentee after: Suzhou Tanyun Purification Technology Co., Ltd., Room 1412, No. 579 Qianjin East Road, Kunshan Development Zone, Suzhou City, Jiangsu Province, 215300.