CN105610599A - Method and device for managing user data - Google Patents

Method and device for managing user data

Info

Publication number
CN105610599A
Authority
CN
China
Legal status
Granted
Application number
CN201410690360.9A
Other languages
Chinese (zh)
Other versions
CN105610599B (en)
Inventor
唐骁琨
Current Assignee
ZTE Corp
Original Assignee
ZTE Corp
Events
Application filed by ZTE Corp
Priority to CN201410690360.9A
Priority to PCT/CN2015/073522 (published as WO2016082363A1)
Publication of CN105610599A
Application granted
Publication of CN105610599B
Legal status: Active

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00: Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks

Abstract

The invention discloses a method and a device for managing user data. The method comprises the steps of: receiving a user information list containing Internet Protocol Security (IPsec) configuration information; generating a global user node according to the user information in the user information list; and adding the global user node to a global user table, through which the access users are managed. This solves the problem in the related art that management efficiency drops when there are too many access users.

Description

Method and device for managing user data
Technical field
The present invention relates to the field of communications, and in particular to a method and device for managing user data.
Background art
IPsec is a set of IP security protocols established by the IPsec working group of the IETF (Internet Engineering Task Force). IPsec defines the security services used at the network layer; its functions include data encryption, access control to network elements, data origin authentication, data integrity checking and anti-replay protection.
IPsec remote access is a VPN access technology based on IPsec tunnel encryption. Unlike the peer-to-peer network model, remote access uses a client-server model. Unlike peer-to-peer IKE negotiation, remote access requires an extended authentication (XAUTH) exchange and a mode configuration exchange between phase one and phase two. After IKE phase one negotiation completes, the server initiates extended authentication towards the client. Phase one provides device-level authentication by pre-shared key or certificate; extended authentication adds user-level authentication on top of that, using existing and widely deployed authentication mechanisms such as RADIUS, SecurID and one-time passwords (OTP). Once the client passes extended authentication, it enters the mode configuration exchange, in which it obtains the configuration information needed to access the internal network behind the IPsec VPN gateway, including the internal IP address the gateway allocates to it, the internal DNS server, the IP address of the WINS server, and so on. After mode configuration finishes, IKE phase two negotiation proceeds and the security associations are generated; negotiation is then complete. From then on the remote client can use the allocated internal IP address to access the internal network resources protected by the IPsec VPN gateway, under the protection of the IPsec tunnel established earlier.
The IPsec VPN gateway is responsible for managing and maintaining remote access client information. In a centralized system, all remote users connect to the master control, which makes maintaining user information convenient. However, a centralized system has limited user access capacity, and the device usually has to carry other services at the same time, so user access speed and IPsec packet processing performance are relatively weak. A distributed system has clear advantages over a centralized system in performance and capacity. A distributed system generally consists of a master control, line cards and IPsec service cards. The master control is mainly responsible for management work such as gateway configuration management and routing table management; the line cards are mainly responsible for packet forwarding; the service cards are mainly responsible for processing application protocols such as IPsec, and the hardware encryption/decryption chips on a service card provide strong IPsec processing capability. When a large number of users access the gateway, multiple IPsec service cards can process them simultaneously, but the problem this introduces is that the users are spread across multiple service cards, which makes user management very complex.
No effective solution has yet been proposed for the problem in the related art that too many access users reduce management efficiency.
Summary of the invention
The present invention provides a method and device for managing user data, so as at least to solve the problem in the related art that too many access users reduce management efficiency.
According to one aspect of the present invention, a method for managing user data is provided, comprising:
receiving a user information list containing Internet Protocol Security (IPsec) configuration information; generating a global user node according to the user information in the user information list; and adding the global user node to a global user table and managing the access users through the global user table.
Preferably, the user information in the user information list comprises at least one of: user group, service card address and IPsec configuration information, where the IPsec configuration information is used to configure intranet resources for the access user. The user information list further comprises an access user index table for indexing access users; the access user index table is composed of the IPsec interface and the user's intranet IP.
Preferably, the access users are managed through the global user table in at least one of the following ways:
Scheme one: judging, according to a preset threshold, whether the number of access users of a user group in the global user table is greater than the preset threshold; if the judgment result is yes, closing the access interface.
Scheme two: obtaining an abnormal service card by querying the global user table, and deleting all users that went online on the abnormal service card.
Scheme three: looking up an access user according to the access user index table and performing a preset operation on the access user, where the preset operation comprises at least one of: query, delete.
Preferably, after managing the access users through the global user table, the method further comprises: generating table entries according to the user information in the global user table; and establishing communication with the user access device according to the table entries.
Preferably, establishing communication with the user access device according to the table entries comprises: mode one: receiving an encrypted packet sent by the user access device; performing IPsec decapsulation on the encrypted packet to obtain the decapsulated inner packet; and sending the inner packet to the intranet device corresponding to the user access device;
or,
mode two: receiving a plaintext packet sent by the intranet device; encapsulating the plaintext packet with IPsec to obtain the encapsulated packet; and sending the encapsulated packet to the user access device.
According to another aspect of the present invention, a device for managing user data is provided, comprising:
a receiving module, configured to receive a user information list containing IPsec configuration information; a generation module, configured to generate a global user node according to the user information in the user information list; and a management module, configured to add the global user node to a global user table and manage the access users through the global user table.
Preferably, the user information in the user information list comprises at least one of: user group, service card address and IPsec configuration information, where the IPsec configuration information is used to configure intranet resources for the access user. The user information list further comprises an access user index table for indexing access users; the access user index table is composed of the IPsec interface and the user's intranet IP.
Preferably, the management module manages the access users through the global user table in at least one of the following ways: a first management unit, configured to judge, according to a preset threshold, whether the number of access users of a user group in the global user table is greater than the preset threshold, and if the judgment result is yes, to close the access interface; a second management unit, configured to obtain an abnormal service card by querying the global user table and to delete all users that went online on the abnormal service card; a third management unit, configured to look up an access user according to the access user index table and to perform a preset operation on the access user, where the preset operation comprises at least one of: query, delete.
Preferably, the device further comprises: a table entry generation module, configured to generate table entries according to the user information in the global user table after the access users have been managed through the global user table; and a communication module, configured to establish communication with the user access device according to the table entries generated by the table entry generation module.
Preferably, the communication module comprises: a first receiving unit, configured to receive an encrypted packet sent by the user access device; a decapsulation unit, configured to perform IPsec decapsulation on the encrypted packet received by the first receiving unit to obtain the decapsulated inner packet; and a first sending unit, configured to send the decapsulated inner packet to the intranet device corresponding to the user access device; or a second receiving unit, configured to receive a plaintext packet sent by the intranet device; an encapsulation unit, configured to encapsulate the plaintext packet with IPsec to obtain the encapsulated packet; and a second sending unit, configured to send the encapsulated packet to the user access device.
With the present invention, a user information list containing IPsec configuration information is received; a global user node is generated according to the user information in the user information list; and the global user node is added to a global user table, through which the access users are managed. This solves the problem that too many access users reduce management efficiency, and so improves the efficiency of managing access users.
Brief description of the drawings
The accompanying drawings described herein are provided for a further understanding of the present invention and form a part of this application; the schematic embodiments of the present invention and their description serve to explain the present invention and do not constitute an improper limitation of it. In the drawings:
Fig. 1 is a flow chart of the method for managing user data according to an embodiment of the present invention;
Fig. 2 is a structure diagram of the user information list according to an embodiment of the present invention;
Fig. 3 is an architecture diagram of managing users through the global user table according to an embodiment of the present invention;
Fig. 4 is a structural block diagram of the device for managing user data according to an embodiment of the present invention;
Fig. 5 is a structural block diagram of the device for managing user data according to a preferred embodiment of the present invention;
Fig. 6 is a structural block diagram of the device for managing user data according to a preferred embodiment of the present invention;
Fig. 7 is a structural block diagram of the device for managing user data according to a preferred embodiment of the present invention;
Fig. 8 is a schematic diagram of an operating environment to which an embodiment of the present invention applies;
Fig. 9 is a schematic diagram of the flow by which the IPsec VPN gateway provided by an embodiment of the present invention processes a client access request.
Detailed description of the embodiments
The present invention is described in detail below with reference to the accompanying drawings and in conjunction with embodiments. It should be noted that the embodiments in this application, and the features within the embodiments, may be combined with each other provided they do not conflict.
A method for managing user data is provided in this embodiment. Fig. 1 is a flow chart of the method for managing user data according to an embodiment of the present invention; as shown in Fig. 1, the flow comprises the following steps:
Step S102: receiving a user information list containing IPsec configuration information.
Step S104: generating a global user node according to the user information in the user information list.
Step S106: adding the global user node to a global user table, and managing the access users through the global user table.
The method for managing user data provided by the embodiment of the present invention applies to an Internet Protocol Security (IPsec) gateway device, where the gateway device comprises at least one of: a master control, service cards and line cards. Steps S102 to S106 are performed by the master control: the master control generates a global user node according to the user information in the user information list reported by a service card, adds the generated global user node to the global user table, and manages the access users through the global user table. Before step S102, the service card receives the negotiation packets of an access user forwarded by a line card, performs IPsec processing according to the negotiation packets, obtains the internal address and the user group configuration information corresponding to the access user, generates a user node on the service card according to that internal address and user group configuration information, adds the user node to the user information list of the service card, and uploads the user information list to the master control, whereupon step S102 is executed.
Through the above steps, a user information list containing IPsec configuration information is received; a global user node is generated according to the user information in the user information list; and the global user node is added to a global user table, through which the access users are managed. This solves the problem that too many access users reduce management efficiency, and so improves the efficiency of managing access users.
Preferably, the user information in the user information list comprises at least one of: user group, service card address and IPsec configuration information, where the IPsec configuration information is used to configure intranet resources for the access user.
The user information list further comprises an access user index table for indexing access users; the access user index table is composed of the IPsec interface and the user's intranet IP.
As shown in Fig. 2, which is a structure diagram of the user information list, the user information list comprises:
(1) all remote user nodes on the service card, one user node being generated on the service card for each access user;
(2) the index of the user information list on the service card, which uses the IPsec interface and the user's intranet IP to locate the corresponding user node;
(3) the user information stored in each user node, which comprises at least one of: the access user's user group, the service card address, the access user's external network address and the IPsec configuration information. The IPsec configuration information is the IPsec configuration produced on the service card after the negotiation packets are processed by the IKE protocol; with it, the access user uses the allocated intranet IP address to use the network resources and network devices of the intranet.
Preferably, the access users are managed through the global user table in at least one of the following ways, as shown in Fig. 3, which is an architecture diagram of managing users through the global user table according to an embodiment of the present invention. Specifically:
Scheme one: judging, according to a preset threshold, whether the number of access users of a user group in the global user table is greater than the preset threshold; if the judgment result is yes, closing the access interface.
According to the parameters carried by the access user during negotiation, the IPsec VPN gateway stores the user node under the user group of the corresponding IPsec interface. These users may go online from different service cards. Through this IPsec interface + user group management approach, the master control knows in real time how the access users of each user group are distributed across the service cards. When the number of users under a user group reaches the maximum allowed, the master control issues a notification to close the user access function.
Scheme two: obtaining an abnormal service card by querying the global user table, and deleting all users that went online on the abnormal service card.
When a service card uploads user information it carries its service card address, and the master control maintains all users that went online on that service card. These users may belong to different user groups. When a service card becomes abnormal or is pulled out of the device, the master control perceives this and deletes all users that went online on that service card.
Scheme three: looking up an access user according to the access user index table and performing a preset operation on the access user, where the preset operation comprises at least one of: query, delete.
The IPsec interface and the access user's intranet IP are used as the key for indexing. The purpose of this index table is to find users quickly. When the gateway administrator needs to kick a user offline, the master control obtains the IPsec interface and user intranet IP of the user's access from the input, finds the user, deletes the user, and notifies the service card to delete it. Likewise, when the administrator views a particular user's detailed information, the master control can quickly find the user through the received query request and display the user's information.
Preferably, after managing the access users through the global user table, the method further comprises: generating table entries according to the user information in the global user table; and establishing communication with the user access device according to the table entries.
Preferably, establishing communication with the user access device according to the table entries comprises: mode one: receiving an encrypted packet sent by the user access device; performing IPsec decapsulation on the encrypted packet to obtain the decapsulated inner packet; and sending the inner packet to the intranet device corresponding to the user access device;
or,
mode two: receiving a plaintext packet sent by the intranet device; encapsulating the plaintext packet with IPsec to obtain the encapsulated packet; and sending the encapsulated packet to the user access device.
A device for managing user data is also provided in this embodiment. The device is used to implement the above embodiment and its preferred embodiments; what has already been explained is not repeated. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. Although the devices described in the following embodiments are preferably implemented in software, implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
Fig. 4 is a structural block diagram of the device for managing user data according to an embodiment of the present invention. As shown in Fig. 4, the device comprises a receiving module 22, a generation module 24 and a management module 26, where:
the receiving module 22 is configured to receive a user information list containing IPsec configuration information;
the generation module 24, connected to the receiving module 22, is configured to generate a global user node according to the user information in the user information list;
the management module 26, connected to the generation module 24, is configured to add the global user node to a global user table and to manage the access users through the global user table.
Preferably, the user information in the user information list comprises at least one of: user group, service card address and IPsec configuration information, where the IPsec configuration information is used to configure intranet resources for the access user. The user information list further comprises an access user index table for indexing access users; the access user index table is composed of the IPsec interface and the user's intranet IP.
Preferably, Fig. 5 is a structural block diagram of the device for managing user data according to a preferred embodiment of the present invention. As shown in Fig. 5, in addition to all the modules shown in Fig. 4, the device further comprises a first management unit 261, a second management unit 262 and a third management unit 263, and the management module 26 manages the access users through the global user table in at least one of the following ways:
the first management unit 261 is configured to judge, according to a preset threshold, whether the number of access users of a user group in the global user table is greater than the preset threshold, and if the judgment result is yes, to close the access interface;
the second management unit 262 is configured to obtain an abnormal service card by querying the global user table and to delete all users that went online on the abnormal service card;
the third management unit 263 is configured to look up an access user according to the access user index table and to perform a preset operation on the access user, where the preset operation comprises at least one of: query, delete.
Preferably, Fig. 6 is a structural block diagram of the device for managing user data according to a preferred embodiment of the present invention. As shown in Fig. 6, in addition to all the modules shown in Fig. 4, the device further comprises a table entry generation module 42 and a communication module 44, where:
the table entry generation module 42 is configured to generate table entries according to the user information in the global user table after the access users have been managed through the global user table;
the communication module 44, connected to the table entry generation module 42, is configured to establish communication with the user access device according to the table entries generated by the table entry generation module 42.
Preferably, Fig. 7 is a structural block diagram of the device for managing user data according to a preferred embodiment of the present invention. The communication module 44 comprises a first receiving unit 441, a decapsulation unit 442, a first sending unit 443, a second receiving unit 444, an encapsulation unit 445 and a second sending unit 446, where:
the first receiving unit 441 is configured to receive the encrypted packet sent by the user access device;
the decapsulation unit 442, connected to the first receiving unit 441, is configured to perform IPsec decapsulation on the encrypted packet received by the first receiving unit 441 to obtain the decapsulated inner packet;
the first sending unit 443, connected to the decapsulation unit 442, is configured to send the inner packet decapsulated by the decapsulation unit 442 to the intranet device corresponding to the user access device;
or,
the second receiving unit 444 is configured to receive the plaintext packet sent by the intranet device;
the encapsulation unit 445, connected to the second receiving unit 444, is configured to encapsulate the plaintext packet with IPsec to obtain the encapsulated packet;
the second sending unit 446, connected to the encapsulation unit 445, is configured to send the encapsulated packet to the user access device.
Technical problem to be solved by this invention is: overcome IPsec in the distributed system existing in prior artThe problem of remote access user's complex management, the distributed user administration side that provides a kind of master control to cooperate with service cardMethod.
The present invention is by the following technical solutions: IPsec service card is responsible for remote access user's negotiation, each IPsecService card maintenance customer information list will send master control simultaneously in user profile; Master control is safeguarded complete according to upper carry informationOffice's subscriber's meter. All user profile that this service card is reached the standard grade are safeguarded in user profile list; Overall situation subscriber's meter maintenance networkClose all user profile that each service card is reached the standard grade. User profile is included as private net address, the mould that access user distributesFormula configuration information, service card address etc. Be described as follows:
(1) long-range access client is initiated to consult, and line card selects an IPsec service card to process negotiationMessage.
(2) consult successfully, service card generates local user's node, and user profile is synchronized to master control.
(3) master control receives the user profile of sending on service card, generates user node, and adds overall userTable.
(4) master control issues line card according to user profile generating table entry, and line card, by looking into the list item issuing, is guaranteedThe IPsec data message that follow-up access user and Intranet equipment room send is sent to the service card that user reaches the standard grade to carry outProcess.
(5) when user offline, IPsec service card is deleted user node, and notifies master control to delete.
Specific as follows, as shown in Figure 8, long-range access client access public network, gets public network IP address(2.1.1.X). Client wishes to access the Intranet resource of IPsecVPN gateway protection now. Client is to netClose and initiate long-range access negotiation, request gateway distributes IP address of internal network (1.1.1.X) and other configuration informations,It after success, is available this internal address access Intranet resource. The data message sending between intranet host and clientBe subject to IPsec tunnel encipherment protection.
As shown in Figure 9, IPsecVPN gateway is as follows to client access request handling process:
(1) gateway management person's configuring negotiation relevant parameter, ensures that client access negotiation can be successful. MainlyConfiguration comprises:
Step1. consult first stage, second stage relevant parameter. Normally under configuration template, select to consult ginsengNumber.
Step2.IPsec interface. IPsec interface is a kind of logic interfacing of the IPsec of carrying agreement. Need to be by itThe configuration template of front generation is tied under IPsec interface, and client first finds IPsec interface while negotiation, thenObtain the configuration of its lower binding.
Step3. user's group. User organizes lower configuration extended authentication and pattern configurations relevant parameter, and user organizes fairPermitted the maximum number of access etc.
(2) line card packet sending and receiving module is received the negotiation packet that client sends, according to special algorithm, selectedA service card, arrives this service card processing by text delivery. The follow-up negotiation packet that this client sends is also thrownBeing delivered to same service card processes.
(3) service card is received after negotiation packet, and message is issued to IPsec processing module. IPsec processing moduleBe responsible for IKE protocol related function, comprise first stage negotiation, the negotiation of extended authentication/pattern configurations and second-orderSection is consulted.
(4), after consulting successfully, IPsec processing module is according to the internal address and the user that distribute for clientInformation generation local user node is put in assembly, joins in user profile list. Service card user profile list numberAccording to structure as shown in Figure 2:
All long-distance user's nodes of this service card access are safeguarded in the list of service card user profile.
User profile list is used IPsec interface+user private network IP to carry out index as key assignments.
The user profile of user node storage comprises: access user group, service card address, client public network groundLocation, pattern configurations information etc.
(5) After the service card IPsec processing module has generated the local user node, it sends the user information to the master-control IPsec processing module, which generates a global user node and adds it to the global user list. As shown in Figure 3, the master-control global user list provides three ways of managing access users:
A. Management based on IPsec interface-user group.
According to the parameters carried by the access user during negotiation, the IPsec VPN gateway places the user node under the user group of the corresponding IPsec interface. These users may come online from different service cards. Through the IPsec interface-user group management mode, master control knows in real time how the access users of each user group are distributed across the service cards. When the number of users in a user group reaches the permitted maximum, master control sends a notification to close the access function of that user group.
B. Management based on the service card through which the access user negotiated.
When a service card sends up user information it carries the service card address, and master control maintains all users that came online through that service card. These users may belong to different user groups. When a service card becomes abnormal or is pulled out of the device, master control perceives this and deletes all users that came online through that service card.
C. Access user index table.
This table is indexed with the access user's IPsec interface + user private-network IP as the key. Its purpose is fast user lookup. When the gateway administrator needs to log a particular user off, the administrator enters the user's access IPsec interface + user private-network IP; master control locates the user, deletes it, and notifies the service card to delete it as well. Likewise, when the administrator views a particular user's detailed information, the user can be found quickly and the user information displayed.
(6) The master-control IPsec processing module generates various table entries from the user information in the global user list and issues them to the packet transmitting and receiving module of the line card. After a client has accessed successfully, the gateway uses these entries to process the IPsec encryption and decryption of the client's data packets. The line card packet transmitting and receiving module handles packets as follows according to the issued entries:
A. Ciphertext sent by the client to an intranet device is delivered to the service card on which the client came online for IPsec decapsulation; the service card then sends the inner packet back to the line card, which forwards it on to the intranet device the client wishes to access.
B. Plaintext sent by an intranet device to the client is delivered to the service card on which the client came online for IPsec encapsulation; the service card then sends the encapsulated packet back to the line card, which forwards it on to the client.
In this way, all the requirements for managing the gateway's access users can be met, including viewing user information, logging off a particular user, and linkage between the user list and related modules, with advantages such as fast user location and diverse management modes:
a. A maximum permitted number of access users is configured under each user group. Once the maximum is reached, all subsequent access requests for that user group are rejected. Because the users of a user group may come online on multiple service cards, only the master-control global user list can obtain the current number of access users in a group. When master control finds that the number of users has reached the limit, it notifies the service cards to close the access function of that user group, and all service cards refuse IKE negotiations for access to that user group. Because of timing, after master control has closed the access function of a user group it may still receive a local user node sent up by a service card; this node must not be added to the global user list, and the service card is notified to delete the redundant user. When a user goes offline and the number of users drops below the maximum, master control notifies the service cards to reopen the access function of that user group.
b. The administrator can view the access situation of the users of each user group or each service card, as well as the detailed configuration information of each user.
c. Linkage between the user list and related modules can be realised. For example, when the administrator modifies the gateway configuration in the configuration manager, master control notifies the service cards to handle it accordingly. For example, when the user group bound to an IPsec interface is deleted, master control notifies each service card to delete all access users belonging to that user group, and notifies the clients.
d. The administrator can log off a single user through the access user index table, and can also log off users in bulk by IPsec interface, user group or service card. When a user is logged off, master control deletes the user from the global user list and notifies the service card to remove it.
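As an added illustration (not code from the patent or from ZTE), the following Python sketch models the master-control global user list with the three views described above (A: per IPsec-interface user group with a maximum count, B: per service card, C: index by IPsec interface + private-network IP), including the late-node timing case from point a and the card-removal case from point B. All class, method and field names are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class UserNode:                 # assumed shape of a global user node
    iface: str     # IPsec interface the user negotiated on (its user group)
    priv_ip: str   # user's private-network IP; (iface, priv_ip) is the index key
    card: str      # service card the user came online on
    pub_ip: str    # client public-network address, kept for "show user"

class GlobalUserTable:          # assumed name for the master-control global user list
    def __init__(self, group_limits):
        self.limits = dict(group_limits)     # iface -> max users allowed in that group
        self.by_key = {}                     # view C: (iface, priv_ip) -> UserNode
        self.by_group = defaultdict(set)     # view A: iface -> keys of its users
        self.by_card = defaultdict(set)      # view B: card -> keys of users on it
        self.notices = []                    # (action, target, key) master control would send

    def group_full(self, iface):
        return len(self.by_group[iface]) >= self.limits.get(iface, float("inf"))

    def add(self, node):
        # Admit a node sent up by a service card; reject it if its group is closed.
        key = (node.iface, node.priv_ip)
        if self.group_full(node.iface):
            # Late node: the card sent it after the group was closed (timing case).
            self.notices.append(("delete", node.card, key))
            return False
        self.by_key[key] = node
        self.by_group[node.iface].add(key)
        self.by_card[node.card].add(key)
        if self.group_full(node.iface):      # limit reached: tell the cards to close the group
            self.notices.append(("close", node.iface, None))
        return True

    def _drop(self, key):
        node = self.by_key.pop(key)
        self.by_group[node.iface].discard(key)
        self.by_card[node.card].discard(key)
        self.notices.append(("delete", node.card, key))   # card removes its local node
        return node

    def _reopen_if_needed(self, groups):
        for g in groups:                     # a full group dropped below its maximum
            if not self.group_full(g):
                self.notices.append(("open", g, None))

    def logout(self, iface, priv_ip):
        # Administrator logs off one user located through the index table (view C).
        key = (iface, priv_ip)
        if key not in self.by_key:
            return None
        full_before = [iface] if self.group_full(iface) else []
        node = self._drop(key)
        self._reopen_if_needed(full_before)
        return node

    def card_failed(self, card):
        # Card abnormal or pulled out: delete every user that came online on it (view B).
        full_before = [g for g in self.limits if self.group_full(g)]
        dropped = [self._drop(k) for k in list(self.by_card.get(card, ()))]
        self._reopen_if_needed(full_before)
        return dropped
```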
Obviously, those skilled in the art will appreciate that each of the above modules or steps of the present invention may be implemented by a general-purpose computing device; they may be concentrated on a single computing device or distributed over a network formed by multiple computing devices; optionally, they may be implemented by program code executable by a computing device, so that they may be stored in a storage device and executed by a computing device; in some cases the steps shown or described may be performed in an order different from that given herein, or they may be made into individual integrated circuit modules, or several of the modules or steps may be made into a single integrated circuit module. Thus, the present invention is not limited to any specific combination of hardware and software.
The foregoing are only preferred embodiments of the present invention and are not intended to limit it; for those skilled in the art, the present invention may have various modifications and variations. Any amendment, equivalent replacement, improvement, etc. made within the spirit and principles of the present invention shall be included within the protection scope of the present invention.

Claims (10)

1. A user data management method, characterized in that it comprises:
receiving a user information list that includes Internet Protocol Security (IPsec) configuration information;
generating a global user node according to the user information in said user information list;
adding said global user node to a global user list, and managing access users through said global user list.
2. The method according to claim 1, characterized in that the user information in said user information list comprises at least one of: a user group, a service card address, and said IPsec configuration information, wherein said IPsec configuration information is used to configure intranet resources for the access user;
said user information list comprises an access user index table for indexing access users, said access user index table being composed of the IPsec interface and the user's intranet IP.
3. The method according to claim 2, characterized in that the access users are managed through said global user list in at least one of the following ways:
Scheme one: judging, according to a predetermined threshold, whether the number of access users of said user group in said global user list is greater than said predetermined threshold; if the judgment result is yes, closing the access interface;
Scheme two: obtaining an abnormal service card by querying said global user list; deleting all users that came online on said abnormal service card;
Scheme three: looking up an access user according to said access user index table, and performing a predetermined operation on said access user, said predetermined operation comprising at least one of: query, delete.
4. The method according to claim 2, characterized in that, after managing said access users through said global user list, the method further comprises:
generating table entries according to said user information in said global user list;
establishing communication with said user access device according to said table entries.
5. The method according to claim 4, characterized in that said establishing communication with said user access device according to said table entries comprises:
Mode one: receiving an encrypted packet sent by the user access device; performing Internet Protocol Security (IPsec) decapsulation on said encrypted packet to obtain the decapsulated inner packet; sending said inner packet to the intranet device corresponding to said user access device;
or,
Mode two: receiving plaintext sent by the intranet device; encapsulating said plaintext by Internet Protocol Security (IPsec) to obtain the encapsulated packet; sending said packet to the user access device.
6. A user data management device, characterized in that it comprises:
a receiving module, for receiving a user information list that includes Internet Protocol Security (IPsec) configuration information;
a generation module, for generating a global user node according to the user information in said user information list;
a management module, for adding said global user node to a global user list and managing access users through said global user list.
7. The device according to claim 6, characterized in that the user information in said user information list comprises at least one of: a user group, a service card address, and said IPsec configuration information, wherein said IPsec configuration information is used to configure intranet resources for the access user;
said user information list comprises an access user index table for indexing access users, said access user index table being composed of the IPsec interface and the user's intranet IP.
8. The device according to claim 7, characterized in that said management module manages access users through said global user list by at least one of the following:
a first management unit, for judging, according to a predetermined threshold, whether the number of access users of said user group in said global user list is greater than said predetermined threshold, and, if the judgment result is yes, closing the access interface;
a second management unit, for obtaining an abnormal service card by querying said global user list, and deleting all users that came online on said abnormal service card;
a third management unit, for looking up an access user according to said access user index table and performing a predetermined operation on said access user, said predetermined operation comprising at least one of: query, delete.
9. The device according to claim 7, characterized in that said device further comprises:
a table entry generation module, for generating table entries according to said user information in said global user list after said access users have been managed through said global user list;
a communication module, for establishing communication with said user access device according to said table entries generated by said table entry generation module.
10. The device according to claim 7, characterized in that said communication module comprises:
a first receiving unit, for receiving the encrypted packet sent by said user access device;
a decapsulation unit, for performing Internet Protocol Security (IPsec) decapsulation on said encrypted packet received by said first receiving unit to obtain the decapsulated inner packet;
a first transmitting unit, for sending said decapsulated inner packet to the intranet device corresponding to said user access device;
or,
a second receiving unit, for receiving the plaintext sent by the intranet device;
an encapsulation unit, for encapsulating said plaintext by Internet Protocol Security (IPsec) to obtain the encapsulated packet;
a second transmitting unit, for sending said packet to said user access device.

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201410690360.9A CN105610599B (en) 2014-11-25 2014-11-25 User data management and device
PCT/CN2015/073522 WO2016082363A1 (en) 2014-11-25 2015-03-02 User data management method and apparatus

Publications (2)

Publication Number Publication Date
CN105610599A true CN105610599A (en) 2016-05-25
CN105610599B CN105610599B (en) 2019-03-01

Country Status (2)

Country Link
CN (1) CN105610599B (en)
WO (1) WO2016082363A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107896233A (en) * 2017-12-28 2018-04-10 广州汇智通信技术有限公司 A kind of SCTP flow datas management method, system and equipment
CN111147382A (en) * 2019-12-31 2020-05-12 杭州迪普科技股份有限公司 Message forwarding method and device

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102014007A (en) * 2010-12-29 2011-04-13 武汉日电光通信工业有限公司 Distributed system service management system and method
US20120226804A1 (en) * 2010-12-29 2012-09-06 Murali Raja Systems and methods for scalable n-core stats aggregation
CN103686725A (en) * 2012-09-26 2014-03-26 成都鼎桥通信技术有限公司 User data management method, user data management equipment and user data management system


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant