Summary of the invention
Embodiments of the invention provide a method and system for controlling user access to an identity and locator separation network, which can protect the security of the identity and locator separation network.
To solve the above problem, the invention provides a method for controlling user access to a network node in an identity and locator separation network, comprising:
A node used for access control (hereinafter the access control node) receives a packet from a user accessing a network node of the identity and locator separation network;
The destination address and destination port of the packet are obtained; if the destination address and destination port belong to the address and port of a target network element that requires access control, the source address and source port of the packet are further obtained;
According to the obtained source address and source port of the packet and the recorded correspondence information between source address, source port and the right to access the network node, the access control node looks up the access rights corresponding to the source address and source port;
If the access rights corresponding to the source address and source port are found, the access control node controls communication between the user and the network node according to those rights.
Further, the method may also have the following feature:
The address and port requiring access control refers to the configured address and port of one or more core network management nodes (CNMP), and/or the configured address and port of a network node in the identity and locator separation network.
Further, the method may also have the following feature:
If the source address and source port of the packet are not found in the open state table, the access control node further judges whether the packet is a predefined network management request packet;
If so, it verifies whether the user is a network administrator;
If the user is a network administrator, the user is allowed to communicate with the network node.
Further, the method may also have the following feature: the access control node discards the packet in any of the following situations:
The access control node finds the source address and source port of the packet in the recorded correspondence information, but the access rights corresponding to the source address and source port are not open;
The access control node judges that the packet is not a predefined network management request packet;
The access control node judges that the packet is a predefined network management request packet, but verification determines that the user is not a network administrator.
Further, the method may also have the following feature:
If the source address and source port of the packet are not found in the open state table, the access control node further judges whether the packet is a predefined network management request packet;
If so, it verifies whether the user is a network administrator; when verification determines that the user is a network administrator, the access control node further judges, according to configured information on the network nodes accessible to this network administrator, whether the user has the right to access the network node;
If the user has the right to access the network node, the user is allowed to communicate with the network node; otherwise the packet is discarded.
Further, the method may also have the following feature:
When the access control node controls communication between the user and the network node according to the rights, it allows the user to communicate with the network node if the rights are open, and otherwise discards the packet.
Further, the method may also have the following feature:
When the total number of times the access control node has discarded packets with the same source address and source port exceeds a preset count threshold, the source address and source port of the packet are added to the open state table, and the access rights corresponding to that source address and source port are configured as shielded;
Thereafter, the access control node directly discards any packet received from a source address and source port whose corresponding access rights are shielded.
Further, the method may also have the following feature: verifying whether the user's identity is that of a network administrator is implemented as follows:
The access control node sends an administrator identification request to the identity location register, carrying the user's user identifier;
It receives an administrator identification response, which carries the result of the identity location register's authentication of the user identifier against the configured identifier of the network administrator;
According to the authentication result in the administrator identification response, it determines whether the user is a network administrator.
Further, the method may also have the following feature:
The network management request packet contains an administrator identifier; the access control node extracts the administrator identifier from the network management request packet and sends it to the identity location register, and the identity location register judges whether the user is a network administrator by comparing the received administrator identifier with the configured administrator identifier.
Further, the method may also have the following feature:
When the packet is determined to be a predefined network management request packet, the access control node also adds the source address and source port of the packet to the open state table, and configures the access rights corresponding to that source address and source port as frozen.
Further, the method may also have the following feature:
When the user is determined to be a network administrator, the access control node also changes the access rights corresponding to the source address and source port of the packet in the open state table to open.
Further, the method may also have the following feature:
When the user is determined not to be a network administrator, the access control node deletes the record containing the source address and source port of the packet from the open state table.
Further, the method may also have the following feature: allowing the user to communicate with the network node is implemented as follows:
The access control node obtains, from the administrator authentication response, the encryption mode for communication with the user;
Communication between the network node and the user is established using that encryption mode.
Further, the method may also have the following feature: the access control node is a combination of an interworking gateway and a core network management node, or the access control node is an interworking gateway.
Correspondingly, the invention provides an identity and locator separation network system comprising a node used for access control, where the device for controlling user access comprises:
A receiving module, for receiving a packet sent by a user of the conventional Internet to access a network node in the identity and locator separation network;
An acquisition module, for obtaining the destination address and destination port of the packet and, if it judges that the destination address and destination port belong to the address and port of a target network element requiring access control, further obtaining the source address and source port of the packet received by the receiving module;
A lookup module, for looking up the source address and source port of the packet in the recorded correspondence information between source address, source port and the right to access the network node;
A control module, for allowing the user to communicate with the network node when the lookup module finds the source address and source port of the packet and the access rights corresponding to that source address and source port are open.
Further, the system may also have the following feature: the access control node further comprises:
A first judging module, for further judging whether the packet is a predefined network management request packet when the source address and source port of the packet are not found in the open state table;
A first authentication module, for verifying whether the user is a network administrator when the judging module determines that the packet is the predefined network management request packet;
The control module is further used to allow the user to communicate with the network node when the authentication module verifies that the user is a network administrator.
Further, the system may also have the following feature: the access control node further comprises:
A second judging module, for further judging whether the packet is a predefined network management request packet when the source address and source port of the packet are not found in the open state table;
A second authentication module, for verifying whether the user is a network administrator when the packet matches and, when verification determines that the user is a network administrator, further judging according to the configured information on the network nodes accessible to this network administrator whether the user has the right to access the network node;
The control module is further used to allow the user to communicate with the network node when the authentication module determines that the user has the right to access the network node.
Further, the system may also have the following feature: the control module is further used to discard the packet in any of the following situations:
The source address and source port of the packet are found in the recorded correspondence information, but the access rights corresponding to that source address and source port are not open;
The packet is judged not to be a predefined network management request packet;
The format of the packet is judged to match the format of the predefined network management request packet, but verification determines that the user is not a network administrator;
The packet is judged to be a predefined network management request packet and verification determines that the user is a network administrator, but the user is judged not to have the right to access the network node.
Further, the system may also have the following feature:
A fourth configuration module, for adding the source address and source port of the packet to the open state table and configuring the corresponding access rights as shielded when the total number of times the control module has discarded packets with the same source address and source port exceeds a preset count threshold;
A discard module, for directly discarding packets subsequently received from a source address and source port whose corresponding access rights are shielded.
Further, the system may also have the following feature: the authentication module comprises:
A sending unit, for sending an administrator identification request carrying the user's user identifier to the identity location register;
A receiving unit, for receiving an administrator identification response, which carries the result of the identity location register's authentication of the user identifier against the configured identifier of the network administrator;
A determining unit, for determining whether the user is a network administrator according to the authentication result in the administrator identification response.
Further, the system may also have the following feature: the access control node further comprises:
A first configuration module, for adding the source address and source port of the packet to the open state table and configuring the corresponding access rights as frozen when the first judging module determines that the packet matches the predefined network management request packet.
In the system according to claim 21, the access control node further comprises:
A second configuration module, for changing the access rights corresponding to the source address and source port of the packet in the open state table to open when the first authentication module determines that the user is a network administrator.
Further, the system may also have the following feature: the access control node further comprises:
A third configuration module, for deleting the record containing the source address and source port of the packet from the open state table when the authentication module determines that the user is not a network administrator.
In the system according to claim 15 or 16, the control module further comprises:
An acquiring unit, for obtaining from the administrator authentication response the encryption mode for communication with the user;
An establishing unit, for establishing communication between the network node and the user using the encryption mode obtained by the acquiring unit.
Further, the system may also have the following feature:
When the acquisition module judges whether the destination address and destination port of the packet belong to the address and port of a target network element requiring access control, it judges whether the destination address and destination port of the packet are the configured address and port of one or more core network management nodes (CNMP), and/or the configured address and port of a network node in the identity and locator separation network.
With the above method and system, the problem of how a network management user located in the LIN accesses SILSN core network elements is solved, and the security of the core network is guaranteed. In one embodiment, ordinary users located in the LIN are prevented from accessing SILSN core network element nodes. In one embodiment, attacks on the CNMP from ordinary users in the LIN can also be prevented (through port control at the ISN), and encrypted transmission of the network management traffic between UE1 and the CNMP can be achieved. In addition, all core network nodes accept only management packets coming from the CNMP, which helps secure the management of core network elements.
Embodiments
Specific embodiments of the invention are described in detail below in conjunction with the accompanying drawings.
In the SILSN network, the ISN performs interworking between the SILSN network and the LIN network. When users in the LIN network and users in the SILSN core network access each other, because the addressing system of the SILSN network differs from that of the LIN, the ISN must convert the data formats and addressing spaces of both sides; the addressing spaces concerned are the user identifier (AID) space and the public network IP address space.
The ISN maps packets of SILSN user equipment, which are identified by a user identifier (AID, also called an access identifier), to one or more segments of public network IP addresses and port numbers of the LIN network; the address space formed by these public network IP address segments is denoted S1. Therefore, for users in the SILSN, no matter how their identifier AID changes, after their packets have been converted by the ISN and finally delivered to the LIN, every user's AID is mapped to some IP address and port number in S1. Thus, to users in the LIN network, the SILSN users they see lie in the S1 space, and when a user in the LIN network accesses a user in the SILSN network, it is in fact accessing an address in the S1 space.
To protect the security of network elements in the SILSN core network, the ISN does not allow LIN users to access the network element addresses of the SILSN core network directly; it only allows them to access SILSN users, that is, users in the LIN can only access the address space within S1.
As described above, for a SILSN administrator to be able to operate SILSN core network elements in an emergency, the SILSN administrator needs to be given the ability to access core network elements from within the LIN network, while ensuring that, when the SILSN administrator manages the SILSN from the LIN, ordinary users in the LIN are still prevented from accessing core network elements.
Because the data traffic used for network management in the SILSN is generally much smaller than the traffic used for services, and most network management operations (such as remote diagnosis, testing and control) are initiated from inside the SILSN, that is, most network management traffic in the SILSN comes from inside the SILSN, the traffic for managing SILSN network elements from the LIN is very small. It is a supplement to remote management, used mainly in emergencies that require the support of equipment vendors, or in emergencies where an experienced administrator is not in the network management office; such occasions are normally rare, so this type of traffic is generally very small and does not require great processing capability. To facilitate unified control and management of this type of traffic and achieve centralized management, this embodiment introduces a core network management node (Core Network Management Proxy, CNMP), through which an administrator located in the LIN manages the SILSN network, as shown in Figure 2:
The core network management node (Core Network Management Proxy, CNMP) is used to process network management packets sent by a SILSN administrator located in the LIN;
The ISN is used to receive packets sent by LIN users and to judge whether a packet is addressed to the CNMP; if so, the packet is forwarded to the CNMP. Otherwise, it judges whether the destination address lies within the S1 range; if so, the ISN converts the destination address to an AID, converts the packet and forwards it to the ASN, which delivers it to the destination user in the SILSN. If the address is not within the S1 range, the packet is discarded directly.
In this embodiment, to ensure that users in the LIN other than the SILSN administrator can access users in the SILSN normally but cannot access network nodes in the core network, the ISN must distinguish two types of packet, identifying whether a packet sent by UE1 is of type one or type two. This embodiment preferably, under security restriction measures (such as a special packet format, or restricting the first packet sent from the same source address), has the ISN identify whether the destination address of the packet is the address of the CNMP, and thereby distinguish whether traffic coming from the LIN network is traffic for managing the SILSN. In the invention, the address of the CNMP is an IP address, which may be an IPv4 or IPv6 address.
Of course, other implementations are also possible, such as using different packet formats, or an agreed-upon flag in the protocol by which the ISN identifies whether a packet is addressed to the CNMP.
Optionally, to further prevent users in the LIN network from attacking the SILSN network, the ISN accepts only packets whose destination address is in the S1 space or whose destination address is the CNMP address, and discards all other packets. The ISN decides, according to the open state information for the packet's source address and port, whether to hand the packet to the CNMP for processing.
If the packet is not handed to the CNMP but the destination address of the packet initiated by the user equipment is judged to be the address of the CNMP, the packet is regarded as a packet of the second type; when the destination address of the packet is not the CNMP address but lies in the S1 space, the packet is regarded as a packet of the first type and is processed as such: the destination user's location is looked up, the packet is re-encapsulated, and it is forwarded to the ASN where the destination user is currently registered.
If the packet is handed to the CNMP for processing, the CNMP identifies the identity of the initiator, which may be done by interacting with the ILR. When the CNMP judges that the initiator of the packet is a SILSN administrator, the CNMP forwards the packet to the managed core network element.
Optionally, after the ISN has sent the packet to the CNMP, the CNMP may further authenticate the initiator by interacting with the ILR. After the initiator passes authentication, a secure tunnel is established between the initiator and the CNMP, through which the CNMP forwards the initiator's messages for a managed network element to that managed network element.
Figure 3 is a schematic diagram of the network architecture further refined around the CNMP in the embodiment of the invention. After a type-two packet is sent from UE1, ISN1 judges that its format is the network management request packet format and, if its source address and port are not within the restricted range, hands it to the CNMP for processing. After receiving the packet, the CNMP extracts the user identifier from it and sends that identifier to the ILR, so that the ILR identifies the identity of user UE1, determines whether UE1 has the identity of a SILSN administrator, and notifies the CNMP of the identification result.
Because an ordinary user in the LIN may attempt access under the identity of a SILSN administrator, the CNMP may also perform the following steps after judging that the initiator of the packet is a SILSN administrator and before forwarding the packet to the managed core network element:
The CNMP notifies ISN1 to open the source address and port corresponding to the packet sent by UE1; the ILR may then further authenticate the identity of UE1 through message interaction with UE1 via the CNMP, and notifies the CNMP of the authentication result. After authentication passes, the CNMP hands the subsequent packets sent by UE1 to the CNMP to the managed core network element, for example ASN2, for processing.
After the ILR's authentication of UE1 passes, the ILR may further check whether UE1 has the authority to manage the managed core network element, such as the authority over ASN2. If the ILR's authentication of UE1 fails, or the ILR finds that UE1 does not have the authority to manage the managed core network element, the CNMP notifies the ISN to carry out attack-protection processing, for example "closing" or "shielding" the opened source address and corresponding port of UE1;
If the CNMP finds that a certain LIN user repeatedly initiates network management requests to the CNMP but repeatedly fails authentication, and the number of failures exceeds a certain count threshold, the CNMP can notify the ISN to change the state of the source address and port number of that user's packets to "shielded";
For a user in the "shielded" state, the ISN no longer forwards any packets of that user to the CNMP.
Further, to prevent a user located in the LIN from launching a denial-of-service attack (such as a DoS attack) on the CNMP by sending packets frequently, the ISN may also keep the open state of the source address and source port of packets sent from the administrator's source address. These states may be kept in an open state table (Open State Table, OPT), which the ISN uses to manage the source address and source port of a SILSN administrator located in the LIN, and the ISN checks whether the user's source address is in the OPT. When the ISN receives a packet from a LIN user, it extracts the packet's source address and then checks the open state of that source address and source port in the OPT;
If the state is open, the user's data is forwarded directly to the CNMP; if the state is "frozen", the packet is discarded; if the state is "shielded", the packet is discarded and an alarm is raised;
If the user's source address is not in the OPT, the source address and source port number of the user carried in the packet are placed in the OPT and their state is set to "frozen";
Subsequently, the ISN can change the state of the user's source address/source port in the OPT according to instructions from the CNMP, for example changing "frozen" to open or to "shielded".
In summary, to prevent ordinary users from the LIN from attacking core network elements, the ISN in this embodiment handles the forwarding of packets to the CNMP in the following scenarios:
1. A packet whose destination address is not the address of the CNMP is not forwarded to the CNMP;
2. For a packet whose destination address is the address of the CNMP and whose source address/source port is in the OPT, if its state is open, it is unconditionally forwarded to the corresponding managed network element;
3. For a packet whose destination address is the address of the CNMP and whose source address/source port is in the OPT, if its state is "shielded", the packet is discarded, the user's behaviour is logged, and an alarm is raised or not depending on conditions;
4. For a packet whose destination address is the address of the CNMP and whose source address/source port is in the OPT, if its state is "frozen", the packet is discarded;
5. For a packet whose destination address is the address of the CNMP and whose source address/source port is not in the OPT, the ISN forwards only the first packet sent by that source address/source port to the CNMP, places the source address/source port in the OPT, and sets its state to "frozen".
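The access control method of the summary (lookup of a source address/source port in the open state table, discarding with a count threshold that leads to shielding) and the five ISN scenarios listed above describe the same forwarding decision. The following is an added illustration of that decision, not code from the patent or from any vendor's product: the class and method names, the packet fields, the "open"/"close"/"shield" port control commands from the CNMP and the sample addresses are assumptions made for the example, and AID conversion for user traffic is not modelled.

```python
# Added illustration of the ISN forwarding decision and open state table (OPT)
# described above. This is constructed example code, not the patent's or any
# vendor's implementation; the class and method names, the packet fields and
# the sample addresses are assumptions made for the illustration.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

OPEN, FROZEN, SHIELDED = "open", "frozen", "shielded"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    mgmt_request: bool = False  # True if the payload matches the predefined request format


@dataclass
class Isn:
    cnmp: tuple                    # (address, port) of the CNMP
    s1: list                       # public address segments exposed for SILSN users
    shield_threshold: int = 3      # discards per source tolerated before shielding
    opt: dict = field(default_factory=dict)     # (src_ip, src_port) -> OPT state
    drops: dict = field(default_factory=dict)   # (src_ip, src_port) -> discard count
    alarms: list = field(default_factory=list)  # sources that triggered an alarm

    def _drop(self, key, alarm=False):
        """Discard, count the discard, and shield the source once the threshold is exceeded."""
        self.drops[key] = self.drops.get(key, 0) + 1
        if self.drops[key] > self.shield_threshold:
            self.opt[key] = SHIELDED
        if alarm:
            self.alarms.append(key)
        return "drop_alarm" if alarm else "drop"

    def handle(self, pkt):
        """Return the action taken for one packet arriving from the LIN."""
        key = (pkt.src_ip, pkt.src_port)
        if (pkt.dst_ip, pkt.dst_port) != self.cnmp:
            # Scenario 1: not management traffic; only S1 destinations are user traffic
            if any(ip_address(pkt.dst_ip) in net for net in self.s1):
                return "forward_asn"   # address conversion to AID would happen here
            return self._drop(key)
        state = self.opt.get(key)
        if state == OPEN:
            return "forward_cnmp"      # scenario 2
        if state == SHIELDED:
            return self._drop(key, alarm=True)  # scenario 3: log and alarm
        if state == FROZEN:
            return self._drop(key)     # scenario 4: wait for the CNMP's decision
        # Scenario 5: unknown source; only a well-formed first request reaches the CNMP
        if not pkt.mgmt_request:
            return self._drop(key)
        self.opt[key] = FROZEN
        return "forward_cnmp"

    def port_control(self, key, command):
        """Apply a port control message from the CNMP to the OPT."""
        if command == "open":
            self.opt[key] = OPEN
        elif command == "close":
            self.opt.pop(key, None)    # normal close once the procedure ends
        elif command == "shield":
            self.opt[key] = SHIELDED
        else:
            raise ValueError(f"unknown port control command {command!r}")


def demo():
    """Walk one administrator source and one misbehaving source through the ISN."""
    isn = Isn(cnmp=("198.51.100.10", 8000),
              s1=[ip_network("203.0.113.0/24")], shield_threshold=2)
    admin = ("192.0.2.5", 40000)   # constructed sample sources in the LIN
    other = ("192.0.2.9", 50000)
    mgmt = Packet(*admin, "198.51.100.10", 8000, mgmt_request=True)
    actions = [isn.handle(mgmt)]          # first request: recorded as frozen, forwarded
    actions.append(isn.handle(mgmt))      # second request while frozen: dropped
    isn.port_control(admin, "open")       # CNMP confirmed the administrator
    actions.append(isn.handle(mgmt))      # now forwarded
    isn.port_control(admin, "close")      # procedure ended, record removed
    actions.append(isn.handle(Packet(*other, "203.0.113.7", 80)))  # S1: user traffic
    for _ in range(3):                    # repeated traffic to a non-S1 core address
        actions.append(isn.handle(Packet(*other, "10.0.0.1", 22)))
    actions.append(isn.handle(Packet(*other, "198.51.100.10", 8000, mgmt_request=True)))
    return actions, dict(isn.opt), list(isn.alarms)
```

The discard counter implements the count threshold of the summary: a source that keeps sending packets the ISN cannot forward ends up shielded even before the CNMP has seen it, so a later well-formed management request from that source is discarded with an alarm instead of being forwarded.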
It should be noted that, in practical applications, the functions of the core network management node and the interworking gateway may be provided on a single node in the SILSN network, such as the interworking gateway in the network architecture of the invention, communicating through an internal logical interface; the method and procedure are the same as when the core network management node and the interworking gateway are deployed separately, so they are not repeated here. For ease of description, the node that realises access control in either of the above two cases is referred to in the invention simply as the access control node.
The following describes the case in which the above two network nodes are deployed separately in the embodiment of the invention.
To help those skilled in the art understand the technical solution provided by the invention more clearly, specific application scenarios are used as examples below:
Embodiment one
This embodiment is described using the application example in which a SILSN administrator located in the LIN initiates access, as shown in Figure 4:
Step 401: User UE1, located in the LIN, needs to access a core network node of the SILSN network and sends a network management request message to the ISN. The network management request message may be encapsulated in an IP packet whose destination address is the address of the CNMP. After the ISN receives the network management request message, if it determines that the recipient of the message is the CNMP, step 402 is executed;
It should be noted that the CNMP should predefine the format of this network management request message. When the ISN finds that the source address/source port of a packet coming from the LIN is not in the OPT, the data is checked against this message format, and the packet is discarded if it does not match. If it matches, the source address and port are extracted and a record indexed by that source address and port is generated in the OPT with its state set to "frozen"; until an order from the CNMP to open the port is received, no further messages sent by user UE1 are accepted, so as to avoid a user-initiated denial-of-service attack.
Step 402: The ISN receives the network management request message and sends it to the CNMP;
Step 403: The CNMP directly extracts the user's access identifier AID from the network management request message and sends it to the ILR in an "identify administrator identity request";
Step 404: The ILR judges according to the AID whether this user UE1 has administrator identity and returns an "identify administrator identity response" to the CNMP. If the AID is not an administrator identifier, the identify administrator identity response notifies the CNMP of failure; if the AID is an administrator identifier, the response notifies the CNMP that the AID has been verified and the procedure may continue;
Step 405: After the CNMP receives the identify administrator identity response, if the procedure may continue, it notifies the ISN through a "port control message" to open the source address and port corresponding to this user UE1; if the identification failed, it notifies the ISN to close the source port and destination port corresponding to this user UE1;
Step 406: After the ISN receives the port control message, if the CNMP requires an abnormal port close, the ISN counts the number of times this source address has been abnormally closed and decides, according to a preset threshold, whether to put this source address in a blacklist for longer shielding; it then deletes this source address and source port number from the "source address and port shielding entry" to save space in the source address and port shielding table, and the procedure ends;
If the CNMP requires the ISN to open the port, the ISN opens the corresponding source port and destination port, which allows the ISN to forward messages subsequently sent by this user UE1 to the CNMP, and step 407 is executed;
Step 407: The CNMP, by interacting with the ILR, authenticates this user UE1 and at the same time checks whether the core network element address that UE1 currently wishes to manage is consistent with the manageable core network element addresses preset for this user in the ILR; if authentication passes and the managed network element address is consistent, the procedure continues;
If authentication passes, UE1 executes step 408;
If authentication fails, or the core network element that UE1 requests to manage is inconsistent with the manageable network element addresses set for UE1 in the ILR, the CNMP sends a "port control" message to the ISN requiring the ISN to close the source address and source port, and the procedure ends;
Step 408: After UE1 passes normal authentication, it sends specific network management messages to the corresponding network element, such as the ASN, via the CNMP; the CNMP forwards the messages to the ASN and also sends messages received from the ASN to UE1;
Optionally, if an encryption key was negotiated in the authentication process of step 407, in this step the messages UE1 sends to the ASN may also be sent to the CNMP in encrypted form, and the CNMP may also encrypt the data sent by the ASN before delivering it to UE1;
The authentication process of step 407 may use an authentication method of the prior art;
The forwards that step 409:CNMP sends UE1 as ASN, sends to CNMP with ASN with corresponding message to corresponding network element;
Step 410:, notify the webmaster handling process of CNMP correspondence to finish when the webmaster handling process is that core network element of being managed such as ASN sent " flow process end " message to CNMP after step 409 finished;
After step 411:CNMP receives " flow process end " message, send " port controlling " message, require the normal close port of ISN to ISN.
After ISN received this message, with corresponding port shutdown, other message that no longer receive and transmit except the X1 form arrived SNM.
The method that present embodiment provides, by the conventional the Internet user who initiates access request is carried out authentication, control the authority of network node in the visit SILSN core net according to the result of authentication, protected the safety of core net, realize being positioned at the purpose that LIN domestic consumer can't visit SILSN core network element node simultaneously, by the port controlling of ISN, prevent the attack to CNMP simultaneously from domestic consumer in the LIN; Encryption by webmaster stream between UE and the CNMP transmits, and has improved safety of transmission.
Embodiment two
This embodiment is described with an application example in which an ordinary user of the LIN network initiates an access, as shown in Figure 5:
Step 501: the ISN receives a packet from the LIN and extracts its destination address.
Step 502: the ISN judges whether the destination address of this packet is the CNMP address; if so, step 503 is executed, otherwise step 507 is executed.
Step 503: when the destination address is the CNMP address, the source address and source port number of the packet are extracted.
Step 504: judge whether the source address and port number are in the OPT; if so, step 505 is executed, otherwise step 508 is executed.
Step 505: if they are in the OPT, further judge whether their state is open; if the state is not open, the packet is dropped.
Step 506: if the state is open, this packet is forwarded to the CNMP.
Step 507: when the destination address is not the CNMP address, the packet is processed according to the first packet processing manner, which is not repeated here.
Step 508: when the source address of said packet is not in the OPT, judge whether the packet is a network management request message; if so, step 509 is executed, otherwise step 510 is executed.
Step 509: when the packet is determined to be a network management request message, the ISN puts the source address and port into the OPT, sets the state to "frozen", and sends this packet to the CNMP.
Step 510: when the packet is determined not to be a network management request message, it is dropped.
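The following Python model is added here for illustration and is not part of the patent's own disclosure: it implements the ISN decision logic of steps 501 to 510 together with the port-control handling of steps 405, 406 and 411, modelling the OPT as a table keyed by source address and source port; the address, port and threshold values, the method names and the per-entry abnormal-close counter are constructed assumptions.

```python
from dataclasses import dataclass, field

# OPT entry states (assumed names): "frozen" after a first network
# management request, "open" after the CNMP opens the port, "shielded"
# after too many abnormal closes (the blacklist of step 406).
FROZEN, OPEN, SHIELDED = "frozen", "open", "shielded"


@dataclass
class ISN:
    cnmp_addr: str                      # CNMP address (constructed value)
    abnormal_threshold: int = 3         # assumed preset threshold of step 406
    opt: dict = field(default_factory=dict)             # (src, sport) -> state
    abnormal_closes: dict = field(default_factory=dict)  # (src, sport) -> count

    def handle_packet(self, dst, src, sport, is_nm_request):
        """Steps 501-510: return 'forward_normal', 'forward_cnmp' or 'drop'."""
        if dst != self.cnmp_addr:        # step 507: ordinary (S1 space) traffic
            return "forward_normal"
        key = (src, sport)               # step 503
        state = self.opt.get(key)        # step 504
        if state is not None:            # steps 505/506: only "open" passes
            return "forward_cnmp" if state == OPEN else "drop"
        if is_nm_request:                # step 509: freeze, forward first packet
            self.opt[key] = FROZEN
            return "forward_cnmp"
        return "drop"                    # step 510

    def port_control(self, src, sport, action):
        """Apply a CNMP 'port control' message; return the resulting OPT state."""
        key = (src, sport)
        if action == "open":             # step 405 success: open the port
            self.opt[key] = OPEN
        elif action == "close":          # step 411: normal close, entry removed
            self.opt.pop(key, None)
        elif action == "close_abnormal":  # step 406: count, maybe blacklist
            n = self.abnormal_closes.get(key, 0) + 1
            self.abnormal_closes[key] = n
            self.opt.pop(key, None)
            if n >= self.abnormal_threshold:
                self.opt[key] = SHIELDED  # later packets from this key dropped
        else:
            raise ValueError(f"unknown port control action: {action}")
        return self.opt.get(key)
```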
In the above application example, the ISN ensures that the destination address of all data coming from the LIN network can only be an address in the S1 space or the CNMP address;
The CNMP handles functions such as access, authentication and encryption for NMS users coming from the LIN; only NMS users who pass authentication by the CNMP and the ILR can access SILSN core network elements, while ordinary users coming from the LIN can only access S1 space addresses;
The source address and port of a LIN user are opened and closed according to the instructions that the CNMP sends to the ISN;
After receiving the first packet that UE1 sends to the CNMP, the ISN freezes the source address and port of UE1 and, until it receives the CNMP "port control" message that opens the port, does not accept other packets from user UE1 for that source address;
In addition, the CNMP and the ILR compare the network element addresses that the NMS user is allowed to manage, and do not allow the user to access core network addresses outside the administrator's authority;
Only when the CNMP considers the identity identifier to be that of an administrator user does the CNMP forward this user's packet to the ILR for user authentication.
Only for an NMS user who passes ILR authentication and has the authority to manage the corresponding core network element address does the CNMP forward this user's packet to the corresponding core network element.
The CNMP optionally encrypts and decrypts the data exchanged between UE1 and the CNMP.
It should be noted that the present invention is described taking the identity and locator separation network architecture proposed by ZTE Corporation as an example, but is not limited thereto; it is equally applicable to other architectures that separate identity from location, for example HIP, LISP and the identity and locator separation network proposed by Beijing Jiaotong University, all of which belong to identity and locator separation networks; since the implementation methods are similar, they are not repeated here.
The method provided by this embodiment authenticates the conventional Internet user who initiates an access request, controls the user's authority to access network nodes in the SILSN core network according to the authentication result, protects the security of the core network, and at the same time achieves the purpose that ordinary users located in the LIN cannot access SILSN core network element nodes.
As shown in Figure 6, the embodiment of the invention provides an identity and locator separation network system comprising a node for access control, and said node for user access control comprises:
Receiver module 601, configured to receive a packet in which a conventional Internet user accesses a network node in the identity and locator separation network;
Acquisition module 602, configured to obtain the source address and source port of the packet received by said receiver module;
Search module 603, configured to search the recorded correspondence information of source address, source port and authority to access said network node for the source address and source port of said packet;
Control module 604, configured to allow said user and said network node to communicate when said search module 603 finds the source address and source port of said packet and the access rights corresponding to said source address and source port are open.
Optionally, as shown in Figure 7, said node for access control may further comprise:
First judge module 701, configured to further judge whether said packet is a predetermined network management request packet when the source address and source port of said packet are not found in said open state table;
First authentication module 702, configured to verify whether said user is a network administrator when said judge module 701 determines that the packet is said predetermined network management request packet;
Said control module 604 is further configured to allow said user and said network node to communicate when said authentication module verifies that the user is a network administrator.
Further, said node for access control also comprises:
Second judge module, configured so that, if the source address and source port of said packet are not found in said open state table, said node for access control further judges whether said packet is a predetermined network management request packet;
Second authentication module, configured to verify, if the packet matches, whether said user is a network administrator; when verification determines that said user is a network administrator, said node for access control further judges, according to the configured information on the network nodes accessible to this network administrator, whether said user has the authority to access said network node;
Said control module is further configured to allow said user and said network node to communicate when said authentication module determines that said user has the authority to access said network node.
Further, said control module 604 is also configured to discard said packet in any of the following situations:
The source address and source port of said packet are found in the recorded correspondence information, but the access rights corresponding to said source address and source port are not open;
Said packet is judged not to be the predetermined network management request packet;
The form of said packet is judged to be the predetermined network management request packet, but verification determines that said user is not a network administrator;
Said packet is judged to be the predetermined network management request packet and verification determines that said user is a network administrator, but it is judged that said user does not have the authority to access said network node.
Optionally, said node for access control also comprises:
Fourth configuration module, configured to add the source address and source port of said packet to the open state table and configure the access rights corresponding to said source address and source port as shielded, when the total number of times said control module discards packets having the same source address and source port exceeds a preset threshold;
Discard module, configured to directly discard a received packet whose source address and source port have corresponding access rights of shielded.
Further, as shown in Figure 8, said authentication module 702 may further comprise:
Transmitting unit 7021, configured to send an administrator identification request carrying the user identity identifier of said user to the identity location register;
Receiving unit 7022, configured to receive an administrator authentication identification response, said administrator authentication identification response including the authentication result obtained by said identity location register authenticating said user identity identifier according to the configured identity identifiers of network administrators;
Determining unit 7023, configured to determine whether said user is a network administrator according to the authentication result in said administrator authentication identification response.
Optionally, as shown in Figure 9, said node for access control may further comprise:
First configuration module 901, configured to add the source address and source port of said packet to said open state table and configure the access rights corresponding to said source address and source port as frozen, when said first judge module determines that said packet matches the predetermined network management request packet.
Optionally, as shown in Figure 10, said node for access control may further comprise:
Second configuration module 1001, configured to change the access rights corresponding to the source address and source port of said packet in said open state table to open when said first authentication module determines that said user is a network administrator.
Third configuration module 1002, configured to delete the record containing the source address and source port of said packet from said open state table when said authentication module determines that said user is not a network administrator.
Further, as shown in Figure 11, said control module 604 may further comprise:
Acquiring unit 6041, configured to obtain from said administrator authentication response the encryption mode for communication with said user;
Establishing unit 6042, configured to establish communication between said network node and said user using the encryption mode obtained by said acquiring unit 6041.
The system provided by this embodiment authenticates the conventional Internet user who initiates an access request and, according to the authentication result, controls the user's authority to access network nodes in the SILSN core network, which protects the security of the core network and at the same time achieves the purpose that ordinary users located in the LIN cannot access SILSN core network element nodes; through the port control of the ISN, attacks on the CNMP from ordinary users in the LIN are also prevented; encrypted transmission of the network management stream between the UE and the CNMP improves the security of transmission.
One of ordinary skill in the art will appreciate that all or part of the steps of the method of the above embodiments may be implemented by a program instructing related hardware; said program may be stored in a computer-readable storage medium and, when executed, performs one of the steps of the method embodiment or a combination thereof.
In addition, each functional unit in each embodiment of the present invention may be implemented in the form of hardware or in the form of a software function module. If said integrated module is implemented in the form of a software function module and is sold or used as an independent product, it may also be stored in a computer-readable storage medium.
The storage medium mentioned above may be a read-only memory, a magnetic disk, an optical disc or the like.
The above is only a specific embodiment of the present invention, but the protection scope of the present invention is not limited thereto; any change or replacement that a person skilled in the art can readily conceive within the technical scope disclosed by the present invention shall fall within the protection scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope described in the claims.