CN102917071A - Tunnel connection request distribution method and device - Google Patents
- Publication number: CN102917071A
- Authority: CN (China)
- Prior art keywords: connection request, message, user, lns, request message
- Prior art date
- Legal status: Granted
Landscapes
- Computer And Data Communications (AREA)
Abstract
The invention provides a tunnel connection request distribution method applied to an NAT (Network Address Translation) gateway to dispatch L2TP connection requests from users outside the NAT gateway. The method comprises: judging, according to a predetermined policy, whether an L2TP connection request message from a user requires local authentication, processing it locally if so and otherwise returning an authentication failure message to the user; when the authentication failure message is received, storing its session characteristics in a pre-matching session table; when a request message is subsequently received, acquiring its session characteristics and looking up whether the pre-matching session table contains a corresponding entry; forwarding the message to an LNS (L2TP Network Server) in the intranet behind the NAT gateway if it does, and otherwise processing the L2TP connection request message locally. The service network served by the LNS server is different from the local service network. With this tunnel connection request distribution method, the target LNS server the user intends to access can be identified intelligently while the existing standard protocol is followed.
Description
Technical field
The present invention relates to the field of data communication, and in particular to a method and device for distributing tunnel connection requests in an intranet.
Background technology
With the development of network technology, and especially of IP technology, which is standardized and easy to extend, intelligent video surveillance based on IP networks has developed rapidly, and IP monitoring has become the mainstream of present-day monitoring. For reasons of security and cost, most monitoring networks are deployed in private networks. Many mobile or public-network users use a decoding client (such as a VC) to access monitoring resources located in the private network (such as live streams on an encoder EC); they may dial in via L2TP and access the enterprise private network through a tunnel. Fig. 1 shows exactly such a typical application scenario. For the related technique of traversing the monitoring network's NAT through a tunnel, reference may be made to the applicant's earlier related applications.
To save networking investment, and also to ease network maintenance and management, the video surveillance network and the enterprise office data network are normally merged into one. As shown in Fig. 2, an LNS service is provided on the NAT router at the exit of the enterprise network, so that users on the external network can access enterprise data by L2TP dial-in. At the same time, the corporate intranet also has an LNS device dedicated to the video monitoring service. In such an application scenario, correct treatment measures are needed so that an external user accessing the monitoring service dials in to the monitoring LNS server of the intranet, while a user accessing other enterprise data dials in to the LNS server of the enterprise network.
One processing approach that comes readily to mind is to modify the port number. For example, a user who needs to dial in to the enterprise network could dial using port 1701, and a user who needs to dial in to the monitoring service could dial using port 1801; that is, users would distinguish the different service networks they want to access by different port numbers. However, the IETF (Internet Engineering Task Force) stipulates in the published standard document RFC 2661 that the L2TP destination port number can only be 1701. Making the above change would therefore mean incompatibility with the standard mode and would require a proprietary modification of the protocol, which is unfavourable to large-scale commercial use.
Summary of the invention
In view of this, the invention provides a tunnel connection request distribution device, applied on a NAT gateway to dispatch L2TP connection requests from users outside the NAT gateway, wherein the device comprises:
an LNS service unit, configured to judge, according to a predetermined policy, whether an L2TP connection request message from a user needs to be authenticated locally; if so, to process the request message, and otherwise to return an authentication failure message to the user;
a pre-matching unit, configured to save the session characteristics of an authentication failure message in a pre-matching session table when such a message is received from the LNS service unit; and, when a user's L2TP connection request message is received, to obtain the session characteristics of that message and look up, according to these characteristics, whether a corresponding entry exists in the pre-matching session table; if so, to forward the L2TP connection request message to the LNS server in the intranet behind the NAT gateway; if not, to send the L2TP connection request message to the LNS service unit;
wherein said LNS service unit and the LNS server serve different service networks respectively.
The present invention also provides a tunnel connection request distribution method, applied on a NAT gateway, characterized in that it dispatches L2TP connection requests from users outside the NAT gateway and comprises the following steps:
Step A: judging, according to a predetermined policy, whether an L2TP connection request message from a user needs to be authenticated locally; if so, processing the request message locally, and otherwise returning an authentication failure message to the user;
Step B: when the authentication failure message returned by step A is received, saving its session characteristics in a pre-matching session table; when a user's L2TP connection request message is received, obtaining the session characteristics of that message and looking up, according to these characteristics, whether a corresponding entry exists in the pre-matching session table; if so, forwarding the L2TP connection request message to the LNS server in the intranet behind the NAT gateway; if not, returning to step A to process the L2TP connection request message locally; wherein the service network served by the LNS server is different from the local service network.
The present invention can follow the existing standard protocol and, without changing the user terminal software, intelligently identify the target LNS server the user intends to connect to, completing the user's tunnel connection to the different service networks without requiring much manual intervention by the user.
Description of the drawings
Fig. 1 is a schematic diagram of a typical prior-art video monitoring network.
Fig. 2 is a typical networking diagram with two LNS servers.
Fig. 3 is a logical block diagram of the tunnel connection request distribution device in one embodiment of the present invention.
Fig. 4 is a process flow chart of one embodiment of the present invention.
Embodiment
The present invention applies special processing in the authentication phase of the L2TP connection request so that, while basically preserving the user experience, it intelligently identifies the user's L2TP connection request and distributes it to the LNS server at the front end of the appropriate service network for processing. A detailed implementation of a preferred embodiment of the present invention is described below with reference to the accompanying drawings.
Referring to Fig. 2, Fig. 3 and Fig. 4, the invention provides a tunnel connection request distribution device. In a preferred embodiment the present invention is implemented as a computer program; the device runs on the NAT gateway and comprises a pre-matching unit and an LNS service unit. The following describes the processing flow by which this device, running on the NAT gateway and cooperating with the gateway's existing functions, achieves the above objective of the invention.
Step 101: after receiving an L2TP connection request message, the NAT gateway sends it up to the pre-matching unit for processing;
After the NAT gateway receives a message, if it is a protocol message it needs to be sent up to the software layer for processing; in other words, different protocol messages are delivered to different functional units (or protocol stacks) for processing. In the prior art, L2TP connection request messages are processed by the LNS service unit integrated in the NAT gateway, which acts as the LNS server, so L2TP connection request messages can be delivered directly to the LNS service unit. The present invention breaks this processing flow and first sends these L2TP connection request messages up to the pre-matching unit.
Step 102: the pre-matching unit extracts the session characteristics of the L2TP connection request message and looks up whether a corresponding entry exists in the pre-matching session table; if so, go to step 103, otherwise go to step 104;
Step 103: the pre-matching unit forwards the L2TP connection request message to the LNS server of the intranet and goes to step 108, where the LNS server processes it;
Step 104: the pre-matching unit submits the L2TP connection request message to the local LNS service unit and goes to step 105, where the LNS service unit processes it;
Step 105: the LNS service unit first judges whether the L2TP connection request message satisfies the predetermined policy; if not, it returns an authentication failure message and goes to step 106; if so, it goes to step 107;
Step 106: in the reverse direction of the session, when the pre-matching unit receives the authentication failure message returned by the LNS service unit, it extracts the session characteristics of the authentication failure message and saves them in the pre-matching session table;
Step 107: the LNS service unit authenticates the user name and password in the L2TP connection request message; if authentication fails it returns an authentication failure message; if it succeeds it returns an authentication success message and establishes an L2TP tunnel connection with the user;
Step 108: the LNS server authenticates the user name and password in the L2TP connection request message; if authentication fails it returns an authentication failure message; if it succeeds it returns an authentication success message and establishes an L2TP tunnel connection with the user.
There are many kinds of session characteristics for a message, and they can be combined from features at various levels. The present invention is described using the most common five-tuple as an example. The five-tuple of a message comprises the source IP address, destination IP address, source port, destination port and protocol type. In the present invention, a hit in the pre-matching session table means that a message with the same session characteristics was previously processed by the LNS service unit in step 107 and that the result of the LNS service unit was authentication failure or a mismatch with the predetermined policy; in that case the pre-matching unit needs to forward this message to the LNS server in the intranet for processing. It should be noted that the pre-matching session table is only a logical concept, defined in terms of function; it need not be an independent table and may be fully merged into the various existing session tables.
In the present invention, the LNS service unit can also be understood as a kind of LNS server in the logical sense; it differs from the intranet LNS server only in the service network it serves. In a preferred mode the LNS service unit serves non-video-monitoring service networks, such as various office service networks, while the intranet LNS server serves the video monitoring service network. The present invention needs to distinguish the intention of the user's L2TP connection request, that is, to judge intelligently which LNS server the user's connection request is actually meant for. This judgement is performed by the LNS service unit.
When the LNS service unit receives an L2TP connection request message, it does not immediately start processing the request as the protocol requires, but first judges according to the predetermined policy whether the message is to be processed locally. In a preferred mode, the predetermined policy judges according to the service network identifier carried in the message: for example, the user name in the message may have the form user@domain, and the LNS service unit can judge the service network the user intends from this domain. Suppose the user name has the form "user@office service network", that is, the user name contains the exemplary identifier "office service network". This service network identifier indicates that the user wishes to connect to the local LNS service unit; because the service network corresponding to the LNS service unit is the local service network (the office service network in this example), the LNS service unit simply continues processing as the protocol requires. Suppose instead that the user name is "user@video monitoring service network"; the service network identifier indicates that the user wishes to connect to the LNS server of the intranet, and the LNS service unit can then return an authentication failure message. When the authentication failure message passes through the pre-matching unit, the pre-matching unit adds its five-tuple to the pre-matching session table in step 106; the meaning of this action is that this user's connection request has once been rejected.
After the user terminal receives the authentication failure message, in many cases it initiates the L2TP connection request again (for example, because an automatic retransmission policy is configured locally on the user side). When the L2TP connection request message resent by the user terminal arrives at the pre-matching unit, it naturally hits the pre-matching session table in step 102 and is then forwarded to the intranet LNS server corresponding to the video monitoring service network for processing. The logic here can be summarized as follows: if the user wants to connect to the LNS server corresponding to the video monitoring service network, the request is inevitably refused by the LNS service unit and the session characteristics of the corresponding message are added to the pre-matching session table; a reconnection then hits the session table, so the new L2TP connection request is correctly forwarded to the LNS server. The present invention thus correctly sends the user's resent L2TP connection request to the LNS server through one failure handling round followed by a user reconnection that is bound to match the session entry. A user who wanted to connect to the LNS service unit in the first place never experiences such a failure handling round.
The above describes a relatively ideal situation, or in other words the processing that applies in most cases. Yet the above processing still has special cases to consider. Suppose the user originally wanted to initiate a connection request to the LNS server, but the L2TP connection request message carries no service network identifier at all (for example, the user name is simply "user", with no "domain"). The LNS service unit will evidently treat this as matching the predetermined policy and can therefore continue processing. If the user name and password carried in the user's message are correct, this shows that the L2TP connection request was indeed sent to the local unit, and an authentication success message can be returned; the user's intention was to access the office service network. But if the user name or password carried in the user's message is wrong, there are two situations: in the first, the user intended to connect to the LNS service unit but made a mistake entering the user name or password; in the second, the user intended to connect to the LNS server, and the user name and password are certainly wrong in the authentication of the LNS service unit.
In both situations the LNS service unit returns an authentication failure message. In the second situation, after processing by the pre-matching unit, the user reconnects to the LNS server it wished to connect to and, if the user name and password were not mistyped, naturally authenticates successfully. In the first situation, however, even if the user corrects the user name and password in the resent L2TP connection request message, the pre-matching unit, according to the session characteristics previously added to the session table, automatically sends the L2TP connection request message the user initiates again to the LNS server, and the LNS server is then certain to find the user's user name and password wrong, because the user name and password combinations held by the LNS server are normally different from those held by the LNS service unit. So in the first situation, no matter what the user does, the L2TP connection request messages it resends are all sent to the LNS server for processing, and the result is always authentication failure.
To avoid the problem caused by the above special case, the pre-matching unit, in addition to forwarding when the session table is hit (that is, when the user has previously received an authentication failure message), also needs to delete the entry that was hit. This avoids the problem in the first situation above of the user continually requesting a connection and continually failing; the premise, of course, is that the user corrects the user name and password combination to the right one in a subsequent reconnection request. The present invention can follow the existing standard protocol and, without changing the user terminal software, intelligently identify the target LNS server the user intends to connect to, completing the user's tunnel connection to the different service networks without requiring much manual intervention by the user.
The above are only preferred embodiments of the present invention and are not intended to limit it; any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall fall within its scope of protection.
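The dispatch flow of steps 101 to 108, together with the entry deletion of claim 4, modelled in Python as an added example (not the patent's own code). The user stores, IP addresses and the user@domain policy values are constructed, and it assumes, as the description does, that a client's retry reuses the same five-tuple.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

FiveTuple = Tuple[str, str, int, int, str]
AUTH_OK = "AUTH_OK"
AUTH_FAIL = "AUTH_FAIL"


@dataclass(frozen=True)
class L2TPRequest:
    """An L2TP connection request as seen by the NAT gateway (constructed model)."""
    src_ip: str
    src_port: int
    username: str
    password: str
    dst_ip: str = "203.0.113.1"   # public address of the NAT gateway (constructed)
    dst_port: int = 1701          # fixed by RFC 2661; the scheme never changes it
    proto: str = "udp"

    def five_tuple(self) -> FiveTuple:
        return (self.src_ip, self.dst_ip, self.src_port, self.dst_port, self.proto)


class LNS:
    """A plain LNS (the intranet one): authenticates against its own user store."""

    def __init__(self, name: str, credentials: Dict[str, str]):
        self.name = name
        self.credentials = credentials

    def handle(self, req: L2TPRequest) -> str:
        user = req.username.partition("@")[0]
        return AUTH_OK if self.credentials.get(user) == req.password else AUTH_FAIL


class LNSServiceUnit(LNS):
    """The LNS integrated in the NAT gateway (steps 105 and 107)."""

    def __init__(self, local_domain: str, credentials: Dict[str, str]):
        super().__init__("LNS_SERVICE_UNIT", credentials)
        self.local_domain = local_domain

    def handle(self, req: L2TPRequest) -> str:
        # Predetermined policy (step 105): a user@domain naming another service
        # network is refused; no domain, or the local domain, is authenticated here.
        domain = req.username.partition("@")[2]
        if domain and domain != self.local_domain:
            return AUTH_FAIL
        return super().handle(req)


class PreMatchingUnit:
    """Sits in front of the LNS service unit on the NAT gateway (steps 101-106)."""

    def __init__(self, local_unit: LNSServiceUnit, intranet_lns: LNS):
        self.local_unit = local_unit
        self.intranet_lns = intranet_lns
        self.session_table: Set[FiveTuple] = set()

    def handle(self, req: L2TPRequest) -> Tuple[str, str]:
        key = req.five_tuple()
        if key in self.session_table:          # step 102 hit -> step 103/108
            self.session_table.discard(key)    # claim 4: delete the hit entry
            return self.intranet_lns.name, self.intranet_lns.handle(req)
        result = self.local_unit.handle(req)   # step 104 -> 105/107
        if result == AUTH_FAIL:                # step 106: remember the refusal
            self.session_table.add(key)
        return self.local_unit.name, result


def simulate(requests: List[L2TPRequest]) -> List[Tuple[str, str]]:
    gateway = PreMatchingUnit(
        LNSServiceUnit("office", {"alice": "pw-a", "carol": "pw-c"}),
        LNS("INTRANET_LNS", {"bob": "pw-b"}),
    )
    return [gateway.handle(r) for r in requests]


# Constructed scenario. Each retry reuses the client's source port, so the
# five-tuple is unchanged; that is what lets the retry hit the session table.
SCENARIO = [
    L2TPRequest("198.51.100.7", 40000, "alice@office", "pw-a"),  # local, first try
    L2TPRequest("198.51.100.8", 40001, "bob@video", "pw-b"),     # refused locally
    L2TPRequest("198.51.100.8", 40001, "bob@video", "pw-b"),     # retry -> intranet LNS
    L2TPRequest("198.51.100.9", 40002, "carol", "typo"),         # local, wrong password
    L2TPRequest("198.51.100.9", 40002, "carol", "pw-c"),         # bounced to intranet, fails
    L2TPRequest("198.51.100.9", 40002, "carol", "pw-c"),         # entry deleted -> local, OK
]
```

Requests 4 to 6 reproduce the first special situation of the description: a local user with a mistyped password is bounced to the intranet LNS once and, because the hit entry is deleted, lands back on the LNS service unit on the next retry.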
Claims (10)
1. A tunnel connection request distribution device, applied on a NAT gateway, characterized in that it dispatches L2TP connection requests from users outside the NAT gateway and comprises:
an LNS service unit, configured to judge, according to a predetermined policy, whether an L2TP connection request message from a user needs to be authenticated locally; if so, to process the request message, and otherwise to return an authentication failure message to the user;
a pre-matching unit, configured to save the session characteristics of an authentication failure message in a pre-matching session table when such a message is received from the LNS service unit; and, when a user's L2TP connection request message is received, to obtain the session characteristics of that message and look up, according to these characteristics, whether a corresponding entry exists in the pre-matching session table; if so, to forward the L2TP connection request message to the LNS server in the intranet behind the NAT gateway; if not, to send the L2TP connection request message to the LNS service unit;
wherein said LNS service unit and the LNS server serve different service networks respectively.
2. The device according to claim 1, characterized in that said LNS server serves the video monitoring service network and said LNS service unit serves a non-video-monitoring service network.
3. The device according to claim 1, characterized in that said predetermined policy comprises: if the authentication message carries the identifier of the service network corresponding to the LNS service unit, processing the authentication request; otherwise returning an authentication failure message to the user.
4. The device according to claim 1, characterized in that the pre-matching unit is further configured to delete the corresponding entry when it determines that an entry corresponding to the session characteristics of the message exists in the pre-matching session table.
5. The device according to claim 1, characterized in that said session characteristics are the five-tuple of the message.
6. A tunnel connection request distribution method, applied on a NAT gateway, characterized in that it dispatches L2TP connection requests from users outside the NAT gateway and comprises the following steps:
Step A: judging, according to a predetermined policy, whether an L2TP connection request message from a user needs to be authenticated locally; if so, processing the request message locally, and otherwise returning an authentication failure message to the user;
Step B: when the authentication failure message returned by step A is received, saving its session characteristics in a pre-matching session table; when a user's L2TP connection request message is received, obtaining the session characteristics of that message and looking up, according to these characteristics, whether a corresponding entry exists in the pre-matching session table; if so, forwarding the L2TP connection request message to the LNS server in the intranet behind the NAT gateway; if not, returning to step A to process the L2TP connection request message locally;
wherein the service network served by the LNS server is different from the local service network.
7. The method according to claim 6, characterized in that said LNS server serves the video monitoring service network and said local service network is a non-video-monitoring service network.
8. The method according to claim 6, characterized in that said predetermined policy comprises: if the authentication message carries the identifier of the local service network, processing the authentication request; otherwise returning an authentication failure message to the user.
9. The method according to claim 6, characterized in that said step B further comprises:
when it is determined that an entry corresponding to the session characteristics of the message exists in the pre-matching session table, deleting the corresponding entry.
10. The method according to claim 6, characterized in that said session characteristics are the five-tuple of the message.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201210428576.9A CN102917071B (en) | 2012-10-31 | 2012-10-31 | A kind of tunnel connection request distribution method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN102917071A true CN102917071A (en) | 2013-02-06 |
CN102917071B CN102917071B (en) | 2016-06-08 |
Family ID: 47615301
Country Status (1)
Country | Link |
---|---|
CN (1) | CN102917071B (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111600832A (en) * | 2019-07-25 | 2020-08-28 | 新华三技术有限公司 | Message processing method and device |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP1374537B1 (en) * | 2001-03-27 | 2010-01-20 | Ericsson AB | Tunneling through access networks |
CN102546350A (en) * | 2012-02-10 | 2012-07-04 | 浙江宇视科技有限公司 | Method and device for saving WAN (wide area network) bandwidth in IP (internet protocol) monitoring system |
CN102546657A (en) * | 2012-02-10 | 2012-07-04 | 浙江宇视科技有限公司 | Methods for passing through and assisting in passing through network isolation equipment in Internet protocol (IP) monitoring system, and node |
CN102571524A (en) * | 2012-02-10 | 2012-07-11 | 浙江宇视科技有限公司 | Method for traversing and assisting to transverse network isolation equipment in IP (Internet Protocol) monitoring system and node |
Events
- 2012-10-31: application CN201210428576.9A filed in CN; granted as CN102917071B (status: active)
Also Published As
Publication number | Publication date |
---|---|
CN102917071B (en) | 2016-06-08 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US7716378B2 (en) | System and method to associate a private user identity with a public user identity | |
US7472411B2 (en) | Method for stateful firewall inspection of ICE messages | |
EP2710776B1 (en) | Anonymous signalling | |
US20090319611A1 (en) | Method and System for Facilitating Exchange of A Data Between Applications Using a Communication Platform | |
US8959193B2 (en) | Group management device | |
CN106302371A (en) | A kind of firewall control method based on subscriber service system and system | |
US8335211B2 (en) | Communication system and control server | |
CN104811371A (en) | Brand-new instant messaging system | |
EP2693691B1 (en) | Method and apparatus for initializing gateway in device management system | |
CN107517138A (en) | Equipment detection method and device | |
CN105959188B (en) | Method and device for controlling user terminal to be on-line | |
CN105337973A (en) | Message exchange method and system | |
US8650313B2 (en) | Endpoint discriminator in network transport protocol startup packets | |
CN102202071A (en) | Microsoft service network (MSN)-based network video monitoring method and system | |
BRPI0812140B1 (en) | METHOD FOR IDENTIFYING A SERVICE, APPLICATION PROTOCOL PORT AND SERVICE PROCESSING SYSTEM | |
CN107645570A (en) | Client loading method and device | |
CN105553712A (en) | Server for realizing double-channel connection, terminal, method and system | |
CN106533894A (en) | Brand new secure instant messaging system | |
US20110238810A1 (en) | System and method for state management based on instant messaging platform | |
CN102523236A (en) | Method and equipment for establishing dynamic connection | |
US10666614B2 (en) | Multicast security control method and device based on DNS | |
CN102917071A (en) | Tunnel connection request distribution method and device | |
CN109218436A (en) | A kind of lan device discovery method based on dual-port redundancy technique | |
CN104902497A (en) | Method and device for managing mobile phone hotspot connection | |
US8276204B2 (en) | Relay device and relay method |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| C14 | Grant of patent or utility model | |
| GR01 | Patent grant | |