CN103001966B - Method and device for processing and identifying a private network IP - Google Patents


Info

Publication number
CN103001966B
CN103001966B
Authority
CN
China
Prior art keywords
message
network
user identifier
private network
subscriber
Legal status
Active
Application number
CN201210539673.5A
Other languages
Chinese (zh)
Other versions
CN103001966A (en)
Inventor
查善君
Current Assignee
Hangzhou DPTech Technologies Co Ltd
Original Assignee
Hangzhou DPTech Technologies Co Ltd


Abstract

The invention discloses a method and apparatus for processing and identifying a private network IP address. The method includes: a subscriber host intercepts the IP packets it is about to send to the network; the subscriber host adds a user identifier to the header of each intercepted IP packet, encapsulates the packet, and then sends the encapsulated packet to the network; a network access device obtains the IP packet carrying the user identifier sent by the client, where the user identifier corresponds to the private network IP address of that packet; the network access device extracts the user identifier from the received IP packet, obtains the client's private network IP address from the identifier, and determines the processing policy for the packet according to that private network IP address. With the invention, a network access device can quickly identify the pre-NAT private network IP address from an IP packet and then carry out user authentication, traffic monitoring and the like.

Description

Method and device for processing and identifying a private network IP
Technical field
The present invention relates to the field of network security, and in particular to a method and device for processing and identifying a private network IP address.
Background technology
With the spread and development of the Internet and network applications, when a host in an internal network wants to send data to an external network, the IP packet is first sent to a NAT device; the NAT device translates the inside local address into an inside global address and then forwards the IP packet to the external network. When the external network responds to the internal host, the IP response packet is sent to the NAT device, which replaces the destination address in the response packet with the inside local address and forwards the packet to the internal host.
Existing NAT technology includes Basic NAT and NAPT. Basic NAT is a one-to-one address translation: only the IP address is changed, the TCP/UDP port numbers are not processed, and one public IP address cannot be used by several users at the same time. Basic NAT proceeds as follows: the NAT device receives a packet sent by a private-side host to a public-side server; the NAT device selects an idle public IP address from its address pool, creates a NAT translation entry (forward and reverse) between that address and the source IP address of the private-side packet, translates the packet according to the forward NAT entry it looks up, and sends it to the public side; when the NAT device receives the reply from the public side, it looks up the reverse NAT entry by the reply's destination IP address, translates the packet according to the result, and sends it to the private side. Because Basic NAT does not multiplex addresses, it cannot solve the shortage of public addresses; NAPT can. NAPT is a many-to-one address translation: by translating on the basis of "IP address + port number", it lets multiple private users share one public IP address to reach the external network, and it is therefore the main form in which address translation is implemented.
NAPT proceeds as follows: the NAT device receives a packet sent by a private-side host to a public-side server; the NAT device selects an idle "public IP address + port number" pair from its address pool, creates NAPT translation entries (forward and reverse) between that pair and the packet's "source IP address + source port number", translates the packet according to the forward NAPT entry it looks up, and sends it to the public side; when the NAT device receives the reply from the public side, it looks up the reverse NAPT entry by the reply's "destination IP address + destination port number", translates the packet according to the result, and sends it to the private side. Because the one-to-one translation of Basic NAT does not multiplex public addresses, it cannot effectively solve the shortage of IP addresses and is therefore rarely used in practice. A private network host must pass through a NAT device to reach the external network, and the NAT device changes the source IP in the IP packet from the host's private IP to a public IP, so the host's private IP address is unknown to network access devices located after the NAT.
In the prior art, for security reasons, the IP addresses of most private network hosts are generally not known to public network users, but some practical applications need to obtain a host's private IP address. In a private network, a network access device located after the NAT needs the private IP of the host user in order to perform traffic monitoring and user authentication. A method is therefore needed that lets the network access device obtain the host user's pre-NAT private IP from the post-NAT IP packet.
Summary of the invention
In view of this, the present invention provides a method for processing and identifying a private network IP, which can quickly identify the pre-NAT private IP from an IP packet.
To achieve the object of the invention, the implementation of the invention is as follows:
A method for processing a private network IP, applied to a subscriber host, the method including:
intercepting the IP packets that the subscriber host is about to send to the network;
adding a user identifier to the header of each intercepted IP packet, encapsulating the packet, and then sending the encapsulated IP packet to the network, so that a network access device can determine from the user identifier which user sent the packet, where the user identifier corresponds to the private IP address of the packet.
The invention also provides a method for identifying a private network IP, applied to a network access device, the method including:
obtaining an IP packet carrying a user identifier sent by a client;
extracting the user identifier from the received IP packet, obtaining the client's private IP from the user identifier, and determining the processing policy for the packet according to that private IP address.
The invention also provides a device for processing a private network IP, applied to a subscriber host, the device including:
a packet capture unit for intercepting the IP packets that the subscriber host is about to send to the network;
a packet processing unit for adding a user identifier to the header of each intercepted IP packet, encapsulating the packet, and sending the encapsulated IP packet to the network, so that a network access device can determine from the user identifier which user sent the packet, where the user identifier corresponds to the private IP address of the packet.
The invention also provides a device for identifying a private network IP, applied to a network access device, characterised in that the device includes:
a packet receiving unit for obtaining an IP packet carrying a user identifier sent by a client;
a user information acquisition unit for extracting the user identifier from the received IP packet, obtaining the client's private IP from the user identifier, and determining the processing policy for the packet according to that private IP address.
Compared with the prior art, the invention adds a unique user identifier, on the subscriber host, to the header of each IP packet the host is about to send to the external network; the network access device after the NAT device obtains the private user IP from that unique identifier, so that it can quickly identify the pre-NAT private IP from an IP packet and then perform user authentication, traffic monitoring and the like.
Brief description of the drawings
Fig. 1 is a logical block diagram of the devices of the invention for processing and identifying a private network IP.
Fig. 2 is a flow diagram of the method for processing a private network IP in an embodiment of the invention.
Fig. 3 is a flow diagram of the method for identifying a private network IP in an embodiment of the invention.
Detailed description of the invention
The general design of the invention is as follows: an NDIS intermediate driver is installed on the subscriber host; this driver adds a user identifier to the header of each IP packet the host is about to send to the network; the IP packet carrying the user identifier is then sent through the NAT device to a network intermediate device located after it; when that device receives the packet carrying the user identifier, it obtains the user's private IP from the identifier and processes the packet accordingly, where the user identifier corresponds to the private IP address of the packet.
To achieve the object of the invention, the invention is described in detail below with reference to the drawings. Referring to Fig. 1, the invention provides a device for processing a private network IP, applied to a subscriber host, and correspondingly a device for identifying a private network IP, applied to a network access device. The processing device on the subscriber host side includes a packet capture unit 101 and a packet processing unit 102. Referring further to Fig. 2, a flow diagram of the method for processing a private network IP provided by the invention, the method is performed by the processing device on the subscriber host side shown in Fig. 1 and comprises the following steps:
Step 201: intercept the IP packets that the subscriber host is about to send to the network.
This step is performed by the packet capture unit 101. Specifically, an NDIS intermediate driver, for example the passthru driver, is installed on the subscriber host, and all raw packets from the network interface card are intercepted by this driver. An NDIS intermediate driver sits between the MINIPORT and PROTOCOL interfaces: it exports a PROTOCOL interface downward and a MINIPORT interface upward. The driver NDIS creates is inserted between the NIC driver and the transport driver. When the lower-layer NIC driver receives a packet and it is passed through the MINIPORT interface to the exported PROTOCOL interface, the packet capture unit 101 of the NDIS intermediate driver has received the packet from the host's network card. The packets received here are not all IP packets; there may also be non-IP packets such as ARP packets and ICMP packets. Therefore, in a preferred mode, before a packet is intercepted and further processed, the packet capture unit 101 filters the data packets according to a preset filtering rule: if a received packet is a non-IP packet it is let through, and if it is an IP packet it is retained and the prepared callback functions MPSend and PtSendComplete are called to process it. This completes the process by which the packet capture unit 101 intercepts the IP packets the subscriber host is about to send to the network.
Step 202: add a user identifier to the header of the intercepted IP packet, encapsulate the packet, and then send the encapsulated IP packet to the network, so that a network access device can determine from the user identifier which user sent the packet, where the user identifier corresponds to the private IP address of the packet.
This step is performed by the packet processing unit 102. Specifically, after the packet capture unit 101 has intercepted an IP packet the subscriber host is about to send to the network, the packet processing unit 102 adds a user identifier to the Options field of the packet's IP header; the user identifier is the private IP of the private network user host. Some IP headers carry an Options field and some do not; a common IP header is 20 bytes long and has no Options field. Referring to Table 1, the invention uses IP packets whose IP header carries an Options field, and adds the user identifier to that option. When the modified IP packet passes through the NAT device, the NAT device changes the source IP address in the packet, located in the 32-bit source IP address field of Table 1, to the corresponding public IP address; but under the NAT processing mechanism the Options field of the IP packet is not changed, and since the user identifier is placed inside the Options field of the IP header it is not altered by NAT processing, so the IP packet after NAT still contains the same user identifier as the packet before NAT. No matter how many NAT stages the IP packet passes through, the identifier in the Options field is retained; that is, the identifier can traverse a wide-area network.
Table 1
After the user identifier has been added to the header of the IP packet, the packet is encapsulated. Preferably, the NDIS intermediate driver processes the IP packet through the prepared callback functions MPSend and PtSendComplete; after it has processed the end of the IP packet, the NDIS intermediate driver continues to send the data through the exported MINIPORT interface to the PROTOCOL interface, and the IP packet carrying the user identifier is then sent to the network, so that once the network access device receives the IP packet carrying the user identifier, it obtains the pre-NAT private IP corresponding to that packet from the user identifier in it.
Once the client has sent the IP packet carrying the user identifier to the network, the network access device can receive that packet. Referring to the device for identifying a private network IP provided by the invention in Fig. 1, which is applied on the network access device, the device includes a packet receiving unit 103 and a user information acquisition unit 104. Referring further to Fig. 3, a method for identifying a private network IP provided by the invention is performed by the identifying device on the network access device side and comprises the following steps:
Step 301: obtain the IP packet carrying a user identifier sent by the client.
This step is performed by the packet receiving unit 103. In a private network environment, the network access device is connected after the NAT device, between it and the outside network; that is, an IP packet bound for the external network must first undergo NAT translation at the NAT device and then enter the network. When the private network user host sends the IP packet carrying the user identifier to the network, the packet receiving unit 103 obtains the packet carrying the user identifier sent by the user, where the user identifier is the private IP of the host user.
Step 302: extract the user identifier from the received IP packet, obtain the client's private IP from the user identifier, and determine the processing policy for the packet according to that private IP address.
This step is performed by the user information acquisition unit 104. After the packet receiving unit 103 has obtained the IP packet carrying the user identifier sent by the user, the user information acquisition unit 104 extracts the user identifier from the received packet, obtains the private IP corresponding to the client from the identifier, and then applies to the packet, as required, at least two of the processing methods drop, forward and rate limit. The user identifier is the host's private IP and is located in the Options field of the IP packet. Once the network access device has obtained the host user's private IP from the user identifier, it can further carry out user authentication and traffic monitoring based on the private IP obtained.
By installing an NDIS intermediate driver on the subscriber host and adding a user identifier to the header of each IP packet the host is about to send to the network, the invention lets the network access device identify the pre-NAT private IP from the user identifier in each received IP packet, and thereby achieve authentication and traffic monitoring. For example, an internal network has four hosts A, B, C and D, of which host A is not allowed to access the external network. A user identifier is added to the IP header of each packet the four hosts are about to send; from the user identifier in each received IP packet, the network access device obtains the pre-NAT IP address corresponding to that packet, and if the private IP corresponding to the identifier is the IP of host A, the network access device discards the received packet. In this way, it can be controlled whether each host before the NAT may access the Internet, avoiding the situation where, once one host before the NAT has passed authentication, all hosts before the NAT can access the Internet.
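The two halves of the procedure (steps 201/202 on the host, 301/302 on the access device) with the NAT hop between them, as an added Python example that is not part of the patent or of DPTech's code: it carries the private source address in an IPv4 Options-field entry, shows that a source-address rewrite leaves the Options field intact, and applies a per-private-IP drop/forward/rate-limit policy. The option code 0x9E, the host and NAT addresses and the rule table are constructed for illustration; the patent names none of them.

```python
import ipaddress
import struct
from typing import Iterator, Optional, Tuple

# Constructed option code for the user identifier; the patent names no code.
# 0x9E = copied flag set, control class, option number 30.
USER_ID_OPTION = 0x9E
USER_ID_OPTION_LEN = 6          # type, length, 4-byte private IPv4 address

def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum of an IPv4 header (0 when verifying a good one)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def _split(packet: bytes) -> Tuple[bytes, bytes, bytes]:
    """Return (fixed 20-byte header, options, payload); reject non-IPv4 data."""
    ihl = (packet[0] & 0x0F) * 4 if packet else 0
    if len(packet) < 20 or packet[0] >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 packet")
    return packet[:20], packet[20:ihl], packet[ihl:]

def _assemble(fixed: bytes, options: bytes, payload: bytes) -> bytes:
    """Rebuild a packet: pad options to 32 bits, fix IHL/length, recompute checksum."""
    options += b"\x00" * (-len(options) % 4)        # pad with End-of-Options
    hdr = bytearray(fixed + options)
    hdr[0] = (4 << 4) | (len(hdr) // 4)
    hdr[2:4] = struct.pack("!H", len(hdr) + len(payload))
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + payload

def _iter_options(options: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (type, value) per option; EOL (0) ends the list, NOP (1) has no length."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:
            return
        if kind == 1:
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2 or i + options[i + 1] > len(options):
            raise ValueError("malformed IP option")
        yield kind, options[i + 2:i + options[i + 1]]
        i += options[i + 1]

def build_ipv4(src: str, dst: str, payload: bytes, proto: int = 17) -> bytes:
    """Constructed plain IPv4 packet (no options), as the host stack would emit it."""
    fixed = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0, 0, 64, proto, 0,
                        ipaddress.IPv4Address(src).packed,
                        ipaddress.IPv4Address(dst).packed)
    return _assemble(fixed, b"", payload)

def host_add_user_identifier(frame: bytes) -> bytes:
    """Steps 201/202 on the host: non-IP data is let through unchanged; an IP packet
    gets its own (private) source address appended as an IP option."""
    try:
        fixed, options, payload = _split(frame)
    except ValueError:
        return frame
    kept = b"".join(bytes([k, len(v) + 2]) + v for k, v in _iter_options(options))
    option = bytes([USER_ID_OPTION, USER_ID_OPTION_LEN]) + fixed[12:16]
    return _assemble(fixed, kept + option, payload)

def nat_rewrite_source(packet: bytes, public_ip: str) -> bytes:
    """What the NAT device does to the header: the source address is replaced and
    the checksum recomputed, while the Options field is carried unchanged."""
    fixed, options, payload = _split(packet)
    fixed = fixed[:12] + ipaddress.IPv4Address(public_ip).packed + fixed[16:]
    return _assemble(fixed, options, payload)

def extract_user_identifier(packet: bytes) -> Optional[str]:
    """Step 302 on the access device: recover the pre-NAT private IP, or None."""
    _, options, _ = _split(packet)
    for kind, value in _iter_options(options):
        if kind == USER_ID_OPTION and len(value) == 4:
            return str(ipaddress.IPv4Address(value))
    return None

def decide_policy(packet: bytes, rules: dict, default: str = "forward") -> str:
    """Map the recovered private IP to one of drop / forward / rate-limit."""
    return rules.get(extract_user_identifier(packet), default)

if __name__ == "__main__":
    # Constructed scenario: host A (192.168.1.10) is barred from the Internet,
    # the NAT's public address is 203.0.113.5, the server is 198.51.100.20.
    rules = {"192.168.1.10": "drop", "192.168.1.11": "rate-limit"}
    tagged = host_add_user_identifier(build_ipv4("192.168.1.10", "198.51.100.20", b"hi"))
    seen = nat_rewrite_source(tagged, "203.0.113.5")
    print(seen[12:16].hex(), extract_user_identifier(seen), decide_policy(seen, rules))
```

Because the identifier is read straight from the packet, the access device checks the option's length and the IHL bounds before using it, as extract_user_identifier and _iter_options do.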
The foregoing is merely a preferred embodiment of the invention and is not intended to limit it; any modification, equivalent replacement, improvement and the like made within the spirit and principles of the invention shall fall within the scope of protection of the invention.

Claims (9)

1. A method for processing a private network IP, applied to a subscriber host on which an NDIS intermediate driver is installed, characterised in that the method includes:
receiving data packets from the host's network card through the intermediate driver, filtering the data packets according to a preset filtering rule, letting a received packet through if it is a non-IP packet and retaining it if it is an IP packet, and intercepting the IP packets that the subscriber host is about to send to the network, where the IP packets carry an Options field;
adding a user identifier to the Options field in the header of each intercepted IP packet, encapsulating the packet, and then sending the encapsulated IP packet to the network, so that a network access device can determine from the user identifier which user sent the packet, where the user identifier corresponds to the private IP address of the packet and is the host's private IP.
2. The method of claim 1, characterised in that the intermediate driver is arranged between the NIC driver and the transport driver.
3. The method of claim 1, characterised in that, before intercepting the IP packets the subscriber host is about to send to the network, the method further includes:
judging whether a packet the subscriber host is about to send to the network is an IP packet;
if not, letting the packet through; otherwise intercepting the IP packet.
4. A method for identifying a private network IP, applied to a network access device, characterised in that the method includes:
obtaining an IP packet carrying a user identifier sent by a client, where the IP packet has been processed by an NDIS intermediate driver installed on the subscriber host, the user identifier is the host's private IP, and the identifier is located in the Options field of the IP packet;
extracting the user identifier from the received IP packet, obtaining the client's private IP from the user identifier, and determining the processing policy for the packet according to that private IP address.
5. The method of claim 4, characterised in that it further includes:
the processing policy includes at least two of the three policies drop, forward and rate limit.
6. A device for processing a private network IP, applied to a subscriber host on which an NDIS intermediate driver is installed, characterised in that the device includes:
a packet capture unit for receiving data packets from the host's network card through the intermediate driver, filtering the data packets according to a preset filtering rule, letting a received packet through if it is a non-IP packet and retaining it if it is an IP packet, and intercepting the IP packets that the subscriber host is about to send to the network, where the IP packets carry an Options field;
a packet processing unit for adding a user identifier to the Options field in the header of each intercepted IP packet, encapsulating the packet, and then sending the encapsulated IP packet to the network, so that a network access device can determine from the user identifier which user sent the packet, where the user identifier corresponds to the private IP address of the packet and is the host's private IP.
7. The device of claim 6, characterised in that the packet capture unit is further configured to:
before intercepting the IP packets the subscriber host is about to send to the network, judge whether a packet the subscriber host is about to send to the network is an IP packet;
if not, let the packet through; otherwise intercept the IP packet.
8. A device for identifying a private network IP, applied to a network access device, characterised in that the device includes:
a packet receiving unit for obtaining an IP packet carrying a user identifier sent by a client, where the IP packet has been processed by an NDIS intermediate driver installed on the subscriber host, the user identifier is the host's private IP, and the identifier is located in the Options field of the IP packet;
a user information acquisition unit for extracting the user identifier from the received IP packet, obtaining the client's private IP from the user identifier, and determining the processing policy for the packet according to that private IP address.
9. The device of claim 8, characterised in that it further includes:
the processing policy includes at least two of the three policies drop, forward and rate limit.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210539673.5A CN103001966B (en) 2012-12-11 2012-12-11 Method and device for processing and identifying a private network IP

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201210539673.5A CN103001966B (en) 2012-12-11 2012-12-11 Method and device for processing and identifying a private network IP

Publications (2)

Publication Number Publication Date
CN103001966A CN103001966A (en) 2013-03-27
CN103001966B true CN103001966B (en) 2016-06-08

Family

ID=47930110

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210539673.5A Active CN103001966B (en) 2012-12-11 2012-12-11 Method and device for processing and identifying a private network IP

Country Status (1)

Country Link
CN (1) CN103001966B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107547428B (en) * 2017-07-05 2022-03-22 新华三信息安全技术有限公司 Message sending method and device, load balancing LB device and gateway device
CN108833513B (en) * 2018-05-31 2021-01-26 中国联合网络通信集团有限公司 Inter-node communication method and device of block chain and block chain node
CN109819070B (en) * 2019-04-12 2020-07-07 苏州浪潮智能科技有限公司 Network address translation method
CN110166474B (en) * 2019-05-29 2021-07-09 新华三信息安全技术有限公司 Message processing method and device
CN112565053B (en) * 2020-12-01 2022-06-10 武汉绿色网络信息服务有限责任公司 Method, device, service system and storage medium for identifying private network user

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040243710A1 (en) * 2001-08-03 2004-12-02 Xiaolei Mao Method of user data exchange in the data network and a data network
CN101442425A (en) * 2007-11-22 2009-05-27 华为技术有限公司 Gateway management method, address distribution method and apparatus, system
CN101674587A (en) * 2009-10-14 2010-03-17 成都市华为赛门铁克科技有限公司 Method and system for realizing business monitoring and authentication agent server
CN102624935A (en) * 2011-01-26 2012-08-01 华为技术有限公司 Method, device and system for forwarding packet


Also Published As

Publication number Publication date
CN103001966A (en) 2013-03-27


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: Binjiang District and Hangzhou city in Zhejiang Province Road 310051 No. 68 in the 6 storey building

Patentee after: Hangzhou Dipu Polytron Technologies Inc

Address before: Binjiang District and Hangzhou city in Zhejiang Province Road 310051 No. 68 in the 6 storey building

Patentee before: Hangzhou Dipu Technology Co., Ltd.
