CN105791318A - Multicast safety access apparatus and method thereof - Google Patents


Info

Publication number
CN105791318A
Authority
CN
China
Prior art keywords
multicast
address
source
list
management server
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201610279594.3A
Other languages
Chinese (zh)
Other versions
CN105791318B (en)
Inventor
周迪
余剑声
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhejiang Uniview Technologies Co Ltd
Original Assignee
Zhejiang Uniview Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Zhejiang Uniview Technologies Co Ltd
Priority to CN201610279594.3A
Publication of CN105791318A
Application granted
Publication of CN105791318B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H04L12/00 Data switching networks
    • H04L12/02 Details
    • H04L12/16 Arrangements for providing special services to substations
    • H04L12/18 Arrangements for providing special services to substations for broadcast or conference, e.g. multicast
    • H04L12/185 Arrangements for providing special services to substations for broadcast or conference, e.g. multicast, with management of multicast group membership


Abstract

The invention discloses a multicast security access apparatus and method. The apparatus comprises a first unit and a second unit. The first unit, on the multicast source side, applies a different access control list (ACL) to each port of the first unit or of the layer 2 switch through which a multicast source is accessed, so that the first unit and the layer 2 switch forward only multicast data packets sent by multicast sources that are legally registered on the management server and forward no multicast data packet sent by an illegal multicast source; the multicast sources are thereby controlled. The second unit, on the multicast receiving equipment side, applies a different ACL to each port of the second unit or of the layer 2 switch through which multicast receiving equipment is accessed, so that the second unit and the layer 2 switch accept only IGMP messages sent by legally registered receiving equipment to join a multicast group that it is authorized to join, and accept no IGMP message sent by illegal receiving equipment; the receiving equipment is thereby controlled.

Description

A multicast security access apparatus and method
Technical field
The invention belongs to the field of data transmission, and in particular relates to a multicast security access apparatus and method.
Background technology
Multicast technology solves the problem of single-point transmission and multipoint reception of packets: it achieves efficient point-to-multipoint transmission in an IP network, saving a large amount of network bandwidth and reducing network load.
While multicast brings many advantages, it also has the problem of being uncontrollable. First, a multicast user can join and leave a multicast group at will, and the network administrator cannot control which users join or leave, so there is no guarantee that only legitimate multicast users receive multicast data. Second, in a multicast network the administrator likewise cannot control the multicast sources, so it is possible for illegal multicast data to propagate through the multicast network. For these reasons, when an IP surveillance system deploys multicast, the multicast sources and multicast receivers also need to be controlled, ensuring that video multicast data is sent by legitimate multicast sources and received by legitimate multicast receivers, so that video surveillance data is transmitted safely and reliably over multicast.
Summary of the invention
The object of the invention is to provide a multicast security access apparatus and method that solve the problem that multicast sources and multicast receivers cannot be controlled in existing multicast technology.
To achieve this object, the technical solution of the invention is as follows:
A multicast security access apparatus, for managing and controlling multicast sources and multicast receiving equipment in a multicast network. The multicast network is provided with a management server. The apparatus comprises a first unit and a second unit; the first unit comprises a multicast source detection module and a first multicast security module, and the second unit comprises a multicast receiving equipment detection module and a second multicast security module, wherein:
The multicast source detection module, after detecting a multicast data packet, queries the ARP table of the first unit to obtain the IP addresses of all multicast sources, and queries the management server to obtain the multicast addresses of the legally registered multicast sources, thereby obtaining a multicast source information list containing each multicast source's IP address and multicast address;
The first multicast security module generates a multicast source security policy table from the multicast source information list and the port information obtained by querying the ARP table of the first unit or layer 2 switch through which each multicast source is accessed, generates an access control list for each multicast source from the policy table, and applies the ACL for each multicast source to the port of the first unit or layer 2 switch through which that source is accessed, so that the first unit or layer 2 switch forwards only the multicast data packets sent by multicast sources legally registered on the management server and forwards no multicast data packet sent by a multicast source not registered on the management server;
The multicast receiving equipment detection module, after detecting an IGMP message sent by multicast receiving equipment, queries the ARP table of the second unit to obtain the IP addresses of all multicast receiving equipment, and queries the management server to obtain the multicast groups that the user logged in on each piece of receiving equipment is authorized to join, thereby obtaining a multicast receiving equipment information list containing each piece of receiving equipment's IP address and the multicast groups its logged-in user is authorized to join;
The second multicast security module generates a multicast receiving equipment security policy table from the receiving equipment information list and the port information obtained by querying the ARP table of the second unit or layer 2 switch through which each piece of receiving equipment is accessed, generates an ACL for each piece of receiving equipment from the policy table, and applies the ACL for each piece of receiving equipment to the port of the second unit or layer 2 switch through which it is accessed, so that receiving equipment legally registered on the management server may join the multicast groups it is authorized to join, and receiving equipment not registered on the management server is prevented from joining any multicast group.
Further, the step in which the multicast source detection module, after detecting a multicast data packet, queries the ARP table of the first unit to obtain the IP addresses of all multicast sources and queries the management server to obtain the multicast addresses of the legally registered multicast sources, thereby obtaining the multicast source information list, comprises:
The multicast source detection module, after detecting a multicast data packet, queries the ARP table of the first unit, obtains the IP addresses of all multicast sources, and records them in a multicast source IP address table;
The multicast source detection module sends the multicast source IP address table to the management server. The management server queries its multicast source registration table, obtains the IP addresses of all multicast sources legally registered on the management server and the multicast address assigned to each of them, and appends to each legally registered source's IP address in the table the multicast address of that source, generating a multicast source information list containing each multicast source's IP address and corresponding multicast address. The management server then sends the multicast source information list to the multicast source detection module.
Further, the step in which the first multicast security module generates the multicast source security policy table from the multicast source information list and the port information obtained from the ARP table, generates an ACL for each multicast source and applies it to the port of the first unit or layer 2 switch through which that source is accessed, so that only multicast data packets from legally registered sources are forwarded, comprises:
The first multicast security module queries the ARP table of the first unit or layer 2 switch through which each multicast source is accessed, obtains the port number on the first unit or layer 2 switch through which the source is accessed, and adds the name of the accessing device and the port number to the multicast source information list, generating a multicast source security policy table containing each multicast source's IP address, its corresponding multicast address, and the device name and port number through which it is accessed;
The first multicast security module generates an ACL for each multicast source from the policy table. The ACL for a multicast source legally registered on the management server contains only a permit entry whose source IP address is the IP address of that source and whose destination IP address is the multicast address assigned to that source; the ACL for a multicast source not registered on the management server contains only a deny entry whose source IP address is the IP address of that source and whose destination IP address is any multicast address. The ACL for each multicast source is applied to the port of the first unit or layer 2 switch through which that source is accessed, so that the port through which a legally registered source is accessed forwards only multicast data packets whose source IP address is that source's IP address and whose destination IP address is the multicast address assigned to it by the management server, and the port through which an unregistered source is accessed forwards no multicast data packet sent by that source.
Further, the step in which the multicast receiving equipment detection module, after detecting an IGMP message sent by multicast receiving equipment, queries the ARP table of the second unit to obtain the IP addresses of all receiving equipment and queries the management server to obtain the multicast groups the logged-in user of each piece of receiving equipment is authorized to join, thereby obtaining the multicast receiving equipment information list, comprises:
The multicast receiving equipment detection module, after detecting an IGMP message sent by multicast receiving equipment, queries the ARP table of the second unit, obtains the IP addresses of all multicast receiving equipment, and records them in a multicast receiving equipment IP address table;
The multicast receiving equipment detection module sends the receiving equipment IP address table to the management server. The management server queries its multicast receiving equipment registry, obtains the IP addresses of all legally registered receiving equipment, the user logged in to the management server from each piece of receiving equipment, and the list of multicast groups each logged-in user is authorized to join; it then appends to each legally registered receiving equipment's IP address the list of multicast groups its logged-in user is authorized to join, generating a multicast receiving equipment information list containing each piece of receiving equipment's IP address and the multicast group list its logged-in user is authorized to join. The management server sends this list to the multicast receiving equipment detection module.
Further, the step in which the second multicast security module generates the multicast receiving equipment security policy table from the receiving equipment information list and the port information obtained from the ARP table, generates an ACL for each piece of receiving equipment and applies it to the port of the second unit or layer 2 switch through which that equipment is accessed, so that registered equipment may join only its authorized groups and unregistered equipment may join none, comprises:
The second multicast security module queries the ARP table of the second unit or layer 2 switch through which each piece of receiving equipment is accessed, obtains the port number on the second unit or layer 2 switch through which it is accessed, and adds the name of the accessing device and the port number to the receiving equipment information list, generating a multicast receiving equipment security policy table containing each piece of receiving equipment's IP address, its corresponding multicast group list, and the device name and port number through which it is accessed;
The second multicast security module generates an ACL for each piece of receiving equipment from the policy table. The permit entries in the ACL for receiving equipment legally registered on the management server contain only the multicast addresses in the multicast group list corresponding to that equipment in the policy table; the ACL for receiving equipment not registered on the management server contains a deny entry whose source IP address is the IP address of that equipment and whose protocol type is IGMP. The ACL for each piece of receiving equipment is applied to the port of the second unit or layer 2 switch through which it is accessed, so that receiving equipment legally registered on the management server may join the multicast groups it is authorized to join and receiving equipment not registered on the management server cannot join any multicast group.
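The two ACL-generation procedures above (the per-source ACLs of the first multicast security module and the per-receiver ACLs of the second multicast security module) can be modelled end to end as follows. This is an added example written for this page, not code from the patent or from Zhejiang Uniview. The table layouts, the (device, port) keys and the ACL record format are assumptions, the sample ARP and registration tables are constructed, and the example adds one behaviour the patent does not state: a port whose ACL matches nothing drops any remaining multicast traffic (default deny), which is how such a policy is normally hardened.

```python
"""Per-port multicast ACLs for the first unit (sources) and second unit
(receivers). Added example; table layouts, keys and ACL format are assumptions."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

ANY_MCAST = IPv4Network("224.0.0.0/4")   # "any multicast address" in the deny entries


@dataclass(frozen=True)
class AclEntry:
    action: str            # "permit" or "deny"
    src: IPv4Address       # the source's or receiving equipment's own IP address
    dst: IPv4Network       # one group as a /32, or ANY_MCAST
    proto: str = "any"     # "any" for data packets, "igmp" for join messages


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: str             # "udp" for multicast data, "igmp" for membership reports
    port: tuple            # (device name, port number) the packet arrived on


def build_source_acls(arp_table, registered_sources):
    """First multicast security module. arp_table: host IP -> (device, port)
    learned from the ARP table of the unit or layer 2 switch; registered_sources:
    IP -> multicast address assigned by the management server. Returns the
    multicast source security policy as one ACL per port."""
    acls = {}
    for ip, port in arp_table.items():
        group = registered_sources.get(ip)
        if group is not None:   # legally registered: permit only its own group
            entry = AclEntry("permit", ip, IPv4Network(f"{group}/32"))
        else:                   # not registered: deny any multicast it sends
            entry = AclEntry("deny", ip, ANY_MCAST)
        acls.setdefault(port, []).append(entry)
    return acls


def build_receiver_acls(arp_table, registered_receivers):
    """Second multicast security module. registered_receivers: receiver IP ->
    groups the logged-in user is authorized to join. Unregistered receivers get
    only the deny entry (source IP + protocol IGMP) the patent describes;
    registered receivers get one permit per allowed group followed by a deny
    for any other group (assumption: the patent lists only the permits)."""
    acls = {}
    for ip, port in arp_table.items():
        entries = [AclEntry("permit", ip, IPv4Network(f"{g}/32"), "igmp")
                   for g in registered_receivers.get(ip, [])]
        entries.append(AclEntry("deny", ip, ANY_MCAST, "igmp"))
        acls.setdefault(port, []).extend(entries)
    return acls


def evaluate(acls, pkt):
    """First-match evaluation of the ACL applied to the arrival port. Multicast
    traffic that matches no entry is dropped (assumed default deny); unicast
    traffic is untouched by these ACLs."""
    for e in acls.get(pkt.port, []):
        if e.src == pkt.src and pkt.dst in e.dst and e.proto in ("any", pkt.proto):
            return e.action == "permit"
    return pkt.dst not in ANY_MCAST


# Constructed sample tables: 10.0.1.11 is a registered source assigned 239.1.1.1,
# 10.0.1.12 is a rogue source; 10.0.2.21 is a registered receiver allowed to
# join 239.1.1.1 only, 10.0.2.22 is an unregistered receiver.
ARP_SOURCES = {IPv4Address("10.0.1.11"): ("sw1", "Gi0/1"),
               IPv4Address("10.0.1.12"): ("sw1", "Gi0/2")}
REGISTERED_SOURCES = {IPv4Address("10.0.1.11"): "239.1.1.1"}
ARP_RECEIVERS = {IPv4Address("10.0.2.21"): ("sw2", "Gi0/5"),
                 IPv4Address("10.0.2.22"): ("sw2", "Gi0/6")}
REGISTERED_RECEIVERS = {IPv4Address("10.0.2.21"): ["239.1.1.1"]}


def demo():
    """Run sample traffic through both policies; True means forwarded/accepted."""
    src_acls = build_source_acls(ARP_SOURCES, REGISTERED_SOURCES)
    rcv_acls = build_receiver_acls(ARP_RECEIVERS, REGISTERED_RECEIVERS)
    a = IPv4Address
    cases = {
        "registered_source_own_group": (src_acls, Packet(a("10.0.1.11"), a("239.1.1.1"), "udp", ("sw1", "Gi0/1"))),
        "registered_source_other_group": (src_acls, Packet(a("10.0.1.11"), a("239.9.9.9"), "udp", ("sw1", "Gi0/1"))),
        "rogue_source": (src_acls, Packet(a("10.0.1.12"), a("239.1.1.1"), "udp", ("sw1", "Gi0/2"))),
        "unicast_from_rogue": (src_acls, Packet(a("10.0.1.12"), a("10.0.9.9"), "udp", ("sw1", "Gi0/2"))),
        "authorized_join": (rcv_acls, Packet(a("10.0.2.21"), a("239.1.1.1"), "igmp", ("sw2", "Gi0/5"))),
        "unauthorized_join": (rcv_acls, Packet(a("10.0.2.21"), a("239.2.2.2"), "igmp", ("sw2", "Gi0/5"))),
        "unregistered_receiver_join": (rcv_acls, Packet(a("10.0.2.22"), a("239.1.1.1"), "igmp", ("sw2", "Gi0/6"))),
    }
    return {name: evaluate(acls, pkt) for name, (acls, pkt) in cases.items()}


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:32s} {'forward' if allowed else 'drop'}")
```

Note that a registered source sending to a group other than the one the management server assigned it is also dropped: the permit entry is scoped to a single (source IP, group) pair, which is what keeps a legitimate camera from being repurposed to flood an unrelated group.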
The invention also provides a multicast security access method for managing and controlling multicast sources and multicast receiving equipment in a multicast network. The multicast network is provided with a management server and further comprises a first unit for access control of multicast sources and a second unit for access control of multicast receiving equipment. The method comprises:
The first unit, after detecting a multicast data packet, queries its ARP table to obtain the IP addresses of all multicast sources, and queries the management server to obtain the multicast addresses of the legally registered multicast sources, thereby obtaining a multicast source information list containing each multicast source's IP address and multicast address;
The first unit generates a multicast source security policy table from the multicast source information list and the port information obtained by querying the ARP table of the first unit or layer 2 switch through which each multicast source is accessed, generates an ACL for each multicast source from the policy table, and applies the ACL for each multicast source to the port of the first unit or layer 2 switch through which that source is accessed, so that the first unit or layer 2 switch forwards only the multicast data packets sent by multicast sources legally registered on the management server and forwards no multicast data packet sent by a multicast source not registered on the management server;
The second unit, after detecting an IGMP message sent by multicast receiving equipment, queries its ARP table to obtain the IP addresses of all multicast receiving equipment, and queries the management server to obtain the multicast groups that the user logged in on each piece of receiving equipment is authorized to join, thereby obtaining a multicast receiving equipment information list containing each piece of receiving equipment's IP address and the multicast groups its logged-in user is authorized to join;
The second unit generates a multicast receiving equipment security policy table from the receiving equipment information list and the port information obtained by querying the ARP table of the second unit or layer 2 switch through which each piece of receiving equipment is accessed, generates an ACL for each piece of receiving equipment from the policy table, and applies the ACL for each piece of receiving equipment to the port of the second unit or layer 2 switch through which it is accessed, so that receiving equipment legally registered on the management server may join the multicast groups it is authorized to join, and receiving equipment not registered on the management server is prevented from joining any multicast group.
Further, the step in which the first unit, after detecting a multicast data packet, queries its ARP table to obtain the IP addresses of all multicast sources and queries the management server to obtain the multicast addresses of the legally registered multicast sources, thereby obtaining the multicast source information list, comprises:
After detecting a multicast data packet, querying the ARP table of the first unit, obtaining the IP addresses of all multicast sources, and recording them in a multicast source IP address table;
Sending the multicast source IP address table to the management server; the management server queries its multicast source registration table, obtains the IP addresses of all multicast sources legally registered on the management server and the multicast address assigned to each of them, appends to each legally registered source's IP address in the table the multicast address of that source, generates a multicast source information list containing each multicast source's IP address and corresponding multicast address, and sends the list to the first unit.
Further, the step in which the first unit generates the multicast source security policy table from the multicast source information list and the port information obtained from the ARP table, generates an ACL for each multicast source and applies it to the port of the first unit or layer 2 switch through which that source is accessed, so that only multicast data packets from legally registered sources are forwarded, comprises:
The first unit queries the ARP table of the first unit or layer 2 switch through which each multicast source is accessed, obtains the port number on the first unit or layer 2 switch through which the source is accessed, and adds the name of the accessing device and the port number to the multicast source information list, generating a multicast source security policy table containing each multicast source's IP address, its corresponding multicast address, and the device name and port number through which it is accessed;
The first unit generates an ACL for each multicast source from the policy table. The ACL for a multicast source legally registered on the management server contains only a permit entry whose source IP address is the IP address of that source and whose destination IP address is the multicast address assigned to that source; the ACL for a multicast source not registered on the management server contains only a deny entry whose source IP address is the IP address of that source and whose destination IP address is any multicast address. The ACL for each multicast source is applied to the port of the first unit or layer 2 switch through which that source is accessed, so that the port through which a legally registered source is accessed forwards only multicast data packets whose source IP address is that source's IP address and whose destination IP address is the multicast address assigned to it by the management server, and the port through which an unregistered source is accessed forwards no multicast data packet sent by that source.
Further, the step in which the second unit, after detecting an IGMP message sent by multicast receiving equipment, queries its ARP table to obtain the IP addresses of all receiving equipment and queries the management server to obtain the multicast groups the logged-in user of each piece of receiving equipment is authorized to join, thereby obtaining the multicast receiving equipment information list, comprises:
The second unit, after detecting an IGMP message sent by multicast receiving equipment, queries the ARP table of the second unit, obtains the IP addresses of all multicast receiving equipment, and records them in a multicast receiving equipment IP address table;
The second unit sends the receiving equipment IP address table to the management server. The management server queries its multicast receiving equipment registry, obtains the IP addresses of all legally registered receiving equipment, the user logged in to the management server from each piece of receiving equipment, and the list of multicast groups each logged-in user is authorized to join; it then appends to each legally registered receiving equipment's IP address the list of multicast groups its logged-in user is authorized to join, generating a multicast receiving equipment information list containing each piece of receiving equipment's IP address and the multicast group list its logged-in user is authorized to join. The management server sends this list to the second unit.
Further, the step in which the second unit generates the multicast receiving equipment security policy table from the receiving equipment information list and the port information obtained from the ARP table, generates an ACL for each piece of receiving equipment and applies it to the port of the second unit or layer 2 switch through which that equipment is accessed, so that registered equipment may join only its authorized groups and unregistered equipment may join none, comprises:
The second unit queries the ARP table of the second unit or layer 2 switch through which each piece of receiving equipment is accessed, obtains the port number through which it is accessed, and adds the name of the accessing device and the port number to the receiving equipment information list, generating a multicast receiving equipment security policy table containing each piece of receiving equipment's IP address, its corresponding multicast group list, and the device name and port number through which it is accessed;
The second unit generates an ACL for each piece of receiving equipment from the policy table. The permit entries in the ACL for receiving equipment legally registered on the management server contain only the multicast addresses in the multicast group list corresponding to that equipment in the policy table; the ACL for receiving equipment not registered on the management server contains a deny entry whose source IP address is the IP address of that equipment and whose protocol type is IGMP. The ACL for each piece of receiving equipment is applied to the port of the second unit or layer 2 switch through which it is accessed, so that receiving equipment legally registered on the management server may join the multicast groups it is authorized to join and receiving equipment not registered on the management server cannot join any multicast group.
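The receiver-side deny entry above matches on source IP address and protocol type IGMP, and the permit entries on the multicast addresses the user may join. That works directly for IGMPv1/v2, where a membership report is addressed to the group being joined, but an IGMPv3 membership report is addressed to 224.0.0.22 and carries the group addresses inside its group records, so the second unit has to read the IGMP payload to apply the group list rather than match the IP destination alone. The following added example (written for this page, not code from the patent or from Zhejiang Uniview) parses both report formats, validates the IGMP checksum, and checks every group the report joins against the receiver's permitted list; the sample reports and the permitted-group table are constructed.

```python
"""Extract the groups an IGMP membership report joins and check them against the
receiver's permitted group list. Added example; sample reports are constructed."""
import struct
from ipaddress import IPv4Address

IGMP_V1_REPORT, IGMP_V2_REPORT, IGMP_V3_REPORT = 0x12, 0x16, 0x22
# IGMPv3 group record types (RFC 3376, section 4.2.12)
MODE_IS_INCLUDE, MODE_IS_EXCLUDE, CHANGE_TO_INCLUDE, CHANGE_TO_EXCLUDE = 1, 2, 3, 4
ALLOW_NEW_SOURCES, BLOCK_OLD_SOURCES = 5, 6


def igmp_checksum(data):
    """RFC 1071 one's-complement checksum over the whole IGMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _record_joins(rtype, nsrc):
    """EXCLUDE-mode records subscribe to the whole group; INCLUDE-mode and ALLOW
    records subscribe only if they name sources; BLOCK records and an empty
    CHANGE_TO_INCLUDE are leaves, not joins."""
    return rtype in (MODE_IS_EXCLUDE, CHANGE_TO_EXCLUDE) or (
        rtype in (MODE_IS_INCLUDE, CHANGE_TO_INCLUDE, ALLOW_NEW_SOURCES) and nsrc > 0)


def requested_groups(payload):
    """Groups a v1/v2/v3 membership report asks to join; empty for other IGMP
    types. Raises ValueError on a short, truncated or corrupted message."""
    if len(payload) < 8:
        raise ValueError("short IGMP message")
    if igmp_checksum(payload) != 0:
        raise ValueError("bad IGMP checksum")
    igmp_type = payload[0]
    if igmp_type in (IGMP_V1_REPORT, IGMP_V2_REPORT):
        return {IPv4Address(payload[4:8])}      # group address field of the report
    if igmp_type != IGMP_V3_REPORT:
        return set()
    groups, off = set(), 8
    (num_records,) = struct.unpack("!H", payload[6:8])
    for _ in range(num_records):
        if off + 8 > len(payload):
            raise ValueError("truncated group record")
        rtype, aux_len, nsrc = struct.unpack("!BBH", payload[off:off + 4])
        group = IPv4Address(payload[off + 4:off + 8])
        if _record_joins(rtype, nsrc):
            groups.add(group)
        off += 8 + 4 * nsrc + 4 * aux_len      # aux data length is in 32-bit words
        if off > len(payload):
            raise ValueError("truncated source list")
    return groups


def check_report(receiver_ip, payload, permitted):
    """Second-unit decision: (accept, joined groups). An unregistered receiver
    (no entry in `permitted`) is denied outright; a registered one is accepted
    only if every group the report joins is in its permitted list."""
    allowed = permitted.get(receiver_ip)
    if not allowed:
        return False, set()
    joined = requested_groups(payload)
    return joined <= allowed, joined


def is_valid_igmp(payload):
    """True if the message parses and its checksum verifies."""
    try:
        requested_groups(payload)
        return True
    except ValueError:
        return False


def _finish(msg):
    """Fill in the checksum field (bytes 2-3) of a message built with it zeroed."""
    return msg[:2] + struct.pack("!H", igmp_checksum(msg)) + msg[4:]


def v2_report(group):
    """Constructed IGMPv2 membership report for one group."""
    return _finish(struct.pack("!BBH4s", IGMP_V2_REPORT, 0, 0, IPv4Address(group).packed))


def v3_report(records):
    """Constructed IGMPv3 report; records is a list of (type, group, [sources])."""
    body = b"".join(
        struct.pack("!BBH4s", rtype, 0, len(srcs), IPv4Address(group).packed)
        + b"".join(IPv4Address(s).packed for s in srcs)
        for rtype, group, srcs in records)
    return _finish(struct.pack("!BBHHH", IGMP_V3_REPORT, 0, 0, 0, len(records)) + body)


# Constructed permitted-group table from the management server: 10.0.2.21 may
# join 239.1.1.1 and 239.1.1.2; 10.0.2.22 is not registered.
PERMITTED = {IPv4Address("10.0.2.21"): {IPv4Address("239.1.1.1"), IPv4Address("239.1.1.2")}}
```

The whole report is rejected if any one record joins an unauthorized group; accepting the authorized records and dropping the rest would require rewriting the report, which a port ACL cannot do.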
The invention proposes a multicast security access apparatus and method. A multicast security access device at the multicast source side controls the multicast sources: only multicast data packets sent by multicast sources legally registered on the management server are forwarded, and multicast data packets sent by illegal multicast sources are dropped directly. A multicast security access device at the receiving equipment side controls the multicast receivers: only receiving equipment legally registered on the management server is allowed to join the multicast groups it is authorized to join, and illegal receiving equipment cannot join any multicast group. This solves the prior-art problem that multicast sources and multicast receiving equipment cannot be managed and controlled.
Brief description of the drawings
Fig. 1 is a structural diagram of the multicast security access device of the invention;
Fig. 2 is a network topology diagram of the multicast security access device of this embodiment;
Fig. 3 is a flowchart of the multicast security access method of the invention.
Detailed description of the invention
Below in conjunction with drawings and Examples, technical solution of the present invention being described in further details, following example do not constitute limitation of the invention.
The multicast security access device of this embodiment, as shown in Fig. 1, comprises a first unit and a second unit. The first unit comprises a multicast source detection module and a first multicast security module; the second unit comprises a multicast receiving device detection module and a second multicast security module. In an existing multicast network, multicast sources and multicast receiving devices usually access the multicast network through a Layer 2 switch. In this embodiment a multicast source either accesses the first unit directly, or accesses a Layer 2 switch and reaches the first unit through it; a multicast receiving device either accesses the second unit directly, or accesses a Layer 2 switch and reaches the second unit through it. The multicast security access device of this embodiment is preconfigured with the management IP address of the Layer 2 switch, used to manage and configure the switch, and with the IP address of the management server, used to exchange with the management server the information about the multicast sources and multicast receiving devices legitimately registered on it.
In this embodiment the first unit manages and controls the multicast sources. First, the multicast source detection module detects all accessed multicast sources: it monitors all IP packets sent to the first unit, and when it observes multicast data it queries the ARP table of the first unit, obtains the IP addresses of all multicast sources and records them in a multicast source IP address table.
The multicast source detection module then queries the multicast source registration table of the management server, obtains the IP addresses of all multicast sources legitimately registered on the management server together with the multicast address allocated to each of them, and appends the multicast address of each registered source after that source's IP address in the multicast source IP address table, producing a multicast source information list that contains each source's IP address and its corresponding multicast address.
In this embodiment the multicast source information list can also be generated as follows:
The multicast source detection module sends the multicast source IP address table to the management server. The management server queries its multicast source registration table, obtains the IP addresses of all legitimately registered multicast sources and the multicast address allocated to each, appends the multicast address after the IP address of each registered source in the table, generates the multicast source information list containing each source's IP address and corresponding multicast address, and sends the list back to the multicast source detection module.
Note that in this list only the IP address of a multicast source legitimately registered on the management server has a corresponding multicast address, namely the one allocated to that registered source; for the IP address of a multicast source not registered on the management server the corresponding multicast address is empty.
After the multicast source detection module has generated the multicast source information list, the first multicast security module queries the ARP table of the first unit or of the Layer 2 switch that each multicast source accesses, obtains the port number on the first unit or on the Layer 2 switch that the source is connected to, and adds the name of the accessed device and the port number to the list, producing a multicast source security policy table that contains each source's IP address, its corresponding multicast address, and the name and port number of the device it accesses.
Note that when a multicast source accesses the first unit directly, its IP address is present in the ARP table of the first unit but not in the ARP table of the Layer 2 switch, whereas when a multicast source accesses a Layer 2 switch instead of the first unit directly, its IP address is present in both the first unit's and the Layer 2 switch's ARP tables. This is how the device distinguishes whether a multicast source is directly connected to the first unit or connected through a Layer 2 switch.
The first multicast security module generates an access control list for each multicast source from the multicast source security policy table. The access control list for a multicast source legitimately registered on the management server contains only a permit entry whose source IP address is that source's IP address and whose destination IP address is the multicast address allocated to that source; the access control list for a multicast source not registered on the management server contains only a deny entry whose source IP address is that source's IP address and whose destination IP address is any multicast address. The access control list for each multicast source is applied on the port of the Layer 2 switch or of the first unit that the source accesses, so that the port accessed by a registered source forwards only multicast data whose source IP address is that registered source's IP address and whose destination IP address is the multicast address the management server allocated to it, while the port accessed by an unregistered source forwards no multicast data sent by that source.
Note that in this embodiment the access control list for a multicast source not registered on the management server contains only a deny entry whose source IP address is the source's IP address and whose destination IP address is any multicast address. Alternatively, the access control list for an unregistered source may contain only a deny entry whose source IP address is the source's IP address and whose destination IP address is any address, which blocks every packet the illegitimate multicast source device sends.
Through the above method the first unit manages and controls the multicast sources.
In this embodiment the second unit manages and controls the multicast receiving devices. When a multicast receiving device needs to receive multicast data, it sends an IGMP message requesting to join the corresponding multicast group. The multicast receiving device detection module of this embodiment monitors all IP packets sent to the second unit; when it observes an IGMP message sent by a multicast receiving device it queries the ARP table of the second unit, obtains the IP addresses of all multicast receiving devices and records them in a multicast receiving device IP address table.
The multicast receiving device detection module then queries the multicast receiving device registration table of the management server and obtains the IP addresses of all legitimately registered multicast receiving devices, the user logged in to the management server from each receiving device, and the list of multicast groups each logged-in user is authorized to access. It appends, after the IP address of each registered receiving device, the list of multicast groups that the user logged in from that device is authorized to join, producing a multicast receiving device information list that contains each receiving device's IP address and the multicast group list its logged-in user is authorized to join.
In this embodiment the multicast receiving device information list can also be generated as follows:
The multicast receiving device detection module sends the multicast receiving device IP address table to the management server. The management server queries its multicast receiving device registration table, obtains the IP addresses of all legitimately registered receiving devices, the user logged in from each receiving device and the multicast group list each logged-in user is authorized to access, appends after the IP address of each registered receiving device the multicast group list its logged-in user is authorized to join, generates the multicast receiving device information list containing each receiving device's IP address and the group list its logged-in user is authorized to join, and sends the list to the multicast receiving device detection module. At the same time, based on the multicast receiving device IP address table sent by the second unit, the management server records in its own multicast receiving device registration table the IP address of the second unit that each registered receiving device accesses.
Note that in this list only the IP address of a multicast receiving device legitimately registered on the management server has a corresponding multicast group list, namely the groups the user logged in from that device is authorized to join; for the IP address of a receiving device not registered on the management server the corresponding group list is empty.
After the multicast receiving device detection module has generated the multicast receiving device information list, the second multicast security module queries the ARP table of the second unit or of the Layer 2 switch that each receiving device accesses, obtains the port number on the second unit or on the Layer 2 switch that the device is connected to, and adds the name of the accessed device and the port number to the list, producing a multicast receiving device security policy table that contains each receiving device's IP address, its corresponding multicast group list, and the name and port number of the device it accesses; the group list of a receiving device not registered on the management server is empty.
Note that when a multicast receiving device accesses the second unit directly, its IP address is present in the ARP table of the second unit but not in the ARP table of the Layer 2 switch, whereas when a receiving device accesses a Layer 2 switch instead of the second unit directly, its IP address is present in both the second unit's and the Layer 2 switch's ARP tables. This is how the device distinguishes whether a receiving device is directly connected to the second unit or connected through a Layer 2 switch.
The second multicast security module generates an access control list for each multicast receiving device from the multicast receiving device security policy table. The permit entry of the access control list for a receiving device legitimately registered on the management server contains only the multicast addresses in the group list that corresponds to that device in the policy table; the access control list for a receiving device not registered on the management server contains a deny entry whose source IP address is that device's IP address and whose protocol type is IGMP. The access control list for each receiving device is applied on the port of the Layer 2 switch or of the second unit that the device accesses, so that on that port a receiving device legitimately registered on the management server may join the multicast groups it is authorized to join, while a receiving device not registered on the management server cannot join any multicast group. In other words, the port accessed by a registered receiving device passes only those IGMP messages sent by that device that join the groups its logged-in user is authorized to join, and the port accessed by an unregistered receiving device blocks every IGMP message that device sends.
Note that when the user logged in to the management server from a registered multicast receiving device changes, the management server looks up in its own multicast receiving device registration table the IP address of the second unit that this receiving device accesses, and sends to that second unit the IP address of the receiving device whose login user changed together with the multicast group list built from the new user's permissions. The second unit updates the group list of that receiving device in its multicast receiving device security policy table according to the information issued by the management server, generates a new access control list, deletes the old access control list, and applies the new access control list on the port of the second unit or of the Layer 2 switch that the device accesses.
In this embodiment the access control list for a multicast receiving device not registered on the management server contains a deny entry whose source IP address is the device's IP address and whose protocol type is IGMP, so the port blocks the IGMP messages the device sends. Alternatively, all types of messages sent from the MAC address of the illegitimate receiving device may be blocked directly, which likewise prevents a receiving device not registered on the management server from joining any multicast group.
Through the above method the second unit manages and controls the multicast receiving devices.
The embodiment is illustrated below with an example. The network structure of this example is shown in Fig. 2: the video management server is the management server; IPC1, IPC2, IPC4 and IPC5 are multicast sources legitimately registered on the video management server, while IPC3 and IPC6 are illegitimate multicast sources; client 1, client 2, client 4 and client 5 are multicast receiving devices legitimately registered on the video management server, while client 3 and client 6 are illegitimate receiving devices; user 1, user 2, user 4 and user 5 log in to the video management server through client 1, client 2, client 4 and client 5 respectively.
After the multicast source detection module detects multicast data sent by an IPC, it queries the ARP table of the first unit and obtains the IP addresses of all IPCs, as in the following table:
IPC number    IP address of IPC
IPC1          192.168.1.1
IPC2          192.168.1.2
IPC3          192.168.1.3
IPC4          192.168.2.1
IPC5          192.168.2.2
IPC6          192.168.2.3
Table 1
Then the multicast source detection module sends Table 1 to the video management server, which queries its own multicast source registration table, adds the multicast addresses allocated to IPC1, IPC2, IPC4 and IPC5 to Table 1 and generates the following table:
IPC number    IP address of IPC    Multicast address
IPC1          192.168.1.1          231.8.1.1
IPC2          192.168.1.2          231.8.1.2
IPC3          192.168.1.3          (empty)
IPC4          192.168.2.1          231.8.1.3
IPC5          192.168.2.2          231.8.1.4
IPC6          192.168.2.3          (empty)
Table 2
The video management server sends Table 2 to the first unit; on receiving it, the multicast source detection module forwards it to the first multicast security module, which queries the ARP tables of the first unit and of Layer 2 switch 1, obtains the network device and port number each multicast source accesses, adds this device and port information to Table 2 and generates the multicast security policy table, as in the following table:
Table 3
The first multicast security module generates an access control list for each IPC from Table 3. Specifically: for IPC1 it generates access control list 1, which contains one permit entry with source IP address 192.168.1.1 and destination IP address 231.8.1.1; for IPC2 it generates access control list 2, which contains one permit entry with source IP address 192.168.1.2 and destination IP address 231.8.1.2; for IPC3 it generates access control list 3, which contains one deny entry with source IP address 192.168.1.3 and destination IP address any; for IPC4 it generates access control list 4, which contains one permit entry with source IP address 192.168.2.1 and destination IP address 231.8.1.3; for IPC5 it generates access control list 5, which contains one permit entry with source IP address 192.168.2.2 and destination IP address 231.8.1.4; for IPC6 it generates access control list 6, which contains one deny entry with source IP address 192.168.2.3 and destination IP address any multicast address.
Then the first multicast security module applies access control list 1 to port G1 of the first unit, access control list 2 to port G2 of the first unit, access control list 3 to port G3 of the first unit, access control list 4 to port G1/0/1 of Layer 2 switch 1, access control list 5 to port G1/0/2 of Layer 2 switch 1, and access control list 6 to port G1/0/3 of Layer 2 switch 1.
Through the above method the first unit controls the accessed IPCs: IPC1, IPC2, IPC4 and IPC5, which are legitimately registered on the video management server, can send multicast data, while the illegitimate IPC3 and IPC6 cannot.
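As an added illustration (not code from the patent or from the assignee), the following Python builds the source-side policy table and the per-IPC access control lists from the Table 1 / Table 2 data and the port assignment above, including the "any address" variant for unregistered sources. The dict layout, the function names, the first-unit ports assumed for the sources behind Layer 2 switch 1, and the ACL model with its default action are assumptions of this example.

```python
"""Source-side policy of the first unit, built from the page's example data.
Added example, not the patent's own code; layout and ACL model are assumed."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

# Constructed sample data: Table 1 / Table 2 plus the port assignment in the
# text (G1..G3 on the first unit, G1/0/1..G1/0/3 on Layer 2 switch 1).
FIRST_UNIT_ARP = {                 # ARP table of the first unit: source IP -> port
    "192.168.1.1": "G1", "192.168.1.2": "G2", "192.168.1.3": "G3",
    # sources behind the switch are also seen by the first unit; the uplink
    # port G4 is an assumption of this example
    "192.168.2.1": "G4", "192.168.2.2": "G4", "192.168.2.3": "G4",
}
SWITCH1_ARP = {                    # ARP table of Layer 2 switch 1
    "192.168.2.1": "G1/0/1", "192.168.2.2": "G1/0/2", "192.168.2.3": "G1/0/3",
}
# Multicast source registration table of the management server:
# registered source IP -> multicast address allocated to it (Table 2).
REGISTRATION = {
    "192.168.1.1": "231.8.1.1", "192.168.1.2": "231.8.1.2",
    "192.168.2.1": "231.8.1.3", "192.168.2.2": "231.8.1.4",
}


@dataclass
class PolicyRow:               # one line of the multicast source security policy table
    source_ip: str
    group: Optional[str]       # None when the source is not registered (empty cell)
    device: str                # "first unit" or "switch 1"
    port: str


@dataclass
class AclEntry:
    permit: bool
    src: str
    dst: str                   # exact address, "any multicast" or "any"


@dataclass
class Acl:
    entries: list
    default_permit: bool       # action when no entry matches (example's assumption)


def build_policy_table(first_unit_arp, switch_arp, registration):
    """Table 1 -> Table 2 -> Table 3: attach group and access port to each source."""
    rows = []
    for ip in sorted(first_unit_arp, key=ip_address):
        group = registration.get(ip)                    # empty for IPC3 / IPC6
        # A source present in the switch ARP table is attached through the
        # switch; one present only in the first unit's table is attached directly.
        if ip in switch_arp:
            device, port = "switch 1", switch_arp[ip]
        else:
            device, port = "first unit", first_unit_arp[ip]
        rows.append(PolicyRow(ip, group, device, port))
    return rows


def generate_source_acl(row, deny_all_packets=False):
    """One ACL per source: permit only its allocated group, or deny it."""
    if row.group is not None:
        # registered: the port forwards only src=source IP, dst=allocated group
        return Acl([AclEntry(True, row.source_ip, row.group)], default_permit=False)
    # unregistered: deny any multicast, or (variant in the text) any packet at all
    dst = "any" if deny_all_packets else "any multicast"
    return Acl([AclEntry(False, row.source_ip, dst)], default_permit=True)


def forwards(acl, src, dst):
    """First-match evaluation of an ACL for a packet (src -> dst)."""
    for e in acl.entries:
        if e.src != src:
            continue
        if e.dst == "any" or e.dst == dst or \
           (e.dst == "any multicast" and ip_address(dst).is_multicast):
            return e.permit
    return acl.default_permit


def port_map(rows):
    """Which ACL is applied on which (device, port), as in the application step."""
    return {(r.device, r.port): generate_source_acl(r) for r in rows}
```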
After the multicast receiving device detection module detects an IGMP message sent by a client, it queries the ARP table of the second unit and obtains the IP addresses of all clients, as in the following table:
Client number    Client IP address
Client 1         192.168.11.1
Client 2         192.168.11.2
Client 3         192.168.11.3
Client 4         192.168.12.1
Client 5         192.168.12.2
Client 6         192.168.12.3
Table 4
Then the multicast receiving device detection module sends Table 4 to the video management server, which queries its own multicast receiving device registration table, shown below:
Table 5
The video management server adds the multicast group list corresponding to each legitimately registered client in Table 5 to Table 4 and generates the following table:
Client number    Client IP address    Multicast groups allowed to join
Client 1         192.168.11.1         231.8.1.1/231.8.1.2/231.8.1.3
Client 2         192.168.11.2         232.8.1.1/231.8.1.2
Client 3         192.168.11.3         (empty)
Client 4         192.168.12.1         232.8.1.1
Client 5         192.168.12.2         232.8.1.2
Client 6         192.168.12.3         (empty)
Table 6
At the same time the video management server adds the IP address of the second unit to Table 5, generating the following table:
Table 7
Then the video management server sends Table 6 to the second unit; on receiving it, the multicast receiving device detection module forwards it to the second multicast security module, which queries the ARP tables of the second unit and of Layer 2 switch 2, obtains the network device and port number each multicast receiving device accesses, adds this device and port information to Table 6 and generates the multicast security policy table, as in the following table:
Table 8
The second multicast security module generates an access control list for each client from Table 8. Specifically: for client 1 it generates access control list 1, whose permit entry contains only the multicast addresses 231.8.1.1, 231.8.1.2 and 231.8.1.3; for client 2 it generates access control list 2, whose permit entry contains only the multicast addresses 231.8.1.1 and 231.8.1.2; for client 3 it generates access control list 3, which contains a deny entry with source IP address 192.168.11.3 and protocol type IGMP; for client 4 it generates access control list 4, whose permit entry contains only the multicast address 231.8.1.1; for client 5 it generates access control list 5, whose permit entry contains only the multicast address 231.8.1.2; for client 6 it generates access control list 6, which contains a deny entry with source IP address 192.168.12.3 and protocol type IGMP.
Then the second multicast security module applies access control list 1 to port G1 of the second unit, access control list 2 to port G2 of the second unit, access control list 3 to port G3 of the second unit, access control list 4 to port G1/0/1 of Layer 2 switch 2, access control list 5 to port G1/0/2 of Layer 2 switch 2, and access control list 6 to port G1/0/3 of Layer 2 switch 2.
When user 4, who is logged in to the video management server on client 4, logs out and user 5 then logs in on client 4, the multicast receiving device registration table on the video management server is updated to the following table:
Table 9
The video management server finds the IP address 10.1.1.1 of the second unit in Table 9 and, via IP address 10.1.1.1, sends to the second unit the IP address 192.168.12.1 of client 4, whose login user changed, together with the corresponding multicast group list 232.8.1.2. The second unit updates its security policy table according to the information issued by the video management server and generates the following table:
Table 10
Then, according to the multicast group list 232.8.1.2 corresponding to client 4 in Table 10, the second unit generates a new access control list whose permit entry contains only the multicast address 231.8.1.2, deletes access control list 4, and applies the new access control list on port G1/0/1 of Layer 2 switch 2.
Through the above method the second unit manages and controls the clients: client 1, client 2, client 4 and client 5, which are legitimately registered on the management server, can join the multicast groups they are authorized to join, while the illegitimate client 3 and client 6 cannot join any multicast group.
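The receiver side, as an added example that is not part of the patent: the second unit's policy table built from Table 4 and the per-client group lists of the access control lists described above, the IGMP join filtering applied per port, and the replacement of client 4's list after user 4 logs out and user 5 logs in. The registry layout, function names, the IGMP ACL model and the second-unit ports assumed for the switch-attached clients are this example's own.

```python
"""Receiver-side policy of the second unit, built from the page's example data.
Added example, not the patent's own code; layout and ACL model are assumed."""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample data (Table 4, the group lists of the ACLs in the text,
# and the port assignment on the second unit / Layer 2 switch 2).
SECOND_UNIT_ARP = {               # ARP table of the second unit: client IP -> port
    "192.168.11.1": "G1", "192.168.11.2": "G2", "192.168.11.3": "G3",
    "192.168.12.1": "G4", "192.168.12.2": "G4", "192.168.12.3": "G4",  # assumed uplink
}
SWITCH2_ARP = {"192.168.12.1": "G1/0/1", "192.168.12.2": "G1/0/2",
               "192.168.12.3": "G1/0/3"}
# Registration table of the management server: registered client IP -> the
# user currently logged in from it; unregistered clients are absent.
RECEIVER_REGISTRY = {"192.168.11.1": "user 1", "192.168.11.2": "user 2",
                     "192.168.12.1": "user 4", "192.168.12.2": "user 5"}
# Groups each user is authorized to join (values from the ACLs in the text).
USER_PERMISSIONS = {
    "user 1": ["231.8.1.1", "231.8.1.2", "231.8.1.3"],
    "user 2": ["231.8.1.1", "231.8.1.2"],
    "user 4": ["231.8.1.1"],
    "user 5": ["231.8.1.2"],
}


@dataclass
class ReceiverRow:             # one line of the receiving device security policy table
    client_ip: str
    groups: Optional[List[str]]   # None: not registered on the management server
    device: str
    port: str


@dataclass
class IgmpAcl:
    """Permit IGMP joins to the listed groups; an empty list drops all IGMP."""
    client_ip: str
    permitted_groups: List[str]


def group_list_for(client_ip, registry, permissions):
    """Management server side: groups the logged-in user may join, or None."""
    user = registry.get(client_ip)
    return list(permissions[user]) if user else None


def build_receiver_policy(second_unit_arp, switch_arp, registry, permissions):
    """Table 4 -> Table 6 -> Table 8: group list and access port per client."""
    rows = []
    for ip in second_unit_arp:
        if ip in switch_arp:                   # seen by the switch too: behind it
            device, port = "switch 2", switch_arp[ip]
        else:
            device, port = "second unit", second_unit_arp[ip]
        rows.append(ReceiverRow(ip, group_list_for(ip, registry, permissions),
                                device, port))
    return rows


def generate_receiver_acl(row):
    return IgmpAcl(row.client_ip, list(row.groups) if row.groups else [])


def igmp_join_allowed(acl, src_ip, group):
    """Would the port pass an IGMP membership report from src_ip for group?"""
    return src_ip == acl.client_ip and group in acl.permitted_groups


class SecondUnit:
    """Policy table plus the ACL currently applied on each access port."""
    def __init__(self, rows):
        self.rows = {r.client_ip: r for r in rows}
        self.applied = {(r.device, r.port): generate_receiver_acl(r) for r in rows}

    def on_login_change(self, client_ip, new_groups):
        """The management server pushed the list built from the new user's
        permissions: update the policy table, build a new ACL, replace the old."""
        row = self.rows[client_ip]
        row.groups = list(new_groups)
        new_acl = generate_receiver_acl(row)
        self.applied[(row.device, row.port)] = new_acl   # old ACL deleted
        return new_acl


def login_changed(unit, registry, permissions, client_ip, new_user):
    """Management server side of the same step: record the new user for the
    client and push its group list to the second unit the client accesses."""
    registry[client_ip] = new_user
    return unit.on_login_change(client_ip, permissions[new_user])
```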
As shown in Figure 3, the present embodiment also proposed a kind of security of multicast cut-in method, it is applied to above-mentioned security of multicast access device, for multicast source and multicast reception equipment being managed and control in multicast network, described multicast network is provided with management server, described multicast network also includes the first module for multicast source carries out Access Control and for multicast reception equipment carries out the second unit of Access Control, and described security of multicast cut-in method includes:
First module is after multicast packet being detected, the ARP table of inquiry first module, obtain the IP address of all multicast sources, and obtained the multicast address of the multicast source of lawful registration by searching and managing server, thus obtaining including the information about multicast source list of multicast source IP address and multicast address;
First module is according to information about multicast source list and by inquiring about the first module in incoming multicast source or the port information in incoming multicast source that layer 2-switched ARP table obtains generates multicast source security strategy table, and generate the access control list for each multicast source according to multicast source security strategy table, port in the first module accessed at each multicast source or Layer 2 switch is applied the access for this multicast source and controls list, make the multicast packet that the first module in incoming multicast source or Layer 2 switch only forward the multicast source of lawful registration on the management server to send, do not forward any multicast packet that the multicast source do not registered on the management server sends;
Second unit is after the IGMP message that multicast reception equipment sends being detected, the ARP table of inquiry second unit, obtain the IP address of all multicast reception equipment, and obtain login user corresponding to multicast reception equipment by searching and managing server and have permission the multicast group of addition, thus obtain including multicast reception IP address of equipment, login user has permission the multicast reception facility information list of multicast group of addition;
Second unit is according to multicast reception facility information list and receives the port information of equipment by the incoming multicast inquired about incoming multicast and receive the second unit of equipment or layer 2-switched ARP obtains and generates multicast reception device security policy table, and generate the access control list for each multicast reception equipment according to multicast reception device security policy table, port on the second unit or Layer 2 switch of the access of each multicast reception equipment applies the access for this multicast reception equipment and controls list, the multicast reception equipment allowing lawful registration on the management server is added with the multicast group that authority adds, forbid not adding any multicast group at the multicast reception equipment of management server registration.
Wherein, after described first module detects multicast packet, the ARP table of inquiry first module, obtain the IP address of all multicast sources, and the multicast address of the multicast source of lawful registration is obtained by searching and managing server, thus obtaining including the multicast source list of multicast source IP address and multicast address, including:
After multicast packet being detected, the ARP table of inquiry first module, obtain the IP address of all multicast sources, and the IP address of all multicast sources is recorded in multicast source IP address table;
Multicast source IP address table is sent to management server, management server queries multicast source registration table, obtain all lawful registration and to the IP address of the multicast source of management server and distribute to each lawful registration multicast address to the multicast source of management server, then in the IP address table of multicast source, each lawful registration adds the multicast address of this multicast source after the IP address of the multicast source of management server, generate an information about multicast source list comprising multicast source IP address and multicast address corresponding to multicast source, then information about multicast source list is sent to first module by management server.
Wherein, described first module is according to information about multicast source list and by inquiring about the first module in incoming multicast source or the port information in incoming multicast source that layer 2-switched ARP table obtains generates multicast source security strategy table, and generate the access control list for each multicast source according to multicast source security strategy table, port in the first module accessed at each multicast source or Layer 2 switch is applied the access for this multicast source and controls list, make the multicast packet that the first module in incoming multicast source or Layer 2 switch only forward the multicast source of lawful registration on the management server to send, do not forward any multicast packet that the multicast source do not registered on the management server sends, including:
The first module in first module inquiry incoming multicast source or layer 2-switched ARP table, obtain first module or the port numbers in Layer 2 switch incoming multicast source, then the device name in incoming multicast source and port numbers are added in information about multicast source list, generate the multicast source security strategy table of a device name comprising multicast address corresponding to multicast source IP address, multicast source and incoming multicast source and port numbers;
The first unit generates an access control list (ACL) for each multicast source from the multicast source security policy table. The ACL for a multicast source that is lawfully registered on the management server contains only a permit entry whose source IP address is the IP address of that source and whose destination IP address is the multicast address assigned to that source; the ACL for a multicast source that is not registered on the management server contains only a deny entry whose source IP address is the IP address of that source and whose destination IP address is any multicast address. The ACL for each multicast source is applied on the port of the first unit or Layer 2 switch through which that source is connected, so that the port serving a lawfully registered source forwards only multicast packets whose source IP address is that source's IP address and whose destination IP address is the multicast address the management server assigned to it, and the port serving an unregistered source forwards no multicast packets sent by that source.
Wherein the second unit, after detecting an IGMP message sent by a multicast receiving device, queries the ARP table of the second unit to obtain the IP addresses of all multicast receiving devices, and queries the management server for the multicast groups that the user logged in on each receiving device is authorized to join, thereby obtaining a multicast receiving device information list containing each receiving device's IP address and the multicast groups its login user is authorized to join, comprises:
The second unit, after detecting the IGMP message sent by a multicast receiving device, queries the ARP table of the second unit, obtains the IP addresses of all multicast receiving devices, and records them in a multicast receiving device IP address table;
The second unit sends the multicast receiving device IP address table to the management server. The management server queries its multicast receiving device registry to obtain the IP addresses of all lawfully registered receiving devices, the user logged in to the management server on each receiving device, and the multicast group list each such user is authorized to join. It then appends, after the IP address of each lawfully registered receiving device, the multicast group list that the user logged in on that device is authorized to join, generating a multicast receiving device information list that pairs each receiving device's IP address with the multicast group list its login user may join, and sends that list to the second unit.
Wherein the second unit generates the multicast receiving device security policy table from the multicast receiving device information list and from the port information of each receiving device, obtained by querying the ARP table of the second unit or Layer 2 switch through which the device is connected; generates an ACL for each receiving device from that table; and applies the ACL for each receiving device on the port of the second unit or Layer 2 switch through which the device is connected, so that a receiving device lawfully registered on the management server may join only the multicast groups it is authorized to join and a receiving device not registered on the management server may join no multicast group, comprises:
The second unit queries the ARP table of the second unit or Layer 2 switch through which the receiving device is connected to obtain the port number, then adds the name of that device and the port number to the multicast receiving device information list, generating a multicast receiving device security policy table that contains, for each receiving device, its IP address, its multicast group list, and the name and port number of the device through which it is connected;
The second unit generates an ACL for each multicast receiving device from the multicast receiving device security policy table. The permit entries of the ACL for a receiving device lawfully registered on the management server contain only the multicast addresses in the multicast group list that the policy table records for that device; the ACL for a receiving device not registered on the management server contains a deny entry whose source IP address is the IP address of that device and whose protocol type is IGMP. The ACL for each receiving device is applied on the port of the Layer 2 switch or second unit through which that device is connected, so that a lawfully registered receiving device may join only the multicast groups it is authorized to join, and an unregistered receiving device may join no multicast group.
The above embodiments are only intended to illustrate the technical solution of the present invention. Those of ordinary skill in the art may make various corresponding changes and variations according to the present invention without departing from its spirit and essence, and all such changes and variations fall within the scope of the claims appended to the present invention.
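The following Python model is an added illustration of both sides of the scheme described above (the source-side ACL generation of the first unit and the receiver-side ACL generation of the second unit); it is not code from the patent or its assignee. The ARP tables, registry contents, device names and packets are constructed sample data, and the function names (build_source_acls, build_receiver_acls, port_forwards) are the example's own. It also assumes that the port ACLs govern multicast traffic only, so unicast is passed through, and that IGMP joins are modelled as IGMPv2-style reports addressed to the group itself.

```python
"""Model of the two-sided multicast access control: first unit (sources) and
second unit (receivers).  All registry, ARP and packet data are constructed
for illustration; names are the example's own, not the patent's."""
from dataclasses import dataclass
from ipaddress import ip_address

IGMP, UDP = "igmp", "udp"

# Management-server registries (constructed sample data).
# Source registry: source IP -> multicast address assigned to that source.
SOURCE_REGISTRY = {"10.0.1.10": "239.1.1.10", "10.0.1.11": "239.1.1.11"}
# Receiver registry: receiver IP -> (login user, groups that user may join).
RECEIVER_REGISTRY = {
    "10.0.2.20": ("alice", ["239.1.1.10"]),
    "10.0.2.21": ("bob", ["239.1.1.10", "239.1.1.11"]),
}
# ARP tables of the access devices: (IP, MAC, device name, port number).
SOURCE_ARP = [("10.0.1.10", "02:00:00:00:01:10", "sw1", 1),
              ("10.0.1.11", "02:00:00:00:01:11", "sw1", 2),
              ("10.0.1.99", "02:00:00:00:01:99", "sw1", 3)]   # .99: not registered
RECEIVER_ARP = [("10.0.2.20", "02:00:00:00:02:20", "sw2", 1),
                ("10.0.2.21", "02:00:00:00:02:21", "sw2", 2),
                ("10.0.2.99", "02:00:00:00:02:99", "sw2", 3)]  # .99: not registered


@dataclass(frozen=True)
class AclEntry:
    action: str          # "permit" or "deny"
    src: str             # exact source IP
    dst: str             # exact destination IP, or "multicast" for any group address
    proto: str = "any"   # "igmp", "udp" or "any"


def build_source_acls(arp_table, registry):
    """First unit.  ARP row -> source IP -> registry lookup (information list);
    the ARP row's device/port completes the policy table; one ACL per port."""
    acls = {}
    for ip, _mac, device, port in arp_table:
        group = registry.get(ip)
        if group is not None:   # lawfully registered: permit only its own flow
            acls[(device, port)] = [AclEntry("permit", ip, group)]
        else:                   # unregistered: deny every multicast destination
            acls[(device, port)] = [AclEntry("deny", ip, "multicast")]
    return acls


def build_receiver_acls(arp_table, registry):
    """Second unit.  Registered receiver: permit IGMP only towards the groups its
    login user may join; unregistered receiver: deny all IGMP from its IP."""
    acls = {}
    for ip, _mac, device, port in arp_table:
        reg = registry.get(ip)
        if reg is not None:
            _user, groups = reg
            acls[(device, port)] = [AclEntry("permit", ip, g, IGMP) for g in groups]
        else:
            acls[(device, port)] = [AclEntry("deny", ip, "multicast", IGMP)]
    return acls


def _matches(e, src, dst, proto):
    dst_ok = ip_address(dst).is_multicast if e.dst == "multicast" else e.dst == dst
    return e.src == src and dst_ok and e.proto in ("any", proto)


def port_forwards(acl, src, dst, proto):
    """Apply one port ACL to one packet.  First match wins; an unmatched multicast
    packet is dropped (implicit deny), which is what confines a registered source
    to its single assigned group and a spoofed source IP to nothing at all."""
    if not ip_address(dst).is_multicast:
        return True   # assumption: unicast is outside the scope of these ACLs
    for e in acl:
        if _matches(e, src, dst, proto):
            return e.action == "permit"
    return False


def demo():
    """Forwarding decisions for a handful of constructed packets."""
    s = build_source_acls(SOURCE_ARP, SOURCE_REGISTRY)
    r = build_receiver_acls(RECEIVER_ARP, RECEIVER_REGISTRY)
    return {
        "registered source to own group":  port_forwards(s[("sw1", 1)], "10.0.1.10", "239.1.1.10", UDP),
        "registered source to other group": port_forwards(s[("sw1", 1)], "10.0.1.10", "239.1.1.11", UDP),
        "spoofed source IP on wrong port":  port_forwards(s[("sw1", 1)], "10.0.1.11", "239.1.1.11", UDP),
        "unregistered source":              port_forwards(s[("sw1", 3)], "10.0.1.99", "239.1.1.10", UDP),
        "alice joins authorized group":     port_forwards(r[("sw2", 1)], "10.0.2.20", "239.1.1.10", IGMP),
        "alice joins bob-only group":       port_forwards(r[("sw2", 1)], "10.0.2.20", "239.1.1.11", IGMP),
        "unregistered receiver joins":      port_forwards(r[("sw2", 3)], "10.0.2.99", "239.1.1.10", IGMP),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:34s} -> {'forward' if ok else 'drop'}")
```

Two points the model makes visible: the per-port ACL binds a source IP to the physical port recorded in the ARP table, so a packet carrying another registered source's IP on the wrong port is dropped along with unregistered traffic; and the bindings are only as trustworthy as the ARP tables they are derived from, so those tables need their own protection (static entries, or DHCP snooping with dynamic ARP inspection) for the policy to hold.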

Claims (10)

1. A multicast security access apparatus for managing and controlling multicast sources and multicast receiving devices in a multicast network, the multicast network being provided with a management server, characterized in that the multicast security access apparatus comprises a first unit and a second unit, the first unit comprising a multicast source detection module and a first multicast security module, and the second unit comprising a multicast receiving device detection module and a second multicast security module, wherein:
the multicast source detection module is configured to, after detecting a multicast packet, query the ARP table of the first unit to obtain the IP addresses of all multicast sources, and to obtain from the management server the multicast addresses of the lawfully registered multicast sources, thereby obtaining a multicast source information list containing multicast source IP addresses and multicast addresses;
the first multicast security module is configured to generate a multicast source security policy table from the multicast source information list and from the port information of each multicast source, obtained by querying the ARP table of the first unit or Layer 2 switch through which that source is connected; to generate an access control list for each multicast source from the multicast source security policy table; and to apply the access control list for each multicast source on the port of the first unit or Layer 2 switch through which that source is connected, so that the first unit or Layer 2 switch forwards only multicast packets sent by multicast sources lawfully registered on the management server and forwards no multicast packets sent by sources not registered on the management server;
the multicast receiving device detection module is configured to, after detecting an IGMP message sent by a multicast receiving device, query the ARP table of the second unit to obtain the IP addresses of all multicast receiving devices, and to obtain from the management server the multicast groups that the user logged in on each receiving device is authorized to join, thereby obtaining a multicast receiving device information list containing the receiving device IP addresses and the multicast groups their login users are authorized to join;
the second multicast security module is configured to generate a multicast receiving device security policy table from the multicast receiving device information list and from the port information of each receiving device, obtained by querying the ARP table of the second unit or Layer 2 switch through which that device is connected; to generate an access control list for each receiving device from the multicast receiving device security policy table; and to apply the access control list for each receiving device on the port of the second unit or Layer 2 switch through which that device is connected, so that a receiving device lawfully registered on the management server may join only the multicast groups it is authorized to join, and a receiving device not registered on the management server may join no multicast group.
2. The multicast security access apparatus according to claim 1, characterized in that the multicast source detection module, after detecting a multicast packet, querying the ARP table of the first unit to obtain the IP addresses of all multicast sources, and obtaining from the management server the multicast addresses of the lawfully registered multicast sources, thereby obtaining the multicast source information list containing multicast source IP addresses and multicast addresses, comprises:
the multicast source detection module, after detecting the multicast packet, querying the ARP table of the first unit, obtaining the IP addresses of all multicast sources, and recording them in a multicast source IP address table;
the multicast source detection module sending the multicast source IP address table to the management server; the management server querying its multicast source registry to obtain the IP addresses of all multicast sources lawfully registered with it and the multicast address assigned to each such source, appending the multicast address of each lawfully registered source after that source's IP address in the multicast source IP address table, thereby generating a multicast source information list containing each multicast source IP address and the corresponding multicast address, and sending the multicast source information list to the multicast source detection module.
3. The multicast security access apparatus according to claim 1, characterized in that the first multicast security module generating the multicast source security policy table from the multicast source information list and from the port information of each multicast source obtained by querying the ARP table of the first unit or Layer 2 switch through which that source is connected, generating an access control list for each multicast source from the multicast source security policy table, and applying the access control list for each multicast source on the port of the first unit or Layer 2 switch through which that source is connected, so that the first unit or Layer 2 switch forwards only multicast packets sent by multicast sources lawfully registered on the management server and forwards no multicast packets sent by sources not registered on the management server, comprises:
the first multicast security module querying the ARP table of the first unit or Layer 2 switch through which the multicast source is connected to obtain the port number of the first unit or Layer 2 switch serving that source, then adding the name of that device and the port number to the multicast source information list, thereby generating a multicast source security policy table containing, for each multicast source, its IP address, its corresponding multicast address, and the name and port number of the device through which it is connected;
the first multicast security module generating an access control list for each multicast source from the multicast source security policy table, wherein the access control list for a multicast source lawfully registered on the management server contains only a permit entry whose source IP address is the IP address of that source and whose destination IP address is the multicast address assigned to that source, and the access control list for a multicast source not registered on the management server contains only a deny entry whose source IP address is the IP address of that source and whose destination IP address is any multicast address; and applying the access control list for each multicast source on the port of the first unit or Layer 2 switch through which that source is connected, so that the port serving a lawfully registered source forwards only multicast packets whose source IP address is that source's IP address and whose destination IP address is the multicast address the management server assigned to it, and the port serving an unregistered source forwards no multicast packets sent by that source.
4. The multicast security access apparatus according to claim 1, characterized in that the multicast receiving device detection module, after detecting an IGMP message sent by a multicast receiving device, querying the ARP table of the second unit to obtain the IP addresses of all multicast receiving devices, and obtaining from the management server the multicast groups that the user logged in on each receiving device is authorized to join, thereby obtaining the multicast receiving device information list containing the receiving device IP addresses and the multicast groups their login users are authorized to join, comprises:
the multicast receiving device detection module, after detecting the IGMP message sent by a multicast receiving device, querying the ARP table of the second unit, obtaining the IP addresses of all multicast receiving devices, and recording them in a multicast receiving device IP address table;
the multicast receiving device detection module sending the multicast receiving device IP address table to the management server; the management server querying its multicast receiving device registry to obtain the IP addresses of all lawfully registered receiving devices, the user logged in to the management server on each receiving device, and the multicast group list each such user is authorized to join, appending, after the IP address of each lawfully registered receiving device in the multicast receiving device IP address table, the multicast group list that the user logged in on that device is authorized to join, thereby generating a multicast receiving device information list that pairs each receiving device's IP address with the multicast group list its login user may join, and sending the multicast receiving device information list to the multicast receiving device detection module.
5. The multicast security access apparatus according to claim 1, characterized in that the second multicast security module generating the multicast receiving device security policy table from the multicast receiving device information list and from the port information of each receiving device obtained by querying the ARP table of the second unit or Layer 2 switch through which that device is connected, generating an access control list for each receiving device from the multicast receiving device security policy table, and applying the access control list for each receiving device on the port of the second unit or Layer 2 switch through which that device is connected, so that a receiving device lawfully registered on the management server may join only the multicast groups it is authorized to join and a receiving device not registered on the management server may join no multicast group, comprises:
the second multicast security module querying the ARP table of the second unit or Layer 2 switch through which the receiving device is connected to obtain the port number of the second unit or Layer 2 switch serving that device, then adding the name of that device and the port number to the multicast receiving device information list, thereby generating a multicast receiving device security policy table containing, for each receiving device, its IP address, its multicast group list, and the name and port number of the device through which it is connected;
the second multicast security module generating an access control list for each multicast receiving device from the multicast receiving device security policy table, wherein the permit entries of the access control list for a receiving device lawfully registered on the management server contain only the multicast addresses in the multicast group list that the policy table records for that device, and the access control list for a receiving device not registered on the management server contains a deny entry whose source IP address is the IP address of that device and whose protocol type is IGMP; and applying the access control list for each receiving device on the port of the Layer 2 switch or second unit through which that device is connected, so that a lawfully registered receiving device may join only the multicast groups it is authorized to join, and an unregistered receiving device may join no multicast group.
6. A multicast security access method for managing and controlling multicast sources and multicast receiving devices in a multicast network, the multicast network being provided with a management server, characterized in that the multicast network further comprises a first unit for performing access control on multicast sources and a second unit for performing access control on multicast receiving devices, and the multicast security access method comprises:
the first unit, after detecting a multicast packet, querying the ARP table of the first unit to obtain the IP addresses of all multicast sources, and obtaining from the management server the multicast addresses of the lawfully registered multicast sources, thereby obtaining a multicast source information list containing multicast source IP addresses and multicast addresses;
the first unit generating a multicast source security policy table from the multicast source information list and from the port information of each multicast source, obtained by querying the ARP table of the first unit or Layer 2 switch through which that source is connected; generating an access control list for each multicast source from the multicast source security policy table; and applying the access control list for each multicast source on the port of the first unit or Layer 2 switch through which that source is connected, so that the first unit or Layer 2 switch forwards only multicast packets sent by multicast sources lawfully registered on the management server and forwards no multicast packets sent by sources not registered on the management server;
the second unit, after detecting an IGMP message sent by a multicast receiving device, querying the ARP table of the second unit to obtain the IP addresses of all multicast receiving devices, and obtaining from the management server the multicast groups that the user logged in on each receiving device is authorized to join, thereby obtaining a multicast receiving device information list containing the receiving device IP addresses and the multicast groups their login users are authorized to join;
the second unit generating a multicast receiving device security policy table from the multicast receiving device information list and from the port information of each receiving device, obtained by querying the ARP table of the second unit or Layer 2 switch through which that device is connected; generating an access control list for each receiving device from the multicast receiving device security policy table; and applying the access control list for each receiving device on the port of the second unit or Layer 2 switch through which that device is connected, so that a receiving device lawfully registered on the management server may join only the multicast groups it is authorized to join, and a receiving device not registered on the management server may join no multicast group.
7. The multicast security access method according to claim 6, characterized in that the first unit, after detecting a multicast packet, querying the ARP table of the first unit to obtain the IP addresses of all multicast sources, and obtaining from the management server the multicast addresses of the lawfully registered multicast sources, thereby obtaining the multicast source information list containing multicast source IP addresses and multicast addresses, comprises:
after detecting the multicast packet, querying the ARP table of the first unit, obtaining the IP addresses of all multicast sources, and recording them in a multicast source IP address table;
sending the multicast source IP address table to the management server; the management server querying its multicast source registry to obtain the IP addresses of all multicast sources lawfully registered with it and the multicast address assigned to each such source, appending the multicast address of each lawfully registered source after that source's IP address in the multicast source IP address table, thereby generating a multicast source information list containing each multicast source IP address and the corresponding multicast address, and sending the multicast source information list to the first unit.
8. The multicast security access method according to claim 6, characterized in that the first unit generating the multicast source security policy table from the multicast source information list and from the port information of each multicast source obtained by querying the ARP table of the first unit or Layer 2 switch through which that source is connected, generating an access control list for each multicast source from the multicast source security policy table, and applying the access control list for each multicast source on the port of the first unit or Layer 2 switch through which that source is connected, so that the first unit or Layer 2 switch forwards only multicast packets sent by multicast sources lawfully registered on the management server and forwards no multicast packets sent by sources not registered on the management server, comprises:
the first unit querying the ARP table of the first unit or Layer 2 switch through which the multicast source is connected to obtain the port number of the first unit or Layer 2 switch serving that source, then adding the name of that device and the port number to the multicast source information list, thereby generating a multicast source security policy table containing, for each multicast source, its IP address, its corresponding multicast address, and the name and port number of the device through which it is connected;
the first unit generating an access control list for each multicast source from the multicast source security policy table, wherein the access control list for a multicast source lawfully registered on the management server contains only a permit entry whose source IP address is the IP address of that source and whose destination IP address is the multicast address assigned to that source, and the access control list for a multicast source not registered on the management server contains only a deny entry whose source IP address is the IP address of that source and whose destination IP address is any multicast address; and applying the access control list for each multicast source on the port of the first unit or Layer 2 switch through which that source is connected, so that the port serving a lawfully registered source forwards only multicast packets whose source IP address is that source's IP address and whose destination IP address is the multicast address the management server assigned to it, and the port serving an unregistered source forwards no multicast packets sent by that source.
9. The multicast security access method according to claim 6, characterized in that the second unit, after detecting an IGMP message sent by a multicast receiving device, querying the ARP table of the second unit to obtain the IP addresses of all multicast receiving devices, and obtaining from the management server the multicast groups that the user logged in on each receiving device is authorized to join, thereby obtaining the multicast receiving device information list containing each receiving device's IP address and the multicast groups its login user is authorized to join, comprises:
the second unit, after detecting the IGMP message sent by a multicast receiving device, querying the ARP table of the second unit, obtaining the IP addresses of all multicast receiving devices, and recording them in a multicast receiving device IP address table;
the second unit sending the multicast receiving device IP address table to the management server; the management server querying its multicast receiving device registry to obtain the IP addresses of all lawfully registered receiving devices, the user logged in to the management server on each receiving device, and the multicast group list each such user is authorized to join, appending, after the IP address of each lawfully registered receiving device, the multicast group list that the user logged in on that device is authorized to join, thereby generating a multicast receiving device information list that pairs each receiving device's IP address with the multicast group list its login user may join, and sending the multicast receiving device information list to the second unit.
10. The multicast security access method according to claim 6, characterized in that the second unit generating the multicast receiving device security policy table from the multicast receiving device information list and from the port information of each receiving device obtained by querying the ARP table of the second unit or Layer 2 switch through which that device is connected, generating an access control list for each receiving device from the multicast receiving device security policy table, and applying the access control list for each receiving device on the port of the second unit or Layer 2 switch through which that device is connected, so that a receiving device lawfully registered on the management server may join only the multicast groups it is authorized to join and a receiving device not registered on the management server may join no multicast group, comprises:
the second unit querying the ARP table of the second unit or Layer 2 switch through which the receiving device is connected to obtain the port number serving that device, then adding the name of that device and the port number to the multicast receiving device information list, thereby generating a multicast receiving device security policy table containing, for each receiving device, its IP address, its multicast group list, and the name and port number of the device through which it is connected;
the second unit generating an access control list for each multicast receiving device from the multicast receiving device security policy table, wherein the permit entries of the access control list for a receiving device lawfully registered on the management server contain only the multicast addresses in the multicast group list that the policy table records for that device, and the access control list for a receiving device not registered on the management server contains a deny entry whose source IP address is the IP address of that device and whose protocol type is IGMP; and applying the access control list for each receiving device on the port of the Layer 2 switch or second unit through which that device is connected, so that a lawfully registered receiving device may join only the multicast groups it is authorized to join, and an unregistered receiving device may join no multicast group.
Application CN201610279594.3A, priority and filing date 2016-04-29, "A kind of security of multicast access device and method", status Active, granted as CN105791318B (en)

Priority Applications (1)

Application Number  Priority Date  Filing Date  Title
CN201610279594.3A (CN105791318B)  2016-04-29  2016-04-29  A kind of security of multicast access device and method

Publications (2)

Publication Number  Publication Date
CN105791318A  2016-07-20
CN105791318B  2019-04-12

Family ID: 56400116

Country Status (1)

Country  Link
CN  CN105791318B (en)

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number  Priority date  Publication date  Assignee  Title
CN1741492A *  2005-08-31  2006-03-01  杭州华为三康技术有限公司  Equipment and method for controlling group transmitting data retransmission
CN1960321A *  2005-10-31  2007-05-09  中兴通讯股份有限公司  Control method for implementing security of multicast
CN1801711A *  2006-01-18  2006-07-12  杭州华为三康技术有限公司  Multicast group member identification method and apparatus
CN101364877A *  2008-09-28  2009-02-11  福建星网锐捷网络有限公司  Security policy configuring method and apparatus thereof
WO2012065407A1 *  2010-11-19  2012-05-24  中兴通讯股份有限公司  Multicast message control method and apparatus
CN102655458A *  2012-04-23  2012-09-05  浙江宇视科技有限公司  Multicast safety management method and multicast boundary control device (MBC)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number  Priority date  Publication date  Assignee  Title
CN106790134A *  2016-12-28  2017-05-31  浙江宇视科技有限公司  The access control method and Security Policy Server of a kind of video monitoring system
CN106790134B *  2016-12-28  2021-01-29  浙江宇视科技有限公司  Access control method of video monitoring system and security policy server
CN111885422A *  2020-06-12  2020-11-03  视联动力信息技术股份有限公司  Method, system and device for processing multicast source
WO2023092497A1 *  2021-11-26  2023-06-01  Oppo广东移动通信有限公司  Groupcast message processing method and related apparatus

Also Published As

Publication number Publication date
CN105791318B (en) 2019-04-12

Similar Documents

Publication Publication Date Title
EP1715628B1 (en) A method for realizing the multicast service
EP2204963B1 (en) Session monitoring method, device and system based on multicast technique
US20050111474A1 (en) IP multicast communication system
EP2202919B1 (en) Method and apparatus for controlling the upward multicast traffic
CN100433730C (en) Method and system of multicast and video-on-demand
CN102546666B (en) Method and device for preventing IGMP spoofing and attacks
JP4579152B2 (en) Multicast distribution system, multicast reception information collection device, multicast reception information collection method, and computer program
KR20150063906A (en) Methods and apparatuses for searching available device on M2M environment
JP5548696B2 (en) Multicast quality of service module and method
CN105791318A (en) Multicast safety access apparatus and method thereof
CN101309157B (en) Multicast service management method and apparatus thereof
CN102984031A (en) Method and device for securely connecting an encoding device to a monitoring network
JP2008060631A (en) Communication equipment and multicast user authentication method
EP2728795B1 (en) Processing method, device and system for controlling packet broadcast
US7483388B2 (en) Method and system for sending a multimedia stream in an IP multicast network
CN105827451B (en) Method and apparatus for automatically configuring network-wide controllable multicast
CN102655458B (en) Multicast safety management method and multicast boundary control appliance
CN106559268A (en) For the dynamic port partition method and device of IP monitoring systems
KR20150066401A (en) Data handling technique in the M2M Environment
CN103501272B (en) Multicast traffic forwarding method and device
JP2005064583A (en) Data relaying apparatus and data relaying method
JP2006295339A (en) Gateway apparatus and program thereof
KR102639919B1 (en) Method and apparatus for processing multicast for each service in passive optical network
Sharma et al. Implementing key Technologies in Multicast Environment through IP Multicast.
Hanna et al. The Java Reliable Multicast Service™: A Reliable Multicast Library

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant