CN102655458A - Multicast safety management method and multicast boundary control device (MBC) - Google Patents


Info

Publication number: CN102655458A
Authority: CN (China)
Prior art keywords: user, multicast, mbc, message, port
Legal status: Granted (active)
Application number: CN2012101213561A
Other languages: Chinese (zh)
Other versions: CN102655458B (en)
Inventors: 王连朝, 周迪
Current assignee: Zhejiang Uniview Technologies Co Ltd
Original assignee: Zhejiang Uniview Technologies Co Ltd
Priority date: 2012-04-23
Filing date: 2012-04-23
Publication date: 2012-09-05
Priority to CN201210121356.1A; granted and published as CN102655458B

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a multicast security management method. An MBC (multicast boundary control device) registers with the VM (video management server); after successful registration it receives and records the user multicast permission classification list issued by the VM, and records each user's permission information when it receives a message carrying that information. After receiving a user's message, the MBC builds a user port multicast control table and, according to that table, controls the forwarding of the user's multicast data: the multicast data is forwarded if the user is authorized and blocked if not. Based on the same idea, the invention also provides the MBC itself. The method and the MBC effectively control multicast traffic in a surveillance network, prevent users from illegally requesting multicast streams, are simple to configure and are widely applicable.

Description

Multicast security management method and multicast boundary control device
Technical field
The present invention relates to multicast management techniques, and in particular to multicast security management in a video surveillance network environment.
Background technology
With advances in audio/video codec and network storage technology, camera images are digitized, transmitted over IP networks and stored, which has given rise to digital video surveillance.
An IP video surveillance system mainly consists of front-end encoding devices, back-end decoding devices, a central management server and central storage. In current systems, real-time surveillance video is sent to receivers by unicast; because an encoder's capacity is limited, some receivers often cannot obtain the real-time video when there are many of them. Media processing devices were introduced to address this: a media processing device receives a single real-time video stream and replicates it into many unicast streams for the receivers.
In the 1:N pattern (one source, many receivers), using media processing devices makes unicast traffic in the network grow quickly; network bandwidth, or the replication and forwarding capacity of the media processing device, then becomes insufficient to meet the receivers' demand.
To conserve bandwidth, video surveillance systems therefore often send real-time video by multicast: a receiver only needs to join the corresponding multicast group to receive the video. Multicast saves network bandwidth, but it also introduces security management problems. In the network environment shown in Fig. 1 there are many video clients (VCs), some of them legitimate. If an illegitimate VC gains access to the network and sits in the same VLAN on the same switch as an authorized user, it can capture IGMP protocol packets on its own interface to learn the multicast group address the authorized user is receiving, then send a corresponding IGMP Report message and eavesdrop on the stream. Alternatively, the illegitimate user can send a very large number of IGMP Report messages to scan and join multicast groups, pulling every multicast stream in the network to its own receiving port for eavesdropping. It can even steal the IP address of a legitimate user, impersonate that user to join the multicast group, and obtain the surveillance video. All of these create security risks for the video surveillance network.
Summary of the invention
In view of this, the present invention provides a multicast security management method comprising:
A. The MBC registers with the video management server (VM), then receives and records the user multicast permission classification list issued by the VM; this list is a mapping, planned in advance by the VM, from the permission levels of the users in its domain to the multicast address ranges those levels may receive.
B. The MBC obtains and records user permission information. After the MBC receives a user's message, it builds a user port multicast control table from the message's ingress port, the recorded user multicast permission classification list and the user's permission information.
C. When the MBC receives a user's multicast join request, it checks the user port multicast control table to decide whether the user has permission to receive that multicast data; if so it forwards the join request, otherwise it blocks it.
Based on the same inventive concept, the invention also provides an MBC for use in a video surveillance network running multicast. The MBC comprises:
a registration module that, when the MBC starts, sends a registration message to the VM using the MBC's management IP address as the source address;
a recording module that receives and records the user multicast permission classification list for the MBC's domain issued by the VM, obtains and records user permission information, and records the ingress port of each received user message;
a control module that, after the MBC receives a user's message, builds the user port multicast control table from the message's ingress port, the recorded user multicast permission classification list and the user's permission information, and that, when a user's join request arrives, checks that table to decide whether the user may receive the multicast data, forwarding the join request if so and blocking it otherwise.
With this method and device the invention controls user multicast in a surveillance network, ensuring that reception of multicast video streams is secure and controlled, while allowing multicast reception permissions to be configured flexibly; configuration is simple, changes are small and applicability is good.
Description of drawings
Fig. 1 is a schematic of an application network provided by the invention.
Fig. 2 is a flow diagram of the method of the invention.
Fig. 3 is a module diagram of the device of the invention.
Embodiments
The video management server (VM) is a device with one or more of the following functions: centralized management and control of the devices in the surveillance system; scheduling of video surveillance services; management and assignment of surveillance user permissions.
The MBC (Multicast Boundary Control device) is a network device on which the dynamic multicast boundary feature is enabled.
The method of the invention mainly comprises the following steps:
The MBC registers with the VM, then receives and records the user multicast permission classification list issued by the VM; the list is a mapping, planned in advance by the VM, from the permission levels of the users in its domain to the multicast address ranges those levels may receive.
The MBC receives a message carrying user permission information and records the user's permission information. After the MBC receives a user's message, it builds the user port multicast control table from the message's ingress port, the recorded user multicast permission classification list and the user's permission information.
The MBC receives a user's multicast join request and checks the user port multicast control table to decide whether the user has permission to receive the multicast data; if so it forwards the join request, otherwise it blocks it.
The message carrying user permission information received by the MBC may come from the user or from the VM. When it comes from the user, the MBC builds the user port multicast control table from the message's ingress port, the recorded user multicast permission classification list and the user's permission information. When it comes from the VM, the MBC records the user permission information; after it later receives a message from that user, it builds the user port multicast control table from the message's ingress port, the recorded list and the user's permission information.
The invention is described in detail below using a concrete example.
Step 1: The VM plans the permissions of the users in its management domain and plans the multicast address range each permission level may receive, producing the user multicast permission classification list.
In the video surveillance network of Fig. 1, MBC1 is deployed at the network access edge with two users, video clients VC1 and VC2, connected below it; the VM is deployed in the core. The VM assigns permissions to all users, for example VC1 as a high-permission user and VC2 as a low-permission user, and maps permission levels to receivable multicast group address ranges as shown in Table 1. Four levels are used here as an example; in practice the permission classification can be set according to actual conditions. G1, G2 and G3 denote contiguous multicast group address ranges, and G1+G2+G3 is the whole multicast address space; in practice the manageable multicast addresses can be grouped by any user-defined rule to express the group address ranges a user may receive.
User permission    Receivable multicast group address range
High               All (G1+G2+G3)
Medium             G2+G3
Low                G3
None               None
Table 1: user multicast permission classification list
Step 2: Management IP address IP1 is configured on MBC1. After MBC1 comes up and starts, it sends an MBC registration message to the VM; the message can use an existing SIP message format or a private message format. The MBC's management IP address can serve as the gateway address of each VC connected below it, so that the VM learns the IP address range of the VCs governed by this MBC, i.e. which VCs it administers. Using the MBC management IP address as the VCs' gateway address is only one implementation; any implementation that lets the VM learn the VC address range managed by the MBC will do. For example, the MBC can carry its own directly connected network segments when registering with the VM: if the MBC's uplink address towards the VM is 10.10.10.1 and its directly connected segments are 10.10.1.x/24 and 10.10.2.x/24, the VM then knows that VCs from networks 10.10.1.x/24 and 10.10.2.x/24 belong to this MBC.
Step 3: On receiving MBC1's registration message, the VM sends the user multicast permission classification list described above to MBC1. The example below uses the list in Table 1.
Step 4: MBC1 builds a port multicast control table from the received user multicast permission classification list. MBC1 first initializes the user port multicast control table; in the initial state no port has any receivable multicast address range, as shown in Table 2:
Port     Forbidden receive range
Port1    G1+G2+G3
Port2    G1+G2+G3
Port3    G1+G2+G3
...      G1+G2+G3
Table 2: initial port multicast control table (the original is an image; reconstructed from the text, every port forbids the whole range)
Step 5: VC1 attaches at port 2 of MBC1 and sends a login message to the VM. The messages exchanged can be existing SIP messages or private messages between the VC and the VM. VC1 carries its own ID, IP address and/or access gateway address in the login message.
Step 6: The VM determines the MBC to which VC1 belongs and VC1's permission information. If login succeeds, the VM tells VC1 to send a control message announcing its own permission information to MBC1, the MBC it belongs to.
In the above steps, VC1's permission information can also be sent to MBC1 by the VM in a control message; or the VM can both instruct VC1 to announce its permission and announce VC1's permission to MBC1 itself, so that MBC1 learns VC1's permission from both sources. This improves the reliability of the permission information and guards against the user's permission report being intercepted or modified by an illegitimate user.
Step 7: After VC1 receives the VM's notification, it sends a control message carrying its own permission information to MBC1. After MBC1 receives VC1's control message, it obtains and records the user permission information carried in it and determines the ingress port of this user's message, for example port 2. If VC1's permission is high, the port multicast control table of Table 2 is updated as shown in Table 3:
Port     Forbidden receive range
Port1    G1+G2+G3
Port2    None
Port3    G1+G2+G3
...      G1+G2+G3
Table 3: port multicast control table after the update
Or
Step 7': The VM sends a control message containing VC1's permission information to MBC1, and MBC1 obtains and records VC1's permission. After MBC1 receives an IGMP request message or another user message from VC1, it learns the message's ingress port by running IGMP snooping (IGSP, Internet Group Management Protocol Snooping), and updates the port multicast control table from the ingress port and the recorded permission of VC1.
Step 8: When VC1 requests a camera's multicast real-time video, it sends a multicast join request, for example an IGMP Join (Membership Report) message, to MBC1 through port 2, requesting to join the group G1 to which that video belongs.
Step 9: MBC1 determines that G1 is not within port 2's forbidden receive range, so it forwards the join request; subsequent multicast forwarding then proceeds normally under IGMP snooping.
If an illegitimate user attaches through port 1, scans multicast group addresses and learns that groups G1 and/or G2 exist, then when it sends an IGMP Join message requesting to join G1 or G2, MBC1 finds from the existing port multicast control table that G1 and G2 are within port 1's forbidden receive range and drops the message.
A VC can periodically announce its permission information to the MBC, which updates the corresponding port multicast control table entry accordingly. If the MBC receives no control message carrying permission information from the user before a timeout, it ages the port back to the initial state. In addition, when the VM determines that a VC has logged out, it directly instructs MBC1 to restore the port of that VC's source address to the initial state.
In the embodiment above, to remain compatible with other devices, the dynamic multicast boundary feature can be enabled or disabled per port. After the feature is enabled on a port, the above procedure applies to that port and user multicast reception is controlled by the user port multicast control table. On a port where the feature is not enabled, multicast handling is unaffected and follows the original procedure.
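The control path of steps 1 to 9, together with the IGMP Report handling the background section describes, as an added, runnable model; this is example code written for this page, not code from the patent or from Uniview. It assumes IGMPv2 Membership Reports (RFC 2236) as the join request, concrete /16 ranges for G1, G2 and G3, port names `port1`..`port3`, a 60-second aging timeout, and the VM-side mapping from a VC address to the MBC whose registration carried that segment (step 2); all of these are assumptions, the patent fixes none of them.

```python
"""Toy model of the MBC port multicast control table and join check (added example)."""
import ipaddress
import struct

# Table 1 as data. The concrete ranges are assumed; the patent only says G1, G2, G3
# are contiguous ranges whose union is the whole managed multicast address space.
G1 = ipaddress.ip_network("239.1.0.0/16")
G2 = ipaddress.ip_network("239.2.0.0/16")
G3 = ipaddress.ip_network("239.3.0.0/16")
ALL_GROUPS = (G1, G2, G3)
PERMISSION_LIST = {"high": (G1, G2, G3), "medium": (G2, G3), "low": (G3,), "none": ()}

IGMPV2_MEMBERSHIP_REPORT = 0x16  # the "IGMP Join" of steps 8 and 9


def igmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole IGMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_igmpv2_report(group: str) -> bytes:
    """Constructed IGMPv2 Membership Report: type, max resp time, checksum, group."""
    body = struct.pack("!BBH4s", IGMPV2_MEMBERSHIP_REPORT, 0, 0,
                       ipaddress.IPv4Address(group).packed)
    return body[:2] + struct.pack("!H", igmp_checksum(body)) + body[4:]


def parse_igmpv2(msg: bytes):
    """Return (type, group) if the 8-byte header is intact and its checksum verifies, else None."""
    if len(msg) < 8 or igmp_checksum(msg[:8]) != 0:
        return None
    mtype, _, _, group = struct.unpack("!BBH4s", msg[:8])
    return mtype, str(ipaddress.IPv4Address(group))


def owning_mbc(vc_ip: str, registrations: dict):
    """VM side of step 2: registrations map MBC id -> directly connected segments it announced."""
    ip = ipaddress.ip_address(vc_ip)
    for mbc_id, segments in registrations.items():
        if any(ip in ipaddress.ip_network(seg) for seg in segments):
            return mbc_id
    return None


class MBC:
    """Port multicast control table (Tables 2 and 3) plus the join-request check of step 9."""

    def __init__(self, ports, permission_list=PERMISSION_LIST, timeout=60.0):
        self.permission_list = permission_list
        self.timeout = timeout                                  # assumed aging timeout
        self.enabled = {p: True for p in ports}                 # dynamic multicast boundary, per port
        self.forbidden = {p: set(ALL_GROUPS) for p in ports}    # Table 2: everything forbidden
        self.last_refresh = {}                                  # port -> time of last permission message

    def on_permission_message(self, port: str, level: str, now: float) -> None:
        """Steps 7/7': permission learned for the user behind `port` -> Table 3 style update."""
        self.forbidden[port] = set(ALL_GROUPS) - set(self.permission_list[level])
        self.last_refresh[port] = now

    def reset_port(self, port: str) -> None:
        """Back to the initial state (VM reported the VC logged out, or the entry aged out)."""
        self.forbidden[port] = set(ALL_GROUPS)
        self.last_refresh.pop(port, None)

    def age(self, now: float) -> None:
        """Age every port whose permission was not refreshed within the timeout."""
        for port, seen in list(self.last_refresh.items()):
            if now - seen > self.timeout:
                self.reset_port(port)

    def on_igmp(self, port: str, msg: bytes) -> bool:
        """True if the message is forwarded (step 9), False if it is dropped."""
        if not self.enabled.get(port, False):
            return True                         # feature off on this port: original forwarding
        parsed = parse_igmpv2(msg)
        if parsed is None:
            return False                        # truncated or bad checksum: drop
        mtype, group = parsed
        if mtype != IGMPV2_MEMBERSHIP_REPORT:
            return True                         # queries and leaves are not join requests
        addr = ipaddress.IPv4Address(group)
        if not any(addr in net for net in ALL_GROUPS):
            return False                        # outside the managed multicast address space
        return not any(addr in net for net in self.forbidden[port])


if __name__ == "__main__":
    mbc1 = MBC(["port1", "port2", "port3"])
    mbc1.on_permission_message("port2", "high", now=0.0)     # VC1 on port 2, high permission
    join_g1 = build_igmpv2_report("239.1.0.5")                # a group inside G1
    print("VC1 on port2:", mbc1.on_igmp("port2", join_g1))    # forwarded
    print("rogue on port1:", mbc1.on_igmp("port1", join_g1))  # dropped, Table 3 row Port1
```

Because the table is keyed by ingress port, the check is only as strong as the binding between a port and the one user behind it; that is why the design has the VM confirm the permission (step 6) and ages entries that stop being refreshed rather than trusting a single unauthenticated report forever.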
An embodiment of the invention also provides an MBC for use in a video surveillance network running multicast. The MBC comprises:
a registration module that, when the MBC starts, sends a registration message to the VM using the MBC's management IP address as the source address;
a recording module that receives and records the user multicast permission classification list for the MBC's domain issued by the VM, obtains and records user permission information, and records the ingress port of each received user message;
a control module that, after the MBC receives a user's message, builds the user port multicast control table from the message's ingress port, the recorded user multicast permission classification list and the user's permission information, and that, when a user's join request arrives, checks that table to decide whether the user may receive the multicast data, forwarding the join request if so and blocking it otherwise.
The registration module further:
carries the MBC's own directly connected network segment information when registering with the VM, so that the VM learns the user address range administered by the MBC.
The MBC further comprises:
an update module that periodically receives control messages containing user permission information and updates the port state according to the message's ingress port; if no such control message is received before a timeout, it restores the state of the ingress port in the user port multicast control table to the initial state;
a state module that controls whether the control module is enabled: when the control module is enabled, user join requests and multicast stream reception are controlled by the user port multicast control table in the control module; when it is disabled, forwarding follows the existing normal procedure.
The above are only preferred embodiments of the invention; any equivalent modification made within the spirit of the invention falls within the scope of its claims.

Claims (10)

1. A multicast security management method applied on a multicast boundary control device (MBC), characterized in that the method comprises:
A. the MBC registers with a video management server (VM), and receives and records a user multicast permission classification list issued by the VM, wherein the list is a mapping, planned in advance by the VM, from the permission levels of the users in its domain to the multicast address ranges those levels may receive;
B. the MBC obtains and records user permission information; after the MBC receives a user's message, it builds a user port multicast control table from the message's ingress port, the recorded user multicast permission classification list and the user's permission information;
C. when the MBC receives a user's multicast join request, it checks the user port multicast control table to decide whether the user has permission to receive the multicast data; if so it forwards the join request, otherwise it blocks it.
2. The method of claim 1, characterized in that step B further comprises: the user permission information is sent by the VM or by the user in a control message.
3. The method of claim 2, characterized in that step B specifically comprises: the MBC receives a message containing user permission information from the VM and records the user permission information; after the MBC receives the user's message, it builds the user port multicast control table from the message's ingress port, the recorded user multicast permission classification list and the user's permission information.
4. The method of any one of claims 1 to 3, characterized in that the method further comprises: the MBC periodically obtains user permission information through control messages and updates the state of the ingress port of the user's message accordingly; when the MBC receives no control message containing user permission information before a timeout, it restores the state of that port in the user port multicast control table to the initial state.
5. The method of claim 1, characterized in that the MBC carries its own directly connected network segment information in the registration message sent to the VM, so that the VM learns the user address range administered by the MBC in order to determine the MBC to which a user belongs.
6. An MBC for use in a video surveillance network running multicast, characterized in that the MBC comprises:
a registration module that, when the MBC starts, sends a registration message to the VM using the MBC's management IP address as the source address;
a recording module that receives and records the user multicast permission classification list for the MBC's domain issued by the VM, obtains and records user permission information, and records the ingress port of each received user message;
a control module that, after the MBC receives a user's message, builds the user port multicast control table from the message's ingress port, the recorded user multicast permission classification list and the user's permission information, and that, when a user's join request arrives, checks that table to decide whether the user may receive the multicast data, forwarding the join request if so and blocking it otherwise.
7. The MBC of claim 6, characterized in that the user permission information is sent by the VM or by the user in a control message.
8. The MBC of claim 6, characterized in that the registration module further:
carries the MBC's own directly connected network segment information when registering with the VM, so that the VM learns the user address range administered by the MBC to determine the MBC to which a user belongs.
9. The MBC of claim 6, characterized in that the MBC further comprises:
an update module that periodically receives control messages containing user permission information and updates the port state according to the message's ingress port; if no such control message is received before a timeout, it restores the state of the ingress port in the user port multicast control table to the initial state.
10. The MBC of claim 6, characterized in that the MBC further comprises:
a state module for controlling whether the control module is enabled.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210121356.1A CN102655458B (en) 2012-04-23 2012-04-23 A kind of multicast safety management method and multicast boundary control appliance


Publications (2)

Publication Number Publication Date
CN102655458A true CN102655458A (en) 2012-09-05
CN102655458B CN102655458B (en) 2015-10-14

Family

ID=46730985


Country Status (1)

Country Link
CN (1) CN102655458B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102905199A (en) * 2012-09-28 2013-01-30 杭州华三通信技术有限公司 Implement method and device of multicast service and device thereof
CN105791318A (en) * 2016-04-29 2016-07-20 浙江宇视科技有限公司 Multicast safety access apparatus and method thereof
CN115623253A (en) * 2022-12-02 2023-01-17 浙江宇视科技有限公司 Scene-aware video stream management method, system, device, and medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1540920A (en) * 2003-04-23 2004-10-27 华为技术有限公司 Method for implementing controllable multicast operation
CN101202715A (en) * 2007-11-27 2008-06-18 杭州华三通信技术有限公司 Method and apparatus for multicast authority auto dispositions
CN102340511A (en) * 2011-11-03 2012-02-01 杭州华三通信技术有限公司 Safety control method and device


Also Published As

Publication number Publication date
CN102655458B (en) 2015-10-14


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant