CN104219123B - Method and system for realizing application differentiation guarantee - Google Patents
- Publication number: CN104219123B (application number CN201310210874.5A)
- Authority: CN (China)
Abstract
The invention discloses a method and system for realizing application differentiation guarantee. The method includes: an IDG client sends an L2TP tunnel application to an IDG gateway, the application carrying the application account and password of a specific application; the IDG gateway requests an L2TP AAA system to authenticate the application account and password; if authentication passes, a specific address is allocated to the specific application; the IDG client sends the uplink data traffic of the specific application to the IDG gateway through the L2TP tunnel; the core router routes the uplink data traffic onto the CN2 bearer based on a source address routing policy; the IDC egress router routes the downlink data traffic onto the CN2 bearer based on a destination address routing policy; and the IDG gateway sends the downlink data traffic to the IDG client through the L2TP tunnel. Embodiments of the invention can meet the end-to-end differentiation guarantee requirements for specific users and applications in a network.
Description
Technical Field
The invention relates to communication technology, and in particular to a method and a system for realizing application differentiation guarantee.
Background
Currently, the intelligent pipe capability proposed by operators requires end-to-end differentiated guarantee in the network for specific Internet applications (e.g., video calls, games, etc.). The metropolitan area network and the access network are guaranteed by means of quality of service (QoS) marking and queue scheduling, and in the backbone network the Internet application to be guaranteed is routed onto the dedicated China Telecom Next generation Carrier Network (CNCN, CN2 for short). Currently, in order to distinguish a specific application of a specific user, it is necessary to distinguish it by a two-dimensional parameter (source address, destination address), and to perform QoS marking or configure policy routing on the network access device accordingly.
In the current network solution, QoS marking based on the two-dimensional parameter (source address and destination address) needs to be performed on the broadband access server (BRAS) that acts as the access control device, or a metro network core router needs to configure policy routing based on the two-dimensional parameter (source address and destination address). At the same time, the egress router of the Internet data center (IDC) must configure policy routing based on the two-dimensional parameter (source address, destination address). Fig. 1 is a schematic diagram of a system architecture for differentiated guarantee of users and applications in the prior art.
However, in the course of implementing the present invention, the inventors found that the above prior art has at least the following problems:
In order to implement differentiated guarantee for a specific user and a specific application, the prior art can distinguish the specific application of the specific user only through a two-dimensional parameter routing policy (source address and destination address). Because the IP addresses allocated to broadband users are dispersed, QoS marks or routing policies based on the source address and the destination address cannot be configured in the network in advance, and policy routing based on the two-dimensional parameter (source address and destination address) places higher requirements on the metropolitan area network and the IDC egress router.
Disclosure of Invention
The technical problem to be solved by the embodiment of the invention is as follows: a method and a system for realizing application differentiation guarantee are provided to meet the end-to-end differentiation guarantee requirement of a specific user and an application in a network.
The method for realizing application differentiation guarantee provided by the embodiment of the invention comprises the following steps:
when an application client of a specific application preset in a user terminal is started, an intelligent differentiation guarantee gateway (IDG) client in the user terminal sends a Layer 2 Tunneling Protocol (L2TP) tunnel application to an IDG gateway, wherein the L2TP tunnel application comprises the application account and password of the specific application; the IDG gateway is arranged in the metropolitan area network and is positioned at the core router side of the metropolitan area network;
the IDG gateway requests the L2TP authentication, authorization and accounting (AAA) system to authenticate the application account and password;
in response to the application account and password passing authentication, the IDG gateway allocates a specific address in a specific address field to the specific application;
the IDG client tunnels the uplink data traffic of the specific application to the IDG gateway through L2TP;
the IDG gateway forwards the uplink data traffic to a core router;
the core router routes the uplink data traffic whose source address is the specific address onto the CN2 bearer of the China Telecom next generation bearer network, based on a preset source address routing policy;
after receiving the downlink data traffic of the specific application, the egress router of the Internet data center (IDC) routes the downlink data traffic whose destination address is the specific address onto the CN2 bearer, based on a preset destination address routing policy;
the core router forwards the downlink data traffic to the IDG gateway;
the IDG gateway tunnels the downlink data traffic to the IDG client through L2TP.
In another embodiment of the method for implementing application differentiation provisioning, the IDG client is specifically an IDG plug-in unit preset in the specific application.
In another embodiment of the foregoing method for implementing application differentiation provisioning, before the IDG client sends an L2TP tunnel application to the IDG gateway, the method further includes:
the IDG client acquires the application account and password of the specific application from the application client through an application program interface (API).
In another embodiment of the method for implementing application differentiation provisioning, the IDG client specifically transmits the uplink data traffic of the specific application to the IDG gateway through an L2TP tunnel through a virtual network card interface on the IDG client.
In another embodiment of the method for implementing application differentiated assurance, the method further includes:
the L2TP AAA system acquires an application account number and a password from an application server of a specific application in advance and stores the application account number and the password.
In another embodiment of the method for implementing application differentiation guarantee, the IDG client sends the L2TP tunnel application and the uplink data traffic to the IDG gateway through a broadband access server (BRAS), and receives the downlink data traffic sent by the IDG gateway;
a high quality of service (QoS) mark is set on the BRAS for the gateway address of the IDG gateway;
a high QoS mark is set on the core router for the specific address;
and the method further comprises the following steps:
after receiving the uplink data traffic, the BRAS, in response to the destination address of the uplink data traffic being the gateway address of the IDG gateway, applies high QoS transmission quality to the uplink data traffic;
after receiving the downlink data traffic, the core router, in response to the destination address of the downlink data traffic being the specific address, applies high QoS transmission quality to the downlink data traffic.
The system for realizing application differentiation guarantee comprises a user terminal and a broadband access server (BRAS), wherein the user terminal is provided with an application client; it further comprises:
an intelligent differentiation guarantee gateway (IDG) client, arranged in the user terminal for a specific application preset in the user terminal, and used for sending a Layer 2 Tunneling Protocol (L2TP) tunnel application to the IDG gateway when the application client is started, wherein the L2TP tunnel application comprises the application account and password of the specific application; and for tunneling the uplink data traffic of the specific application to the IDG gateway through L2TP;
the IDG gateway, arranged in the metropolitan area network and positioned at the core router side of the metropolitan area network, and used for requesting, in response to receiving the L2TP tunnel application, an L2TP authentication, authorization and accounting (AAA) system to authenticate the application account and password; for allocating, in response to the application account and password passing authentication, a specific address in a specific address field to the specific application; for forwarding the uplink data traffic to the core router; and for transmitting the downlink data traffic of the specific application forwarded by the core router to the IDG client through the L2TP tunnel;
the L2TP AAA system, used for acquiring and storing in advance the application account and password from the application server of the specific application;
the core router, used for routing the uplink data traffic whose source address is the specific address onto the CN2 bearer of the China Telecom next generation bearer network, based on a preset source address routing policy; and for forwarding the downlink data traffic of the specific application carried by CN2 to the IDG gateway;
and the egress router of the Internet data center (IDC), configured to route, after receiving the downlink data traffic of the specific application, the downlink data traffic whose destination address is the specific address onto the CN2 bearer, based on a preset destination address routing policy.
In another embodiment of the system for implementing application differentiation provisioning, the IDG client is specifically an IDG plug-in unit preset in the specific application.
In another embodiment of the above system for implementing application differentiation provisioning, the IDG client is further configured to obtain an application account and a password of the specific application from the application client through an application program interface API before sending the L2TP tunnel application to the IDG gateway.
In another embodiment of the system for implementing application differentiation provisioning, the IDG client specifically transmits the uplink data traffic of the specific application to the IDG gateway through an L2TP tunnel through a virtual network card interface on the IDG client.
In another embodiment of the system for implementing application differentiation guarantee, the IDG client sends the L2TP tunnel application and the uplink data traffic to the IDG gateway through the BRAS, and receives the downlink data traffic sent by the IDG gateway;
the BRAS is further used for storing a high quality of service (QoS) mark set for the gateway address of the IDG gateway; and, after receiving the uplink data traffic, for applying high QoS transmission quality to the uplink data traffic in response to its destination address being the gateway address of the IDG gateway;
the core router is further used for storing a high QoS mark set for the specific address; and, after receiving the downlink data traffic, for applying high QoS transmission quality to the downlink data traffic in response to its destination address being the specific address.
In the method and system for realizing application differentiation guarantee provided by the above embodiments of the present invention, an IDG gateway is set in the metropolitan area network and an IDG client is set in the user terminal. When a user accesses a specific application, a tunnel application is made to establish an L2TP tunnel between the IDG client and the metropolitan area network L2TP gateway, the IDG gateway allocates a specific address in a specific address segment to the specific application, and policy routing is performed based on that specific address. The specific application of the specific user is thereby distinguished, satisfying the end-to-end differentiation guarantee requirements for the specific user and the specific application in the metropolitan area network and the backbone network.
The technical solution of the present invention is further described in detail by the accompanying drawings and embodiments.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description, serve to explain the principles of the invention.
The invention will be more clearly understood from the following detailed description, taken with reference to the accompanying drawings, in which:
Fig. 1 is a schematic diagram of a system architecture for differentiated guarantee of users and applications in the prior art.
Fig. 2 is a flowchart of an embodiment of a method for implementing application differentiation guarantee according to the present invention.
Fig. 3 is a schematic structural diagram of an embodiment of a system for implementing application differentiation guarantee according to the present invention.
Detailed Description
Various exemplary embodiments of the present invention will now be described in detail with reference to the accompanying drawings. It should be noted that: the relative arrangement of the components and steps, the numerical expressions and numerical values set forth in these embodiments do not limit the scope of the present invention unless specifically stated otherwise.
Meanwhile, it should be understood that the sizes of the respective portions shown in the drawings are not drawn in an actual proportional relationship for the convenience of description.
The following description of at least one exemplary embodiment is merely illustrative in nature and is in no way intended to limit the invention, its application, or uses.
Techniques, methods, and apparatus known to those of ordinary skill in the relevant art may not be discussed in detail but are intended to be part of the specification where appropriate.
In all examples shown and discussed herein, any particular value should be construed as merely illustrative, and not limiting. Thus, other examples of the exemplary embodiments may have different values.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, further discussion thereof is not required in subsequent figures.
Fig. 2 is a flowchart of an embodiment of a method for implementing application differentiation guarantee according to the present invention. As shown in Fig. 2, the method for implementing application differentiation guarantee of this embodiment includes:
210, when an application client of a specific application preset in the user terminal is started, an intelligent differentiation guarantee gateway (IDG) client in the user terminal sends a Layer 2 Tunneling Protocol (L2TP) tunnel application to the IDG gateway, where the L2TP tunnel application includes the application account and password of the specific application.
The IDG gateway is disposed in the metro network and is located at the core router side of the metro network.
Illustratively, the IDG client may specifically be an IDG plug-in unit preset in the specific application.
220, the IDG gateway requests the L2TP authentication, authorization and accounting (AAA) system to authenticate the application account and password in the L2TP tunnel application.
230, if the application account and password in the L2TP tunnel application pass authentication, the IDG gateway allocates a specific address in the specific address field to the specific application.
Otherwise, if the application account and password in the L2TP tunnel application do not pass authentication, the subsequent steps of this embodiment are not executed.
240, the IDG client tunnels the uplink data traffic of the specific application to the IDG gateway through L2TP.
250, the IDG gateway forwards the uplink data traffic to the core router.
260, the core router routes the uplink data traffic whose source address is the specific address onto the CN2 bearer, based on a preset source address routing policy.
270, after receiving the downlink data traffic of the specific application, the egress router of the IDC routes the downlink data traffic whose destination address is the specific address onto the CN2 bearer, based on the preset destination address routing policy.
280, the core router forwards the downlink data traffic to the IDG gateway.
290, the IDG gateway tunnels the downlink data traffic to the IDG client through L2TP.
The embodiment of the invention only carries out policy routing configuration on the exit routers of the metro network and the IDC aiming at the specific address field distributed by the IDG gateway, carries out source address policy routing on the exit of the metro network aiming at the uplink data traffic, and carries out destination address policy routing on the exit router of the IDC aiming at the downlink data traffic, thereby realizing the differentiated bearing of the specific application of a specific user. In the embodiment of the invention, the existing user internet access flow is not influenced, and other internet applications still carry out internet access through the IP address distributed by the BRAS equipment.
In the method for realizing application differentiation guarantee provided by the above embodiment of the present invention, an IDG gateway is arranged in the metropolitan area network and an IDG client is arranged in the user terminal. When a user accesses a specific application, a tunnel application is made to establish an L2TP tunnel between the IDG client and the metropolitan area network L2TP gateway, the IDG gateway allocates a specific address in a specific address field to the specific application, and policy routing is performed based on that specific address. The specific application of the specific user is thereby distinguished, satisfying the end-to-end differentiation guarantee requirements for the specific user and the specific application in the metropolitan area network and the backbone network.
According to another embodiment of the method for implementing application differentiation guarantee of the present invention, before operation 210 in the embodiment shown in Fig. 2, that is, before the IDG client sends the L2TP tunnel application to the IDG gateway, the method may further include:
the IDG client obtains the application account and password of the specific application from the application client through an application program interface (API).
In operation 240, the IDG client may specifically tunnel uplink data traffic of a specific application to the IDG gateway through the L2TP through the virtual network card interface on the IDG client, which is a specific example but not a limitation of the embodiment of the method for implementing application differentiation provisioning according to the present invention.
According to another embodiment of the method for implementing application differentiation assurance of the present invention, the method may further include: the L2TP AAA system obtains application account number and password from application server of specific application in advance and stores them.
According to another specific example, but not by way of limitation, of the embodiment of the method for implementing differentiation guarantee of the present invention, in each of the above embodiments the IDG client may send the L2TP tunnel application and the uplink data traffic to the IDG gateway through a broadband access server (BRAS), and receive the downlink data traffic sent by the IDG gateway. Further illustratively, a high quality of service (QoS) mark may be set in advance on the BRAS for the gateway address of the IDG gateway, and a high QoS mark may be set in advance on the core router for the specific address. In this embodiment the method may then further include:
after receiving the uplink data traffic, the BRAS, in response to the destination address of the uplink data traffic being the gateway address of the IDG gateway, applies high QoS transmission quality to the uplink data traffic, so that differentiated bearing in the metropolitan area network is realized;
after receiving the downlink data traffic, the core router, in response to the destination address of the downlink data traffic being the specific address, applies high QoS transmission quality to the downlink data traffic.
Fig. 3 is a schematic structural diagram of an embodiment of a system for implementing application differentiation guarantee according to the present invention. The method for implementing application differentiation guarantee of the present invention can be further described with reference to Fig. 3 by taking the following specific application embodiment as an example:
a user terminal accesses the Internet and is allocated an Internet address, such as 202.112.10.1, by the BRAS through the existing Point-to-Point Protocol over Ethernet (PPPoE) dialing mode;
the user initiates an L2TP tunnel application by means of an IDG plug-in unit built into the client of a specific application (such as a game) in the user terminal, and at the same time sends the application account and password of the specific application;
after the user applies for the specific application service from the application server, the user's application account and password are obtained, and the L2TP AAA system may obtain and store the application account and password from the application server;
after receiving the L2TP tunnel application sent by the user terminal, the IDG gateway authenticates the application account and password in the L2TP tunnel application through the L2TP AAA system, and after the application account and password pass authentication it allocates the user an address in a specific address field of the metropolitan area network, called the specific address, for example 210.74.0.1;
the IDG plug-in unit makes the specific application access the Internet through the specific address 210.74.0.1 allocated by the IDG gateway, the uplink data traffic of the specific application is transmitted to the IDG gateway through the L2TP tunnel, and other Internet applications still access the Internet through the original address 202.112.10.1;
the IDG gateway forwards the uplink data traffic to the core router (CR) of the metropolitan area network;
the core router applies a source address routing policy for the specific address field, and the uplink data traffic of the user accessing the specific application is carried over CN2;
the IDC egress router applies a destination address routing policy for the specific address segment, and the downlink data traffic of the application server is carried over CN2;
in the metropolitan area network, the BRAS and the core router can be configured in advance with a high QoS identifier for the address of the IDG gateway, that is: on the uplink, the BRAS sets high QoS for the destination address of the IDG gateway; on the downlink, the core router sets high QoS for the specific address allocated to the user by the IDG gateway; the BRAS applies high QoS transmission quality to the uplink data traffic and the core router applies high QoS transmission quality to the downlink data traffic, so that the end-to-end transmission quality of the specific application of the specific user is guaranteed and differentiated bearing is realized.
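The flow of the embodiment above (steps 210 to 290), as an added simulation that is not part of the patent: it models the AAA check, the allocation from the specific address field, the one-dimensional policy routing at the core router and at the IDC egress, and the QoS marks at the BRAS and core router. The addresses 202.112.10.1 and 210.74.0.1 are the page's; the pool size, the IDG gateway and server addresses, the account, and the ingress-interface check in core_router_uplink are assumptions.

```python
"""Constructed simulation of the IDG flow (steps 210-290), not code from the patent.
202.112.10.1 and 210.74.0.1 come from the page's embodiment; the pool size, the
IDG gateway and server addresses and the account are made up here."""
import hmac
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

BRAS_ADDRESS = IPv4Address("202.112.10.1")    # PPPoE address issued by the BRAS (page)
SPECIFIC_POOL = IPv4Network("210.74.0.0/24")  # "specific address field" (210.74.0.1 on page)
IDG_GATEWAY = IPv4Address("10.255.0.1")       # hypothetical IDG gateway (LNS) address
APP_SERVER = IPv4Address("203.0.113.10")      # hypothetical game server inside the IDC
OTHER_SITE = IPv4Address("198.51.100.7")      # hypothetical ordinary Internet site


@dataclass
class Packet:
    src: IPv4Address
    dst: IPv4Address
    qos: str = "default"              # set by the BRAS (uplink) or core router (downlink)
    bearer: str = "internet"          # set by the core router (uplink) or IDC egress (downlink)
    inner: Optional["Packet"] = None  # L2TP payload while tunnelled


class L2tpAaaSystem:
    """Holds the application accounts obtained in advance from the application server."""
    def __init__(self, accounts: dict[str, str]) -> None:
        self._accounts = accounts

    def authenticate(self, account: str, password: str) -> bool:
        stored = self._accounts.get(account)
        return stored is not None and hmac.compare_digest(stored, password)


class IdgGateway:
    """LNS side: authenticate (step 220), then allocate from the specific pool (step 230)."""
    def __init__(self, aaa: L2tpAaaSystem, pool: IPv4Network) -> None:
        self._aaa, self._free = aaa, list(pool.hosts())
        self.sessions: dict[IPv4Address, str] = {}

    def apply_tunnel(self, account: str, password: str) -> Optional[IPv4Address]:
        if not self._aaa.authenticate(account, password) or not self._free:
            return None  # auth failed or pool exhausted: no address, no tunnel
        addr = self._free.pop(0)
        self.sessions[addr] = account
        return addr

    def decapsulate(self, pkt: Packet) -> Optional[Packet]:
        # Only hand on payload whose source is an address this gateway allocated
        if pkt.dst != IDG_GATEWAY or pkt.inner is None or pkt.inner.src not in self.sessions:
            return None
        return pkt.inner


def bras_uplink(pkt: Packet) -> Packet:
    """BRAS: high QoS keyed only on the IDG gateway address as destination."""
    if pkt.dst == IDG_GATEWAY:
        pkt.qos = "high"
    return pkt


def core_router_uplink(pkt: Packet, from_idg_gateway: bool) -> Packet:
    """Core router: one-dimensional source-address policy routing to CN2 (step 260).
    The interface check is an added hardening assumption not on the page: the policy
    fires only for packets handed over by the IDG gateway, so a host that merely writes
    a pool address into its own packets is not carried on CN2."""
    if from_idg_gateway and pkt.src in SPECIFIC_POOL:
        pkt.bearer = "CN2"
    return pkt


def idc_egress_downlink(pkt: Packet) -> Packet:
    """IDC egress router: destination-address policy routing to CN2 (step 270)."""
    if pkt.dst in SPECIFIC_POOL:
        pkt.bearer = "CN2"
    return pkt


def core_router_downlink(pkt: Packet) -> Packet:
    """Core router: high QoS for downlink whose destination is a specific address."""
    if pkt.dst in SPECIFIC_POOL:
        pkt.qos = "high"
    return pkt


def run_session(account: str, password: str) -> dict:
    """Drive one user through the flow and record what each hop decided."""
    gw = IdgGateway(L2tpAaaSystem({"player01": "s3cret-demo"}), SPECIFIC_POOL)
    result = {"specific": gw.apply_tunnel(account, password)}
    specific = result["specific"]
    if specific is None:
        return result  # step 230 failed: only the ordinary BRAS path remains
    # step 240: the inner packet carries the specific address, tunnelled to the gateway
    tunnel = bras_uplink(Packet(BRAS_ADDRESS, IDG_GATEWAY, inner=Packet(specific, APP_SERVER)))
    result["tunnel"] = tunnel
    result["uplink"] = core_router_uplink(gw.decapsulate(tunnel), from_idg_gateway=True)
    # steps 270-280: downlink from the application server back to the specific address
    result["downlink"] = core_router_downlink(idc_egress_downlink(Packet(APP_SERVER, specific)))
    # other applications keep the BRAS address and stay on the ordinary Internet path
    result["other"] = core_router_uplink(bras_uplink(Packet(BRAS_ADDRESS, OTHER_SITE)), False)
    return result
```

Running run_session("player01", "s3cret-demo") yields 210.74.0.1 as the specific address, CN2 as the bearer for both directions, and the ordinary path for traffic that keeps the BRAS address.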
Fig. 3 is a schematic structural diagram of an embodiment of a system for implementing application differentiation guarantee according to the present invention. The system for implementing application differentiation guarantee of this embodiment can be used to implement the above-described methods for implementing application differentiation guarantee of the present invention. As shown in Fig. 3, it includes a user terminal, a BRAS, an IDG client, an IDG gateway, an L2TP AAA system, a core router, and an egress router of an IDC. The user terminal is provided with an application client. Wherein:
the IDG client is arranged in the user terminal, supports the L2TP access concentrator (LAC) function for tunnel dialing, and is used for sending an L2TP tunnel application to the IDG gateway when the application client of the specific application preset in the user terminal is started, wherein the L2TP tunnel application comprises the application account and password of the specific application; it also supports a differentiated routing function that tunnels traffic for the destination address of the specific application, tunneling the uplink data traffic of the specific application to the IDG gateway through L2TP.
Illustratively, the IDG client may specifically be an IDG plug-in unit preset in the specific application.
The IDG gateway is arranged in the metropolitan area network, is positioned at the core router side of the metropolitan area network, supports the L2TP network server (LNS) function, and is used for requesting, in response to receiving the L2TP tunnel application, the L2TP AAA system to authenticate the application account and password in the L2TP tunnel application; for allocating, in response to the application account and password passing authentication, a specific address in the specific address field to the specific application; for forwarding the uplink data traffic to the core router; and for tunneling the downlink data traffic of the specific application forwarded by the core router to the IDG client through L2TP.
The L2TP AAA system is used for acquiring and storing in advance the application account and password from the application server of the specific application.
The core router is used for routing the uplink data traffic whose source address is the specific address onto the CN2 bearer, based on a preset source address routing policy; and for forwarding the downlink data traffic of the specific application carried by CN2 to the IDG gateway.
The egress router of the IDC is used for routing, after receiving the downlink data traffic of the specific application, the downlink data traffic whose destination address is the specific address onto the CN2 bearer, based on a preset destination address routing policy.
In the system for realizing application differentiation guarantee provided by the above embodiment of the present invention, an IDG gateway is arranged in the metropolitan area network and an IDG client is arranged in the user terminal. When a user accesses a specific application, the system applies to establish an L2TP tunnel between the IDG client and the metropolitan area network L2TP gateway, the IDG gateway allocates a specific address in a specific address field to the specific application, and policy routing is performed based on that specific address. The specific application of the specific user is thereby distinguished, meeting the end-to-end differentiation guarantee requirements for the specific user and the specific application in the metropolitan area network and the backbone network.
According to another embodiment of the system for implementing application differentiation guarantee of the present invention, the IDG client further supports an API interface to the application client for acquiring information such as the user account and password, and may be configured to acquire the application account and password of the specific application from the application client through the API before sending the L2TP tunnel application to the IDG gateway.
According to a specific example, but not by way of limitation, of the embodiment of the system for implementing application differentiation guarantee of the present invention, the IDG client may establish an L2TP virtual network card interface, and may specifically transmit the uplink data traffic of the specific application to the IDG gateway through the L2TP tunnel via that virtual network card interface on the IDG client.
According to another embodiment of the system for implementing application differentiation guarantee, the IDG client may send the L2TP tunnel application and the uplink data traffic to the IDG gateway through the BRAS, and receive the downlink data traffic sent by the IDG gateway. Accordingly, the BRAS may also be used to store a high QoS mark set for the gateway address of the IDG gateway and, after receiving the uplink data traffic, to apply high QoS transmission quality to it in response to its destination address being the gateway address of the IDG gateway. The core router may also be used to store a high QoS mark set for the specific address and, after receiving the downlink data traffic, to apply high QoS transmission quality to it in response to its destination address being the specific address.
In the present specification, the embodiments are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same or similar parts in the embodiments are referred to each other. For the system embodiment, since it basically corresponds to the method embodiment, the description is relatively simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
The method and system of the present invention may be implemented in a number of ways. For example, the methods and systems of the present invention may be implemented in software, hardware, firmware, or any combination of software, hardware, and firmware. The above-described order of the steps of the method is for illustrative purposes only, and the steps of the method of the present invention are not limited to the order specifically described above unless specifically indicated otherwise. Furthermore, in some embodiments, the present invention may also be embodied as a program recorded in a recording medium, the program including machine-readable instructions for implementing a method according to the present invention. Thus, the present invention also covers a recording medium storing a program for executing the method according to the present invention.
Those of ordinary skill in the art will understand that: all or part of the steps for implementing the method embodiments may be implemented by hardware related to program instructions, and the program may be stored in a computer readable storage medium, and when executed, the program performs the steps including the method embodiments; and the aforementioned storage medium includes: various media that can store program codes, such as ROM, RAM, magnetic or optical disks.
By establishing an L2TP tunnel, the embodiment allocates a specific address block to a specific application of a specific user, which reduces the complexity of telling users and applications apart. For the backbone-side guarantee, a one-dimensional policy route (matching only the source address or only the destination address) is configured on the metropolitan area network egress router and on the IDC egress router, so that the user's specific application is carried over CN2 with much simpler configuration than the original method required; and high-QoS marking on the BRAS side for traffic destined to the IDG gateway address yields an end-to-end transmission quality guarantee for the specific application of the specific user.
The embodiment makes full use of L2TP, a mature existing technology. Through the cooperation of the IDG gateway and the IDG client, plus a simple configuration of the network-side equipment, it solves the problem that the existing network cannot guarantee a specific application for a specific user; the deployment is simple and the scheme is innovative and feasible.
The description of the present invention has been presented for purposes of illustration and description, and is not intended to be exhaustive or limited to the invention in the form disclosed. Many modifications and variations will be apparent to practitioners skilled in this art. The embodiment was chosen and described in order to best explain the principles of the invention and the practical application, and to enable others of ordinary skill in the art to understand the invention for various embodiments with various modifications as are suited to the particular use contemplated.
Claims (11)
1. A method for realizing application differentiation guarantee, characterized by comprising the following steps:
when an application client of a specific application preset in a user terminal is started, an intelligent differentiation guarantee gateway (IDG) client in the user terminal sends a layer-two tunneling protocol (L2TP) tunnel request to an IDG gateway, the L2TP tunnel request including the application account and password of the specific application; the IDG gateway is deployed in the metropolitan area network on the core router side of the metropolitan area network;
the IDG gateway requests an L2TP authentication, authorization and accounting (AAA) system to authenticate the application account and password;
in response to the application account and password passing authentication, the IDG gateway allocates to the specific application a specific address from a specific address block;
the IDG client tunnels the uplink data traffic of the specific application to the IDG gateway through L2TP;
the IDG gateway forwards the uplink data traffic to a core router;
the core router routes the uplink data traffic whose source address is the specific address onto the CN2 bearer of the China Telecom next generation bearer network, based on a preset source-address routing policy;
after receiving the downlink data traffic of the specific application, an egress router of the Internet data center (IDC) routes the downlink data traffic whose destination address is the specific address onto CN2, based on a preset destination-address routing policy;
the core router forwards the downlink data traffic to the IDG gateway;
the IDG gateway transmits the downlink data traffic to the IDG client through the L2TP tunnel;
and the IDG client sends the L2TP tunnel request and the uplink data traffic to the IDG gateway through a broadband remote access server (BRAS) and receives the downlink data traffic sent by the IDG gateway.
2. The method of claim 1, wherein the IDG client is specifically an IDG plug-in preset in the specific application.
3. The method of claim 1, wherein before the IDG client sends the L2TP tunnel request to the IDG gateway, the method further comprises:
the IDG client obtaining the application account and password of the specific application from the application client through an application programming interface (API).
4. The method of claim 1, wherein the IDG client tunnels the uplink data traffic of the specific application to the IDG gateway through L2TP specifically via a virtual network interface card on the IDG client.
5. The method of any one of claims 1 to 4, further comprising:
the L2TP AAA system obtaining the application account and password from an application server of the specific application in advance and storing them.
6. The method of claim 5, wherein a high quality of service (QoS) mark is set on the BRAS for the gateway address of the IDG gateway,
and a high QoS mark is set on the core router for the specific address,
the method further comprising:
after receiving the uplink data traffic, the BRAS, in response to the destination address of the uplink data traffic being the gateway address of the IDG gateway, transmitting the uplink data traffic with high QoS;
and after receiving the downlink data traffic, the core router, in response to the destination address of the downlink data traffic being the specific address, transmitting the downlink data traffic with high QoS.
7. A system for realizing application differentiation guarantee, comprising a user terminal provided with an application client and a broadband remote access server (BRAS), characterized by further comprising:
an intelligent differentiation guarantee gateway (IDG) client, arranged in the user terminal and configured to send a layer-two tunneling protocol (L2TP) tunnel request to an IDG gateway when an application client of a specific application preset in the user terminal is started, the L2TP tunnel request including the application account and password of the specific application, and to tunnel the uplink data traffic of the specific application to the IDG gateway through L2TP;
the IDG gateway, deployed in the metropolitan area network on the core router side of the metropolitan area network and configured to request, in response to receiving the L2TP tunnel request, an L2TP authentication, authorization and accounting (AAA) system to authenticate the application account and password; to allocate to the specific application a specific address from a specific address block in response to the application account and password passing authentication; to forward the uplink data traffic to a core router; and to transmit the downlink data traffic of the specific application forwarded by the core router to the IDG client through the L2TP tunnel;
an L2TP AAA system, configured to obtain the application account and password from an application server of the specific application in advance and to store them;
the core router, configured to route the uplink data traffic whose source address is the specific address onto the CN2 bearer of the China Telecom next generation bearer network based on a preset source-address routing policy, and to forward the downlink data traffic of the specific application carried by CN2 to the IDG gateway;
an egress router of the Internet data center (IDC), configured to route, after receiving the downlink data traffic of the specific application, the downlink data traffic whose destination address is the specific address onto CN2 based on a preset destination-address routing policy;
wherein the IDG client sends the L2TP tunnel request and the uplink data traffic to the IDG gateway through the BRAS and receives the downlink data traffic sent by the IDG gateway.
8. The system of claim 7, wherein the IDG client is specifically an IDG plug-in preset in the specific application.
9. The system of claim 7, wherein the IDG client is further configured to obtain the application account and password of the specific application from the application client through an application programming interface (API) before sending the L2TP tunnel request to the IDG gateway.
10. The system of claim 7, wherein the IDG client tunnels the uplink data traffic of the specific application to the IDG gateway through L2TP specifically via a virtual network interface card on the IDG client.
11. The system according to any one of claims 7 to 10, wherein:
the BRAS is further configured to store a high quality of service (QoS) mark set for the gateway address of the IDG gateway and, after receiving the uplink data traffic, in response to the destination address of the uplink data traffic being the gateway address of the IDG gateway, to transmit the uplink data traffic with high QoS;
the core router is further configured to store a high QoS mark set for the specific address and, after receiving the downlink data traffic, in response to the destination address of the downlink data traffic being the specific address, to transmit the downlink data traffic with high QoS.
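As an added example (not code from the patent or from its applicant), the Python model below walks through the procedure of claims 1 and 6, which the system claims 7 to 11 restate: AAA authentication of the tunnel request, allocation of one address from the specific block, the source-address policy route on the core router, the destination-address policy route on the IDC egress router, and the two high-QoS marks. The address block 10.200.0.0/24, the gateway address 10.100.0.1, DSCP 46 as the "high QoS" mark, the account "video-app" and the salted-hash credential store are assumptions; the patent names no concrete values. The model makes explicit what the claims leave implicit: the BRAS classifies on the outer L2TP header (destination equal to the gateway address), whereas the core and IDC routers classify on the inner source or destination address, so each device needs only a single-field match. The gateway's check that an inner source address was actually allocated to an authenticated session is also added here; the claims do not describe it, but it is the natural place to bind the allocated address to the session that passed AAA, since the routers trust the address alone. Note too that L2TP by itself gives the tunnel request, which carries the application account and password, no confidentiality; the model does not simulate the transport protection (for example IPsec) a deployment would need.

```python
# Added example (not the patent's code): model of claims 1 to 11; the constants are assumed values.
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass

HIGH_DSCP = 46                                      # assumed "high QoS" mark (Expedited Forwarding)
APP_POOL = ipaddress.ip_network("10.200.0.0/24")    # assumed "specific address field"
GATEWAY_ADDR = ipaddress.ip_address("10.100.0.1")   # assumed IDG gateway address

@dataclass
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dscp: int = 0

@dataclass
class L2tpFrame:  # outer header addressed to the gateway, inner packet from the specific address
    outer: Packet
    inner: Packet

class L2tpAaa:
    """Application credentials obtained in advance from the application server (claim 5)."""
    def __init__(self):
        self._db = {}  # account -> (salt, digest); salted-hash storage is an assumption

    def provision(self, account, password):
        salt = hashlib.sha256(account.encode()).digest()[:16]
        self._db[account] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000))

    def authenticate(self, account, password):
        if account not in self._db:
            return False
        salt, stored = self._db[account]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)
        return hmac.compare_digest(candidate, stored)

class IdgGateway:
    """Has AAA authenticate the tunnel request, then allocates one specific address (claim 1)."""
    def __init__(self, aaa, address=GATEWAY_ADDR, pool=APP_POOL):
        self.aaa, self.address = aaa, address
        self._free = pool.hosts()
        self.sessions = {}  # specific address -> application account

    def tunnel_request(self, account, password):
        if not self.aaa.authenticate(account, password):
            return None
        specific = next(self._free)
        self.sessions[specific] = account
        return specific

    def decapsulate(self, frame):
        # Added check, not in the claims: forward only inner packets whose source address
        # this gateway allocated to an authenticated session.
        if frame.outer.dst != self.address or frame.inner.src not in self.sessions:
            return None
        return frame.inner

def bras_uplink(frame, gateway=GATEWAY_ADDR):  # claim 6: mark on outer destination == gateway
    if frame.outer.dst == gateway:
        frame.outer.dscp = HIGH_DSCP
    return frame

def core_route_uplink(pkt, pool=APP_POOL):  # claim 1: one-dimensional source-address policy route
    return "CN2" if pkt.src in pool else "Internet"

def core_downlink(pkt, pool=APP_POOL):  # claim 6: mark downlink destined to the specific block
    if pkt.dst in pool:
        pkt.dscp = HIGH_DSCP
    return pkt

def idc_route_downlink(pkt, pool=APP_POOL):  # claim 1: one-dimensional destination-address policy route
    return "CN2" if pkt.dst in pool else "Internet"

def run_session(account, password, client_wan="203.0.113.10", app_server="198.51.100.7"):
    """Walk one application session end to end; None means AAA rejected the tunnel request."""
    aaa = L2tpAaa()
    aaa.provision("video-app", "s3cret")  # constructed credential (claim 5)
    gw = IdgGateway(aaa)
    specific = gw.tunnel_request(account, password)
    if specific is None:
        return None
    client, server = ipaddress.ip_address(client_wan), ipaddress.ip_address(app_server)
    frame = bras_uplink(L2tpFrame(Packet(client, gw.address), Packet(specific, server)))
    inner = gw.decapsulate(frame)
    down = core_downlink(Packet(server, specific))
    return {"specific_address": str(specific),
            "bras_dscp": frame.outer.dscp,              # set on the outer L2TP header
            "uplink_bearer": core_route_uplink(inner),  # matched on the inner source address
            "downlink_bearer": idc_route_downlink(down),
            "core_dscp": down.dscp}

def plain_flow(client_wan="203.0.113.10", server="198.51.100.7"):
    """Traffic from the same terminal outside the tunnel gets neither CN2 nor a QoS mark."""
    c, s = ipaddress.ip_address(client_wan), ipaddress.ip_address(server)
    down = core_downlink(Packet(s, c))
    return core_route_uplink(Packet(c, s)), idc_route_downlink(down), down.dscp
```

Calling run_session("video-app", "s3cret") returns the allocated address, both bearers and both DSCP marks; a wrong password returns None, and plain_flow() shows that the same terminal's untunneled traffic stays on the Internet path unmarked, which is the whole point of keying the policy routes to the allocated block rather than to the subscriber.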
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310210874.5A CN104219123B (en) | 2013-05-31 | 2013-05-31 | Realize the method and system that application differentiation is ensured |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310210874.5A CN104219123B (en) | 2013-05-31 | 2013-05-31 | Realize the method and system that application differentiation is ensured |
Publications (2)
Publication Number | Publication Date |
---|---|
CN104219123A CN104219123A (en) | 2014-12-17 |
CN104219123B true CN104219123B (en) | 2017-10-27 |
Family
ID=52100276
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201310210874.5A Active CN104219123B (en) | 2013-05-31 | 2013-05-31 | Realize the method and system that application differentiation is ensured |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN104219123B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109495461B (en) * | 2018-11-01 | 2021-07-23 | 北京车和家信息技术有限公司 | Data access request processing method and device and vehicle-mounted central control system |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1392708A (en) * | 2001-06-19 | 2003-01-22 | 深圳市中兴通讯股份有限公司 | Allocation method of wide band access user |
CN101222684A (en) * | 2008-01-22 | 2008-07-16 | 中兴通讯股份有限公司 | Method, device and system for optimizing group data service node routing |
CN102752217A (en) * | 2012-07-16 | 2012-10-24 | 北京国创富盛通信股份有限公司 | Network acceleration system and network acceleration method |
Non-Patent Citations (3)
Title |
---|
Application of L2TP in Wuhan Telecom broadband VPDN services (《L2TP在武汉电信宽带VPDN业务中的应用》); Li Cuihong, Xu Lihua; Information & Communications (《信息通信》); 2005-01-31 (No. 1); pp. 31-33 * |
Research and implementation of the QoS subsystem of the China Telecom IP network management system (《中国电信IP网管系统QoS子系统的研究和实现》); Ma Tao; China Master's Theses Full-text Database, Information Science and Technology; 2006-11-15; Chapter 2, Section 2.4 * |
Strategy for interconnecting the metropolitan area network egress with the national backbone (《城域网出口与国干互连的策略》); Peng Rui; Information & Communications (《信息通信》); 2011-01-31 (No. 1); p. 77 Section 1, p. 78 Fig. 2 and Section 3 * |
Also Published As
Publication number | Publication date |
---|---|
CN104219123A (en) | 2014-12-17 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP2533466B1 (en) | Method and apparatus for providing network access to a user entity | |
EP1881660B1 (en) | A method, apparatus and system for wireless access | |
US20150350912A1 (en) | Residential service delivery based on unique residential apn | |
US8509440B2 (en) | PANA for roaming Wi-Fi access in fixed network architectures | |
JP5987122B2 (en) | Network address translated device identification for device specific traffic flow steering | |
JP6373399B2 (en) | Access node device for forwarding data packets | |
CN101711031B (en) | Portal authenticating method during local forwarding and access controller (AC) | |
CN108173981A | Network address translation for subscriber-aware service applications |
WO2013107136A1 (en) | Terminal access authentication method and customer premise equipment | |
US6928463B1 (en) | Broadband content delivery via personal content tunnel | |
WO2014176964A1 (en) | Communication managing method and communication system | |
JP2022501879A (en) | Access authentication | |
CN102480403B (en) | Method for providing virtual private network service, device and system | |
JP2014146950A (en) | Network communication system | |
CN104219123B (en) | Realize the method and system that application differentiation is ensured | |
CN110138796B (en) | Multicast control method and device | |
KR20110138085A (en) | Local routing system in a mobile communication system, apparatus thereof and method thereof | |
JP5947763B2 (en) | COMMUNICATION SYSTEM, COMMUNICATION METHOD, AND COMMUNICATION PROGRAM | |
KR100996147B1 (en) | Method for Forced-allocating Communication Path between Affiliate Terminals and VAN in High-speed Mobile Internet | |
KR20080081878A (en) | Packet access router in high-speed mobile internet and recording medium | |
CN108243263A | Access method for a mobile hotspot device, and mobile hotspot device |
CN106982178B (en) | Resource allocation method, network management equipment and system | |
CN103152333A (en) | Method for identifying subscriber for L2TP (Layer Two Tunneling Protocol) networking in 3G (3-generation) access and L2TP Network Server (LNS) | |
ITPO20130008A1 (en) | PROTECTED INTERNET ACCESS SYSTEM | |
CN105591864A (en) | Method and system for distributing wireless local area network user data, and broadband access server (BRAS) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||