CN104660597B - Layer-3 authentication method, device and layer-3 authentication switch - Google Patents

Layer-3 authentication method, device and layer-3 authentication switch

Info

Publication number: CN104660597B
Application number: CN201510071992.1A
Authority: CN (China)
Other versions: CN104660597A (en)
Other languages: Chinese (zh)
Inventor: 林鹏
Original assignee: Fujian Star Net Communication Co Ltd
Current assignee: Ruijie Networks Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Prior art keywords: data message, port, user, acl, matching

Events
    • Application filed by Fujian Star Net Communication Co Ltd
    • Priority to CN201510071992.1A
    • Publication of CN104660597A
    • Application granted
    • Publication of CN104660597B
    • Legal status: Active
    • Anticipated expiration

Classifications

    • H04 Electricity; Electric communication technique; H04L Transmission of digital information, e.g. telegraphic communication
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H04L63/105 Multiple levels of security
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321 Cryptographic mechanisms or cryptographic arrangements including means for verifying the identity or authority of a user, involving a third party or a trusted authority

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention provides a layer-3 authentication method, a layer-3 authentication device and a layer-3 authentication switch. The method comprises: when a first port receives a data packet sent by a user, looking up the routing table by the source IP address of the packet; when the lookup result indicates that the packet sent by the user is a packet to be authenticated, matching the packet in the ACL table and, according to the ACL match result, sending the packet to the CPU for authentication processing. By looking up the routing table on the source IP address of the packet and, when the result is a packet to be authenticated, matching the packet in the ACL table so that it is forwarded to the CPU for authentication, the method, device and switch of the invention solve the problem that prior-art switches can implement only layer-2 authentication and cannot effectively implement layer-3 authentication.

Description

Layer-3 authentication method, device and layer-3 authentication switch
Technical field
The present invention relates to the field of communication technology, and in particular to a layer-3 authentication method, a layer-3 authentication device and a layer-3 authentication switch.
Background
In current networks, switches are mainly used for distributed authentication in layer-2 networks: after a user is authenticated, an ACL (Access Control List) rule is issued that binds the user's source MAC (Media Access Control) address, or the source MAC together with the source IP (Internet Protocol) address, and this binding serves as the criterion for whether the user is authenticated. In a large layer-2 network the switch may instead enable centralised authentication and act as the gateway device; this scheme also relies on the MAC address table, and decides whether a user is authenticated by whether the user's source MAC is present in that table.
In existing networks, layer-3 authentication is performed by devices that forward in software, such as routers. No prior-art switch acts as a layer-3 authentication device, for two main reasons. First, a switch acting as a layer-3 authentication device can distinguish authenticated from unauthenticated users only by source IP, and there is at present no mature chip solution for this that can be used directly. Second, a layer-3 authentication device usually has uplinks to several carriers (for example China Unicom and China Mobile), and different users have bought different packages: some have bought a Unicom package, some a Mobile package, so the traffic of these users must take different circuits. That is, the uplink must be selected by source IP, whereas routing lookup on current switches is based entirely on destination IP. Forwarding by source IP would have to be done with ACLs that match the packet's source IP and redirect it to a given circuit, so each user would consume one ACL entry. On the chips in use today the host route table is far larger than the ACL table: the host route table can reach 512K entries, but the ACL table holds at most 8K, while a campus network typically has more than 10,000 users. This cannot be done with ACLs at all.
In summary, prior-art switches can implement only layer-2 authentication and cannot effectively implement layer-3 authentication.
Summary of the invention
The present invention provides a layer-3 authentication method, a layer-3 authentication device and a layer-3 authentication switch, to solve the problem that prior-art switches can implement only layer-2 authentication and cannot implement layer-3 authentication.
The invention provides a layer-3 authentication method, the method comprising:
when a first port receives a data packet sent by a user, looking up the routing table by the source IP address of the packet; when the lookup result indicates that the packet sent by the user is a packet to be authenticated, matching the packet in the ACL table and, according to the match result, sending the packet to the CPU for authentication processing;
wherein an entry that forwards packets to be authenticated received on the first port to the CPU is preset in the ACL table.
The invention also provides a layer-3 authentication device, the device comprising:
a matching module, for, when a first port receives a data packet sent by a user, looking up the routing table by the source Internet Protocol (IP) address of the packet and, when the lookup result indicates that the packet sent by the user is a packet to be authenticated, matching the packet in the access control list (ACL) and, according to the match result, sending the packet to the CPU for authentication processing;
an ACL table setup module, for presetting in the ACL table an entry that forwards packets to be authenticated received on the first port to the CPU.
The invention also provides a layer-3 authentication switch, the switch comprising the above layer-3 authentication device.
By looking up the routing table on the source IP address of the packet and, when the result is a packet to be authenticated, matching the packet in the ACL table so that it is forwarded to the CPU for authentication, the layer-3 authentication method, device and switch of the invention solve the problem that prior-art switches can implement only layer-2 authentication and cannot effectively implement layer-3 authentication.
Brief description of the drawings
To explain the embodiments of the invention or the prior-art technical solutions more clearly, the drawings needed for the description of the embodiments or of the prior art are briefly introduced below. Evidently the drawings described below show only some embodiments of the invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic topology of a scenario in which a switch acts as the layer-3 authentication device;
Fig. 2 is the flow chart of the layer-3 authentication method of embodiment one of the invention;
Fig. 3 is the flow chart of the layer-3 authentication method of embodiment two of the invention;
Fig. 4 is the structural diagram of the layer-3 authentication device of embodiment three of the invention;
Fig. 5 is the structural diagram of the layer-3 authentication switch of embodiment four of the invention.
Detailed description
To make the purpose, technical solutions and advantages of the embodiments of the invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. Evidently the described embodiments are some, not all, of the embodiments of the invention. All other embodiments that a person of ordinary skill in the art obtains from these embodiments without creative effort fall within the scope of protection of the invention.
For a switch to implement layer-3 authentication, it must decide whether a user is authenticated on the basis of the source IP address of the packet, and after successful authentication it must route on the source IP address. Fig. 1 shows the topology of a scenario in which a switch acts as the layer-3 authentication device: on the inside the switch connects to the gateway devices of different zones, below which the users are attached, and on the outside it connects to the networks of different carriers. Every user can complete layer-3 authentication on the switch, and after successful authentication the user's packets are forwarded into the appropriate carrier network as required. Note that Fig. 1 is only one example topology for the technical solution of the invention and does not limit the scenarios to which the invention applies; for example, the switch need not connect to user terminals through gateway devices, and the networks it connects to on the outside are not limited to carrier networks.
Fig. 2 is the flow chart of the layer-3 authentication method of embodiment one of the invention, which comprises the following steps:
101: when a first port receives a data packet sent by a user, look up the routing table by the source IP address of the packet;
201: when the lookup result indicates that the packet sent by the user is a packet to be authenticated, match the packet in the ACL table and, according to the match result, send it to the CPU for authentication processing;
wherein an entry that forwards packets to be authenticated received on the first port to the CPU is preset in the ACL table.
So that the packet can be matched on its source IP address in the switch's routing table, the switch may be configured in advance, before it actually receives the packet.
Optionally, therefore, before the first port receives the packet sent by the user, the method further comprises:
enabling the layer-3 authentication function on the first port and enabling the URPF (Unicast Reverse Path Forwarding) check, so that packets received on the first port are matched on source IP address in the routing table.
The main function of URPF is to defend against attacks based on source IP address spoofing. Once URPF is enabled on an interface, every packet received on that interface first has its source IP address checked for validity; only packets that pass the check go on to the lookup of the forwarding entry for the destination IP address and into the forwarding process, and all others are dropped. The invention uses URPF to obtain the source-IP-address matching capability of the switch's routing table.
On the other hand, on some current switch chips a classid value of 0 (the chip's initial value) in a routing table entry is used internally by the chip and generally cannot be used directly, otherwise forwarding anomalies may occur. To work around this defect,
the method optionally further comprises: changing the classid of every routing table entry with a non-32-bit mask whose egress is the first port to a non-zero value.
Take the topology in Fig. 1 as an example. User PC A (IP 192.168.11.3, belonging to the north-zone users) accesses Baidu. This user holds a Unicom account, and the switch must authenticate the user and forward the user's subsequent packets. When the switch receives PC A's packet, it looks up the routing table by PC A's source IP address (192.168.11.3). Part of the initial routing table is shown in Table one, where the first two columns are the match keys and the last three columns are the egress information used for forwarding.
Table one
The default route is configured by the user; no assumption is made about it here, and it is shown as a blank.
Before any packet is received, the L3_AUTH function (layer-3 authentication) is enabled on port Gi 5/1 and the URPF check is enabled. At the same time, all network routes (non-32-bit mask) whose egress is Gi 5/1 are traversed and their routing information updated: a flag is passed down to the lower layer and the classid of the corresponding routing entries is changed to 255, so that packets matching these entries are subsequently matched in the ACL table. The modified routing table is shown in Table two.
Table two
In addition, ACL entries must be added internally that send HTTP (HyperText Transfer Protocol) or HTTPS (HTTP over Secure Socket Layer, the secure version of HTTP) packets received on the port to the CPU for processing, and drop the other packets whose classid is 255. The ACL table is shown in Table three, where the first three columns are the match keys and the last column is the policy applied on a match.
Table three
An HTTP packet is a TCP (Transmission Control Protocol) packet whose destination port is 80, and an HTTPS packet is a TCP packet whose destination port is 443. The first two ACL entries send HTTP/HTTPS packets whose source port is Gi 5/1 to the CPU; the last entry drops packets whose source port is Gi 5/1 and whose classid is 255, that is, packets that have not passed layer-3 source authentication (source IP authentication) and did not match the first two entries.
Note that authenticating on HTTP/HTTPS packets corresponds to web authentication. If the authentication mode is not web authentication but some other mode, entries corresponding to that mode can likewise be added to the ACL table; this is not described further here.
When user A accesses Baidu, the browser first sends an HTTP packet. The switch receives this packet on port Gi 5/1 and looks up the routing table by source IP (192.168.11.3), hitting the 192.168.11.0 entry and obtaining classid=255. It then looks up the destination IP (112.23.23.5) and does not find it. The packet is then matched in the ACL table, hits the entry with dst port=80, and according to that entry's policy is sent to the CPU, tagged with a code identifying it as requiring authentication. Once the packet reaches the CPU, the authentication flow is triggered; the authentication flow is the same as in the prior art and is not repeated here.
By looking up the routing table on the source IP address of the packet and, when the result is a packet to be authenticated, matching the packet in the ACL table so that it is forwarded to the CPU for authentication, this embodiment solves the problem that prior-art switches can implement only layer-2 authentication and cannot effectively implement layer-3 authentication.
Fig. 3 is the flow chart of the layer-3 authentication method of embodiment two of the invention. Building on embodiment one, this embodiment adds the steps of subsequently installing in the routing table an entry corresponding to the authenticated user's source IP, and of directing packets into the ACL table through that entry so that they are forwarded by source IP, as follows:
Steps 101 to 201 are the same as in embodiment one and are not repeated.
301: after authentication succeeds, install in the routing table a routing entry that uniquely matches the user's source IP address;
401: when the first port receives a packet subsequently sent by the user, match the entry that uniquely matches the user's source IP address, match the packet in the ACL table and forward it according to the match result;
wherein an entry that forwards packets of a specified class is preset in the ACL table, the specified class of packets being: packets of the same class as the packets sent by the user.
Optionally, to implement traffic steering or load balancing, the packet may be forwarded through a designated port; accordingly, an entry that forwards the specified class of packets through the designated port is preset in the ACL table.
For example, packets whose source IP address belongs to a Unicom user can be forwarded through the designated port corresponding to the Unicom carrier network, and packets whose source IP address belongs to a Mobile user through the designated port corresponding to the Mobile carrier network, achieving traffic steering by source IP address; the specified class is then the Unicom user class or the Mobile user class.
As another example, load-balancing classes can be assigned by source IP address: packets whose source IP address belongs to one class are forwarded through the port corresponding to that class, achieving load balancing; the specified class is then one of the load-balancing classes.
Optionally, forwarding through a designated port can be implemented as follows:
the classid value in the routing entry that uniquely matches the user's source IP address is set to a designated value, the designated value identifying the specified class of packets; correspondingly, the forwarding policy preset in the ACL table for entries matching classid equal to the designated value is: forward to the designated port.
Note that setting the classid value is not the only way to identify the specified class of packets; it can also be done by setting another field in the routing table, provided that the field is not used for the routing table's own forwarding operation.
Continuing the example of PC A accessing Baidu: after the packet is sent to the CPU and authentication completes, the switch receives the indication that authentication has passed, obtains the user's IP address and account information, and learns that the user holds a Unicom account. It therefore installs in the routing table an entry for 192.168.11.3 with egress Gi 5/1 and classid=3, indicating that the user is a Unicom account and must be forwarded through the Unicom carrier network. The routing table after this entry is installed is shown in Table four.
Table four
In addition, an entry for classid=3 is preset in the ACL table, shown as the first entry of Table five; it redirects packets whose source port is Gi 5/1 and whose classid is 3, that is, packets that have passed layer-3 source authentication (source IP authentication), to the port corresponding to 192.168.111.2.
Table five
When a packet subsequently sent by PC A is received on port Gi 5/1, it exactly matches the 192.168.11.3 entry in the routing table, and according to that entry its classid is set to 3; the subsequent ACL match then hits the classid=3 entry, so the packet is forwarded to the port corresponding to 192.168.111.2 and from there into the Unicom carrier network. Traffic steering by source IP address is thus achieved.
By installing, after successful authentication, a routing entry that uniquely matches the user's source IP address, and by presetting the corresponding forwarding entries in the ACL table, this embodiment lets the first port forward the user's subsequent packets directly. Packets are still distinguished by source IP address, but the exact match on the source IP address is done in the routing table, and the ACL table only needs to distinguish the class to which the user's source IP belongs. This greatly reduces the number of ACL entries consumed and solves the prior-art problem that forwarding by source IP address required one ACL entry per user and so could not be deployed at scale.
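As an added illustration (not the patent's text or Ruijie's code), the following Python model walks the two-stage data path of embodiments one and two on the PC A example above: the source-IP lookup in the routing table yields a classid, and the ACL table then keys on ingress port, destination TCP port and classid to punt to the CPU, drop, or redirect. The addresses, port Gi 5/1 and the classid values 255 and 3 are taken from the text; port names Gi 5/2 and Gi 5/10, the second user 192.168.11.4, the route set and the exact ACL layout are assumptions. Two points the text's tables do not spell out are made explicit as design choices: the pre-authentication punt rules also key on classid 255, so web traffic from already-authenticated hosts is not punted a second time, and the uRPF check is strict (the source route's egress must equal the ingress port), because a loose check that only requires the route to exist would let a host spoofing an address from another port's subnet inherit that route's classid 0 and bypass the ACL gate.

```python
"""Model of the source-IP (layer-3) authentication data path: added example, not
the patent's or Ruijie's code. Port names Gi 5/2 and Gi 5/10, the route set
and the exact ACL layout are assumptions; addresses, Gi 5/1 and the classid
values 255 and 3 come from the worked example in the text."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

AUTH_PORT = "Gi 5/1"
CLASSID_UNAUTH = 255      # written into the port's non-/32 routes (text: 255)
CLASSID_UNICOM = 3        # installed per user after authentication (text: 3)
UNICOM_PORT = "Gi 5/10"   # assumed name of the port toward next hop 192.168.111.2


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    egress: str
    classid: int


@dataclass
class AclRule:
    in_port: str
    dst_port: Optional[int]   # None = wildcard
    classid: Optional[int]    # None = wildcard
    action: str               # "to_cpu", "drop" or "redirect:<port>"

    def matches(self, in_port, dst_port, classid):
        return (self.in_port == in_port
                and self.dst_port in (None, dst_port)
                and self.classid in (None, classid))


class Switch:
    def __init__(self):
        self.routes = []
        self.acl = []

    def add_route(self, prefix, egress, classid=0):
        self.routes.append(Route(ipaddress.ip_network(prefix), egress, classid))

    def enable_l3_auth(self, port):
        """Embodiment one: mark the port's non-/32 routes so that packets whose
        source IP hits them fall through to the ACL table (Table two)."""
        for r in self.routes:
            if r.egress == port and r.prefix.prefixlen != 32:
                r.classid = CLASSID_UNAUTH   # non-zero: 0 is reserved by the chip
        # Table three: punt web traffic of unauthenticated hosts, drop the rest.
        self.acl += [
            AclRule(port, 80, CLASSID_UNAUTH, "to_cpu"),
            AclRule(port, 443, CLASSID_UNAUTH, "to_cpu"),
            AclRule(port, None, CLASSID_UNAUTH, "drop"),
        ]

    def add_class_redirect(self, port, classid, egress):
        """Table five: one ACL entry per user class, never per user."""
        self.acl.append(AclRule(port, None, classid, f"redirect:{egress}"))

    def on_auth_success(self, user_ip, port, classid):
        """Table four: /32 host route that uniquely matches the user's source IP."""
        self.add_route(f"{user_ip}/32", port, classid)

    def lookup(self, ip):
        """Longest-prefix match over the routing table."""
        addr = ipaddress.ip_address(ip)
        hits = [r for r in self.routes if addr in r.prefix]
        return max(hits, key=lambda r: r.prefix.prefixlen, default=None)

    def forward(self, in_port, src_ip, dst_ip, dst_port):
        """Returns the action taken for one packet."""
        src_route = self.lookup(src_ip)
        # Strict uRPF: the source must route back out the ingress port. A loose
        # check (route merely exists) would let a host spoofing an address from
        # another port's subnet inherit that route's classid 0 and skip the gate.
        if src_route is None or src_route.egress != in_port:
            return "drop:urpf"
        for rule in self.acl:
            if rule.matches(in_port, dst_port, src_route.classid):
                return rule.action
        dst_route = self.lookup(dst_ip)   # no ACL hit: ordinary destination forwarding
        return f"forward:{dst_route.egress}" if dst_route else "drop:no_route"


def build_switch():
    """Constructed topology: north-zone users behind Gi 5/1, another zone on
    Gi 5/2, the Unicom next hop 192.168.111.2 behind Gi 5/10. No default route."""
    sw = Switch()
    sw.add_route("192.168.11.0/24", AUTH_PORT)
    sw.add_route("192.168.12.0/24", "Gi 5/2")
    sw.add_route("192.168.111.0/24", UNICOM_PORT)
    sw.enable_l3_auth(AUTH_PORT)
    sw.add_class_redirect(AUTH_PORT, CLASSID_UNICOM, UNICOM_PORT)
    return sw


if __name__ == "__main__":
    sw = build_switch()
    print(sw.forward(AUTH_PORT, "192.168.11.3", "112.23.23.5", 80))   # to_cpu
    print(sw.forward(AUTH_PORT, "192.168.11.3", "112.23.23.5", 53))   # drop
    sw.on_auth_success("192.168.11.3", AUTH_PORT, CLASSID_UNICOM)     # CPU reports success
    print(sw.forward(AUTH_PORT, "192.168.11.3", "112.23.23.5", 80))   # redirect:Gi 5/10
```

Authenticating a second user of the same class adds one /32 host route and no ACL entry, which is the capacity argument made in the background section: per-user state lives in the large host route table, and the small ACL table holds only one entry per class. The model keeps no default route; with one present, the strict egress comparison in forward() is what still stops an unknown or spoofed source on Gi 5/1 from being forwarded with classid 0.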
Fig. 4 is the structural diagram of the layer-3 authentication device of embodiment three of the invention. The device comprises:
a matching module 10, for, when a first port receives a data packet sent by a user, looking up the routing table by the source Internet Protocol (IP) address of the packet and, when the lookup result indicates that the packet sent by the user is a packet to be authenticated, matching the packet in the access control list (ACL) and, according to the match result, sending the packet to the CPU for authentication processing;
an ACL table setup module 20, for presetting in the ACL table an entry that forwards packets to be authenticated received on the first port to the CPU.
By looking up the routing table on the source IP address of the packet and, when the result is a packet to be authenticated, matching the packet in the ACL table so that it is forwarded to the CPU for authentication, the layer-3 authentication device solves the problem that prior-art switches can implement only layer-2 authentication and cannot effectively implement layer-3 authentication.
So that the packet can be matched on its source IP address in the switch's routing table, the switch may be configured in advance, before it actually receives the packet.
Optionally, therefore, the layer-3 authentication device further comprises:
a preset module 30, for enabling, before the first port receives the packet sent by the user, the layer-3 authentication function on the first port and enabling the unicast reverse path forwarding (URPF) check, so that packets received on the first port are matched on source IP address in the routing table.
On the other hand, on some current switch chips a classid value of 0 (the chip's initial value) in a routing table entry is used internally by the chip and generally cannot be used directly, otherwise forwarding anomalies may occur. To work around this defect,
the layer-3 authentication device optionally further comprises:
a routing table setup module 40, for changing the classid of every routing table entry with a non-32-bit mask whose egress is the first port to a non-zero value.
Optionally, the routing table setup module 40 is further used, after authentication succeeds, to install in the routing table a routing entry that uniquely matches the user's source IP address;
the matching module 10 is further used, when the first port receives a packet subsequently sent by the user, to match the entry that uniquely matches the user's source IP address, match the packet in the ACL table and forward it according to the match result;
the ACL table setup module 20 is further used to preset in the ACL table an entry that forwards packets of a specified class, the specified class of packets being: packets of the same class as the packets sent by the user.
By installing, after successful authentication, a routing entry that uniquely matches the user's source IP address, and by presetting the corresponding forwarding entries in the ACL table, the layer-3 authentication device lets the first port forward the user's subsequent packets directly. Packets are still distinguished by source IP address, but the exact match on the source IP address is done in the routing table, and the ACL table only needs to distinguish the class to which the user's source IP belongs. This greatly reduces the number of ACL entries consumed and solves the prior-art problem that forwarding by source IP address required one ACL entry per user and so could not be deployed at scale.
Optionally, the matching module 10 forwarding the packet according to the match result specifically comprises:
the matching module 10 forwarding the packet through a designated port according to the match result;
and the ACL table setup module 20 presetting in the ACL table an entry that forwards the specified class of packets specifically comprises:
the ACL table setup module 20 presetting in the ACL table an entry that forwards the specified class of packets to the designated port.
By setting in the ACL table an entry that forwards the specified class of packets through a designated port, and forwarding packets through that port when they match the ACL table, the layer-3 authentication device implements traffic steering or load balancing of packets.
Optionally, the routing table setup module 40 is further used to set the classid value in the routing entry that uniquely matches the user's source IP address to a designated value, the designated value identifying the specified class of packets;
and the ACL table setup module 20 presetting in the ACL table an entry that forwards the specified class of packets to the designated port specifically comprises:
the ACL table setup module 20 presetting in the ACL table the forwarding policy for entries matching classid equal to the designated value as: forward to the designated port.
Fig. 5 is the structural diagram of the layer-3 authentication switch of embodiment four of the invention; the switch comprises the above layer-3 authentication device.
One of ordinary skill in the art will appreciate that:Realizing all or part of step of above method embodiment can pass through Programmed instruction related hardware is completed, and foregoing program can be stored in a computer read/write memory medium, the program Upon execution, the step of execution includes above method embodiment;And foregoing storage medium includes:ROM, RAM, magnetic disc or light Disk etc. is various can be with the medium of store program codes.
Device embodiment described above is only schematical, wherein the module or unit that illustrate as separating component It can be or may not be physically separate, can be as the part that unit is shown or may not be physics list Member, you can with positioned at a place, or can also be distributed at least two NEs.It can select according to the actual needs Some or all of module therein or unit are selected to realize the purpose of this embodiment scheme.Those of ordinary skill in the art are not In the case of paying performing creative labour, you can to understand and implement.
Finally, it should be noted that the above embodiments are merely intended to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art will understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (13)

1. A Layer 3 authentication method, characterised in that the method includes:
receiving, at a first port, a data packet sent by a user, and matching the packet against a routing table according to its source Internet Protocol (IP) address; when the matching result indicates that the data packet sent by the user is a packet to be authenticated, matching the data packet in an access control list (ACL), and sending the data packet to a central processing unit (CPU) for authentication processing according to the matching result;
wherein an entry that forwards packets to be authenticated received at the first port to the CPU is pre-set in the ACL table.
2. The method according to claim 1, characterised in that, before the first port receives the data packet sent by the user, the method further includes:
enabling the Layer 3 authentication function on the first port, and enabling a unicast reverse path forwarding (URPF) check, so that data packets received at the first port are matched against the routing table by source IP address.
3. The method according to claim 2, characterised in that, before the step of receiving at the first port the data packet sent by the user, the method further includes:
modifying to a non-zero value the classid of each routing table entry in the routing table whose mask is not 32 bits and whose egress corresponds to the first port.
4. The method according to any one of claims 1-3, characterised in that the method further includes:
after authentication succeeds, installing in the routing table a routing table entry that uniquely matches the user's source IP address;
receiving at the first port data packets subsequently sent by the user, matching them against the routing table entry that uniquely matches the user's source IP address, then matching them against the ACL table and forwarding them according to the matching result;
wherein an entry for forwarding data packets of a specified category is pre-set in the ACL table, the specified category of data packets being: data packets of the same category as the data packets sent by the user.
5. The method according to claim 4, characterised in that the forwarding of the data packets according to the matching result specifically includes:
forwarding the data packets through a designated port according to the matching result;
and the pre-setting in the ACL table of an entry for forwarding data packets of a specified category specifically includes:
pre-setting in the ACL table an entry that forwards data packets of the specified category to the designated port.
6. The method according to claim 5, characterised in that the method further includes:
setting the classid value in the routing table entry that uniquely matches the user's source IP address to a designated value, the designated value identifying data packets of the specified category;
and the pre-setting in the ACL table of an entry that forwards data packets of the specified category to the designated port specifically includes:
pre-setting in the ACL table a forwarding policy for packets whose classid matches the designated value, namely: forward to the designated port.
7. A Layer 3 authentication device, characterised in that the device includes:
a matching module, configured to receive at a first port a data packet sent by a user, match the packet against a routing table according to its source Internet Protocol (IP) address, and, when the matching result indicates that the data packet sent by the user is a packet to be authenticated, match the data packet in an access control list (ACL) and send the data packet to a CPU for authentication processing according to the matching result;
an ACL table setup module, configured to pre-set in the ACL table an entry that forwards packets to be authenticated received at the first port to the CPU.
8. The device according to claim 7, characterised in that it further includes:
a pre-setting module, configured to, before the first port receives the data packet sent by the user, enable the Layer 3 authentication function on the first port and enable a unicast reverse path forwarding (URPF) check, so that data packets received at the first port are matched against the routing table by source IP address.
9. The device according to claim 8, characterised in that it further includes:
a routing table setup module, configured to modify to a non-zero value the classid of each routing table entry in the routing table whose mask is not 32 bits and whose egress corresponds to the first port.
10. The device according to any one of claims 7-9, characterised in that:
the routing table setup module is further configured to, after authentication succeeds, install in the routing table a routing table entry that uniquely matches the user's source IP address;
the matching module is further configured to receive at the first port data packets subsequently sent by the user, match them against the routing table entry that uniquely matches the user's source IP address, then match them against the ACL table and forward them according to the matching result;
the ACL table setup module is further configured to pre-set in the ACL table an entry for forwarding data packets of a specified category, the specified category of data packets being: data packets of the same category as the data packets sent by the user.
11. The device according to claim 10, characterised in that the matching module being configured to forward the data packets according to the matching result specifically includes:
the matching module is configured to forward the data packets through a designated port according to the matching result;
and the ACL table setup module being configured to pre-set in the ACL table an entry for forwarding data packets of a specified category specifically includes:
the ACL table setup module is configured to pre-set in the ACL table an entry that forwards data packets of the specified category to the designated port.
12. The device according to claim 11, characterised in that:
the routing table setup module is further configured to set the classid value in the routing table entry that uniquely matches the user's source IP address to a designated value, the designated value identifying data packets of the specified category;
and the ACL table setup module being configured to pre-set in the ACL table an entry that forwards data packets of the specified category to the designated port specifically includes:
the ACL table setup module is configured to pre-set in the ACL table a forwarding policy for packets whose classid matches the designated value, namely: forward to the designated port.
13. A Layer 3 authentication switch, characterised in that the switch includes the Layer 3 authentication device according to any one of claims 7-12.
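As an added illustration (not the patent's own code), the following Python model simulates the pipeline of claims 1 to 6 on one ingress port: source-address (URPF) lookup in the routing table, the non-zero classid marking routes of users still to be authenticated, the ACL entry that punts such packets to the CPU, and the /32 host route carrying the designated classid that steers an authenticated user's traffic to the designated port. The port names, the classid values and the strict-URPF drop behaviour are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional
CPU = "cpu"             # pseudo-port: punt the packet to the CPU for authentication
PENDING_CLASSID = 1     # assumed non-zero classid marking "user not yet authenticated" (claim 3)
DESIGNATED_CLASSID = 7  # assumed "designated value" of claim 6

@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    egress: str          # port the route points out of
    classid: int = 0

class L3AuthSwitch:
    def __init__(self, auth_port: str, designated_port: str):
        self.auth_port, self.designated_port = auth_port, designated_port
        self.routes: List[Route] = []
        self.acl: list = []  # entries: (ingress port or None, classid or None, action)

    def add_route(self, prefix: str, egress: str) -> None:
        self.routes.append(Route(ipaddress.ip_network(prefix), egress))

    def enable_l3_auth(self) -> None:
        # Claim 3: every non-/32 route leaving via the auth port gets a non-zero classid.
        for r in self.routes:
            if r.prefix.prefixlen != 32 and r.egress == self.auth_port:
                r.classid = PENDING_CLASSID
        # Claims 1 and 6: punt pending users to the CPU, steer authenticated ones.
        self.acl = [(self.auth_port, PENDING_CLASSID, CPU),
                    (None, DESIGNATED_CLASSID, self.designated_port)]

    def urpf_lookup(self, src_ip: str) -> Optional[Route]:
        # Longest-prefix match on the *source* address, as the URPF check does.
        ip = ipaddress.ip_address(src_ip)
        hits = [r for r in self.routes if ip in r.prefix]
        return max(hits, key=lambda r: r.prefix.prefixlen) if hits else None

    def authenticate(self, src_ip: str) -> None:
        # Claims 4 and 6: install a /32 host route carrying the designated classid.
        self.routes.append(Route(ipaddress.ip_network(src_ip + "/32"),
                                 self.auth_port, DESIGNATED_CLASSID))

    def receive(self, in_port: str, src_ip: str) -> str:
        route = self.urpf_lookup(src_ip)
        if route is None or route.egress != in_port:
            return "drop"    # strict URPF: no reverse path through the ingress port
        for port, classid, action in self.acl:   # ACL keys on the matched route's classid
            if port in (None, in_port) and classid in (None, route.classid):
                return action
        return "forward"     # ordinary destination-based forwarding
```

Before authentication a user's packets hit the subnet route (classid 1) and go to the CPU; after `authenticate()` the more specific /32 route (classid 7) wins and the ACL sends the same user's packets to the designated port, while packets whose source has no reverse path through the ingress port are dropped.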
CN201510071992.1A 2015-02-11 2015-02-11 Layer 3 authentication method, device and Layer 3 authentication switch Active CN104660597B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510071992.1A CN104660597B (en) 2015-02-11 2015-02-11 Layer 3 authentication method, device and Layer 3 authentication switch

Publications (2)

Publication Number Publication Date
CN104660597A CN104660597A (en) 2015-05-27
CN104660597B true CN104660597B (en) 2017-11-24

Family

ID=53251300

Country Status (1)

Country Link
CN (1) CN104660597B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106341338B (en) * 2016-09-09 2019-09-17 杭州迪普科技股份有限公司 A message forwarding method and device
CN108134738A (en) * 2017-12-21 2018-06-08 山东大学 A system allowing users to select the campus network egress independently
CN111654485B (en) * 2020-05-26 2023-04-07 新华三信息安全技术有限公司 Client authentication method and device
CN111953663B (en) * 2020-07-27 2022-10-21 新华三技术有限公司 Method and device for controlling user authentication
CN111984965A (en) * 2020-08-31 2020-11-24 成都安恒信息技术有限公司 Multi-source user management authentication system and method based on operation and maintenance audit system
CN114826745A (en) * 2022-04-28 2022-07-29 成都安恒信息技术有限公司 Method for realizing user authentication in transparent scene

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7657940B2 (en) * 2004-10-28 2010-02-02 Cisco Technology, Inc. System for SSL re-encryption after load balance
CN101917434A (en) * 2010-08-18 2010-12-15 清华大学 Method for verifying intra-domain Internet protocol (IP) source address
CN103561026A (en) * 2013-11-04 2014-02-05 神州数码网络(北京)有限公司 Method and device for updating hardware access control list and switch

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Research and implementation of an 802.1x-based Layer 3 switch authentication system and a wireless LAN authentication system; 钟碧磊; 《万方》 (Wanfang); 2005-12-31; full text *

Also Published As

Publication number Publication date
CN104660597A (en) 2015-05-27

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: 19th floor, Garden State Industrial Park, No. 618 Jinshan Road, Cangshan District, Fuzhou City, Fujian Province 350002

Patentee after: RUIJIE NETWORKS CO., LTD.

Address before: 19th floor, Garden State Industrial Park, No. 618 Jinshan Road, Cangshan District, Fuzhou City, Fujian Province 350002

Patentee before: Beijing Star-Net Ruijie Networks Co.,Ltd.