CN103001966A - Processing and identifying method and device for private network IP - Google Patents
Abstract
The invention discloses a method and device for processing and identifying private network IP addresses. In the method, a user host intercepts an IP packet that the host is about to send to the network, adds a user identifier to the header of the intercepted IP packet, encapsulates the packet and sends the encapsulated packet to the network. A network access device obtains the IP packet carrying the user identifier sent by the client, where the user identifier corresponds to the private network IP address of the IP packet; the network access device extracts the user identifier from the obtained packet, obtains the client's private network IP address from the user identifier, and determines the processing policy for the packet according to that private network IP address. With this method and device, a network access device can quickly identify the pre-NAT (network address translation) private network IP address from the IP packet, for user authentication and traffic monitoring.
Description
Technical field
The present invention relates to the field of network security, and in particular to a method and device for processing and identifying private network IP addresses.
Background technology
With the spread and development of the Internet and of network applications, when a host on an internal network wants to send data to an external network, the IP packet is first sent to a NAT device; the NAT device translates the inside local address to an inside global address and then forwards the packet to the external network. When the external network replies to the internal host, the IP reply packet arrives at the NAT device, which replaces the destination address in the reply with the inside local address and forwards the packet to the internal host.
Existing NAT technology comprises Basic NAT and NAPT. Basic NAT is a one-to-one address translation: only the IP address is changed, TCP/UDP port numbers are not processed, and one public IP address cannot be used by several users at the same time. Basic NAT proceeds as follows: the NAT device receives a packet from a private-side host addressed to a public-side server; it picks a free public IP address from its address pool, creates a forward and a reverse NAT entry between that address and the packet's private-side source IP address, translates the packet according to the forward entry and sends it to the public side; when the reply arrives from the public side, the NAT device looks up the reverse entry by the reply's destination IP address, translates the packet according to it and sends it to the private side. Because Basic NAT does not multiplex addresses, it cannot solve the shortage of public addresses; NAPT can. NAPT is a many-to-one translation: it translates on the pair "IP address + port number", so that many private users can share one public IP address to reach the external network, which makes it the main form of address translation in use. NAPT proceeds as follows: the NAT device receives a packet from a private-side host addressed to a public-side server; it picks a free "public IP address + port number" pair from its pool, creates forward and reverse NAPT entries between that pair and the packet's "source IP address + source port number", translates the packet according to the forward entry and sends it to the public side; when the reply arrives from the public side, it looks up the reverse entry by the reply's "destination IP address + destination port number", translates the packet accordingly and sends it to the private side.

Because the one-to-one scheme of Basic NAT does not multiplex public addresses and so cannot effectively relieve the IP address shortage, it is rarely used in practice. A private-network host must pass through the NAT device to reach the external network, and the NAT device replaces the host's private source IP address in the IP packet with a public IP address, so the host's private IP address is not known to a network access device located after the NAT.
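The NAPT procedure above, as an added example that is not part of the patent: a minimal translator in C with one public address shared by several private hosts. The forward entry maps a private "IP + port" to an allocated public port and the reverse entry maps that public port back; a reply that matches no entry is dropped. The public address, the port pool and the private addresses used are constructed values, not anything the patent specifies.

```c
/* Added example, not the patent's own code: a minimal NAPT translator of the
 * kind the background section describes. One public address (a constructed
 * value) is shared by several private hosts; the forward entry maps the
 * private "IP + port" to a public port and the reverse entry maps it back. */
#include <stdint.h>
#include <string.h>

#define PUBLIC_IP  0xCB007101u   /* 203.0.113.1, assumed public address of the NAT */
#define POOL_BASE  40000         /* first public port in the pool (assumption) */
#define POOL_SIZE  4             /* tiny pool so exhaustion is easy to show */

struct flow { uint32_t ip; uint16_t port; };

struct napt_entry {
    int used;
    struct flow priv;          /* private-side "source IP + source port" */
    uint16_t pub_port;         /* allocated public port; the public IP is PUBLIC_IP */
};

/* The slot index doubles as the reverse entry: slot = pub_port - POOL_BASE. */
struct napt { struct napt_entry tbl[POOL_SIZE]; };

void napt_init(struct napt *n) { memset(n, 0, sizeof *n); }

/* Outbound packet from the private side: reuse the forward entry for this
 * flow or allocate a free "public IP + port" pair. Returns the public port
 * the packet's source should be rewritten to, or 0 when the pool is exhausted. */
uint16_t napt_outbound(struct napt *n, uint32_t priv_ip, uint16_t priv_port) {
    int free_slot = -1;
    for (int i = 0; i < POOL_SIZE; i++) {
        struct napt_entry *e = &n->tbl[i];
        if (e->used && e->priv.ip == priv_ip && e->priv.port == priv_port)
            return e->pub_port;                       /* forward entry hit */
        if (!e->used && free_slot < 0) free_slot = i; /* remember first free slot */
    }
    if (free_slot < 0) return 0;
    n->tbl[free_slot].used = 1;
    n->tbl[free_slot].priv.ip = priv_ip;
    n->tbl[free_slot].priv.port = priv_port;
    n->tbl[free_slot].pub_port = (uint16_t)(POOL_BASE + free_slot);
    return n->tbl[free_slot].pub_port;
}

/* Inbound reply from the public side: look up the reverse entry by the
 * reply's "destination IP + destination port". Returns 1 and fills *out with
 * the private destination to rewrite to, or 0 when no entry matches, in which
 * case unsolicited inbound traffic is dropped. */
int napt_inbound(const struct napt *n, uint32_t dst_ip, uint16_t dst_port, struct flow *out) {
    if (dst_ip != PUBLIC_IP || dst_port < POOL_BASE || dst_port >= POOL_BASE + POOL_SIZE)
        return 0;
    const struct napt_entry *e = &n->tbl[dst_port - POOL_BASE];
    if (!e->used) return 0;
    *out = e->priv;
    return 1;
}
```

Two hosts that both use source port 12345 receive different public ports, and a device downstream of the translator sees only PUBLIC_IP in both cases, which is exactly the loss of information the rest of the patent works around.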
In the prior art, for security reasons, the IP addresses of most private-network hosts are normally not known to public-network users, but some practical applications need to obtain the private network IP address of a host. For traffic monitoring and user authentication inside the private network, a network access device located after the NAT needs the host user's private network IP address. A method is therefore needed so that a network access device after the NAT can obtain the host user's private network IP address as it was before NAT.
Summary of the invention
In view of this, the invention provides a method for processing and identifying private network IP addresses that can quickly identify the pre-NAT private network IP address from the IP packet.
To achieve this object, the invention is implemented as follows:
A method for processing private network IP, applied to a user host, the method comprising:
intercepting an IP packet that the user host is about to send to the network;
adding a user identifier to the header of the intercepted IP packet and encapsulating the packet, then sending the encapsulated packet to the network, so that a network access device can determine from the user identifier which user sent the packet, where the user identifier corresponds to the private network IP address of the packet.
The invention also provides a method for identifying private network IP, applied to a network access device, the method comprising:
obtaining an IP packet carrying a user identifier sent by a client;
extracting the user identifier from the obtained IP packet, obtaining the client's private network IP address from the user identifier, and determining the processing policy for the packet according to that private network IP address.
The invention also provides a device for processing private network IP, applied to a user host, the device comprising:
a packet capture unit, for intercepting an IP packet that the user host is about to send to the network;
a packet processing unit, for adding a user identifier to the header of the intercepted IP packet and encapsulating the packet, then sending the encapsulated packet to the network, so that a network access device can determine from the user identifier which user sent the packet, where the user identifier corresponds to the private network IP address of the packet.
The invention also provides a device for identifying private network IP, applied to a network access device, the device comprising:
a packet receiving unit, for obtaining an IP packet carrying a user identifier sent by a client;
a user information acquisition unit, for extracting the user identifier from the obtained IP packet, obtaining the client's private network IP address from the user identifier, and determining the processing policy for the packet according to that private network IP address.
Compared with the prior art, the invention adds, on the user host, a unique user identifier to the header of each IP packet the host is about to send to the external network; a network access device located after the NAT device obtains the private user IP address from that unique user identifier, so that it can quickly identify the pre-NAT private network IP address from the IP packet and then perform user authentication, traffic monitoring and the like.
Description of drawings
Fig. 1 is a logical block diagram of the devices for processing and identifying private network IP according to the invention.
Fig. 2 is a flow diagram of the method for processing private network IP in an embodiment of the invention.
Fig. 3 is a flow diagram of the method for identifying private network IP in an embodiment of the invention.
Embodiment
The general design of the invention is as follows: an NDIS intermediate driver is installed on the user host; the driver adds a user identifier to the header of each IP packet the host is about to send to the network; the IP packet carrying the user identifier passes through the NAT device and reaches the network intermediate device; on receiving an IP packet carrying a user identifier, the network intermediate device obtains the user's private network IP address from the identifier and processes the packet, where the user identifier corresponds to the private network IP address of that packet.
The invention is described in detail below with reference to the drawings. Referring to Fig. 1, the invention provides a device for processing private network IP, applied to a user host, and correspondingly a device for identifying private network IP, applied to a network access device. The processing device on the user host side comprises a packet capture unit 101 and a packet processing unit 102. Referring further to Fig. 2, a flow diagram of the method for processing private network IP provided by the invention, the method is carried out by the processing device on the user host side shown in Fig. 1 and comprises the following steps:
Step 201: intercept an IP packet that the user host is about to send to the network.
This step is performed by packet capture unit 101. Specifically, an NDIS intermediate driver, for example one built on the PassThru sample driver, is installed on the user host, and this intermediate driver intercepts all outgoing packets on their way to the network card. An NDIS intermediate driver operates between the MINIPORT and PROTOCOL interfaces: it exports a PROTOCOL interface downwards and a MINIPORT interface upwards, so the driver is inserted between the NIC driver and the transport driver. A packet handed down by the transport driver enters packet capture unit 101 through the exported MINIPORT interface and, after processing, is passed on to the lower NIC driver through the exported PROTOCOL interface. Not every packet received here is an IP packet; non-IP traffic such as ARP frames also arrives (ICMP, by contrast, is carried inside IP and therefore counts as an IP packet). In a preferred mode, therefore, before a packet is intercepted and further processed, packet capture unit 101 filters it according to a preset filtering rule: a non-IP packet is passed through unchanged, while an IP packet is kept and handled by the prepared callback functions MPSend and PtSendComplete. This completes the process by which packet capture unit 101 intercepts an IP packet that the user host is about to send to the network.
Step 202: add a user identifier to the header of the intercepted IP packet and encapsulate the packet, then send the encapsulated packet to the network, so that the network access device can determine from the user identifier which user sent the packet, where the user identifier corresponds to the private network IP address of the packet.
This step is performed by packet processing unit 102. Specifically, once packet capture unit 101 has intercepted an IP packet that the user host is about to send to the network, packet processing unit 102 adds the user identifier to the Options field of the packet's IP header; the user identifier is the private network IP address of the private-network user host. An IP header may or may not carry an Options field: a plain IP header is 20 bytes and has no Options field. Referring to Table 1, the invention uses IP packets whose header carries the Options field and places the user identifier in that field. When such a modified packet passes through the NAT device, the NAT device rewrites the source IP address (the 32-bit source address field in Table 1) to the corresponding public IP address, but under the NAT processing mechanism the Options field of the packet is not changed. Since the user identifier is placed in the Options field of the IP header, it is not altered during NAT, and the packet after NAT still carries the same user identifier as the packet before NAT. However many NAT translations the packet goes through, the user identifier in the Options field is preserved, which means the user identifier can be carried across a wide-area network.
Table 1
After the user identifier has been added to the IP header, the packet is encapsulated. Preferably, the NDIS intermediate driver handles the IP packet in the prepared callback functions MPSend and PtSendComplete; once the packet has been processed, the intermediate driver passes it from the MINIPORT interface it exports down to the PROTOCOL interface, and the IP packet carrying the user identifier is sent to the network, so that when the network access device obtains the packet it can recover the pre-NAT private network IP address corresponding to the packet from the user identifier the packet carries.
Once the client has sent the IP packet carrying the user identifier to the network, the network access device can receive it. Referring to the device for identifying private network IP provided by the invention in Fig. 1, applied to a network access device, the device comprises a packet receiving unit 103 and a user information acquisition unit 104. Referring further to Fig. 3, the method for identifying private network IP provided by the invention is carried out by the identifying device on the network access device side and comprises the following steps:
Step 301: obtain an IP packet carrying a user identifier sent by a client.
This step is performed by packet receiving unit 103. In the private-network environment, the network access device is connected after the NAT device and links to the outside network, that is, an IP packet destined for the external network is first translated by the NAT device and then enters the network. After the private-network user host has sent an IP packet carrying the user identifier to the network, packet receiving unit 103 obtains that packet, where the user identifier is the host user's private network IP address.
Step 302: extract the user identifier from the obtained IP packet, obtain the client's private network IP address from the user identifier, and determine the processing policy for the packet according to that private network IP address.
This step is performed by user information acquisition unit 104. After packet receiving unit 103 has obtained the IP packet carrying the user identifier sent by the user, user information acquisition unit 104 extracts the user identifier from the packet, obtains the client's private network IP address from it, and then, as required, applies to the packet one of at least two of the three processing methods drop, forward and rate-limit. The user identifier is the host's private network IP address and is located in the Options field of the IP packet. Once the network access device has obtained the host user's private network IP address from the user identifier, it can further perform user authentication and traffic monitoring based on that address.
With the invention, by installing an NDIS intermediate driver on the user host and adding a user identifier to the header of each IP packet the host is about to send to the network, the network access device can identify the pre-NAT private network IP address from the user identifier in each received IP packet and thereby achieve authentication and traffic monitoring. For example, an internal network contains four hosts A, B, C and D, of which host A is not allowed to access the external network. By adding a user identifier to the IP header of the packets that these four hosts are about to send, the network access device can obtain, from the user identifier in each received packet, the pre-NAT IP address corresponding to that packet; when the private network IP address corresponding to the identifier is that of host A, the network access device drops the received IP packet. The method can thus also control whether each pre-NAT host may access the Internet, avoiding the situation where, once one pre-NAT host has passed authentication, all pre-NAT hosts can access the Internet.
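Steps 201, 202 and 302 and the hosts A to D example, as one added example in C that is not code from the patent: the EtherType filter of step 201, the insertion of the private source address into the IP Options field with IHL, total length and header checksum fixed up (step 202), a NAT source rewrite that leaves the options alone, and a bounds-checked options walk on the access device followed by the drop/forward decision (step 302). The option number (the RFC 4727 experimental number 30 with the copy flag set), the addresses, the sample packet and the assignment of 192.168.1.1 to host A are assumptions for illustration; the patent names none of them.

```c
/* Added example, not the patent's own code: host-side option insertion
 * (step 202), a NAT source rewrite that leaves IP options alone, and the
 * access-device extraction and policy (step 302). The option number, the
 * addresses and the sample packet are constructed for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define ETHERTYPE_IPV4 0x0800
/* Assumed option type: copy flag set (kept in every fragment), class 0,
 * number 30, the experimental option number of RFC 4727. */
#define OPT_USER_ID 0x9E
#define OPT_LEN 6      /* type, length, 4-byte private IP */
#define OPT_PAD 8      /* option plus EOL padding to a 32-bit boundary */

enum policy { POLICY_FORWARD = 0, POLICY_DROP = 1, POLICY_RATELIMIT = 2 };

/* RFC 1071 one's-complement checksum over the IPv4 header. */
static uint16_t ip_checksum(const uint8_t *h, size_t len) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2) sum += (uint32_t)(h[i] << 8 | h[i + 1]);
    if (len & 1) sum += (uint32_t)h[len - 1] << 8;
    while (sum >> 16) sum = (sum & 0xFFFF) + (sum >> 16);
    return (uint16_t)~sum;
}
static void put_checksum(uint8_t *ip) {
    ip[10] = ip[11] = 0;
    uint16_t c = ip_checksum(ip, (size_t)(ip[0] & 0x0F) * 4);
    ip[10] = (uint8_t)(c >> 8); ip[11] = (uint8_t)c;
}
static uint32_t get32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Step 201 filter: only IPv4 frames are captured, anything else passes through. */
int frame_is_ipv4(const uint8_t *frame) { return (frame[12] << 8 | frame[13]) == ETHERTYPE_IPV4; }

/* Step 202: insert the user identifier (the private source IP) as an IP option,
 * fixing IHL, total length and checksum. Returns the new packet length, or -1
 * if the packet is not IPv4 or the header cannot take another option. */
int add_user_id_option(uint8_t *pkt, size_t len, size_t cap) {
    size_t ihl = (size_t)(pkt[0] & 0x0F) * 4;
    if ((pkt[0] >> 4) != 4 || ihl < 20 || len < ihl) return -1;
    if (ihl + OPT_PAD > 60 || len + OPT_PAD > cap) return -1;   /* IHL is at most 15 words */
    memmove(pkt + ihl + OPT_PAD, pkt + ihl, len - ihl);         /* make room after the header */
    uint8_t *o = pkt + ihl;
    o[0] = OPT_USER_ID; o[1] = OPT_LEN;
    memcpy(o + 2, pkt + 12, 4);                                 /* identifier = private source address */
    o[6] = 0; o[7] = 0;                                         /* End of Option List, then padding */
    pkt[0] = (uint8_t)(0x40 | (ihl + OPT_PAD) / 4);
    uint16_t tot = (uint16_t)((pkt[2] << 8 | pkt[3]) + OPT_PAD);
    pkt[2] = (uint8_t)(tot >> 8); pkt[3] = (uint8_t)tot;
    put_checksum(pkt);
    return (int)(len + OPT_PAD);
}

/* NAT: rewrite the 32-bit source address field only; the options are untouched. */
void nat_rewrite_source(uint8_t *pkt, uint32_t public_ip) {
    pkt[12] = (uint8_t)(public_ip >> 24); pkt[13] = (uint8_t)(public_ip >> 16);
    pkt[14] = (uint8_t)(public_ip >> 8);  pkt[15] = (uint8_t)public_ip;
    put_checksum(pkt);
}

/* Step 302: walk the options list with bounds checks and return the identifier.
 * A bad checksum or a malformed options list yields 0 (nothing found). */
int extract_user_id(const uint8_t *pkt, size_t len, uint32_t *priv_ip) {
    size_t ihl = (size_t)(pkt[0] & 0x0F) * 4;
    if (len < 20 || ihl < 20 || len < ihl || ip_checksum(pkt, ihl) != 0) return 0;
    for (size_t i = 20; i < ihl; ) {
        uint8_t t = pkt[i];
        if (t == 0) break;                  /* End of Option List */
        if (t == 1) { i++; continue; }      /* No Operation */
        if (i + 1 >= ihl) return 0;         /* length byte missing */
        uint8_t l = pkt[i + 1];
        if (l < 2 || i + l > ihl) return 0; /* option would overrun the header */
        if (t == OPT_USER_ID && l == OPT_LEN) { *priv_ip = get32(pkt + i + 2); return 1; }
        i += l;
    }
    return 0;
}

/* Policy for the hosts A..D example: host A (assumed 192.168.1.1) is denied. */
enum policy decide(uint32_t priv_ip) { return priv_ip == 0xC0A80101u ? POLICY_DROP : POLICY_FORWARD; }

/* End to end on a constructed 24-byte UDP packet from host A to 8.8.8.8: insert
 * the option, pass through NAT, extract and decide. Returns the policy, or -1. */
int demo(uint32_t *seen_src, uint32_t *priv_ip) {
    uint8_t pkt[64] = { 0x45, 0x00, 0x00, 0x18, 0x00, 0x01, 0x00, 0x00, 0x40, 0x11, 0x00, 0x00,
                        192, 168, 1, 1, 8, 8, 8, 8, 0xAA, 0xBB, 0xCC, 0xDD };
    int n = add_user_id_option(pkt, 24, sizeof pkt);
    if (n < 0) return -1;
    nat_rewrite_source(pkt, 0xCB007101u);        /* 203.0.113.1, assumed public address */
    *seen_src = get32(pkt + 12);                 /* what the access device sees as source */
    if (!extract_user_id(pkt, (size_t)n, priv_ip)) return -1;
    return (int)decide(*priv_ip);
}
```

After NAT the source field reads 203.0.113.1 while the option still names 192.168.1.1, which is the property the patent relies on. Two points a practitioner should keep in view: the page describes no integrity protection for the option, so the address the access device extracts is whatever the sending host's driver wrote, and the parser above can reject a malformed option but cannot tell a forged identifier from a genuine one; and routers and firewalls commonly slow-path or drop packets that carry IP options, so the claim that the identifier survives any number of NATs holds only where the path forwards options-bearing packets at all.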
The above are only preferred embodiments of the invention and are not intended to limit it; any modification, equivalent replacement, improvement and the like made within the spirit and principles of the invention shall fall within its scope of protection.
Claims (17)
1. A method for processing private network IP, applied to a user host, characterized in that the method comprises:
intercepting an IP packet that the user host is about to send to the network;
adding a user identifier to the header of the intercepted IP packet and encapsulating the packet, then sending the encapsulated packet to the network, so that a network access device can determine from the user identifier which user sent the packet, wherein the user identifier corresponds to the private network IP address of the packet.
2. The method of claim 1, characterized in that the method is implemented by an intermediate driver, the intermediate driver being located between the NIC driver and the transport driver.
3. The method of claim 1, characterized in that the user identifier is the private network IP address of the host.
4. The method of claim 1, characterized in that the user identifier is added to the Options field of the IP header.
5. The method of claim 1, characterized in that, before intercepting the IP packet that the user host is about to send to the network, the method further comprises:
determining whether the packet that the user host is about to send to the network is an IP packet;
if not, passing the packet through; otherwise, intercepting the IP packet.
6. A method for identifying private network IP, applied to a network access device, characterized in that the method comprises:
obtaining an IP packet carrying a user identifier sent by a client;
extracting the user identifier from the obtained IP packet, obtaining the client's private network IP address from the user identifier, and determining the processing policy for the packet according to that private network IP address.
7. The method of claim 6, characterized in that the user identifier is the private network IP address of the host.
8. The method of claim 6, characterized in that the user identifier is located in the Options field of the IP packet.
9. The method of claim 6, characterized in that it further comprises:
the processing policy comprising at least two of the three policies drop, forward and rate-limit.
10. A device for processing private network IP, applied to a user host, characterized in that the device comprises:
a packet capture unit, for intercepting an IP packet that the user host is about to send to the network;
a packet processing unit, for adding a user identifier to the header of the intercepted IP packet and encapsulating the packet, then sending the encapsulated packet to the network, so that a network access device can determine from the user identifier which user sent the packet, wherein the user identifier corresponds to the private network IP address of the packet.
11. The device of claim 10, characterized in that the user identifier is the private network IP address of the host.
12. The device of claim 10, characterized in that the user identifier is added to the Options field of the IP header.
13. The device of claim 10, characterized in that the packet capture unit is further configured to:
before intercepting the IP packet that the user host is about to send to the network, determine whether the packet that the user host is about to send to the network is an IP packet;
if not, pass the packet through; otherwise, intercept the IP packet.
14. A device for identifying private network IP, applied to a network access device, characterized in that the device comprises:
a packet receiving unit, for obtaining an IP packet carrying a user identifier sent by a client;
a user information acquisition unit, for extracting the user identifier from the obtained IP packet, obtaining the client's private network IP address from the user identifier, and determining the processing policy for the packet according to that private network IP address.
15. The device of claim 14, characterized in that the user identifier is the private network IP address of the host.
16. The device of claim 14, characterized in that the user identifier is located in the Options field of the IP packet.
17. The device of claim 14, characterized in that it further comprises:
the processing policy comprising at least two of the three policies drop, forward and rate-limit.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201210539673.5A CN103001966B (en) | 2012-12-11 | 2012-12-11 | Processing and identifying method and device for private network IP |
Publications (2)
Publication Number | Publication Date |
---|---|
CN103001966A true CN103001966A (en) | 2013-03-27 |
CN103001966B CN103001966B (en) | 2016-06-08 |