CN106685979A - Security terminal identifier based on STiP model and authentication method and system - Google Patents


Publication number
CN106685979A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201710013800.0A
Other languages
Chinese (zh)
Other versions
CN106685979B (en)
Inventor
蒋文保
朱国库
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Information Science and Technology University
Original Assignee
Beijing Information Science and Technology University
Application filed by Beijing Information Science and Technology University
Priority to CN201710013800.0A
Publication of CN106685979A
Publication of CN106685979B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H04W12/12 Detection or prevention of fraud

Abstract

The invention provides a security terminal identifier and an authentication method and system based on the STiP model. In the authentication method, a local end host signs an original data packet containing a source security host identifier and a destination security host identifier to obtain a packet to be sent, and sends it to an access authentication server. When the access authentication server does not find binding information bound to the source security host identifier in its local mapping cache table, it sends a query request to a local map resolver; the binding information includes at least the source security host identifier, the public key bound to the source security host identifier, and the routing locator of the local access router. When the local map resolver does not find the binding information, it iteratively queries the root, top-level and authoritative map resolvers in turn. The access authentication server verifies the packet to be sent and, if verification succeeds, forwards the packet to the local access router. A hash algorithm is further applied to the source and destination security host identifiers to obtain source and destination security host identifier labels, which replace the source and destination security host identifiers in the original data packet.

Description

Security terminal identifier and authentication method and system based on the STiP model
Technical field
The present invention relates to the communications field, and more particularly to a communication method and system based on the STiP (Secure and Trusted internet Protocol) model.
Background art
As demand for terminal mobility grows, mobile devices such as notebook computers, smartphones and tablet computers are used more and more widely. Meanwhile, to avoid the limitations of wired network connections, wireless networks are also increasingly popular. As mobile devices become more widely used, their mobility brings security risks; at the same time, because the existing TCP/IP protocol has no inherent security mechanism such as address authenticity verification, attack sources and attacker identities are difficult to trace.
Summary of the invention
The present invention aims to overcome at least one of the above defects by providing a security terminal identifier and authentication method and system based on the STiP model, so as to ensure the security of local end host access.
To achieve the above purpose, the technical solution of the present invention is implemented as follows:
One aspect of the present invention provides a security terminal identifier and authentication method based on the STiP model, including:
The local end host uses its private key to sign an original data packet containing a source security host identifier and a destination security host identifier, obtaining a packet to be sent, and sends the packet to be sent to an access authentication server, where the packet to be sent includes the original data packet and the signature, the source security host identifier is the unique identifier of the local end host, and the destination security host identifier is the unique identifier of the peer end host;
The access authentication server receives the packet to be sent and, when it does not find binding information bound to the source security host identifier in the local mapping cache table, sends the local map resolver a request to query the binding information bound to the source security host identifier, where that binding information includes at least the source security host identifier, the public key bound to the source security host identifier, and the routing locator of the local access router that the local end host accesses;
The local map resolver parses the request to query the binding information bound to the source security host identifier and looks up that binding information locally; when the local map resolver does not find it, it iteratively queries the root map resolver, the top-level map resolver and the authoritative map resolver in turn, obtains the binding information bound to the source security host identifier from the authoritative map resolver, and sends it to the access authentication server;
The access authentication server receives the binding information bound to the source security host identifier and uses the public key bound to the source security host identifier to verify the authenticity of the packet to be sent; if verification succeeds, it sends a packet to be forwarded to the local access router, where the packet to be forwarded includes at least the original data packet;
The local access router receives the packet to be forwarded and, when it does not find binding information bound to the destination security host identifier in the local mapping cache table, sends the local map resolver a request to query the binding information bound to the destination security host identifier, where that binding information includes at least the destination security host identifier, the public key bound to the destination security host identifier, and the routing locator of the peer access router that the peer end host accesses;
The local map resolver parses the request to query the binding information bound to the destination security host identifier and looks up that binding information locally; when the local map resolver does not find it, it iteratively queries the root map resolver, the top-level map resolver and the authoritative map resolver in turn, obtains the binding information bound to the destination security host identifier from the authoritative map resolver, and sends it to the local access router;
The local access router encapsulates a source routing locator and a destination routing locator into the packet to be forwarded and sends the encapsulated packet to the peer access router, where the source routing locator is the routing locator of the local access router and the destination routing locator is the routing locator of the peer access router;
The peer access router receives the encapsulated packet, decapsulates it to obtain the packet to be forwarded, and sends the packet to be forwarded to the peer end host.
In addition, after the access authentication server receives the binding information bound to the source security host identifier, the method further includes: the access authentication server stores the binding information bound to the source security host identifier in the local mapping cache table.
In addition, the local mapping cache table also stores a cache time length for the binding information bound to the source security host identifier; the method further includes: after the cache time length expires, the access authentication server deletes the binding information bound to the source security host identifier.
In addition, the source security host identifier and the destination security host identifier are named according to a preset structure.
In addition, the root map resolver, the top-level map resolver and the authoritative map resolver form a tree topology.
In addition, the root map resolver, the top-level map resolver and the authoritative map resolver form a decentralized topology.
In addition, after the access authentication server receives the packet to be sent and before it sends the packet to be forwarded to the local access router, the method further includes: the access authentication server applies a hash algorithm to the source security host identifier and the destination security host identifier to obtain a source security host identifier label and a destination security host identifier label, and replaces the source security host identifier and the destination security host identifier in the original data packet with the source security host identifier label and the destination security host identifier label.
Another aspect of the present invention provides a security terminal identifier and authentication system based on the STiP model, including:
A local end host, configured to use its private key to sign an original data packet containing a source security host identifier and a destination security host identifier, obtaining a packet to be sent, and to send the packet to be sent to an access authentication server, where the packet to be sent includes the original data packet and the signature, the source security host identifier is the unique identifier of the local end host, and the destination security host identifier is the unique identifier of the peer end host;
An access authentication server, configured to receive the packet to be sent and, when it does not find binding information bound to the source security host identifier in the local mapping cache table, to send the local map resolver a request to query the binding information bound to the source security host identifier, where that binding information includes at least the source security host identifier, the public key bound to the source security host identifier, and the routing locator of the local access router that the local end host accesses;
A local map resolver, configured to parse the request to query the binding information bound to the source security host identifier and to look up that binding information locally; when the local map resolver does not find it, to iteratively query the root map resolver, the top-level map resolver and the authoritative map resolver in turn, obtain the binding information bound to the source security host identifier from the authoritative map resolver, and send it to the access authentication server;
The access authentication server is further configured to receive the binding information bound to the source security host identifier and to use the public key bound to the source security host identifier to verify the authenticity of the packet to be sent; if verification succeeds, it sends a packet to be forwarded to the local access router, where the packet to be forwarded includes at least the original data packet;
A local access router, configured to receive the packet to be forwarded and, when it does not find binding information bound to the destination security host identifier in the local mapping cache table, to send the local map resolver a request to query the binding information bound to the destination security host identifier, where that binding information includes at least the destination security host identifier, the public key bound to the destination security host identifier, and the routing locator of the peer access router that the peer end host accesses;
The local map resolver is further configured to parse the request to query the binding information bound to the destination security host identifier and to look up that binding information locally; when the local map resolver does not find it, to iteratively query the root map resolver, the top-level map resolver and the authoritative map resolver in turn, obtain the binding information bound to the destination security host identifier from the authoritative map resolver, and send it to the local access router;
The local access router is further configured to encapsulate a source routing locator and a destination routing locator into the packet to be forwarded and to send the encapsulated packet to the peer access router, where the source routing locator is the routing locator of the local access router and the destination routing locator is the routing locator of the peer access router;
A peer access router, configured to receive the encapsulated packet, decapsulate it to obtain the packet to be forwarded, and send the packet to be forwarded to the peer end host.
In addition, the access authentication server is further configured to store the binding information bound to the source security host identifier in the local mapping cache table after receiving it.
In addition, the local mapping cache table also stores a cache time length for the binding information bound to the source security host identifier; the access authentication server is further configured to delete the binding information bound to the source security host identifier after the cache time length expires.
In addition, the source security host identifier and the destination security host identifier are named according to a preset structure.
In addition, the root map resolver, the top-level map resolver and the authoritative map resolver form a tree topology.
In addition, the root map resolver, the top-level map resolver and the authoritative map resolver form a decentralized topology.
In addition, the access authentication server is further configured, after receiving the packet to be sent and before sending the packet to be forwarded to the local access router, to apply a hash algorithm to the source security host identifier and the destination security host identifier to obtain a source security host identifier label and a destination security host identifier label, and to replace the source security host identifier and the destination security host identifier in the original data packet with the source security host identifier label and the destination security host identifier label.
As can be seen from the technical solution provided above, the security terminal identifier and authentication method and system based on the STiP model provided by the embodiments of the present invention can solve network security problems such as source address spoofing and identity security at the source, which helps build an autonomous, controllable, secure and trustworthy Internet environment.
Description of the drawings
To illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings needed for describing the embodiments are briefly introduced below. The drawings described below are obviously only some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a structural diagram of the security terminal identifier and authentication system based on the STiP model provided by an embodiment of the present invention;
Fig. 2 is a flow chart of the security terminal identifier and authentication method based on the STiP model provided by an embodiment of the present invention.
Detailed description of the embodiments
Embodiments of the present invention are described in detail below with reference to the drawings.
Fig. 1 shows a structural diagram of a security terminal identifier and authentication system based on the STiP model provided by an embodiment of the present invention. Referring to Fig. 1, the system includes an access network 10 and a backbone network 20 whose IP addresses are independent of each other. Access network 10 includes multiple end hosts (at least local end host 101 and peer end host 103) and at least one access authentication server (at least local access authentication server 102, which is connected to local end host 101). As an optional embodiment of the present invention, the at least one access authentication server may also include a peer access authentication server (not shown) connected to peer end host 103. Backbone network 20 includes multiple access routers (at least local access router 201 and peer access router 202), local map resolver 203, root map resolver 204, top-level map resolver 205 and authoritative map resolver 206. Local access router 201 is connected to local access authentication server 102; peer access router 202 is connected to peer end host 103 (where a peer access authentication server is present, peer access router 202 is connected to the peer access authentication server); local map resolver 203, root map resolver 204, top-level map resolver 205 and authoritative map resolver 206 are connected in sequence. A person skilled in the art will understand that these connections may be wired or wireless, which the present invention does not specifically limit. The security terminal identifier and authentication system based on the STiP model provided by the embodiment of the present invention is described in detail below:
Local end host 101 is configured to use the private key of the local end host to sign an original data packet containing a source security host identifier and a destination security host identifier, obtaining a packet to be sent, and to send the packet to be sent to access authentication server 102, where the packet to be sent includes the original data packet and the signature, the source security host identifier is the unique identifier of local end host 101, and the destination security host identifier is the unique identifier of peer end host 103;
Access authentication server 102 is configured to receive the packet to be sent and, when it does not find binding information bound to the source security host identifier in the local mapping cache table, to send local map resolver 203 a request to query the binding information bound to the source security host identifier, where that binding information includes at least the source security host identifier, the public key bound to the source security host identifier, and the routing locator of local access router 201 that the local end host accesses;
Local map resolver 203 is configured to parse the request to query the binding information bound to the source security host identifier and to look up that binding information locally; when the local map resolver does not find it, to iteratively query root map resolver 204, top-level map resolver 205 and authoritative map resolver 206 in turn, obtain the binding information bound to the source security host identifier from authoritative map resolver 206, and send it to access authentication server 102;
Access authentication server 102 is further configured to receive the binding information bound to the source security host identifier and to use the public key bound to the source security host identifier to verify the authenticity of the packet to be sent; if verification succeeds, it sends a packet to be forwarded to local access router 201, where the packet to be forwarded includes at least the original data packet;
Local access router 201 is configured to receive the packet to be forwarded and, when it does not find binding information bound to the destination security host identifier in the local mapping cache table, to send local map resolver 203 a request to query the binding information bound to the destination security host identifier, where that binding information includes at least the destination security host identifier, the public key bound to the destination security host identifier, and the routing locator of the peer access router that the peer end host accesses;
Local map resolver 203 is further configured to parse the request to query the binding information bound to the destination security host identifier and to look up that binding information locally; when the local map resolver does not find it, to iteratively query root map resolver 204, top-level map resolver 205 and authoritative map resolver 206 in turn, obtain the binding information bound to the destination security host identifier from the authoritative map resolver, and send it to local access router 201;
Local access router 201 is further configured to encapsulate a source routing locator and a destination routing locator into the packet to be forwarded and to send the encapsulated packet to peer access router 202, where the source routing locator is the routing locator of local access router 201 and the destination routing locator is the routing locator of peer access router 202;
Peer access router 202 is configured to receive the encapsulated packet, decapsulate it to obtain the packet to be forwarded, and send the packet to be forwarded to peer end host 103.
It can thus be seen that the security terminal identifier and authentication system based on the STiP model provided by the embodiment of the present invention can solve network security problems such as source address spoofing and identity security at the source, which helps build an autonomous, controllable, secure and trustworthy Internet environment.
Specifically, access network 10 handles the access of end hosts. On the basis of the STiP model provided by the embodiment of the present invention, a globally unique SHI (Secure Host Identifier) identifies every end host in the access network, and the security host identifier does not take part in global routing. Backbone network 20 handles data routing. Local map resolver 203, root map resolver 204, top-level map resolver 205 and authoritative map resolver 206 may each be configured as a single server, for example a mapping server, or as a server cluster, which the present invention does not limit.
Meanwhile, access network 10 and backbone network 20 use independent address spaces: access network 10 forwards data using security terminal identifiers, and backbone network 20 routes and forwards packets using IP addresses. Because an end host cannot directly access an access router, attacks by end hosts on access routers are effectively prevented. The separation of access network 10 from backbone network 20 in the STiP model provided by the embodiment of the present invention therefore ensures that future terminal access technology and the backbone network architecture can evolve independently of each other.
In access network 10, the authenticity of an end host is verified by the access authentication server. Specifically, before use, each end host can be assigned a public/private key pair by, for example, a mapping server, and the key pair is bound to the end host identifier, i.e. to the SHI. The SHI is also bound to the RLOC (Routing Locator) of the access router. That is, the mapping server can record a triple bound to each end host, comprising the SHI, the public key bound to the SHI, and the RLOC of the access router that the SHI accesses. The source end host signs the packet with its private key, and the access authentication server can obtain the public key bound to the source SHI by querying, for example, the mapping server, and use it to authenticate the packet from the source end host. One specific implementation is given below, but the present invention is not limited to it. In the STiP model, when an end host at one site sends data to an end host at another site, i.e. when local end host 101 sends data to peer end host 103, and the data reaches access authentication server 102: if the SHI-to-RLOC mapping entry (i.e. the mapping between the security host identifier of the local end host and the routing locator of the local access router) is not found in the local mapping cache table of the local access authentication server, the server can send a message to the LMR (Local Map Resolver) requesting the SHI-to-RLOC mapping. After receiving the request from access authentication server 102, the LMR starts to parse the request message and first looks up locally the binding information bound to the SHI of the local end host. If no record for the SHI exists, the LMR can initiate an iterative query to the RMR (Root Map Resolver). After three iterative queries, through the root map resolver, the TMR (Top-level Map Resolver) and the AMR (Authoritative Map Resolver), the local map resolver obtains from the authoritative map resolver the binding information of the SHI queried by access authentication server 102, i.e. SHI-Public Key-RLOC (where Public Key is the public key bound to the SHI). After access authentication server 102 sends the packet to local access router 201, local access router 201 obtains the RLOC address bound to the SHI of peer end host 103, and then encapsulates the message with its own RLOC as the source address and the RLOC of peer access router 202 as the destination address. Peer access router 202 decapsulates the message after receiving the packet and then sends the message to peer end host 103.
In access network 20, access authentication server 102 can verify that an accessing end host is not forged or impersonated as follows. Local end host 101 applies a digest operation to message X to obtain a very short message digest H1, and then performs the D operation on H1 with its own private key, i.e. a digital signature. The resulting signature D(H1) is appended to message X and sent. On receipt, access authentication server 102 first separates the signature D(H1) from message X, then performs the E operation on D(H1) with the public key of local end host 101 to recover message digest H1, and then applies the digest operation to message X to obtain message digest H2. If H1 equals H2, access authentication server 102 can conclude that the received message is genuine; otherwise it is not.
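The H1/D/E/H2 check described above, as an added example that is not part of the patent. The patent does not name a signature algorithm, so textbook RSA without padding over known Mersenne primes stands in for the D and E operations purely to keep the code dependency-free; the wire layout, function names, the second SHI and the RLOC value are assumptions constructed for illustration.

```python
import hashlib


def make_keypair(p, q, e=65537):
    """Toy textbook-RSA key pair from two known primes (no padding, demo only)."""
    n = p * q
    return {"n": n, "e": e}, {"n": n, "d": pow(e, -1, (p - 1) * (q - 1))}


def digest(message):
    """Digest operation: SHA-256 of the message as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def encode_packet(src_shi, dst_shi, payload):
    """Message X: three fields, each with a 2-byte length prefix (assumed layout)."""
    fields = [src_shi.encode(), dst_shi.encode(), payload]
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)


def decode_packet(x):
    fields, i = [], 0
    while i < len(x):
        size = int.from_bytes(x[i:i + 2], "big")
        fields.append(x[i + 2:i + 2 + size])
        i += 2 + size
    src, dst, payload = fields  # ValueError unless exactly three fields
    return src.decode(), dst.decode(), payload


def sign_packet(x, private_key):
    """End host side: H1 = digest(X), signature = D(H1), send X followed by D(H1)."""
    h1 = digest(x)
    signature = pow(h1, private_key["d"], private_key["n"])  # D operation
    sig_len = (private_key["n"].bit_length() + 7) // 8
    return len(x).to_bytes(4, "big") + x + signature.to_bytes(sig_len, "big")


def authenticate(wire, bindings):
    """Access authentication server side. Returns (accepted, reason)."""
    x_len = int.from_bytes(wire[:4], "big")
    if len(wire) < 4 + x_len:
        return False, "malformed"
    x, sig_bytes = wire[4:4 + x_len], wire[4 + x_len:]  # separate D(H1) from X
    try:
        src_shi, _dst_shi, _payload = decode_packet(x)
    except ValueError:
        return False, "malformed"
    binding = bindings.get(src_shi)  # the key is chosen by the *claimed* source SHI
    if binding is None:
        return False, "unknown source SHI"
    public_key = binding["public_key"]
    signature = int.from_bytes(sig_bytes, "big")
    if signature >= public_key["n"]:
        return False, "bad signature"
    h1 = pow(signature, public_key["e"], public_key["n"])  # E operation
    h2 = digest(x)
    return (True, "ok") if h1 == h2 else (False, "bad signature")


# Constructed sample data: two hosts, but only the first is in the binding table.
HOST_PUB, HOST_PRIV = make_keypair(2**521 - 1, 2**607 - 1)
OTHER_PUB, OTHER_PRIV = make_keypair(2**1279 - 1, 2**2203 - 1)
HOST_SHI = "facility.scheme.bistu.edu.cn"
PEER_SHI = "peer.scheme.bistu.edu.cn"  # constructed destination SHI
BINDINGS = {HOST_SHI: {"public_key": HOST_PUB, "rloc": "192.0.2.1"}}

if __name__ == "__main__":
    x = encode_packet(HOST_SHI, PEER_SHI, b"hello")
    print("genuine:", authenticate(sign_packet(x, HOST_PRIV), BINDINGS))
    # Same claimed source SHI, but signed with a key that is not bound to it.
    print("wrong key:", authenticate(sign_packet(x, OTHER_PRIV), BINDINGS))
```

Because the verification key is looked up by the source SHI the packet claims, a packet signed with any key other than the one bound to that SHI fails the H1 == H2 comparison.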
As an optional implementation of the embodiment of the present invention, access authentication server 102 is further configured to store the binding information bound to the source security host identifier in the local mapping cache table after receiving it. Specifically, each time a query request from access authentication server 102 is answered, the binding information carried in the response message can be stored in the local mapping cache table, so that later uses do not need to query again, which improves processing efficiency.
As an optional implementation of the embodiment of the present invention, the local mapping cache table also stores the cache time length of the binding information bound to the source security host identifier; the access authentication server is further configured to delete the binding information bound to the source security host identifier once the cache time length has expired. Specifically, a TTL (Time-To-Live) value, i.e. the length of time for which a piece of binding information is cached, can be set in each cache record stored in the local mapping cache table, so that efficiency is improved for a certain period while the binding information must be re-obtained once that time is up, which improves security.
As an optional implementation of the embodiment of the present invention, the source security host identifier and the destination security host identifier are named according to a preset structure. Specifically, the security host identifier provided by the embodiment of the present invention can use a hierarchical host identifier naming scheme, which ensures the global uniqueness and aggregatability of SHI naming.
As an optional implementation of the embodiment of the present invention, root map resolver 204, top-level map resolver 205 and authoritative map resolver 206 form a tree topology. The top-down iterative query therefore ensures that every map resolution follows the shortest lookup path, which both guarantees the global uniqueness and aggregatability of SHIs and keeps the mapping table size of the map resolvers at each layer under control.
As an optional implementation of the embodiment of the present invention, root map resolver 204, top-level map resolver 205 and authoritative map resolver 206 form a decentralized topology. The update frequency of mapping relations is mainly affected by the movement of end host locations and by reachability state. Through the hierarchical tree-shaped map resolution system it establishes, the present invention can respond quickly to registration, update, query and deletion requests for mapping relations. The update frequency of mapping relations and the volume of update messages will not become a performance bottleneck for the map resolvers at each layer, because the maintenance of mapping relations is state-convergent, and map query latency and mapping state scale are controllable.
Specifically, an example of the SHI naming topology is facility.scheme.bistu.edu.cn. The iterative query steps for resolving the mapping relation of facility.scheme.bistu.edu.cn are as follows:
A. The local map resolver analyzes the full name, determines that it needs the location of the server with authoritative control over the cn map resolver, requests it and obtains a response;
B. It queries the cn map resolver and obtains the referral information for the edu.cn server;
C. It queries the edu.cn map resolver and obtains the referral information for the bistu.edu.cn server;
D. It queries the bistu.edu.cn map resolver and obtains the referral information for the scheme.bistu.edu.cn server;
E. It queries the scheme.bistu.edu.cn map resolver and obtains the binding information response for facility.scheme.bistu.edu.cn.
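Steps A to E, combined with the TTL-bounded local mapping cache from the optional embodiments above, as an added example that is not part of the patent. The class and function names, the referral limit, the placeholder public key and the RLOC value are assumptions constructed for illustration.

```python
import time

MAX_REFERRALS = 16  # assumption: bound on referral depth so a loop cannot hang the LMR


class MapResolver:
    """One node of the resolver tree, responsible for one name suffix (zone)."""

    def __init__(self, zone):
        self.zone = zone
        self.children = {}  # child zone -> MapResolver it can refer to
        self.bindings = {}  # SHI -> binding record it answers for itself

    def delegate(self, child):
        self.children[child.zone] = child
        return child

    def query(self, shi):
        """Answer with a binding, a referral to a child resolver, or a miss."""
        if shi in self.bindings:
            return "answer", self.bindings[shi]
        matches = [z for z in self.children if shi == z or shi.endswith("." + z)]
        if matches:
            return "referral", self.children[max(matches, key=len)]
        return "miss", None


class LocalMapResolver:
    """LMR: answers from its TTL cache, otherwise iterates from the root down."""

    def __init__(self, root, ttl=300.0, clock=time.monotonic):
        self.root, self.ttl, self.clock = root, ttl, clock
        self.cache = {}  # SHI -> (binding, expiry time)

    def resolve(self, shi):
        """Return (binding, zones_queried); zones_queried is [] on a cache hit."""
        cached = self.cache.get(shi)
        if cached is not None:
            binding, expires_at = cached
            if self.clock() < expires_at:
                return binding, []
            del self.cache[shi]  # TTL reached: drop the record and re-fetch
        node, path = self.root, []
        for _ in range(MAX_REFERRALS):
            path.append(node.zone)
            kind, value = node.query(shi)
            if kind == "answer":
                self.cache[shi] = (value, self.clock() + self.ttl)
                return value, path
            if kind == "miss":
                break
            node = value  # follow the referral one level down
        raise LookupError(f"no binding for {shi!r} (queried {path})")


def build_sample_tree():
    """Constructed hierarchy for the SHI used in the text."""
    root = MapResolver(".")
    cn = root.delegate(MapResolver("cn"))
    edu = cn.delegate(MapResolver("edu.cn"))
    bistu = edu.delegate(MapResolver("bistu.edu.cn"))
    scheme = bistu.delegate(MapResolver("scheme.bistu.edu.cn"))
    scheme.bindings["facility.scheme.bistu.edu.cn"] = {
        "shi": "facility.scheme.bistu.edu.cn",
        "public_key": "<public key placeholder>",
        "rloc": "192.0.2.1",  # constructed RLOC value
    }
    return root


if __name__ == "__main__":
    lmr = LocalMapResolver(build_sample_tree(), ttl=60)
    binding, path = lmr.resolve("facility.scheme.bistu.edu.cn")
    print(" -> ".join(path), "=>", binding["rloc"])
    print("second lookup queried:", lmr.resolve("facility.scheme.bistu.edu.cn")[1])
```

The first lookup queries five resolvers in order, one per step A to E; a repeat within the TTL queries none, and a lookup after expiry walks the tree again.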
As an optional implementation of the embodiment of the present invention, access authentication server 102 is further configured, after receiving the packet to be sent and before sending the packet to be forwarded to local access router 201, to apply a hash algorithm to the source security host identifier and the destination security host identifier to obtain a source security host identifier tag and a destination security host identifier tag, and to replace the source security host identifier and the destination security host identifier in the original data packet with the source security host identifier tag and the destination security host identifier tag. Because the security host identifier SHI is globally unique, in order to increase the privacy of the source host identifier in packets transmitted over backbone network 20, a specific implementation can have access authentication server 102 use a hash algorithm to generate a fixed-length SHIT (Secure Host Identifier Tag) from the variable-length security host identifier, and then replace the source host identifier in the original data packet with that hash value.
Fig. 2 shows a flowchart of a security terminal identification and authentication method based on the STiP model provided by an embodiment of the present invention. The method is applied to the system described above and is only briefly described below; for matters not covered here, refer to the description of the system above. Referring to Fig. 2, the security terminal identification and authentication method based on the STiP model provided by the embodiment of the present invention comprises:
S201, the local end host uses its private key to sign an original data packet containing a source security host identifier and a destination security host identifier, obtains a packet to be sent, and sends the packet to be sent to the access authentication server, wherein the packet to be sent comprises the original data packet and the signature, the source security host identifier is the unique identifier of the local end host, and the destination security host identifier is the unique identifier of the peer end host;
S202, the access authentication server receives the packet to be sent and, if the binding information bound to the source security host identifier is not found in the local mapping cache table, sends to the local map resolver a request to query the binding information bound to the source security host identifier, wherein the binding information bound to the source security host identifier comprises at least the source security host identifier, the public key bound to the source security host identifier, and the routing locator of the local access router through which the local end host attaches;
S203, the local map resolver parses the request to query the binding information bound to the source security host identifier, searches locally for that binding information and, if it is not found in the local map resolver, queries the root map resolver, the top-level map resolver and the authoritative map resolver iteratively in turn, obtains the binding information bound to the source security host identifier from the authoritative map resolver, and sends it to the access authentication server;
S204, the access authentication server receives the binding information bound to the source security host identifier, verifies the authenticity of the packet to be sent using the public key bound to the source security host identifier and, if verification passes, sends a packet to be forwarded to the local access router, wherein the packet to be forwarded comprises at least the original data packet;
S205, the local access router receives the packet to be forwarded and, if the binding information bound to the destination security host identifier is not found in the local mapping cache table, sends to the local map resolver a request to query the binding information bound to the destination security host identifier, wherein the binding information bound to the destination security host identifier comprises at least the destination security host identifier, the public key bound to the destination security host identifier, and the routing locator of the peer access router through which the peer end host attaches;
S206, the local map resolver parses the request to query the binding information bound to the destination security host identifier, searches locally for that binding information and, if it is not found in the local map resolver, queries the root map resolver, the top-level map resolver and the authoritative map resolver iteratively in turn, obtains the binding information bound to the destination security host identifier from the authoritative map resolver, and sends it to the local access router;
S207, the local access router encapsulates a source routing locator and a destination routing locator into the packet to be forwarded and sends the encapsulated packet to be forwarded to the peer access router, wherein the source routing locator is the routing locator of the local access router and the destination routing locator is the routing locator of the peer access router;
S208, the peer access router receives the encapsulated packet to be forwarded, decapsulates it to obtain the packet to be forwarded, and sends the packet to be forwarded to the peer end host.
It can be seen that the security terminal identification and authentication method based on the STiP model provided by the embodiment of the present invention can solve network security problems such as source address spoofing and identity security at the source, which helps build an autonomous, controllable, secure and trusted Internet environment.
As an optional implementation of the embodiment of the present invention, after the access authentication server receives the binding information bound to the source security host identifier, the method further comprises: the access authentication server stores the binding information bound to the source security host identifier in the local mapping cache table. Specifically, each time a query request from the access authentication server is answered, the binding information carried in the response message can be stored in the local mapping cache table, so that later uses do not need to query again, which improves processing efficiency.
As an optional implementation of the embodiment of the present invention, the local mapping cache table also stores the cache time length of the binding information bound to the source security host identifier; the method further comprises: the access authentication server deletes the binding information bound to the source security host identifier once the cache time length has expired. Specifically, a TTL (Time-To-Live) value, i.e. the length of time for which a piece of binding information is cached, can be set in each cache record stored in the local mapping cache table, so that efficiency is improved for a certain period while the binding information must be re-obtained once that time is up, which improves security.
As an optional implementation of the embodiment of the present invention, the source security host identifier and the destination security host identifier are named according to a preset structure. Specifically, the security host identifier provided by the embodiment of the present invention can use a hierarchical host identifier naming scheme, which ensures the global uniqueness and aggregatability of SHI naming.
As an optional implementation of the embodiment of the present invention, the root map resolver, the top-level map resolver and the authoritative map resolver form a tree topology. The top-down iterative query therefore ensures that every map resolution follows the shortest lookup path, which both guarantees the global uniqueness and aggregatability of SHIs and keeps the mapping table size of the map resolvers at each layer under control.
As an optional implementation of the embodiment of the present invention, the root map resolver, the top-level map resolver and the authoritative map resolver form a decentralized topology. The update frequency of mapping relations is mainly affected by the movement of end host locations and by reachability state. Through the hierarchical tree-shaped map resolution system it establishes, the present invention can respond quickly to registration, update, query and deletion requests for mapping relations. The update frequency of mapping relations and the volume of update messages will not become a performance bottleneck for the map resolvers at each layer, because the maintenance of mapping relations is state-convergent, and map query latency and mapping state scale are controllable.
As an optional implementation of the embodiment of the present invention, after the access authentication server receives the packet to be sent and before it sends the packet to be forwarded to the local access router, the method further comprises: the access authentication server applies a hash algorithm to the source security host identifier and the destination security host identifier to obtain a source security host identifier tag and a destination security host identifier tag, and replaces the source security host identifier and the destination security host identifier in the original data packet with the source security host identifier tag and the destination security host identifier tag. Because the security host identifier SHI is globally unique, in order to increase the privacy of the source host identifier in packets transmitted over backbone network 20, a specific implementation can have access authentication server 102 use a hash algorithm to generate a fixed-length SHIT (Secure Host Identifier Tag) from the variable-length security host identifier, and then replace the source host identifier in the original data packet with that hash value.
Any process or method description in a flowchart, or otherwise described herein, may be understood as representing a module, segment or portion of code comprising one or more executable instructions for implementing a specific logical function or step of the process, and the scope of the preferred embodiments of the present invention includes other implementations in which functions may be performed out of the order shown or discussed, including substantially concurrently or in reverse order depending on the functions involved, as should be understood by those skilled in the art to which the embodiments of the present invention belong.
Those of ordinary skill in the art will understand that all or some of the steps of the above embodiment methods can be completed by a program instructing the relevant hardware. The program can be stored in a computer-readable storage medium and, when executed, includes one of the steps of the method embodiment or a combination thereof.
In the description of this specification, a description referring to the terms "one embodiment", "some embodiments", "example", "specific example" or "some examples" means that the specific features, structures, materials or characteristics described in connection with that embodiment or example are included in at least one embodiment or example of the present invention. In this specification, schematic uses of the above terms do not necessarily refer to the same embodiment or example. Moreover, the specific features, structures, materials or characteristics described may be combined in a suitable manner in any one or more embodiments or examples.
The above embodiments only describe preferred implementations of the present invention and do not limit its scope. Without departing from the design spirit of the present invention, all modifications and improvements made to the technical solution of the present invention by those of ordinary skill in the art shall fall within the scope of protection determined by the claims of the present invention.

Claims (14)

1. A security terminal identification and authentication method based on the STiP model, characterized by comprising:
a local end host uses the private key of the local end host to sign an original data packet containing a source security host identifier and a destination security host identifier, obtains a packet to be sent, and sends the packet to be sent to an access authentication server, wherein the packet to be sent comprises the original data packet and the signature, the source security host identifier is the unique identifier of the local end host, and the destination security host identifier is the unique identifier of a peer end host;
the access authentication server receives the packet to be sent and, if binding information bound to the source security host identifier is not found in a local mapping cache table, sends to a local map resolver a request to query the binding information bound to the source security host identifier, wherein the binding information bound to the source security host identifier comprises at least the source security host identifier, the public key bound to the source security host identifier, and the routing locator of the local access router through which the local end host attaches;
the local map resolver parses the request to query the binding information bound to the source security host identifier, searches locally for the binding information bound to the source security host identifier and, if the binding information bound to the source security host identifier is not found in the local map resolver, queries a root map resolver, a top-level map resolver and an authoritative map resolver iteratively in turn, obtains the binding information bound to the source security host identifier from the authoritative map resolver, and sends the binding information bound to the source security host identifier to the access authentication server;
the access authentication server receives the binding information bound to the source security host identifier, verifies the authenticity of the packet to be sent using the public key bound to the source security host identifier and, if verification passes, sends a packet to be forwarded to the local access router, wherein the packet to be forwarded comprises at least the original data packet;
the local access router receives the packet to be forwarded and, if binding information bound to the destination security host identifier is not found in a local mapping cache table, sends to the local map resolver a request to query the binding information bound to the destination security host identifier, wherein the binding information bound to the destination security host identifier comprises at least the destination security host identifier, the public key bound to the destination security host identifier, and the routing locator of the peer access router through which the peer end host attaches;
the local map resolver parses the request to query the binding information bound to the destination security host identifier, searches locally for the binding information bound to the destination security host identifier and, if the binding information bound to the destination security host identifier is not found in the local map resolver, queries the root map resolver, the top-level map resolver and the authoritative map resolver iteratively in turn, obtains the binding information bound to the destination security host identifier from the authoritative map resolver, and sends the binding information bound to the destination security host identifier to the local access router;
the local access router encapsulates a source routing locator and a destination routing locator into the packet to be forwarded and sends the encapsulated packet to be forwarded to the peer access router, wherein the source routing locator is the routing locator of the local access router and the destination routing locator is the routing locator of the peer access router;
the peer access router receives the encapsulated packet to be forwarded, decapsulates the encapsulated packet to be forwarded to obtain the packet to be forwarded, and sends the packet to be forwarded to the peer end host.
2. The method according to claim 1, characterized in that, after the access authentication server receives the binding information bound to the source security host identifier, the method further comprises: the access authentication server stores the binding information bound to the source security host identifier in the local mapping cache table.
3. The method according to claim 2, characterized in that the local mapping cache table also stores the cache time length of the binding information bound to the source security host identifier; the method further comprises:
the access authentication server deletes the binding information bound to the source security host identifier once the cache time length has expired.
4. The method according to claim 1, characterized in that the source security host identifier and the destination security host identifier are named according to a preset structure.
5. The method according to any one of claims 1 to 4, characterized in that the root map resolver, the top-level map resolver and the authoritative map resolver form a tree topology.
6. The method according to claim 5, characterized in that the root map resolver, the top-level map resolver and the authoritative map resolver form a decentralized topology.
7. The method according to claim 1, characterized in that, after the access authentication server receives the packet to be sent and before it sends the packet to be forwarded to the local access router, the method further comprises:
the access authentication server applies a hash algorithm to the source security host identifier and the destination security host identifier to obtain a source security host identifier tag and a destination security host identifier tag, and replaces the source security host identifier and the destination security host identifier in the original data packet with the source security host identifier tag and the destination security host identifier tag.
8. A security terminal identification and authentication system based on the STiP model, characterized by comprising:
a local end host, configured to use the private key of the local end host to sign an original data packet containing a source security host identifier and a destination security host identifier, obtain a packet to be sent, and send the packet to be sent to an access authentication server, wherein the packet to be sent comprises the original data packet and the signature, the source security host identifier is the unique identifier of the local end host, and the destination security host identifier is the unique identifier of a peer end host;
the access authentication server, configured to receive the packet to be sent and, if binding information bound to the source security host identifier is not found in a local mapping cache table, send to a local map resolver a request to query the binding information bound to the source security host identifier, wherein the binding information bound to the source security host identifier comprises at least the source security host identifier, the public key bound to the source security host identifier, and the routing locator of the local access router through which the local end host attaches;
the local map resolver, configured to parse the request to query the binding information bound to the source security host identifier, search locally for the binding information bound to the source security host identifier and, if the binding information bound to the source security host identifier is not found in the local map resolver, query a root map resolver, a top-level map resolver and an authoritative map resolver iteratively in turn, obtain the binding information bound to the source security host identifier from the authoritative map resolver, and send the binding information bound to the source security host identifier to the access authentication server;
the access authentication server, further configured to receive the binding information bound to the source security host identifier, verify the authenticity of the packet to be sent using the public key bound to the source security host identifier and, if verification passes, send a packet to be forwarded to the local access router, wherein the packet to be forwarded comprises at least the original data packet;
the local access router, configured to receive the packet to be forwarded and, if binding information bound to the destination security host identifier is not found in a local mapping cache table, send to the local map resolver a request to query the binding information bound to the destination security host identifier, wherein the binding information bound to the destination security host identifier comprises at least the destination security host identifier, the public key bound to the destination security host identifier, and the routing locator of the peer access router through which the peer end host attaches;
the local map resolver, further configured to parse the request to query the binding information bound to the destination security host identifier, search locally for the binding information bound to the destination security host identifier and, if the binding information bound to the destination security host identifier is not found in the local map resolver, query the root map resolver, the top-level map resolver and the authoritative map resolver iteratively in turn, obtain the binding information bound to the destination security host identifier from the authoritative map resolver, and send the binding information bound to the destination security host identifier to the local access router;
the local access router, further configured to encapsulate a source routing locator and a destination routing locator into the packet to be forwarded and send the encapsulated packet to be forwarded to the peer access router, wherein the source routing locator is the routing locator of the local access router and the destination routing locator is the routing locator of the peer access router;
the peer access router, configured to receive the encapsulated packet to be forwarded, decapsulate the encapsulated packet to be forwarded to obtain the packet to be forwarded, and send the packet to be forwarded to the peer end host.
9. The system according to claim 8, characterized in that the access authentication server is further configured to store the binding information bound to the source security host identifier in the local mapping cache table after receiving the binding information bound to the source security host identifier.
10. The system according to claim 9, characterized in that the local mapping cache table also stores the cache time length of the binding information bound to the source security host identifier; the access authentication server is further configured to delete the binding information bound to the source security host identifier once the cache time length has expired.
11. The system according to claim 8, characterized in that the source security host identifier and the destination security host identifier are named according to a preset structure.
12. The system according to any one of claims 8 to 11, characterized in that the root map resolver, the top-level map resolver and the authoritative map resolver form a tree topology.
13. The system according to claim 12, characterized in that the root map resolver, the top-level map resolver and the authoritative map resolver form a decentralized topology.
14. The system according to claim 8, characterized in that the access authentication server is further configured, after receiving the packet to be sent and before sending the packet to be forwarded to the local access router, to apply a hash algorithm to the source security host identifier and the destination security host identifier to obtain a source security host identifier tag and a destination security host identifier tag, and to replace the source security host identifier and the destination security host identifier in the original data packet with the source security host identifier tag and the destination security host identifier tag.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710013800.0A CN106685979B (en) 2017-01-09 2017-01-09 Security terminal mark and authentication method and system based on STiP model

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710013800.0A CN106685979B (en) 2017-01-09 2017-01-09 Security terminal mark and authentication method and system based on STiP model

Publications (2)

Publication Number Publication Date
CN106685979A true CN106685979A (en) 2017-05-17
CN106685979B CN106685979B (en) 2019-05-28

Family

ID=58849294

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710013800.0A Active CN106685979B (en) 2017-01-09 2017-01-09 Security terminal mark and authentication method and system based on STiP model

Country Status (1)

Country Link
CN (1) CN106685979B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102265581A (en) * 2008-12-22 2011-11-30 高通股份有限公司 Secure node identifier assignment in a distributed hash table for peer-to-peer networks
CN102696045A (en) * 2009-07-10 2012-09-26 塞尔蒂卡姆公司 System and method for performing serialization of devices
CN103124981A (en) * 2010-07-08 2013-05-29 情报通信产业振兴院 Electronic document distribution system and electronic document distribution method
WO2013111192A1 (en) * 2012-01-26 2013-08-01 National Institute Of Information And Communications Technology Method for securing name registries, network access and data communication in id/locator split-base networks
US20140051381A1 (en) * 2012-08-15 2014-02-20 Telecommunication Systems, Inc. Device Independent Caller Data Access for Emergency Calls
CN105376212A (en) * 2014-08-15 2016-03-02 帕洛阿尔托研究中心公司 System and method for performing key resolution over a content centric network

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108243190A (en) * 2018-01-09 2018-07-03 北京信息科技大学 The credible management method and system of a kind of network identity
CN111817854A (en) * 2020-06-04 2020-10-23 中国电子科技集团公司第三十研究所 Security authentication method and system based on centerless identification mapping synchronous management
CN111817854B (en) * 2020-06-04 2022-03-18 中国电子科技集团公司第三十研究所 Security authentication method and system based on centerless identification mapping synchronous management
CN113114616A (en) * 2021-01-18 2021-07-13 北京信息科技大学 Method and device for constructing and analyzing terminal protocol stack and terminal

Also Published As

Publication number Publication date
CN106685979B (en) 2019-05-28

Similar Documents

Publication Publication Date Title
EP3258663B1 (en) Verification method, apparatus and system for network application access
CN102769529B (en) Dnssec signing server
US20090172156A1 (en) Address security in a routed access network
CN104040964B (en) Method, device and data center network across service area communication
WO2008116416A1 (en) Method, device and system for domain name system to update dynamically
CN108881308A (en) A kind of user terminal and its authentication method, system, medium
CN104618369A (en) Method, device and system for unique authorization of Internet-of-Things equipment based on OAuth
CN102437946B (en) Access control method, network access server (NAS) equipment and authentication server
CN108243413B (en) Method and system for wireless access to railway information network
KR20130087932A (en) Method and apparatus for mapping locator and identifier of mobile host
CN111885604B (en) Authentication method, device and system based on heaven and earth integrated network
CN104683306A (en) Safe and controllable internet real-name certification mechanism
CN106685979A (en) Security terminal identifier based on STiP model and authentication method and system
CN109495583B (en) Data security interaction method based on host characteristic confusion
CN109819068A (en) User terminal and its block chain domain name analytic method
CN101834864A (en) Method and device for preventing attack in three-layer virtual private network
CN103067411B (en) Prevent the DoS attack method and apparatus in DS-Lite networking
CN106936945A (en) Distributed domain name analysis method and device
CN105049546B (en) A kind of Dynamic Host Configuration Protocol server is the method and device of client distribution IP address
CN102546523B (en) Security certification method, system and equipment for internet access
CN107948124A (en) A kind of arp entry renewal management method, apparatus and system
CN109120611A (en) User authen method, equipment, system and the medium of server are generated for address
WO2014206152A1 (en) Network safety monitoring method and system
CN101594339B (en) Method for managing and querying mapping information, device and communication system
CN108243190A (en) The credible management method and system of a kind of network identity

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant