CN103780389A - Port based authentication method and network device - Google Patents


Info

Publication number: CN103780389A
Application number: CN201210417090.5A
Authority: CN (China)
Prior art keywords: network equipment, identification information, safety certificate, port, trusted
Legal status: Pending
Other languages: Chinese (zh)
Inventor: 栗明
Current Assignee: Huawei Technologies Co Ltd
Original Assignee: Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd; priority to CN201210417090.5A; publication of CN103780389A.

Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00: Reducing energy consumption in communication networks

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

This invention provides a port-based authentication method and a network device. The method comprises: when a first network device detects that the physical port on the first network device for connecting to a second network device is available, the first network device monitors the port for a specified time, waiting to receive an LLDP message sent by the second network device, where the LLDP message comprises identification information of the second network device and a security certificate; if the LLDP message is received within the specified time, the first network device determines whether, among the trusted network devices stored in advance, there is a trusted network device whose identification information and security certificate match the identification information and security certificate of the second network device; if so, the first network device sets the state of the port to the connected state. This invention authenticates a network device on the basis of the port, which increases the security of the network device.

Description

Port-based authentication method and network device
Technical field
The present invention relates to network communication technology, and in particular to a port-based authentication method and a network device.
Background technology
With the rapid development of Internet services, the security of network devices in the Internet has become a problem of wide concern. The security of a network device can be divided into several classes: basic security, access security, secure connection and threat protection. Access security mainly comprises technical means such as Authentication, Authorization, Accounting (AAA), Remote Authentication Dial In User Service (RADIUS) and Terminal Access Controller Access-Control System (TACACS); the overwhelming majority of these means are aimed at access users. Interaction between network devices is mostly secured by authenticating during the interaction, or by encrypting the exchanged information.
However, when a network device is connected to the network without authorization (a "private connection"), there is usually neither authentication nor encryption between the network devices, so security problems easily arise.
Summary of the invention
Embodiments of the present invention provide a port-based authentication method and a network device, in order to improve the security of network devices.
A first aspect provides a port-based authentication method, comprising:
when a first network device detects that a port on the first network device for connecting to a second network device is physically available, the first network device monitors the port for a specified time, waiting to receive a Link Layer Discovery Protocol (LLDP) message sent by the second network device, the LLDP message comprising identification information of the second network device and a security certificate of the second network device;
if the LLDP message is received within the specified time, the first network device determines whether there exists, among pre-stored trusted network devices, a trusted network device whose identification information and security certificate respectively match the identification information and the security certificate of the second network device;
if such a trusted network device exists among the pre-stored trusted network devices, the first network device sets the state of the port to the connected state.
In a first possible implementation of the first aspect, the port-based authentication method further comprises: if the LLDP message is not received within the specified time, or the LLDP message is received within the specified time but no pre-stored trusted network device has identification information and a security certificate respectively matching those of the second network device, the first network device keeps the state of the port in the down state.
In a second possible implementation of the first aspect, the port-based authentication method further comprises: the first network device periodically updates the locally stored identification information and security certificates of the trusted network devices according to a trusted network device list on an authentication server, the trusted network device list comprising the identification information and security certificates of the network devices that have been authenticated by the authentication server.
With reference to the first aspect, or the first or second possible implementation of the first aspect, in a third possible implementation of the first aspect, the step in which the first network device determines whether a matching trusted network device exists among the pre-stored trusted network devices comprises:
the first network device decrypts the identification information of the second network device and the security certificate of the second network device;
the first network device determines whether there exists, among the pre-stored trusted network devices, a trusted network device whose identification information and security certificate respectively match the decrypted identification information and the decrypted security certificate of the second network device.
A second aspect provides a port-based authentication method, comprising:
when a second network device detects that a port on the second network device for connecting to a first network device is physically available, the second network device generates a Link Layer Discovery Protocol (LLDP) message, the LLDP message comprising identification information of the second network device and a security certificate of the second network device;
the second network device sends the LLDP message to the first network device through the port, so that the first network device sets the state of the port on the first network device connected to the second network device according to the identification information and security certificate of the second network device carried in the LLDP message and the identification information and security certificates of the trusted network devices pre-stored locally on the first network device.
In a first possible implementation of the second aspect, the second network device generating the LLDP message comprises:
the second network device encrypts the identification information of the second network device and the security certificate of the second network device;
the second network device encapsulates the encrypted identification information and the encrypted security certificate of the second network device in the LLDP message.
With reference to the second aspect or the first possible implementation of the second aspect, in a second possible implementation of the second aspect, before the second network device generates the LLDP message the method comprises:
the second network device generates the security certificate of the second network device using an asymmetric algorithm.
A third aspect provides a network device, comprising:
a monitoring module, configured to monitor a port of the network device for a specified time when it detects that the port, which connects to a second network device, is physically available, waiting to receive a Link Layer Discovery Protocol (LLDP) message sent by the second network device, the LLDP message comprising identification information of the second network device and a security certificate of the second network device;
a judging module, configured to determine, when the monitoring module receives the LLDP message within the specified time, whether there exists among pre-stored trusted network devices a trusted network device whose identification information and security certificate respectively match the identification information and the security certificate of the second network device;
a setting module, configured to set the state of the port to the connected state when the judgement result of the judging module is yes.
In a first possible implementation of the third aspect, the network device further comprises: a keeping module, configured to keep the state of the port in the down state when the monitoring module does not receive the LLDP message within the specified time, or when the judgement result of the judging module is no.
In a second possible implementation of the third aspect, the network device further comprises: an updating module, configured to periodically update the locally stored identification information and security certificates of the trusted network devices according to a trusted network device list on an authentication server, the trusted network device list comprising the identification information and security certificates of the network devices that have been authenticated by the authentication server.
A fourth aspect provides a network device, comprising:
a first generating module, configured to generate a Link Layer Discovery Protocol (LLDP) message when it detects that a port of the network device for connecting to a first network device is physically available, the LLDP message comprising identification information of the network device and a security certificate of the network device;
a sending module, configured to send the LLDP message to the first network device through the port, so that the first network device sets the state of the port on the first network device connected to the network device according to the identification information and security certificate of the network device carried in the LLDP message and the identification information and security certificates of the trusted network devices pre-stored locally on the first network device.
In a first possible implementation of the fourth aspect, the first generating module is specifically configured to encrypt the identification information and the security certificate of the network device, and to encapsulate the encrypted identification information and the encrypted security certificate of the network device in the LLDP message.
With reference to the fourth aspect or the first possible implementation of the fourth aspect, in a second possible implementation of the fourth aspect, the network device further comprises: a second generating module, configured to generate the security certificate of the network device using an asymmetric algorithm.
In the port-based authentication method and network device provided by the embodiments of the present invention, when the first network device detects that the port on it for connecting to the second network device is physically available, it does not directly set the state of that port to the connected state; instead it waits to receive the LLDP message sent by the second network device. If the LLDP message is received within the specified time, the first network device determines, from the identification information and security certificate of the second network device in the LLDP message and the locally pre-stored identification information and security certificates of the trusted network devices, whether the second network device is a trusted network device, and only when the second network device is found to be trusted does it set the port connecting to the second network device to the connected state, so that the first network device starts normal operation. This realizes port-based authentication, can prevent unauthorized connection of network devices, and helps improve the security of network devices.
Brief description of the drawings
To illustrate the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings required for describing the embodiments or the prior art are briefly introduced below. Evidently, the drawings described below show some embodiments of the present invention; those of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a schematic diagram of interconnected network devices;
Fig. 2 is a flowchart of a port-based authentication method provided by an embodiment of the present invention;
Fig. 3 is a schematic diagram of the format of an LLDP message provided by an embodiment of the present invention;
Fig. 4 is a flowchart of a port-based authentication method provided by another embodiment of the present invention;
Fig. 5 is a structural schematic diagram of a network device provided by an embodiment of the present invention;
Fig. 6 is a structural schematic diagram of a network device provided by another embodiment of the present invention;
Fig. 7 is a structural schematic diagram of a network device provided by a further embodiment of the present invention;
Fig. 8 is a structural schematic diagram of a network device provided by a further embodiment of the present invention;
Fig. 9 is a structural schematic diagram of a network device provided by a further embodiment of the present invention.
Embodiments
To make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the accompanying drawings. Evidently, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Fig. 1 is a schematic diagram of interconnected network devices. As shown in Fig. 1, a first network device 11 is connected to a second network device 12; the port on the first network device 11 that connects to the second network device 12 is port A, and the port on the second network device 12 that connects to the first network device 11 is port B. In the prior art, if there is no problem with the physical line between port A and port B, the first network device 11 and the second network device 12 set the states of port A and port B respectively to the connected (UP) state. At that point, the Internet Protocol (IP) layer and application-layer protocols running over port A on the first network device 11 start normal operation, and correspondingly the IP-layer and application-layer protocols running over port B on the second network device 12 also start normal operation.
In the prior art, to strengthen the security of the connection between the first network device 11 and the second network device 12, one method is to add an authentication mechanism to the interaction protocol; for example, in a routing protocol, password authentication can be added before the protocol interaction, and protocol processing continues only after the authentication passes. Another method is to encrypt the information exchanged between the first network device 11 and the second network device 12; such encryption protocols are generally IP-based.
However, the first network device 11 and the second network device 12 carry numerous protocols, and not every protocol implements a security authentication mechanism. Some protocols simply begin normal operation once the port state has been set to UP upon the port becoming physically available. If the first network device 11 and the second network device 12 are in an unauthorized-connection situation, the absence of any security mechanism in these protocols creates a potential security hazard for whichever of the first network device 11 and the second network device 12 is the legitimate device. An unauthorized connection ("private connection") means that an unauthorized user, without obtaining authorization, privately connects a network device into the network. For example, if the first network device 11 was connected into the network without authorization and is connected to the legitimate second network device 12 in the network, this is one case of an unauthorized connection between the first network device 11 and the second network device 12. For another example, if the second network device 12 was connected into the network without authorization and is connected to the legitimate first network device 11 in the network, this is another case of an unauthorized connection between the two.
In addition, the security of the authentication mechanisms implemented by different protocols differs. Some protocols use simple password authentication, which is easily cracked; in applications with high security requirements, illegitimate network devices may still interact with legitimate network devices using cracked passwords, posing a potential hazard to the legitimate devices.
Moreover, the vast majority of encryption methods are IP-based and presuppose that the network devices are IP-reachable from each other; on that basis, illegitimate network devices can interact with legitimate network devices over IP, again posing a potential hazard to the legitimate devices.
To address the above problems, embodiments of the present invention provide a port-based authentication method. Its main idea is to modify the flow in which a network device sets a port's state to UP as soon as it detects that the port is physically available: the operation of setting the port state to UP is tied to a security authentication of that port based on the Link Layer Discovery Protocol (LLDP), so that the port state is set to UP only after the LLDP-based port authentication has passed; if the LLDP-based port authentication does not pass, the port state is kept in the down state by default. This method gives every IP-layer and application-layer protocol on the network device a unified basis for secure interaction, so that each protocol need not add its own security authentication processing; it also resolves the unauthorized connection of network devices, improving the security of network devices, and is easy to implement.
Fig. 2 is a flowchart of a port-based authentication method provided by an embodiment of the present invention. As shown in Fig. 2, the method of this embodiment comprises:
Step 201: when the first network device detects that the port on the first network device for connecting to the second network device is physically available, it monitors the port for a specified time, waiting to receive an LLDP message sent by the second network device, the LLDP message comprising the identification information of the second network device and the security certificate of the second network device.
In this embodiment, the first network device and the second network device can be any devices in the Internet, for example routers, switches or servers. The first network device and the second network device are interconnected.
In this embodiment, in the configuration of the first network device and the second network device, the LLDP protocol is enabled by default on each port, and the secure mode switch for port-based authentication is enabled by default. Thus, when a device detects that a port is physically available, it does not directly set the network-layer state of the port to UP; instead it determines whether the peer device is trusted by receiving the peer device's LLDP message, and sets the network-layer state of the port to UP only when the peer device is trusted, even if the port is otherwise in a usable state at the network layer.
LLDP is a layer-2 discovery protocol defined in IEEE 802.1ab. Layer-2 information about connected devices can be obtained through LLDP, which helps to quickly obtain information such as the topology state of the connected devices and configuration conflicts between devices. The basic working principle of LLDP is as follows:
The LLDP module of the local device interacts with the physical topology (PTOPO) management information base (MIB), the Entity MIB, the Interface MIB and other MIBs on the local device, and updates the LLDP local system MIB and a custom LLDP extension MIB. The LLDP module of the local device then encapsulates the relevant information of the local device in an LLDP message and sends the LLDP message to the remote device through the port on the local device that connects to the remote device. Meanwhile, the LLDP module of the local device also receives LLDP messages sent by the remote device and, according to the received LLDP messages, updates the LLDP remote system MIB that records the remote device's information on the local device. In this way, through the LLDP remote system MIB, the local device knows clearly the information of the remote device it is connected to, including which port on the remote device the connection uses, the bridge MAC address of the remote device, and so on.
In this embodiment, when the first network device or the second network device detects that the port connecting to the peer is physically available, it sends an LLDP message to the peer. The LLDP message of this embodiment comprises the information specified in the existing LLDP protocol, to which are added the identification information of the device sending the LLDP message and the security certificate that the device uses in the Internet. In this embodiment, the format of the LLDP message is as shown in Fig. 3 and mainly comprises the following fields:
LLDP multicast address: the destination Medium Access Control (MAC) address, also called the Destination Address (DA) field; in an LLDP message this field is the multicast MAC address 01-80-C2-00-00-0E;
Source MAC address: also called the Source Address (SA) field, the MAC address of the device sending the LLDP message; taking a message sent by the second network device to the first network device as an example, this field is filled with the MAC address of the second network device;
LLDP message type (EtherType): in an LLDP message this field is 0x88CC;
LLDP Data Unit (DU): the body of the LLDP information exchange;
Frame Check Sequence (FCS).
The LLDP DU mainly consists of a number of Type Length Values (TLVs), for example a Chassis ID TLV, a Port ID TLV and a Time To Live TLV. On this basis, the LLDP message that the second network device sends to the first network device extends a new TLV in the LLDP DU to carry the security certificate of the second network device. The identification information of the second network device can be any information that uniquely identifies the second network device, for example its MAC address. In addition, depending on the specific implementation of the second network device, its identification information can be other information; for example, if the second network device is a router, its identification information can also be the Serial Number (SN) of the second network device. The identification information of the second network device can likewise be carried in a TLV extended in the LLDP message.
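As an added illustration of the frame layout described above (this is example code written for this page, not code from the patent or from Huawei), the following Python builds and parses an LLDP frame carrying the standard Chassis ID, Port ID and Time To Live TLVs plus two organizationally specific TLVs (type 127) for the device identifier and the security certificate. The OUI, the subtype numbers, the MAC addresses, the serial number and the certificate bytes are constructed placeholders; the patent does not specify how its extended TLV is numbered or encoded. The parser rejects truncated or non-LLDP frames with a ValueError, so a malformed frame never yields a partially filled identity to be matched against the trusted list.

```python
import struct

# Fixed values from IEEE 802.1AB, as named on the page.
LLDP_MULTICAST_DA = bytes.fromhex("0180c200000e")
LLDP_ETHERTYPE = 0x88CC

# Standard TLV types; 127 is the organizationally specific TLV used for extensions.
TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL, TLV_ORG_SPECIFIC = 0, 1, 2, 3, 127
CHASSIS_SUBTYPE_MAC = 4      # chassis ID carried as a MAC address
PORT_SUBTYPE_IFNAME = 5      # port ID carried as an interface name

# ASSUMED values: the patent gives no OUI or subtypes, so this example invents them.
EXAMPLE_OUI = bytes.fromhex("001122")
SUBTYPE_DEVICE_ID = 1
SUBTYPE_CERT = 2


def encode_tlv(tlv_type: int, value: bytes) -> bytes:
    """TLV header is 16 bits: a 7-bit type followed by a 9-bit length (max 511)."""
    if not 0 <= tlv_type < 128 or len(value) > 511:
        raise ValueError("TLV type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def encode_org_tlv(oui: bytes, subtype: int, value: bytes) -> bytes:
    return encode_tlv(TLV_ORG_SPECIFIC, oui + bytes([subtype]) + value)


def build_lldp_frame(src_mac: bytes, port_name: str, ttl: int,
                     device_id: bytes, cert: bytes) -> bytes:
    """Ethernet header plus LLDPDU. The FCS is omitted: the NIC adds and strips it."""
    lldpdu = (encode_tlv(TLV_CHASSIS_ID, bytes([CHASSIS_SUBTYPE_MAC]) + src_mac)
              + encode_tlv(TLV_PORT_ID, bytes([PORT_SUBTYPE_IFNAME]) + port_name.encode())
              + encode_tlv(TLV_TTL, struct.pack("!H", ttl))
              + encode_org_tlv(EXAMPLE_OUI, SUBTYPE_DEVICE_ID, device_id)
              + encode_org_tlv(EXAMPLE_OUI, SUBTYPE_CERT, cert)
              + encode_tlv(TLV_END, b""))
    return LLDP_MULTICAST_DA + src_mac + struct.pack("!H", LLDP_ETHERTYPE) + lldpdu


def parse_lldp_frame(frame: bytes) -> dict:
    """Parse one LLDP frame; raise ValueError on anything malformed."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    da, sa = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if da != LLDP_MULTICAST_DA or ethertype != LLDP_ETHERTYPE:
        raise ValueError("not an LLDP frame")
    fields = {"source_mac": sa, "chassis_id": None, "port_id": None,
              "ttl": None, "device_id": None, "cert": None}
    offset, saw_end = 14, False
    while offset < len(frame) and not saw_end:
        if offset + 2 > len(frame):
            raise ValueError("truncated TLV header")
        (header,) = struct.unpack("!H", frame[offset:offset + 2])
        tlv_type, length = header >> 9, header & 0x1FF
        value = frame[offset + 2:offset + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV value")
        offset += 2 + length
        if tlv_type == TLV_END:
            saw_end = True
        elif tlv_type == TLV_CHASSIS_ID:
            fields["chassis_id"] = value[1:]            # strip the subtype byte
        elif tlv_type == TLV_PORT_ID:
            fields["port_id"] = value[1:].decode(errors="replace")
        elif tlv_type == TLV_TTL:
            if length != 2:
                raise ValueError("bad TTL length")
            (fields["ttl"],) = struct.unpack("!H", value)
        elif tlv_type == TLV_ORG_SPECIFIC and len(value) >= 4 and value[:3] == EXAMPLE_OUI:
            if value[3] == SUBTYPE_DEVICE_ID:
                fields["device_id"] = value[4:]
            elif value[3] == SUBTYPE_CERT:
                fields["cert"] = value[4:]
        # Any other TLV is skipped, as 802.1AB requires of unknown TLVs.
    if not saw_end:
        raise ValueError("missing End of LLDPDU TLV")
    return fields


def try_parse(frame: bytes):
    """Return the parsed fields, or None if the frame must be dropped."""
    try:
        return parse_lldp_frame(frame)
    except ValueError:
        return None


# Constructed sample: a message from the second network device to the first.
SAMPLE_FRAME = build_lldp_frame(
    src_mac=bytes.fromhex("025555aa0001"),      # constructed MAC address
    port_name="GigabitEthernet0/0/1",
    ttl=120,
    device_id=b"SN-EXAMPLE-0001",               # constructed serial number as identifier
    cert=b"CERT-PLACEHOLDER-DER-BYTES",         # placeholder for the certificate bytes
)

if __name__ == "__main__":
    print(parse_lldp_frame(SAMPLE_FRAME))
```

The receiving side in the patent only needs the identifier and the certificate, but the parser keeps the standard TLVs too, because a peer that omits the mandatory Chassis ID, Port ID and TTL TLVs is not a conforming LLDP sender and a deployment may want to reject it for that reason alone.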
For the second network device: when it detects that the port on the second network device connecting to the first network device is physically available, it sends through that port an LLDP message comprising its own identification information and security certificate to the first network device, and it also waits to receive the LLDP message sent by the first network device that carries the identification information and security certificate of the first network device. Correspondingly, when the first network device detects that the port on the first network device connecting to the second network device is physically available, it sends an LLDP message comprising its own identification information and security certificate to the second network device, and also waits to receive the LLDP message sent by the second network device that carries the identification information and security certificate of the second network device.
The ways in which the first network device and the second network device detect whether the port connecting to the peer is physically available include, but are not limited to, detecting whether a cable connected to the peer device has been inserted in the port; if a cable insertion is detected, the port is considered physically available. In this embodiment, a port being physically available means that the port is connected to the peer device by a cable and the physical layer is in good condition. For example, an existing computer has an indicator light for its network interface; if the light comes on after a network cable is inserted, the interface is considered physically available.
In an optional implementation, to improve the security of the identification information and security certificate of the second network device, the second network device can encrypt its identification information and security certificate, and then encapsulate the encrypted identification information and the encrypted security certificate in the LLDP message sent to the first network device. Likewise, the first network device can first encrypt its identification information and security certificate, and then encapsulate the encrypted identification information and the encrypted security certificate in the LLDP message sent to the second network device.
Further, to improve the reliability of the security certificate, the first network device can generate its security certificate using an asymmetric algorithm, and likewise the second network device can generate its security certificate using an asymmetric algorithm.
In this embodiment, when the first network device detects that the port on the first network device connecting to the second network device is physically available, it does not first set the network-layer state of the port to UP; instead, the network-layer state of the port defaults to the down state, so every IP-layer and application-layer protocol on the first network device considers the port not yet ready and is therefore not enabled.
It should be explained here that, in the embodiments of the present invention, the port being in the down state means a state in which only LLDP protocol messages can be received through the port and no other messages can. Although the states of the interconnected ports on the first network device and the second network device have not yet been set to UP, an LLDP message is a multicast message whose destination MAC is a special multicast MAC (for example 01-80-C2-00-00-0E), so the first network device and the second network device can receive Ethernet frames of this particular protocol while still being unable to receive other messages (data messages).
If in step 202 the LLDP message sent by the second network device is received within the specified time, the first network device determines whether the pre-stored trusted network devices include one whose identification information and security certificate respectively match the identification information and security certificate of the second network device. If so, it determines that such a trusted network device exists and performs step 203; if not, it determines that no such trusted network device exists and performs step 204.
In the present embodiment, the identification information and security certificates of the trusted network devices are pre-stored on the first network device. Optionally, the first network device stores the trusted-device information in the form of a trusted-device list, for example storing each trusted network device's identification information together with its security certificate as one entry of the list. Optionally, the first network device stores the trusted-device list in its non-volatile random access memory (NVRAM). A trusted network device is a network device that has passed authentication by the authentication server and has obtained a security certificate issued by a third-party certification authority with a high degree of trust.
Accordingly, after receiving the LLDP message sent by the second network device, the first network device parses it according to the LLDP message format and obtains the second network device's identification information and security certificate from it. It then matches these respectively against the pre-stored identification information and security certificates of the trusted network devices, to determine whether a trusted network device exists whose identification information and security certificate respectively match those of the second network device. If one exists, the second network device is a trusted network device; if none exists, it is not.
Note that, for identification information, "match" in this embodiment chiefly means identical: determining whether a trusted network device's pre-stored identification information matches the second network device's identification information means determining whether the two are identical. For security certificates, "match" can mean either identical or that one security certificate can be authenticated by the other. In the first sense, determining whether a trusted network device's pre-stored security certificate matches the second network device's security certificate means determining whether the two are identical. In the second sense, it means determining whether the second network device's security certificate passes authentication by the pre-stored security certificate of the trusted network device. Step 202 is described in detail below using the second sense of matching.
Specifically, the first network device may first compare the second network device's identification information one by one against the pre-stored identification information of the trusted network devices. If a trusted network device whose identification information is identical to that of the second network device is found, the first network device goes on to use that trusted network device's security certificate to authenticate the second network device's security certificate. If the authentication succeeds, that trusted network device's identification information and security certificate respectively match those of the second network device, and the second network device is trusted; if the authentication fails, the second network device is not trusted. If no trusted network device whose identification information matches is found, the first network device can directly determine that the second network device is not trusted. Alternatively:
The first network device may first use the pre-stored security certificates of the trusted network devices one by one to authenticate the second network device's security certificate. If the second network device's security certificate passes authentication by the security certificate of some pre-stored trusted network device, the two certificates are considered to match, and the first network device then compares that trusted network device's identification information with the second network device's identification information; if they are identical, the second network device is trusted, and if they are not, it is not trusted. If no trusted network device whose security certificate matches is found, the first network device can directly determine that the second network device is not trusted.
Optionally, if the second network device encrypted its identification information and security certificate beforehand, step 202 comprises: the first network device parses the LLDP message sent by the second network device, obtains the second network device's identification information and security certificate, decrypts them, and then determines whether the pre-stored trusted network devices include one whose identification information and security certificate respectively match the decrypted identification information and the decrypted security certificate of the second network device.
Step 203: the first network device sets the state of its port connecting to the second network device to the connected (UP) state.
After determining that the second network device is trusted, the first network device sets the network-layer state of its port connecting to the second network device to UP. From then on, each IP-layer and application-layer protocol on the first network device can run normally on that port. There is no need to add security-authentication handling to each upper-layer protocol, unauthorized connection of network devices is prevented at the same time, the security of the network device is improved, and the scheme is easy to implement.
Step 204: the first network device keeps the state of its port connecting to the second network device in the down state.
In the present embodiment, when the first network device determines that none of the pre-stored trusted network devices has identification information and a security certificate respectively matching those of the second network device, it keeps the port connecting to the second network device in the network-layer unavailable state.
Specifically, the first network device determines that no such trusted network device exists in the following cases:
the LLDP message sent by the second network device does not contain the second network device's security certificate;
the LLDP message sent by the second network device contains the second network device's identification information and security certificate, but the identification information does not match the identification information of any trusted network device;
the LLDP message sent by the second network device contains the second network device's identification information and security certificate, but the security certificate does not match the security certificate of any trusted network device.
Optionally, besides keeping the port in the network-layer down state when it determines that no matching trusted network device exists, the first network device also keeps its port connecting to the second network device in the network-layer down state if it receives no LLDP message from the second network device within the specified time. In this way, until it can be determined whether the second network device is trusted, none of the upper-layer protocols on the first network device can be enabled on that port, which guarantees the security of the first network device.
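An added example (Python, standard library only; not the patent's code) of the authenticator's decision in steps 202 to 204, operating on the identification information and certificate already extracted from the LLDP message: both orderings of the match (identifier first, then certificate; certificate first, then identifier), both senses of certificate matching (identical, or authenticated by the stored certificate), the three failure cases listed above and the timeout case. The "security certificate" is an assumption: a toy RSA public key built from hard-coded Mersenne primes plus a signature over (identifier || key) by the matching private key, standing in for whatever asymmetric algorithm the text leaves open; it is not secure and only shows the control flow. One caveat worth stating: a certificate carried in an LLDP multicast frame is readable by every station on the segment, and neither sense of matching proves possession of a private key, since the signature here is static and can be replayed together with the identifier; this is why the optional encryption of the two fields described above matters in practice.

```python
"""Constructed example (not the patent's code) of the authenticator's
decision in steps 202-204: match the received identifier and certificate
against a pre-stored trusted-device list, then set the port's network-layer
state.  The 'security certificate' is a toy RSA public key plus a signature
over (device_id || key), built from hard-coded Mersenne primes; it is an
assumption for illustration only and NOT a secure credential."""
import hashlib
from dataclasses import dataclass
from enum import Enum


def toy_keypair(p, q, e=65537):
    """Toy RSA key generation from two given primes (insecure, demo only)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return n, e, pow(e, -1, phi)           # modulus, public exponent, private exponent


# Constructed key pairs from Mersenne primes: M31*M61 and M89*M107.
KEY_A = toy_keypair((1 << 31) - 1, (1 << 61) - 1)
KEY_B = toy_keypair((1 << 89) - 1, (1 << 107) - 1)


@dataclass(frozen=True)
class Certificate:
    n: int      # public modulus
    e: int      # public exponent
    sig: int    # signature over (device_id || n || e) by the matching private key


def _digest(device_id, n, e):
    h = hashlib.sha256(device_id + n.to_bytes(32, "big") + e.to_bytes(4, "big")).digest()
    return int.from_bytes(h, "big") % n


def issue_certificate(device_id, key):
    """Device side: generate the certificate with the (toy) asymmetric algorithm."""
    n, e, d = key
    return Certificate(n, e, pow(_digest(device_id, n, e), d, n))


def cert_identical(trusted, received, device_id):
    """First sense of 'match': the certificates are identical."""
    return trusted == received


def cert_authenticates(trusted, received, device_id):
    """Second sense of 'match': the stored certificate's public key verifies
    the signature carried by the received certificate for this identifier."""
    if (trusted.n, trusted.e) != (received.n, received.e):
        return False
    return pow(received.sig, trusted.e, trusted.n) == _digest(device_id, trusted.n, trusted.e)


@dataclass(frozen=True)
class TrustedEntry:
    device_id: bytes      # e.g. a serial number, as the text allows
    cert: Certificate


class PortState(Enum):
    DOWN = "down"   # network layer unavailable: only LLDP frames are accepted
    UP = "up"


def match_id_first(trusted, device_id, cert, verify=cert_authenticates):
    """Compare identifiers one by one, then verify the certificate of the hit."""
    for entry in trusted:
        if entry.device_id == device_id:
            return verify(entry.cert, cert, device_id)
    return False                           # no identifier matched


def match_cert_first(trusted, device_id, cert, verify=cert_authenticates):
    """Verify against each stored certificate, then compare the identifier of the hit."""
    for entry in trusted:
        if verify(entry.cert, cert, device_id):
            return entry.device_id == device_id
    return False                           # no certificate matched


def decide_port_state(trusted, lldp_received, device_id, cert, matcher=match_id_first):
    """UP only when an LLDP frame arrived in time, carried both fields and a
    trusted entry matches (step 203); DOWN in every other case (step 204)."""
    if not lldp_received:                  # timeout: nothing to authenticate
        return PortState.DOWN
    if device_id is None or cert is None:  # message lacks the identifier or certificate
        return PortState.DOWN
    return PortState.UP if matcher(trusted, device_id, cert) else PortState.DOWN


if __name__ == "__main__":
    sn = b"SN-CONSTRUCTED-0001"             # constructed serial numbers
    other = b"SN-CONSTRUCTED-0002"
    trusted = [TrustedEntry(other, issue_certificate(other, KEY_B)),
               TrustedEntry(sn, issue_certificate(sn, KEY_A))]
    print(decide_port_state(trusted, True, sn, issue_certificate(sn, KEY_A)))
    print(decide_port_state(trusted, True, b"SN-UNKNOWN", issue_certificate(sn, KEY_A)))
```

Passing `cert_identical` as `verify` switches either matcher to the first sense of matching without changing the port-state logic; in that mode a certificate generated for the same identifier with a different key pair is rejected because the stored bytes differ.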
In an optional implementation, because the joining and leaving of network devices in the network changes dynamically, the first network device of this embodiment can periodically update its locally stored identification information and security certificates of the trusted network devices in order to adapt to this change. The update consists of storing locally the identification information and security certificates of trusted network devices that have newly joined the network, and deleting locally the identification information and security certificates of trusted network devices that have expired. One update method is manual: according to a preset update period, an administrator or user updates the locally stored identification information and security certificates of the trusted network devices by hand. Another is automatic: the first network device periodically updates its locally stored identification information and security certificates of the trusted network devices according to the trusted-device list on the authentication server. Here the authentication server is the server that authenticates network devices; a network device that has passed its authentication is trusted. The authentication server records, in the trusted-device list, the identification information and security certificate of every network device that has passed its authentication; that is, the trusted-device list contains the identification information and security certificates of the network devices authenticated by the authentication server.
Updating the locally stored identification information and security certificates of the trusted network devices in this way not only improves the accuracy of determining whether the second network device is a trusted network device, which further guarantees the security of the first network device, but also means that, through periodic updating, the information of these trusted network devices need not be held on the first network device for a long time or permanently, which helps protect the identification information and security certificates of those trusted network devices.
In summary, this embodiment ties the operation of setting a port's state to UP to the LLDP-based security authentication of that port: the port's state is set to UP only after the LLDP-based port authentication passes, and if the LLDP-based port authentication fails the port stays by default in the network-layer down state. This gives every IP-layer and application-layer protocol on the network device a common secure basis for interaction, avoids adding security-authentication handling to each protocol, prevents unauthorized connection of network devices at the same time, improves the security of the network device, and is easy to implement.
Fig. 4 is a flowchart of a port-based authentication method provided by another embodiment of the present invention. As shown in Fig. 4, the method of this embodiment comprises:
Step 401: when the second network device detects that its port connecting to the first network device is physically available, it generates an LLDP message, the LLDP message containing the identification information and the security certificate of the second network device.
Step 402: the second network device sends the LLDP message to the first network device through its port connecting to the first network device, so that the first network device sets the state of its port connecting to the second network device according to the identification information and security certificate of the second network device carried in the LLDP message and the identification information and security certificates of the trusted network devices pre-stored locally on the first network device.
In an optional implementation, generating the LLDP message comprises: the second network device encrypts its identification information and security certificate, and encapsulates the encrypted identification information and the encrypted security certificate in the LLDP message.
In an optional implementation, before generating the LLDP message, the second network device generates its security certificate by an asymmetric algorithm.
The identification information of the second network device can be any information that uniquely identifies the second network device, for example its MAC address. Depending on how the second network device is implemented, the identification information can also be other information; for example, if the second network device is a router, its identification information can be its serial number (SN).
The port-based authentication method of this embodiment is described from the perspective of the second network device; for the details, see the description of the embodiment shown in Fig. 2, which is not repeated here.
In summary, this embodiment ties the operation of setting a port's state to UP to the LLDP-based security authentication of that port: the port's state is set to UP only after the LLDP-based port authentication passes, and if the LLDP-based port authentication fails the port stays by default in the down state. This gives every IP-layer and application-layer protocol on the network device a common secure basis for interaction, avoids adding security-authentication handling to each protocol, prevents unauthorized connection of network devices at the same time, improves the security of the network device, and is easy to implement.
Fig. 5 is a schematic structural diagram of a network device provided by an embodiment of the present invention. As shown in Fig. 5, the first network device of this embodiment comprises a listening module 51, a judging module 52 and a setting module 53.
The listening module 51 is configured, when it detects that the port of this network device connecting to the second network device is physically available, to listen on that port within a specified time, waiting to receive the LLDP message sent by the second network device, the LLDP message containing the identification information and the security certificate of the second network device. The listening module 51 is connected to the judging module 52 and provides it with the listening result.
The judging module 52 is configured, when the listening module 51 receives the LLDP message within the specified time, to determine whether the pre-stored trusted network devices include one whose identification information and security certificate respectively match the identification information and security certificate of the second network device. The judging module 52 is connected to the setting module 53 and provides it with the judgment result.
The setting module 53 is configured, when the judgment result of the judging module 52 is yes, to set the state of the port to the connected state.
In an optional implementation, as shown in Fig. 6, the network device of this embodiment further comprises a holding module 54. The holding module 54 is connected to the listening module 51 and the judging module 52 and is configured, when the listening module 51 does not receive the LLDP message within the specified time, or when the judgment result of the judging module 52 is no, to keep the state of the port in the down state.
In an optional implementation, as shown in Fig. 6, the network device of this embodiment further comprises an update module 55. The update module 55 is configured to periodically update the locally stored identification information and security certificates of the trusted network devices according to the trusted-device list on the authentication server, the trusted-device list containing the identification information and security certificates of the network devices authenticated by the authentication server. Optionally, the update module 55 is connected to the judging module 52 and provides it with the locally stored identification information and security certificates of the trusted network devices.
In an optional implementation, the judging module 52 is specifically configured to decrypt the identification information and security certificate of the second network device and to determine whether the pre-stored trusted network devices include one whose identification information and security certificate respectively match the decrypted identification information and the decrypted security certificate of the second network device.
In an optional implementation, the identification information of the second network device can be the SN of the second network device, but is not limited to this.
The network device of this embodiment can be implemented as the first network device in the method embodiments above, and each functional module of the network device provided by this embodiment can be used to carry out the procedure performed by the first network device in those embodiments. Its specific working principle is not repeated here; see the description of the method embodiments.
The network device provided by this embodiment ties the operation of setting a port's state to UP to the LLDP-based security authentication of that port: the port's state is set to UP only after the LLDP-based port authentication passes, and if the LLDP-based port authentication fails the port stays by default in the down state. This gives every IP-layer and application-layer protocol on the network device a common secure basis for interaction, avoids adding security-authentication handling to each protocol, prevents unauthorized connection of network devices at the same time, and improves the security of the network device.
Fig. 7 is a schematic structural diagram of a network device provided by a further embodiment of the present invention. As shown in Fig. 7, the network device of this embodiment comprises a communication interface 71, a processor 72, a memory 73 and a bus. The communication interface 71, the processor 72 and the memory 73 are interconnected by the bus and communicate with one another over it. The bus can be an Industry Standard Architecture (ISA) bus, a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus or the like, and can be divided into an address bus, a data bus, a control bus and so on. For ease of representation, only one thick line is drawn in Fig. 7, but this does not mean that there is only one bus or only one type of bus. In detail:
The communication interface 71 is configured, when it detects that the port of this network device connecting to the second network device is physically available, to listen on that port within a specified time, waiting to receive the LLDP message sent by the second network device, the LLDP message containing the identification information and the security certificate of the second network device. In addition, the communication interface 71 can also send LLDP messages to the second network device, and is responsible for communication between this network device and other network devices.
The memory 73 stores a program. The program can include program code, and the program code includes computer operation instructions. In addition, the memory 73 can also hold the LLDP messages received by the communication interface 71, and store or buffer the LLDP messages sent by the communication interface 71.
The memory 73 may include high-speed RAM and may also include non-volatile memory, for example at least one disk storage.
The processor 72 executes the program stored in the memory 73 in order to: when the communication interface 71 receives the LLDP message sent by the second network device within the specified time, determine whether the pre-stored trusted network devices include one whose identification information and security certificate respectively match the identification information and security certificate of the second network device, and, when the judgment result is yes, set the state of the port of this network device connecting to the second network device to the connected state.
The processor 72 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present invention.
The network device of this embodiment can be implemented as the first network device in the method embodiments above, and the network device provided by this embodiment can be used to carry out the procedure performed by the first network device in those embodiments. Its specific working principle is not repeated here; see the description of the method embodiments.
The network device provided by this embodiment ties the operation of setting a port's state to UP to the LLDP-based security authentication of that port: the port's state is set to UP only after the LLDP-based port authentication passes, and if the LLDP-based port authentication fails the port stays by default in the down state. This gives every IP-layer and application-layer protocol on the network device a common secure basis for interaction, avoids adding security-authentication handling to each protocol, prevents unauthorized connection of network devices at the same time, and improves the security of the network device.
Fig. 8 is a schematic structural diagram of a network device provided by a further embodiment of the present invention. As shown in Fig. 8, the network device of this embodiment comprises a first generating module 81 and a sending module 82.
The first generating module 81 is configured, when it detects that the port of this network device connecting to the first network device is physically available, to generate an LLDP message, the LLDP message containing the identification information and the security certificate of this network device.
The sending module 82 is connected to the first generating module 81 and is configured to send the LLDP message generated by the first generating module 81 to the first network device through the port of this network device connecting to the first network device, so that the first network device sets the state of its port connecting to this network device according to the identification information and security certificate of this network device carried in the LLDP message and the identification information and security certificates of the trusted network devices pre-stored locally on the first network device.
In an optional implementation, the first generating module 81 is specifically configured to encrypt the identification information and security certificate of this network device and to encapsulate the encrypted identification information and the encrypted security certificate of this network device in the LLDP message.
In an optional implementation, the network device of this embodiment further comprises a second generating module 83. The second generating module 83 generates the security certificate of this network device by an asymmetric algorithm before the first generating module 81 generates the LLDP message. Optionally, the second generating module 83 is connected to the first generating module 81 and provides it with the security certificate of this network device.
In an optional implementation, the identification information of this network device can be the SN of this network device, but is not limited to this.
The network device provided by this embodiment can be implemented as the second network device in the method embodiments above. Each functional module of the network device provided by this embodiment can be used to carry out the procedure performed by the second network device in those embodiments; its specific working principle is not repeated here, see the description of the method embodiments.
The network device provided by this embodiment can cooperate with the network device implemented as the first network device provided by the preceding embodiments. It ties the operation of setting a port's state to UP to the LLDP-based security authentication of that port: the port's state is set to UP only after the LLDP-based port authentication passes, and if the LLDP-based port authentication fails the port stays by default in the down state. This gives every IP-layer and application-layer protocol on the network device a common secure basis for interaction, avoids adding security-authentication handling to each protocol, prevents unauthorized connection of network devices at the same time, and improves the security of the network device.
Fig. 9 is a structural diagram of a network device provided by a further embodiment of the invention. As shown in Fig. 9, the network device of this embodiment comprises a processor 91, a communication interface 92, a memory 93 and a bus. The processor 91, the communication interface 92 and the memory 93 are interconnected by the bus and communicate with one another over it. The bus may be an ISA bus, a PCI bus, an EISA bus or the like, and may be divided into an address bus, a data bus, a control bus and so on. For ease of representation only one thick line is drawn in Fig. 9, which does not mean that there is only one bus or only one type of bus. In this device:
The memory 93 stores a program. The program may comprise program code, and the program code comprises computer operation instructions. The memory 93 may also hold the LLDP messages received by the communication interface 92, and store or buffer the LLDP messages to be sent by the communication interface 92.
The memory 93 may comprise high-speed RAM and may also comprise non-volatile memory, for example at least one disk store.
The processor 91 executes the program stored in the memory 93 so as to: when it detects that the port of this network device connected to the first network device is physically available, generate an LLDP message, the LLDP message comprising the identification information of this network device and the security certificate of this network device. Specifically, the processor 91 passes the generated LLDP message to the communication interface 92 over the bus between the processor 91 and the communication interface 92.
The processor 91 may be a CPU, an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the invention.
The communication interface 92 sends the LLDP message to the first network device through the port on this network device that connects to the first network device, so that the first network device can set the state of its port connected to this network device according to the identification information and the security certificate of this network device carried in the LLDP message and the identification information and security certificates of the trusted network devices stored locally in advance on the first network device.
The network device provided in this embodiment can be implemented as the second network device of the method embodiment above and can carry out the flow executed by the second network device in that method embodiment; its specific working principle is not repeated here, see the description of the method embodiment.
The network device provided in this embodiment cooperates with the first network device provided in the preceding embodiment. By tying the operation that sets the port state to UP to the LLDP-based security authentication of that port, the port state is set to UP only after the LLDP-based port authentication has passed; if the LLDP-based port authentication does not pass, the port is kept in the down state by default. This gives every IP-layer and application-layer protocol on the network device a unified basis for secure interaction, so that no individual protocol needs to add its own security authentication processing; it also resolves the case of unauthorised (private) connection of network devices and improves the security of the network device.
Those of ordinary skill in the art will appreciate that all or part of the steps of the method embodiments above can be carried out by hardware under the control of program instructions. The program may be stored in a computer-readable storage medium; when executed, it performs the steps of the method embodiments above. The storage medium may be any medium capable of storing program code, such as ROM, RAM, a magnetic disk or an optical disc.
Finally, it should be noted that the embodiments above serve only to illustrate the technical solution of the invention and are not intended to limit it. Although the invention has been described in detail with reference to those embodiments, those of ordinary skill in the art should understand that the technical solutions recorded in them may still be modified, or some or all of their technical features replaced by equivalents, without such modifications or replacements taking the essence of the corresponding technical solution outside the scope of the embodiments of the invention.

Claims (18)

1. A port-based authentication method, characterised by comprising:
when a first network device detects that a port on the first network device connected to a second network device is physically available, the first network device monitors the port for a specified time, waiting to receive a Link Layer Discovery Protocol (LLDP) message sent by the second network device, the LLDP message comprising identification information of the second network device and a security certificate of the second network device;
if the LLDP message is received within the specified time, the first network device judges whether there exists, among pre-stored trusted network devices, a trusted network device whose identification information and security certificate respectively match the identification information of the second network device and the security certificate of the second network device;
if such a trusted network device exists among the pre-stored trusted network devices, the first network device sets the state of the port to the connected state.
2. The port-based authentication method according to claim 1, characterised by further comprising:
if the LLDP message is not received within the specified time, or the LLDP message is received within the specified time but no trusted network device exists among the pre-stored trusted network devices whose identification information and security certificate respectively match the identification information and the security certificate of the second network device, the first network device keeps the state of the port in the down state.
3. The port-based authentication method according to claim 1, characterised by further comprising:
the first network device periodically updating the identification information and security certificates of the locally stored trusted network devices according to a trusted network device list held on an authentication server, the trusted network device list comprising the identification information and security certificates of the network devices authenticated by the authentication server.
4. The port-based authentication method according to claim 1, 2 or 3, characterised in that the first network device judging whether there exists, among the pre-stored trusted network devices, a trusted network device whose identification information and security certificate respectively match the identification information and the security certificate of the second network device comprises:
the first network device decrypting the identification information of the second network device and the security certificate of the second network device;
the first network device judging whether there exists, among the pre-stored trusted network devices, a trusted network device whose identification information and security certificate respectively match the decrypted identification information of the second network device and the decrypted security certificate of the second network device.
5. The port-based authentication method according to claim 1, 2 or 3, characterised in that the identification information of the second network device is the serial number (SN) of the second network device.
6. A port-based authentication method, characterised by comprising:
when a second network device detects that a port on the second network device connected to a first network device is physically available, the second network device generates a Link Layer Discovery Protocol (LLDP) message, the LLDP message comprising identification information of the second network device and a security certificate of the second network device;
the second network device sends the LLDP message to the first network device through the port, so that the first network device sets the state of the port on the first network device connected to the second network device according to the identification information of the second network device and the security certificate of the second network device carried in the LLDP message and the identification information and security certificates of the trusted network devices pre-stored locally on the first network device.
7. The port-based authentication method according to claim 6, characterised in that the second network device generating the LLDP message comprises:
the second network device encrypting the identification information of the second network device and the security certificate of the second network device;
the second network device encapsulating the encrypted identification information of the second network device and the encrypted security certificate of the second network device in the LLDP message.
8. The port-based authentication method according to claim 6 or 7, characterised in that, before the second network device generates the LLDP message, the method comprises:
the second network device generating the security certificate of the second network device by an asymmetric algorithm.
9. The port-based authentication method according to claim 6 or 7, characterised in that the identification information of the second network device is the serial number (SN) of the second network device.
10. A network device, characterised by comprising:
a monitoring module, for monitoring, when it detects that a port on the network device connected to a second network device is physically available, the port for a specified time, waiting to receive a Link Layer Discovery Protocol (LLDP) message sent by the second network device, the LLDP message comprising identification information of the second network device and a security certificate of the second network device;
a judging module, for judging, when the monitoring module receives the LLDP message within the specified time, whether there exists, among pre-stored trusted network devices, a trusted network device whose identification information and security certificate respectively match the identification information of the second network device and the security certificate of the second network device;
a setting module, for setting the state of the port to the connected state when the judgement result of the judging module is yes.
11. The network device according to claim 10, characterised by further comprising:
a keeping module, for keeping the state of the port in the down state when the monitoring module does not receive the LLDP message within the specified time, or when the judgement result of the judging module is no.
12. The network device according to claim 10, characterised by further comprising:
an updating module, for periodically updating the identification information and security certificates of the locally stored trusted network devices according to a trusted network device list held on an authentication server, the trusted network device list comprising the identification information and security certificates of the network devices authenticated by the authentication server.
13. The network device according to claim 10, 11 or 12, characterised in that the judging module is specifically for decrypting the identification information of the second network device and the security certificate of the second network device, and judging whether there exists, among the pre-stored trusted network devices, a trusted network device whose identification information and security certificate respectively match the decrypted identification information of the second network device and the decrypted security certificate of the second network device.
14. The network device according to claim 10, 11 or 12, characterised in that the identification information of the second network device is the serial number (SN) of the second network device.
15. A network device, characterised by comprising:
a first generating module, for generating, when it detects that a port on the network device connected to a first network device is physically available, a Link Layer Discovery Protocol (LLDP) message, the LLDP message comprising identification information of the network device and a security certificate of the network device;
a sending module, for sending the LLDP message to the first network device through the port, so that the first network device sets the state of the port on the first network device connected to the network device according to the identification information of the network device and the security certificate of the network device carried in the LLDP message and the identification information and security certificates of the trusted network devices pre-stored locally on the first network device.
16. The network device according to claim 15, characterised in that the first generating module is specifically for encrypting the identification information of the network device and the security certificate of the network device, and encapsulating the encrypted identification information of the network device and the encrypted security certificate of the network device in the LLDP message.
17. The network device according to claim 15 or 16, characterised by further comprising:
a second generating module, for generating the security certificate of the network device by an asymmetric algorithm.
18. The network device according to claim 15 or 16, characterised in that the identification information of the network device is the serial number (SN) of the network device.
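Worked example of the exchange described in the Fig. 9 embodiment and in claims 1 to 9 (an added illustration, not code from the patent or from Huawei): the second device packs its serial number (SN) and security certificate into an LLDPDU, and the first device parses the frame, applies the specified-time window and the match against its pre-stored trusted list, and returns the resulting port state. It assumes, since the patent does not fix these details, that SN and certificate travel in IEEE 802.1AB organizationally specific TLVs (type 127) under a placeholder OUI, that the certificate is an opaque byte string short enough for one TLV, and it leaves out the encryption step of claims 4 and 7.

```python
"""Port authentication over LLDP, modelled on claims 1 to 9 of the patent.

Added example, not the patent's own code.  Assumed details: SN and
certificate ride in organizationally specific TLVs (type 127) under a
placeholder OUI; the certificate is an opaque byte string; no encryption.
"""
import hmac
import struct
from typing import Dict, Optional, Tuple

OUI = b"\x00\x00\x00"            # placeholder OUI, not a registered vendor
SUBTYPE_SN, SUBTYPE_CERT = 1, 2  # constructed subtypes for the two fields
TLV_END, TLV_CHASSIS, TLV_PORT, TLV_TTL, TLV_ORG = 0, 1, 2, 3, 127


def tlv(tlv_type: int, value: bytes) -> bytes:
    """One LLDP TLV: 7-bit type and 9-bit length in a big-endian 16-bit header."""
    if not 0 <= len(value) <= 511:
        raise ValueError("TLV value exceeds the 9-bit length field")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_lldpdu(chassis_mac: bytes, port_name: str, sn: str, cert: bytes) -> bytes:
    """Second device (claim 6): mandatory TLVs plus SN and certificate."""
    return b"".join([
        tlv(TLV_CHASSIS, b"\x04" + chassis_mac),       # chassis subtype 4 = MAC
        tlv(TLV_PORT, b"\x05" + port_name.encode()),    # port subtype 5 = ifname
        tlv(TLV_TTL, struct.pack("!H", 120)),
        tlv(TLV_ORG, OUI + bytes([SUBTYPE_SN]) + sn.encode()),
        tlv(TLV_ORG, OUI + bytes([SUBTYPE_CERT]) + cert),
        tlv(TLV_END, b""),
    ])


def parse_credentials(lldpdu: bytes) -> Tuple[Optional[str], Optional[bytes]]:
    """First device: walk the TLV chain and extract SN and certificate."""
    sn, cert, off = None, None, 0
    while off + 2 <= len(lldpdu):
        (hdr,) = struct.unpack_from("!H", lldpdu, off)
        tlv_type, length = hdr >> 9, hdr & 0x1FF
        value = lldpdu[off + 2:off + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV")   # malformed frame: do not trust it
        off += 2 + length
        if tlv_type == TLV_END:
            break
        if tlv_type == TLV_ORG and len(value) >= 4 and value[:3] == OUI:
            if value[3] == SUBTYPE_SN:
                sn = value[4:].decode("ascii", errors="replace")
            elif value[3] == SUBTYPE_CERT:
                cert = value[4:]
    return sn, cert


def decide_port_state(lldpdu: Optional[bytes], received_at: Optional[float],
                      link_up_at: float, wait_seconds: float,
                      trusted: Dict[str, bytes]) -> str:
    """Claims 1 and 2: the port goes UP only if a frame arrived within the
    specified time and both SN and certificate match one pre-stored trusted
    entry; in every other case the port stays DOWN, the default state."""
    if lldpdu is None or received_at is None:
        return "DOWN"                                # nothing received
    if received_at > link_up_at + wait_seconds:
        return "DOWN"                                # arrived after the window
    try:
        sn, cert = parse_credentials(lldpdu)
    except ValueError:
        return "DOWN"                                # malformed LLDPDU
    if sn is None or cert is None or sn not in trusted:
        return "DOWN"
    # constant-time compare so a forged certificate does not leak match length
    return "UP" if hmac.compare_digest(trusted[sn], cert) else "DOWN"
```

The trusted dictionary stands in for the locally stored list that claim 3 refreshes from the authentication server; swapping in the server's copy is a plain dictionary replacement.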
Application CN201210417090.5A, priority and filing date 2012-10-26, "Port based authentication method and network device", status pending, publication CN103780389A (en)

Publications (1)

Publication Number Publication Date
CN103780389A (en) 2014-05-07

Family

ID=50572263

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050163118A1 (en) * 2004-01-23 2005-07-28 Siemens Aktiengesellschaft Method for assigning an IP address to a device
CN101207475A (en) * 2006-12-15 2008-06-25 友劲科技股份有限公司 Method for preventing non-authorization linking of network system
CN101345655A (en) * 2008-08-15 2009-01-14 中兴通讯股份有限公司 Method for discovering protocol and acquiring network connection information by utilization of link layer
CN101997684A (en) * 2009-08-10 2011-03-30 北京多思科技发展有限公司 Authorization authentication method, device and system
CN102246535A (en) * 2008-12-10 2011-11-16 晶像股份有限公司 Method, apparatus and system for employing a secure content protection system
CN102523089A (en) * 2010-09-20 2012-06-27 微软公司 Secondary credentials for batch system
CN202444500U (en) * 2011-11-28 2012-09-19 宁波桔槐电子科技有限公司 Remote identity authentication system for pervasive network

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105577618A (en) * 2014-10-15 2016-05-11 中兴通讯股份有限公司 Authentication method and apparatus
CN105721489A (en) * 2016-03-16 2016-06-29 四川长虹电器股份有限公司 Authentication method and system of IPs in IP white list based on digital certificates
CN107566143A (en) * 2016-06-30 2018-01-09 中兴通讯股份有限公司 A kind of vertical stack finds method and apparatus
CN107566143B (en) * 2016-06-30 2022-02-25 深圳市中兴通讯技术服务有限责任公司 Longitudinal stacking discovery method and device
CN109905285A (en) * 2017-12-11 2019-06-18 北京华为数字技术有限公司 A kind of method and the network equipment of network management
CN109905285B (en) * 2017-12-11 2021-08-13 北京华为数字技术有限公司 Network management method and network equipment
CN113972995A (en) * 2020-07-24 2022-01-25 华为技术有限公司 Network configuration method and device
CN113972995B (en) * 2020-07-24 2023-04-28 华为技术有限公司 Network configuration method and device
CN114884803A (en) * 2022-04-28 2022-08-09 交控科技股份有限公司 Method, device, equipment and medium for processing multiple redundant states
CN114884803B (en) * 2022-04-28 2024-02-20 交控科技股份有限公司 Method, device, equipment and medium for processing multiple redundant states
CN116389168A (en) * 2023-05-31 2023-07-04 北京芯盾时代科技有限公司 Identity authentication method and device
CN116389168B (en) * 2023-05-31 2023-08-29 北京芯盾时代科技有限公司 Identity authentication method and device

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 2014-05-07