CN105991558B - Security mode negotiation method, apparatus and device in a mobile network cloud scenario - Google Patents

Publication number: CN105991558B (application CN201510059653.1A; other version: CN105991558A)
Authority: CN (China)
Original language: Chinese (zh)
Inventors: 庄小君, 朱红儒, 齐旻鹏
Assignee: China Mobile Communications Group Co Ltd
Legal status: Active (granted)
Prior art keywords: security mode, device, supported, sent, itself
Abstract

The invention discloses a security mode negotiation method in a mobile network cloud scenario. The method comprises: before communication or when communication starts, a first device reports the security mode it supports to a second device; the second device checks and judges the security mode it itself supports, selects a security mode that matches the security mode supported by the first device, and sends the selected mode to the first device. The first device and the second device are physical devices or virtual network elements. The invention also discloses an apparatus and a device for implementing the method.

Description

Security mode negotiation method, apparatus and device in a mobile network cloud scenario
Technical field
The present invention relates to security techniques in the communication network field, and in particular to a security mode negotiation method, apparatus and device in a mobile network cloud scenario.
Background technique
With the development of technologies such as the mobile Internet and cloud computing, virtualization technology has also begun to be introduced into mobile networks. The introduction of virtualization decouples device hardware from software: the functions of legacy network devices are all deployed, in software form, on virtual machines running on general-purpose hardware. This brings operators benefits such as short deployment cycles and fast upgrades, but at the same time it brings problems such as virtualization security and software security into the mobile network.
In a virtualization scenario, in order to prevent communication between virtual machines from being obtained by other virtual machines, or the confidential information of a virtual machine from being accessed without authorization by other virtual machines, strict virtual machine isolation must be implemented. Usually the virtual machines that need to communicate with each other are placed in the same virtual LAN (VLAN), so that they are isolated from other virtual machines. Virtualized network functions run on virtual machines, and communication between these virtual network elements still uses the communication protocols of conventional physical devices, so the security mechanisms also follow those used when conventional physical devices communicate with each other. This may bring the following problems:
First, when two virtual network elements have already been placed in the same VLAN to achieve security isolation, IPSec is also used to protect them, which results in redundant security; and if all communication between devices (including virtual network elements and physical devices) goes through IPSec tunnels, the workload of configuring IPSec becomes very large;
Second, when a virtual network element communicates with a device that is not in the same security domain, for example a conventional physical device outside the VLAN, an attacker on the Internet can intercept or tamper with the communication, which is not protected;
Third, for a core network after cloudification, the number of virtual network elements and conventional physical devices may be very large, and each virtualized network element requires manual configuration when it is created, so the workload can be very large.
Summary of the invention
To solve the existing technical problems, embodiments of the present invention provide a security mode negotiation method, apparatus and device in a mobile network cloud scenario.
An embodiment of the present invention provides a security mode negotiation method in a mobile network cloud scenario, the method comprising:
before communication or when communication starts, a first device reports the security mode it supports to a second device; the second device checks and judges the security mode it itself supports, selects a security mode that matches the security mode supported by the first device, and sends the selected mode to the first device. The first device and the second device are physical devices or virtual network elements.
Wherein the first device reporting the security mode it supports to the second device comprises:
before communication, the first device sends a security mode negotiation request to the second device, the security mode negotiation request carrying the security mode supported by the first device; or,
when communication starts, the first device sends an initial communication request message to the second device, the message containing a security mode negotiation request, and the security mode negotiation request carrying the security mode supported by the first device.
Wherein the security mode includes at least one of the following:
the VID of the device; an identifier indicating that the device supports IPSec;
where the VID of the device is the ID of the virtual LAN (VLAN) to which the device belongs.
Wherein the second device checking and judging the security mode it supports, selecting a security mode that matches the security mode supported by the first device and sending it to the first device, comprises:
in the case before communication, after the second device receives the security mode negotiation request, it checks whether it itself has a VID and whether its own VID is identical to the VID of the first device carried in the security mode negotiation request; if identical, it selects VLAN as the security mode and adds the selected VLAN security mode to a security mode negotiation response that it sends to the first device; if not identical, it selects IPSec as the security mode and adds the identifier of IPSec support to the security mode negotiation response that it sends to the first device; or,
in the case when communication starts, after the second device receives the initial communication request message, it checks whether it itself has a VID and whether its own VID is identical to the VID of the first device carried in the security mode negotiation request within the initial communication request message; if identical, it selects VLAN as the security mode and adds the selected VLAN security mode to a security mode negotiation response that it sends to the first device; if not identical, it adds the identifier of IPSec support to the security mode negotiation response and sends it to the first device in an initial communication response message carrying that response, or directly initiates the IPSec establishment procedure with the first device.
In one embodiment, the method further comprises:
when the second device checks and judges the security mode it supports, if there is no security mode that matches the security mode supported by the first device, the second device sends a security mode negotiation failure message to the first device.
In one embodiment, the method further comprises:
the first device digitally signs the security mode negotiation request and then reports it to the second device; the second device verifies the digital signature and, after verification passes, selects the security mode that matches the security mode supported by the first device, digitally signs the security mode negotiation response, and then sends the digitally signed security mode negotiation response to the first device.
An embodiment of the present invention also provides a security mode negotiation apparatus in a mobile network cloud scenario, the apparatus comprising: a security mode sending module, a checking, judging and selecting module, and a security mode receiving module; wherein, before communication or when communication starts,
the security mode sending module is configured to report the security mode supported by its own device to a peer device;
the checking, judging and selecting module is configured to check and judge the security mode supported by its own device, and to select a security mode that matches the security mode supported by the peer device and send it to the peer device;
the security mode receiving module is configured to receive the security mode, supported by the peer device, that the peer device reports;
the device and the peer device are physical devices or virtual network elements.
In one embodiment,
the checking, judging and selecting module, when checking and judging the security mode supported by its own device, is further configured to trigger the security mode sending module when it determines that no security mode matching the security mode supported by the peer device exists; correspondingly,
the security mode sending module is further configured to send a security mode negotiation failure message to the peer device.
In one embodiment,
the security mode sending module is further configured to digitally sign the security mode negotiation request of its own device and then report it to the peer device; and to digitally sign the security mode negotiation response carrying the security mode selected as matching the security mode supported by the peer device, and then send the digitally signed security mode negotiation response to the peer device; correspondingly,
the checking, judging and selecting module is further configured to verify the digital signature sent by the peer device and, after verification passes, to trigger the security mode sending module.
An embodiment of the present invention also provides a security mode negotiation device in a mobile network cloud scenario, the device comprising the apparatus described above.
In the security mode negotiation method, apparatus and device in a mobile network cloud scenario provided by embodiments of the present invention, before communication or when communication starts, a first device reports the security mode it supports to a second device; the second device checks and judges the security mode it itself supports, selects a security mode that matches the security mode supported by the first device, and sends it to the first device; the first device and the second device are physical devices or virtual network elements. Embodiments of the present invention thereby realize automatic negotiation of the security mode between devices, make reasonable use of existing security mechanisms, avoid redundant security mechanisms, effectively guarantee communication security between devices, save the configuration and maintenance work of IPSec, greatly reduce the manual configuration workload, and improve working efficiency.
Detailed description of the invention
In the accompanying drawings (which are not necessarily drawn to scale), like reference numerals may describe similar components in different views. Like reference numerals with different letter suffixes may indicate different instances of similar components. The drawings generally show, by way of example and not of limitation, the embodiments discussed herein.
Fig. 1 is a flowchart of the implementation of the security mode negotiation method in a mobile network cloud scenario according to an embodiment of the present invention;
Fig. 2 is a schematic structural diagram of the security mode negotiation apparatus in a mobile network cloud scenario according to an embodiment of the present invention;
Fig. 3 is a flowchart of the implementation of the inter-device security mode negotiation method in one application scenario of an embodiment of the present invention;
Fig. 4 is a flowchart of the implementation of the inter-device security mode negotiation method in another application scenario of an embodiment of the present invention;
Fig. 5 is a flowchart of the implementation of the inter-device security mode negotiation method in a further application scenario of an embodiment of the present invention.
Specific embodiment
In embodiments of the present invention, before communication or when communication starts, a first device reports the security mode it supports to a second device; the second device checks and judges the security mode it itself supports, selects a security mode that matches the security mode supported by the first device, and sends it to the first device; the first device and the second device are physical devices or virtual network elements.
The present invention is described in further detail below with reference to the accompanying drawings and specific embodiments.
Fig. 1 is a flowchart of the implementation of the security mode negotiation method in a mobile network cloud scenario according to an embodiment of the present invention. As shown in Fig. 1, the method comprises:
Step 101: before communication or when communication starts, the first device reports the security mode it supports to the second device;
Step 102: the second device checks and judges the security mode it itself supports, selects a security mode that matches the security mode supported by the first device, and sends it to the first device; the first device and the second device are physical devices or virtual network elements.
In an embodiment of the present invention, before communication, the first device reporting the security mode it supports to the second device comprises:
the first device sends a security mode negotiation request to the second device, the security mode negotiation request carrying the security mode supported by the first device, where the security mode includes the ID of the VLAN to which the first device belongs, i.e. the VID, and an identifier of IPSec support, etc.
In an embodiment of the present invention, when communication starts, the first device reporting the security mode it supports to the second device comprises:
the first device sends an initial communication request message to the second device, the message containing a security mode negotiation request, and the security mode negotiation request carrying the security mode supported by the first device, where the security mode includes the ID of the VLAN to which the first device belongs, i.e. the VID, and an identifier of IPSec support, etc.
In an embodiment of the present invention, before communication, the second device checking and judging the security mode it supports, selecting a security mode that matches the security mode supported by the first device and sending it to the first device, comprises:
after the second device receives the security mode negotiation request, it checks whether it itself has a VID and whether its own VID is identical to the VID of the first device carried in the security mode negotiation request; if identical, it selects VLAN as the security mode and adds the selected security mode to a security mode negotiation response that it sends to the first device; if not identical, it selects IPSec as the security mode and adds the identifier of IPSec support to the security mode negotiation response that it sends to the first device.
In an embodiment of the present invention, when communication starts, the second device checking and judging the security mode it supports, selecting a security mode that matches the security mode supported by the first device and sending it to the first device, comprises:
after the second device receives the initial communication request message, it checks whether it itself has a VID and whether its own VID is identical to the VID of the first device carried in the security mode negotiation request within the initial communication request message; if identical, it selects VLAN as the security mode and adds the selected VLAN security mode to a security mode negotiation response that it sends to the first device; if not identical, it adds the identifier of IPSec support to the security mode negotiation response and sends the initial communication response message carrying that response to the first device, or alternatively initiates the IPSec establishment procedure with the first device.
Embodiments of the present invention thereby realize automatic negotiation of the security mode between devices, make reasonable use of existing security mechanisms, avoid redundant security mechanisms, effectively guarantee communication security between devices, save the configuration and maintenance work of IPSec, greatly reduce the manual configuration workload, and improve working efficiency.
In one embodiment, the method further comprises: when the second device checks and judges the security mode it supports, if there is no security mode that matches the security mode supported by the first device, the second device sends a security mode negotiation failure message to the first device. The first device can then re-initiate the security mode negotiation procedure.
As a result, embodiments of the present invention guarantee that communication between devices is always protected, and prevent a malicious device from deliberately selecting an empty security mode, which would leave the communication between the devices without any protection and expose the communication content to security threats such as tampering and interception.
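As an added illustration (not code from the patent), the following Go program models steps 101 and 102 together with the failure message and the refusal of an empty security mode described above. The device names, the use of VID 0 to mean "not in any VLAN", and the request/response fields are assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

// Mode is the negotiated security mode. ModeNone (empty) is never accepted.
type Mode string

const (
	ModeVLAN  Mode = "VLAN"
	ModeIPSec Mode = "IPSec"
	ModeNone  Mode = ""
)

// Request is what the first device reports: the ID of the VLAN it belongs
// to (0 = none, an assumption of this example) and whether it supports IPSec.
type Request struct {
	VID            int
	IPSecSupported bool
}

// Response is what the second device returns: the selected mode, the VID
// when VLAN was selected, or Failed when no common mode exists.
type Response struct {
	Mode   Mode
	VID    int
	Failed bool
}

// Device holds the capabilities of one endpoint (physical or virtual NE).
type Device struct {
	Name  string
	VID   int
	IPSec bool
}

// Negotiate is the second device's check: same VID -> VLAN; otherwise IPSec
// when both sides support it; otherwise a negotiation failure message.
func (d Device) Negotiate(req Request) Response {
	if d.VID != 0 && d.VID == req.VID {
		return Response{Mode: ModeVLAN, VID: d.VID}
	}
	if d.IPSec && req.IPSecSupported {
		return Response{Mode: ModeIPSec}
	}
	return Response{Failed: true}
}

// Accept is the first device's handling of the response. A failure leads to
// a retry (recorded by the caller); an empty or unusable mode is refused so
// that a peer can never talk the first device into unprotected traffic.
func (d Device) Accept(resp Response) (Mode, error) {
	switch {
	case resp.Failed:
		return ModeNone, errors.New("negotiation failed: re-initiate and record failure")
	case resp.Mode == ModeVLAN && d.VID != 0 && resp.VID == d.VID:
		return ModeVLAN, nil
	case resp.Mode == ModeIPSec && d.IPSec:
		return ModeIPSec, nil
	default:
		return ModeNone, fmt.Errorf("rejecting response with empty/unusable mode %q (VID %d)", resp.Mode, resp.VID)
	}
}

// Run performs one negotiation with a as the first device and b as the second.
func Run(a, b Device) (Mode, error) {
	resp := b.Negotiate(Request{VID: a.VID, IPSecSupported: a.IPSec})
	return a.Accept(resp)
}

func main() {
	// Constructed sample devices: two VNEs in VLAN 100, an IPSec-capable
	// physical gateway outside any VLAN, and a legacy device with neither.
	vne1 := Device{Name: "vNE-1", VID: 100, IPSec: true}
	vne2 := Device{Name: "vNE-2", VID: 100, IPSec: true}
	gw := Device{Name: "physical-GW", VID: 0, IPSec: true}
	legacy := Device{Name: "legacy", VID: 0, IPSec: false}
	for _, pair := range [][2]Device{{vne1, vne2}, {vne1, gw}, {vne1, legacy}} {
		m, err := Run(pair[0], pair[1])
		fmt.Printf("%s <-> %s: mode=%q err=%v\n", pair[0].Name, pair[1].Name, m, err)
	}
	// A response carrying an empty security mode is refused, not silently used.
	_, err := vne1.Accept(Response{})
	fmt.Println("empty mode:", err)
}
```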
In one embodiment, the method further comprises: the first device digitally signs the security mode negotiation request (including the security mode), for example using the first device's own private key, and then reports it to the second device; the second device verifies the digital signature and, after verification passes, digitally signs the security mode negotiation response (containing the security mode that matches the security mode supported by the first device), for example using the second device's private key, and then sends the digitally signed security mode negotiation response to the first device.
Naturally, after the first device subsequently receives the security mode negotiation response (including the security mode) sent by the second device, it must also verify the digital signature, and only if verification passes does it carry out the subsequent procedure with the second device.
An embodiment of the present invention also provides a security mode negotiation apparatus in a mobile network cloud scenario. As shown in Fig. 2, the apparatus comprises: a security mode sending module 20, a checking, judging and selecting module 21, and a security mode receiving module 22; wherein, before communication or when communication starts,
the security mode sending module 20 is configured to report the security mode supported by its own device to the peer device;
the checking, judging and selecting module 21 is configured to check and judge the security mode supported by its own device, and to select a security mode that matches the security mode supported by the peer device and send it to the peer device;
the security mode receiving module 22 is configured to receive the security mode, supported by the peer device, that the peer device reports;
the device and the peer device are physical devices or virtual network elements.
In an embodiment of the present invention, before communication, the security mode sending module 20 reporting the security mode it supports to the peer device comprises:
the device to which the security mode sending module 20 belongs sends a security mode negotiation request to the peer device, the security mode negotiation request carrying the security mode supported by that device, where the security mode includes the ID of the VLAN to which the device belongs, i.e. the VID, and an identifier of IPSec support, etc.
In an embodiment of the present invention, when communication starts, the security mode sending module 20 reporting the security mode it supports to the peer device comprises:
the device to which the security mode sending module 20 belongs sends an initial communication request message to the peer device, the message containing a security mode negotiation request, and the security mode negotiation request carrying the security mode supported by that device, where the security mode includes the ID of the VLAN to which the device belongs, i.e. the VID, and an identifier of IPSec support, etc.
In an embodiment of the present invention, before communication, the checking, judging and selecting module 21 checking and judging the security mode supported by its own device, selecting a security mode that matches the security mode supported by the peer device and sending it to the peer device, comprises:
the checking, judging and selecting module 21 checks whether its own device has a VID and whether that VID is identical to the VID of the peer device carried in the security mode negotiation request; if identical, it selects VLAN as the security mode and adds the selected security mode to a security mode negotiation response that is sent to the peer device; if not identical, it selects IPSec as the security mode and adds the identifier of IPSec support to the security mode negotiation response that is sent to the peer device.
In an embodiment of the present invention, when communication starts, the checking, judging and selecting module 21 checking and judging the security mode supported by its own device, selecting a security mode that matches the security mode supported by the peer device and sending it to the peer device, comprises:
the checking, judging and selecting module 21 checks whether its own device has a VID and whether that VID is identical to the VID of the peer device carried in the security mode negotiation request within the initial communication request message; if identical, it selects VLAN as the security mode and adds the selected VLAN security mode to a security mode negotiation response that is sent to the peer device; if not identical, it adds the identifier of IPSec support to the security mode negotiation response and sends the initial communication response message carrying that response to the peer device, or alternatively initiates the IPSec establishment procedure with the peer device.
Embodiments of the present invention thereby realize automatic negotiation of the security mode between devices, make reasonable use of existing security mechanisms, avoid redundant security mechanisms, effectively guarantee communication security between devices, save the configuration and maintenance work of IPSec, greatly reduce the manual configuration workload, and improve working efficiency.
In one embodiment, the checking, judging and selecting module 21, when checking and judging the security mode supported by its own device, is further configured to trigger the security mode sending module when it determines that no security mode matching the security mode supported by the peer device exists; correspondingly,
the security mode sending module 20 is further configured to send a security mode negotiation failure message to the peer device.
As a result, embodiments of the present invention guarantee that communication between devices is always protected, and prevent a malicious device from deliberately selecting an empty security mode, which would leave the communication between the devices without any protection and expose the communication content to security threats such as tampering and interception.
In one embodiment, the security mode sending module 20 is further configured to digitally sign the security mode negotiation request of its own device (for example using the private key of the device to which the security mode sending module 20 belongs) and then report it to the peer device; and to digitally sign the security mode negotiation response carrying the security mode selected as matching the security mode supported by the peer device (for example using the private key of the device to which the security mode sending module 20 belongs), and then send the digitally signed security mode negotiation response to the peer device; correspondingly,
the checking, judging and selecting module 21 is further configured to verify the digital signature sent by the peer device and, after verification passes, to trigger the security mode sending module.
An embodiment of the present invention also provides a security mode negotiation device in a mobile network cloud scenario, the device comprising the apparatus described above. The device is a physical device or a virtual network element.
Embodiments of the present invention are described below with reference to specific application scenarios.
Scenario one
Fig. 3 is a flowchart of the implementation of the inter-device security mode negotiation method in one application scenario of an embodiment of the present invention. As shown in Fig. 3, in this scenario the first device and the second device carry out the security mode negotiation procedure before communication starts. The specific steps are as follows:
Step 301: when the first device (which may be a physical device or a virtual network element) needs to communicate with the second device, the first device sends a security mode negotiation request to the second device, the request carrying the security mode supported by the first device, comprising the ID of the VLAN to which the first device belongs, i.e. the VID, an identifier of IPSec support, etc.;
Step 302: after the second device receives the security mode negotiation request, it looks up whether it has a VID and whether that VID is identical to the VID of the first device that it received; if identical, it directly selects VLAN as the security mode and adds the VLAN security mode to a security mode negotiation response that it sends to the first device; if different, it adds the identifier of IPSec support to the security mode negotiation response that it sends to the first device;
Step 303: after the first device receives the security mode negotiation response, it initiates subsequent communication with the second device according to the content of the response.
Here, if the response contains the VID of the second device and it is identical to the VID of the first device, the first device carries out subsequent communication with the second device over the VLAN; if the response contains the identifier of IPSec support, the first device initiates the IPSec establishment procedure with the second device.
It should be understood that the first device above is assumed to support the security mode negotiation capability; if it does not, the first device simply does not initiate the procedure above. The second device, whether a conventional physical device or a virtualized network element, must support the security mode negotiation capability and select a security mode that both the first device and the second device support. The selected security mode may not be empty, that is, the security mode returned by the second device may not leave the security mode unselected; otherwise the first device re-initiates the security mode negotiation and records the failure information. This guarantees that communication between the first device and the second device is always protected, and prevents a malicious device from deliberately selecting an empty security mode, which would leave the communication between the first device and the second device without any protection and expose the communication content to security threats such as tampering and interception.
Scenario two
Fig. 4 is a flowchart of the implementation of the inter-device security mode negotiation method in another application scenario of an embodiment of the present invention. As shown in Fig. 4, in this scenario the first device and the second device carry out the security mode negotiation procedure when communication starts. The specific steps are as follows:
Step 401: when the first device (which may be a physical device or a virtual network element) needs to communicate with the second device, the first device sends an initial communication request message to the second device, the message containing a security mode negotiation request that carries the security mode supported by the first device, comprising the ID of the VLAN to which the first device belongs, i.e. the VID, an identifier of IPSec support, etc.;
Step 402: after the second device receives the initial communication request message, it looks up whether it has a VID and whether that VID is identical to the VID in the received security mode negotiation request. If identical, it directly selects VLAN as the security mode; if different, it either directly initiates the IPSec establishment procedure with the first device, or adds the identifier of IPSec support to the security mode response. The security mode response is sent to the first device in the initial communication response message.
Step 403: the first device receives the initial communication response message. If the message contains a security mode negotiation response, the first device initiates subsequent communication with the second device according to the content of the response, that is: if the response contains the VID of the second device and it is identical to the VID of the first device, the first device carries out subsequent communication with the second device over the VLAN; if the response contains the identifier of IPSec support, the first device initiates the IPSec establishment procedure with the second device. Otherwise, following the second device's response, the first device directly starts the subsequent IPSec procedure with the second device.
It should be understood that, as in scenario one, the first device above is assumed to support the security mode negotiation capability; if it does not, the first device simply does not initiate the procedure above. The second device, whether a conventional physical device or a virtualized network element, must support the security mode negotiation capability and select a security mode that both the first device and the second device support. The selected security mode may not be empty, that is, the security mode returned by the second device may not leave the security mode unselected; otherwise the first device re-initiates the security mode negotiation and records the failure information. This guarantees that communication between the first device and the second device is always protected, and prevents a malicious device from deliberately selecting an empty security mode, which would leave the communication between the first device and the second device without any protection and expose the communication content to security threats such as tampering and interception.
Scene three
In scenes one and two above, the security mode negotiation request and the initial communication request message are unprotected, so there is a threat that the first device's security mode is tampered with; likewise the security mode negotiation response is unprotected, so there is a threat that the security mode selected by the second device is tampered with. This scene uses digital signatures to prevent these threats and is a security enhancement of the schemes of the two scenes above.
As shown in Figure 5, this scene's scheme differs from the schemes above as follows:
Step 501: The security mode negotiation request is digitally signed with the private key of the first device, and the message carries the first device's certificate;
Step 502: The second device verifies the digital signature with the public key in the first device's certificate. If verification succeeds, it checks and selects a security mode; otherwise, if verification fails, it returns an error message;
Step 503: The security mode negotiation response is digitally signed with the private key of the second device, and the message carries the second device's certificate. After the first device receives the response message, it verifies the digital signature using the second device's certificate; only if verification succeeds does it proceed with the subsequent procedure with the second device; otherwise it returns an error message to the second device.
In the embodiments of the present invention, the security mode negotiation request and the security mode negotiation response may be separate messages, as in scene one above, or may be contained respectively in the initial communication request message and the initial communication response message, as in scene two above.
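The negotiation of steps 402/403 (with the rule that an empty security mode is never accepted) and the signed exchange of scene three, as an added simulation that is not part of the patent. Message and field names are assumptions, the patent names only the VID, the "supports IPSec" mark and the failure message; the stdlib has no asymmetric signatures, so an HMAC under a key both test parties are assumed to share stands in for the private-key signature and certificate check.

```python
# Added example, not from the patent: security mode negotiation (steps 402/403,
# claims 1, 4, 5) plus the signed variant of scene three. Names are assumptions.
import hashlib, hmac, json
from dataclasses import asdict, dataclass
from typing import Optional

VLAN, IPSEC = "VLAN", "IPSec"

@dataclass
class ModeRequest:            # security mode negotiation request (first device)
    vid: Optional[int]        # VLAN ID of the sender, None if it has none
    supports_ipsec: bool      # the "supports IPSec" mark

@dataclass
class ModeResponse:           # security mode negotiation response (second device)
    selected: Optional[str]   # VLAN, IPSec, or None = negotiation failure
    vid: Optional[int] = None # second device's VID, echoed when VLAN is chosen
    ipsec_mark: bool = False  # "supports IPSec" mark when IPSec is chosen

def second_device_select(own_vid, own_ipsec, req: ModeRequest) -> ModeResponse:
    """Step 402: VLAN if both VIDs match, else IPSec, else failure (claim 5)."""
    if own_vid is not None and req.vid == own_vid:
        return ModeResponse(VLAN, vid=own_vid)
    if own_ipsec and req.supports_ipsec:
        return ModeResponse(IPSEC, ipsec_mark=True)
    return ModeResponse(None)

def first_device_handle(own_vid, resp: ModeResponse) -> str:
    """Step 403, plus the rule that an empty security mode is never accepted."""
    if resp.selected == VLAN and resp.vid is not None and resp.vid == own_vid:
        return "use VLAN"
    if resp.selected == IPSEC and resp.ipsec_mark:
        return "start IPSec setup"
    return "renegotiate"      # record the failure; never proceed unprotected

# Scene three: sign the request and the response. The stdlib has no asymmetric
# signatures, so an HMAC under a key both test parties are assumed to share
# stands in for the private-key signature and certificate verification.
def sign(key: bytes, msg) -> dict:
    body = json.dumps(asdict(msg), sort_keys=True)
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}

def verify(key: bytes, signed: dict) -> bool:
    expect = hmac.new(key, signed["body"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expect, signed["sig"])

def negotiate(first_vid, first_ipsec, second_vid, second_ipsec,
              key=b"constructed-test-key", tamper=False) -> str:
    # Full exchange: signed request -> step 402 -> signed response -> step 403.
    signed_req = sign(key, ModeRequest(first_vid, first_ipsec))
    if tamper:  # constructed: the request's VID is altered in transit (the scene three threat)
        signed_req["body"] = signed_req["body"].replace(f'"vid": {first_vid}', '"vid": 999')
    if not verify(key, signed_req):
        return "error: bad request signature"
    req = ModeRequest(**json.loads(signed_req["body"]))
    resp = second_device_select(second_vid, second_ipsec, req)
    signed_resp = sign(key, resp)
    if not verify(key, signed_resp):
        return "error: bad response signature"
    return first_device_handle(first_vid, ModeResponse(**json.loads(signed_resp["body"])))
```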
Those skilled in the art will understand that the embodiments of the present invention may be provided as a method, a system, or a computer program product. Therefore, the present invention may take the form of a hardware-only embodiment, a software-only embodiment, or an embodiment combining software and hardware. Moreover, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage and optical storage) containing computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks therein, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce a means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means, which implement the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, such that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
The foregoing is only a preferred embodiment of the present invention and is not intended to limit the scope of the present invention.

Claims (10)

1. A security mode negotiation method in a mobile network cloud scenario, characterised in that the method comprises:
before communication or when communication starts, a first device reports the security modes it supports to a second device; the second device checks and determines the security modes it supports itself, selects a security mode matching the security modes supported by the first device, and sends it to the first device; the first device and the second device are: physical devices or virtual network elements;
wherein, before communication, the second device checking and determining the security modes it supports itself comprises:
after the second device receives a security mode negotiation request, it checks whether it has a VID itself and whether its own VID is identical to the VID of the first device carried in the security mode negotiation request; if identical, it selects VLAN as the security mode and adds the selected security mode to a security mode negotiation response sent to the first device; if not identical, it selects IPSec as the security mode and adds a mark indicating IPSec support to the security mode negotiation response sent to the first device; the VID is the ID of a virtual local area network (VLAN).
2. The method according to claim 1, wherein the first device reporting the security modes it supports to the second device comprises:
before communication, the first device sends a security mode negotiation request to the second device, the security mode negotiation request carrying the security modes supported by the first device; or,
when communication starts, the first device sends an initial communication request message to the second device, the message containing a security mode negotiation request, which carries the security modes supported by the first device.
3. The method according to claim 1, wherein the security mode includes at least one of the following:
the VID of the device; a mark indicating that the device supports IPSec;
the VID of the device being: the ID of the virtual local area network (VLAN) to which the device belongs.
4. The method according to claim 3, wherein, when communication starts, the second device checking and determining the security modes it supports itself, selecting a security mode matching the security modes supported by the first device and sending it to the first device comprises:
after the second device receives the initial communication request message, it checks whether it has a VID itself and whether its own VID is identical to the VID of the first device in the security mode negotiation request contained in the initial communication request message; if identical, it selects VLAN as the security mode and adds the selected VLAN security mode to a security mode negotiation response sent to the first device; if not identical, it adds a mark indicating IPSec support to the security mode negotiation response and sends the initial communication response message carrying the security mode negotiation response to the first device, or directly initiates the IPSec establishment procedure towards the first device.
5. The method according to claim 1, wherein the method further comprises:
when the second device checks and determines the security modes it supports itself, if there is no security mode matching the security modes supported by the first device, the second device sends a security mode negotiation failure message to the first device.
6. The method according to claim 1, wherein the method further comprises:
the first device digitally signs the security mode negotiation request and then reports it to the second device; the second device verifies the digital signature and, if verification succeeds, selects the security mode matching the security modes supported by the first device, digitally signs the security mode negotiation response, and then sends the digitally signed security mode negotiation response to the first device.
7. A security mode negotiation apparatus in a mobile network cloud scenario, characterised in that the apparatus comprises: a security mode sending module, a check-and-select module and a security mode receiving module; wherein, before communication or when communication starts,
the security mode sending module is configured to report the security modes supported by its own device to a peer device;
the check-and-select module is configured to check and determine the security modes supported by its own device, select a security mode matching the security modes supported by the peer device, and send it to the peer device;
the security mode receiving module is configured to receive the security modes supported by the peer device that the peer device reports;
the device and the peer device are: physical devices or virtual network elements;
wherein the check-and-select module checking and determining, before communication, the security modes supported by its own device comprises:
after a security mode negotiation request is received, checking whether its own device has a VID and whether the VID of its own device is identical to the VID of the peer device in the security mode negotiation request; if identical, selecting VLAN as the security mode and notifying the security mode sending module to add the selected security mode to a security mode negotiation response sent to the peer device; if not identical, selecting IPSec as the security mode and notifying the security mode sending module to add a mark indicating IPSec support to the security mode negotiation response sent to the peer device.
8. The apparatus according to claim 7, characterised in that
the check-and-select module, when checking and determining the security modes supported by its own device, is further configured to trigger the security mode sending module when it determines that there is no security mode matching the security modes supported by the peer device; correspondingly,
the security mode sending module is further configured to send a security mode negotiation failure message to the peer device.
9. The apparatus according to claim 7, characterised in that
the security mode sending module is further configured to digitally sign the security mode negotiation request of its own device and then report it to the peer device; to select the security mode matching the security modes supported by the peer device, digitally sign the security mode negotiation response, and then send the digitally signed security mode negotiation response to the peer device; correspondingly,
the check-and-select module is further configured to verify the digital signature sent by the peer device and, after verification succeeds, to trigger the security mode sending module.
10. A security mode negotiation device in a mobile network cloud scenario, characterised in that the device comprises the apparatus according to any one of claims 7 to 9.
CN201510059653.1A 2015-02-04 2015-02-04 Safe mode machinery of consultation, device and equipment under a kind of mobile network cloud scene Active CN105991558B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510059653.1A CN105991558B (en) 2015-02-04 2015-02-04 Safe mode machinery of consultation, device and equipment under a kind of mobile network cloud scene


Publications (2)

Publication Number Publication Date
CN105991558A CN105991558A (en) 2016-10-05
CN105991558B true CN105991558B (en) 2019-09-17

Family

ID=57037705


Country Status (1)

Country Link
CN (1) CN105991558B (en)




Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant