CN106998327A - Access control method and device

Info

Publication number: CN106998327A
Authority: CN (China)
Prior art keywords: interface, ACL rule, message, authentication response, response message
Legal status: Pending
Application number: CN201710184741.3A
Other languages: Chinese (zh)
Inventor: 杨雷
Current assignee: New H3C Technologies Co Ltd
Original assignee: New H3C Technologies Co Ltd
Application filed by New H3C Technologies Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F 21/44 Program or device authentication
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F 21/82 Protecting input, output or interconnection devices
    • G06F 21/85 Protecting input, output or interconnection devices: interconnection devices, e.g. bus-connected or in-line devices

Abstract

The application provides an access control method and device. The method includes: when it is detected that an interface on a local device that is connected to a peer device is UP, sending an authentication packet to the peer device through the interface; if no legitimate authentication response packet returned by the peer device is received through the interface, determining that the peer device is an illegitimate device and performing a restriction operation on the interface; if a legitimate authentication response packet returned by the peer device is received through the interface, determining that the peer device is a legitimate device and performing an access operation on the interface. With this technical scheme the local device can be protected, its processing performance improved and its normal operation ensured, and attacks by an attacker on the local device are avoided, raising the security, reliability and stability of the local device.

Description

Access control method and device
Technical field
The application relates to the field of communication technology, and in particular to an access control method and device.
Background technology
At present a communication device usually has multiple interfaces, and these interfaces can provide multi-link backup and thereby improve the reliability of the communication device. However, where these interfaces are exposed to users, a user may by mis-operation connect an interface to an illegitimate device; for example, interface A of the communication device is connected by the user to an illegitimate device. The illegitimate device can then send a large number of invalid packets or attack packets to the communication device through interface A, which affects the processing performance of the communication device and creates a security hazard for it.
The content of the invention
The application provides an access control method, applied to a local device, for performing legitimacy detection on a peer device connected to the local device, the method including:
when it is detected that an interface on the local device that is connected to the peer device is UP, sending an authentication packet to the peer device through the interface;
if no legitimate authentication response packet returned by the peer device is received through the interface, determining that the peer device is an illegitimate device and performing a restriction operation on the interface;
if a legitimate authentication response packet returned by the peer device is received through the interface, determining that the peer device is a legitimate device and performing an access operation on the interface.
The application provides an access control apparatus, applied to a local device, for performing legitimacy detection on a peer device connected to the local device, the apparatus including:
a sending module, configured to send an authentication packet to the peer device through the interface when it is detected that an interface on the local device that is connected to the peer device is UP;
a processing module, configured to determine that the peer device is an illegitimate device and perform a restriction operation on the interface when no legitimate authentication response packet returned by the peer device is received through the interface;
and to determine that the peer device is a legitimate device and perform an access operation on the interface when a legitimate authentication response packet returned by the peer device is received through the interface.
Based on the above technical scheme, in the embodiments of the application, when an interface connected to a peer device is UP (normal), the local device can actively detect whether the peer device is an illegitimate device and, if it is, perform a restriction operation on the interface. The local device is thereby protected: an illegitimate device is prevented from gaining access to it, its processing performance is improved, its normal operation is ensured and attacks by an attacker on it are avoided, raising its security, reliability and stability.
Brief description of the drawings
In order to explain the embodiments of the application or the technical schemes of the prior art more clearly, the drawings needed in the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the application; those of ordinary skill in the art can also obtain other drawings from these drawings.
Fig. 1 is a flow chart of the access control method in an embodiment of the application;
Fig. 2 is a schematic diagram of an application scenario in an embodiment of the application;
Fig. 3 is a hardware structure diagram of the local device in an embodiment of the application;
Fig. 4 is a structure diagram of the access control apparatus in an embodiment of the application.
Embodiment
The terms used in this application are only for the purpose of describing particular embodiments and are not intended to limit the application. The singular forms "a", "said" and "the" used in this application and in the claims are also intended to include the plural forms, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" used herein refers to and includes any or all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in this application to describe various information, this information should not be limited by these terms. These terms are only used to distinguish information of the same type from one another. For example, without departing from the scope of the application, first information may also be called second information, and similarly second information may be called first information. Depending on context, the word "if" as used herein may be construed as "when", "upon" or "in response to determining".
The embodiments of the application propose an access control method that can be applied to a local device (a communication device such as a router or switch) and is used to perform legitimacy detection on a peer device connected to the local device, that is, a peer device directly connected to the local device rather than connected through some other third-party device. Referring to Fig. 1, the flow chart of the access control method, the method may include the following steps:
Step 101: when it is detected that an interface on the local device connected to the peer device is UP, send an authentication packet to the peer device through the interface. For example, if the local device is connected to the peer device through interface A, then when interface A is detected to be UP an authentication packet is sent to the peer device through interface A.
Step 102: judge whether an authentication response packet (the response to the authentication packet) returned by the peer device is received through the interface. If no authentication response packet returned by the peer device is received through the interface, perform step 105; if one is received, perform step 103.
After sending the authentication packet to the peer device through the interface, the local device may start a timer for the interface. If the local device receives an authentication response packet returned by the peer device through the interface before the timer expires, it performs step 103. If the timer expires and the local device still has not received an authentication response packet returned by the peer device through the interface, it performs step 105.
Step 103: judge whether the authentication response packet received through the interface is legitimate. If it is, perform step 104; if it is not, perform step 105.
In one example, the authentication packet sent by the local device to the peer device through the interface may carry a first string generated by the local device, such as a randomly generated string 123456. If the peer device is a legitimate device, then on receiving the authentication packet it can encrypt the first string in the authentication packet with a preset algorithm, carry the encrypted string in an authentication response packet, and return that packet to the local device. If the peer device is an illegitimate device, it does not know the preset algorithm and does not know that the first string must be encrypted with it; therefore, after receiving the authentication packet, the peer device either returns no authentication response packet at all, or returns one that does not carry the string encrypted with the preset algorithm.
Based on this principle, if the local device receives no authentication response packet through the interface, it can determine that the peer device is an illegitimate device. If the local device does receive an authentication response packet through the interface, it can parse a second string from it. For ease of distinction, the string carried in the authentication packet is called the first string and the string carried in the authentication response packet is called the second string. The local device then decrypts the second string with the preset algorithm (the same preset algorithm as configured on the legitimate device). If the decrypted string matches the first string (e.g. the two are identical), the authentication response packet is determined to be legitimate, i.e. an authentication response packet returned by a legitimate device; if the decrypted string does not match the first string (e.g. the two differ), the authentication response packet is determined to be illegitimate, i.e. an authentication response packet returned by an illegitimate device.
Step 104: determine that the peer device is a legitimate device and perform an access operation on the interface.
Step 105: determine that the peer device is an illegitimate device and perform a restriction operation on the interface.
In one example, the local device performing an access operation on the interface means that the local device processes the packets received through the interface. The local device performing a restriction operation on the interface means that the local device discards the packets received through the interface, i.e. does not process them.
In one example, before determining whether the peer device is illegitimate or legitimate, e.g. before step 101, the local device may also enable a first ACL (Access Control List) rule and a second ACL rule for the interface. The first ACL rule indicates that the local device discards received packets; the second ACL rule indicates that the local device processes received authentication response packets. Moreover, the priority of the second ACL rule is higher than that of the first ACL rule, i.e. when the local device receives a packet that matches both the first and the second ACL rule, it handles the packet according to the second ACL rule.
In summary, all packets the local device receives through the interface match the first ACL rule, and the authentication response packets the local device receives through the interface match the second ACL rule. Therefore, when the local device receives an authentication response packet through the interface, that packet matches both the first and the second ACL rule and is handled according to the second; when the local device receives any other type of packet through the interface, that packet matches only the first ACL rule, not the second, and is handled according to the first.
Specifically, based on the first and second ACL rules, after the local device receives a first-type packet through the interface: if the first-type packet is an authentication response packet, it matches both the first and the second ACL rule, but because the priority of the second ACL rule is higher than that of the first, the local device must, based on the second ACL rule, process the packet, i.e. analyse whether it is a legitimate authentication response packet, which is step 103 above. If the first-type packet is not an authentication response packet, it matches the first ACL rule, and based on the first ACL rule the local device directly discards it without further processing.
In one example, the process of "performing a restriction operation on the interface" may include, but is not limited to: disabling the second ACL rule without disabling the first ACL rule. Since the first ACL rule has not been disabled it remains in effect, and since it indicates that the local device discards received packets, the local device, based on the first ACL rule, discards all second-type packets received through the interface, thereby restricting the interface.
The process of "performing an access operation on the interface" may include, but is not limited to: disabling the first ACL rule. Since the first ACL rule has been disabled, it is no longer in effect. When the local device receives a second-type packet through the interface, the packet does not match the first ACL rule and is therefore not discarded on the basis of it; the local device can then process the second-type packet in the conventional way, for example forwarding it according to a forwarding entry or sending it up to the CPU for processing; the processing method is not limited.
While performing the access operation on the interface, the local device may also disable the second ACL rule or leave it enabled; the handling of the second ACL rule is not limited.
The difference between first-type and second-type packets is: all packets received through the interface before the peer device is determined to be a legitimate/illegitimate device are called first-type packets, and all packets received through the interface after the peer device is determined to be a legitimate/illegitimate device are called second-type packets.
In one example, before determining whether the peer device is illegitimate or legitimate, e.g. before step 101, the local device may also enable a first ACL rule, a second ACL rule and a third ACL rule for the interface. The first ACL rule indicates that the local device discards received packets, the second ACL rule indicates that the local device processes received authentication response packets, and the third ACL rule indicates that the local device processes received broadcast packets. The priority of the second ACL rule is higher than that of the first ACL rule, and the priority of the third ACL rule is higher than that of the first ACL rule. Therefore, when the local device receives a packet matching the first and second ACL rules it handles the packet according to the second ACL rule; when it receives a packet matching the first and third ACL rules it handles the packet according to the third ACL rule.
In summary, all packets the local device receives through the interface match the first ACL rule, the authentication response packets it receives through the interface match the second ACL rule, and the broadcast packets it receives through the interface match the third ACL rule. Therefore, when the local device receives an authentication response packet through the interface, that packet matches the first and second ACL rules and is handled according to the second; when it receives a broadcast packet through the interface, that packet matches the first and third ACL rules and is handled according to the third; when it receives a packet of any type other than an authentication response packet or a broadcast packet through the interface, that packet matches only the first ACL rule, neither the second nor the third, and is handled according to the first.
Specifically, based on the first, second and third ACL rules, after the local device receives a first-type packet through the interface: if the first-type packet is an authentication response packet, then based on the second ACL rule the local device must process it, i.e. analyse whether it is a legitimate authentication response packet, which is step 103. If the first-type packet is a broadcast packet, then based on the third ACL rule the local device must process it, i.e. use the first-type packet to determine that the peer device is an illegitimate device and perform a restriction operation on the interface. If the first-type packet is neither an authentication response packet nor a broadcast packet, then based on the first ACL rule the local device directly discards it without further processing.
In one example, the process of "performing a restriction operation on the interface" may include, but is not limited to: disabling the second ACL rule and the third ACL rule without disabling the first ACL rule. Since the first ACL rule has not been disabled it remains in effect, and since it indicates that the local device discards received packets, the local device, based on the first ACL rule, discards all second-type packets received through the interface, thereby restricting the interface.
The process of "performing an access operation on the interface" may include, but is not limited to: disabling the first ACL rule. Since the first ACL rule has been disabled, it is no longer in effect. When the local device receives a second-type packet through the interface, the packet does not match the first ACL rule and is therefore not discarded on the basis of it; the local device can then process the second-type packet in the conventional way, for example forwarding it according to a forwarding entry or sending it up to the CPU for processing; the processing method is not limited. Moreover, while performing the access operation on the interface, the local device may also disable the second and/or third ACL rule, or leave the second and/or third ACL rule enabled.
Based on the above technical scheme, in the embodiments of the application, when an interface connected to a peer device is UP (normal), the local device can actively detect whether the peer device is an illegitimate device and, if it is, perform a restriction operation on the interface. The local device is thereby protected: an illegitimate device is prevented from gaining access to it, its processing performance is improved, its normal operation is ensured and attacks by an attacker on it are avoided, raising its security, reliability and stability.
The scheme of the embodiments of the application is illustrated below with the application scenario shown in Fig. 2. As shown in Fig. 2, assume that device A is the local device, devices B and C are peer devices, device B is a legitimate device and device C is an illegitimate device. In Fig. 2, device A is connected to device B through interface 1 and to device C through interface 2. In one example, devices A, B and C may be independent devices, or devices in the same cluster. When they are devices in the same cluster, device A may be a CCU (Control Connection Unit, the control connection unit of a switching frame) and devices B and C may be MPUs (Main Processing Units).
In one example, devices A and B are legitimate devices and can be handled with the technical scheme of the application, whereas device C is an illegitimate device and is not handled with the technical scheme. Device A can verify the legitimacy of other devices (such as devices B and C), and device B can likewise verify the legitimacy of other devices (such as device A); the following description takes device A verifying the legitimacy of other devices as the example.
In one example, on startup device A may enable ACL rules 11, 12 and 13 for interface 1, and ACL rules 21, 22 and 23 for interface 2. The match item of ACL rule 11/ACL rule 21 is interface 1/interface 2 and the action is discard; thus ACL rule 11/ACL rule 21 indicates that device A discards all packets received through interface 1/interface 2. The match items of ACL rule 12/ACL rule 22 are interface 1/interface 2 and the authentication response packet type (such as AAA, denoting that the packet is an authentication response packet), and the action is send to the CPU (Central Processing Unit) for processing; thus ACL rule 12/ACL rule 22 indicates that device A processes received authentication response packets. The match items of ACL rule 13/ACL rule 23 are interface 1/interface 2 and a destination MAC (Media Access Control) address of all F (denoting that the packet is a broadcast packet), and the action is send to the CPU for processing; thus ACL rule 13/ACL rule 23 indicates that device A processes received broadcast packets.
According to the longest-match priority policy, and since ACL rule 12/ACL rule 22 and ACL rule 13/ACL rule 23 each have 2 match items while ACL rule 11/ACL rule 21 has 1, the priority of ACL rule 12/ACL rule 22 is higher than that of ACL rule 11/ACL rule 21, i.e. when a packet matching both ACL rule 12/ACL rule 22 and ACL rule 11/ACL rule 21 is received it is handled according to ACL rule 12/ACL rule 22. Likewise the priority of ACL rule 13/ACL rule 23 is higher than that of ACL rule 11/ACL rule 21, i.e. when a packet matching both ACL rule 13/ACL rule 23 and ACL rule 11/ACL rule 21 is received it is handled according to ACL rule 13/ACL rule 23.
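The three-rule scheme on interface 1 (rules 11/12/13, longest-match priority, and the enable/disable transitions of the restriction and access operations described earlier), as an added Python model written for this page; it is not the patent's or H3C's implementation. The Packet fields, the rule representation and the "forward" outcome for traffic no enabled rule matches are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"   # destination MAC of all F marks a broadcast packet
TYPE_AUTH_RESPONSE = "AAA"            # Type value the page uses for an authentication response


@dataclass
class Packet:
    """Only the fields the three rules inspect (constructed model)."""
    in_interface: int
    pkt_type: Optional[str] = None
    dst_mac: Optional[str] = None


@dataclass
class AclRule:
    rule_id: int
    match: dict      # match items: packet attribute -> required value
    action: str      # "discard" or "to_cpu"
    enabled: bool = True

    def matches(self, pkt: Packet) -> bool:
        return self.enabled and all(getattr(pkt, k) == v for k, v in self.match.items())


def select_rule(rules, pkt):
    """Longest-match priority: of the enabled rules that match, the one with the
    most match items wins, so rule 12/13 (2 items) beats rule 11 (1 item)."""
    hits = [r for r in rules if r.matches(pkt)]
    return max(hits, key=lambda r: len(r.match)) if hits else None


def dispose(rules, pkt):
    """'discard', 'to_cpu', or 'forward' when no enabled rule matches
    (the ordinary forwarding path the page calls the conventional way)."""
    rule = select_rule(rules, pkt)
    return rule.action if rule else "forward"


def initial_rules(iface):
    """Rules 11/12/13 as enabled for the interface at startup."""
    return [
        AclRule(11, {"in_interface": iface}, "discard"),
        AclRule(12, {"in_interface": iface, "pkt_type": TYPE_AUTH_RESPONSE}, "to_cpu"),
        AclRule(13, {"in_interface": iface, "dst_mac": BROADCAST_MAC}, "to_cpu"),
    ]


def set_enabled(rules, rule_id, enabled):
    for r in rules:
        if r.rule_id == rule_id:
            r.enabled = enabled


def admit_interface(rules):
    """Access operation: disable the discard rule (11). The page leaves rules
    12/13 optional at this point; this model disables them too."""
    for rid in (11, 12, 13):
        set_enabled(rules, rid, False)


def restrict_interface(rules):
    """Restriction operation: (re-)enable the discard rule, disable 12 and 13."""
    set_enabled(rules, 11, True)
    set_enabled(rules, 12, False)
    set_enabled(rules, 13, False)


def run_scenario(iface=1):
    """Walk the interface through pending -> admitted -> restricted and record
    what happens to one constructed packet of each kind in each state."""
    rules = initial_rules(iface)
    auth_resp = Packet(iface, pkt_type=TYPE_AUTH_RESPONSE, dst_mac="00:00:5e:00:53:01")
    broadcast = Packet(iface, pkt_type="DATA", dst_mac=BROADCAST_MAC)
    other = Packet(iface, pkt_type="DATA", dst_mac="00:00:5e:00:53:01")
    result = {"pending": {
        "auth_response": dispose(rules, auth_resp),   # rules 11+12 match, 12 wins
        "broadcast": dispose(rules, broadcast),       # rules 11+13 match, 13 wins
        "other": dispose(rules, other),               # only rule 11 matches
    }}
    admit_interface(rules)                            # peer verified legitimate
    result["admitted"] = {"other": dispose(rules, other)}
    restrict_interface(rules)                         # e.g. a broadcast arrives later
    result["restricted"] = {"other": dispose(rules, other),
                            "broadcast": dispose(rules, broadcast)}
    return result
```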
In one example, on startup device B enables ACL rule 3 for interface 3. The match items of ACL rule 3 are interface 3 and the authentication packet type (such as BBB, denoting that the packet is an authentication packet), and the action is send to the CPU for processing; thus ACL rule 3 indicates that device B processes received authentication packets.
Based on the above application scenario, the access control method proposed by the embodiments of the application may include the following steps:
Step 1: when device A detects that interface 1 is UP, it sends an authentication packet to device B through interface 1.
In one example, device A can detect the state of interface 1, which may be UP or DOWN (failed). When device A detects that the state of interface 1 switches from DOWN to UP, it can construct an authentication packet and send the constructed authentication packet to device B through interface 1.
In one example, the authentication packet may include, but is not limited to, one or any combination of the following fields: a Version field, a Type field, a Data Length field, a Type Map field, a Board Type field and an Auth Text (string) field.
The Type field denotes that the current packet is an authentication packet, e.g. BBB; the Type Map field may be 1; the Board Type field may be the type of device A; and the Auth Text field is a string randomly generated by device A, which for ease of distinction is called the first string. Of course, the above values are only an example and other values may be used in practice, e.g. a Type Map field of 2; this is not limited. Nor are the Version, Data Length and other fields limited here.
Step 2: after device B receives the authentication packet, since the ingress interface is interface 3 and the Type field denotes that the current packet is an authentication packet, the packet matches ACL rule 3 and device B must process it.
Step 3: device B encrypts the first string in the authentication packet (the string carried in the Auth Text field) with a preset algorithm (such as preset algorithm A) to obtain a second string.
Step 4: device B generates an authentication response packet carrying the second string and sends it to device A through interface 3.
In one example, the authentication response packet may include, but is not limited to, one or any combination of the following fields: a Version field, a Type field, a Data Length field, a Type Map field, a Board Type field and an Auth Text field. The Type field denotes that the current packet is an authentication response packet, e.g. AAA; the Type Map field may be 2; the Board Type field may be the type of device B; and the Auth Text field is the second string. Of course, the above values are only an example and other values may be used in practice; this is not limited, nor are the Version, Data Length and other fields limited here.
Step 5: after device A receives the authentication response packet, since the ingress interface is interface 1 and the Type field denotes an authentication response packet, the packet matches ACL rule 12 and device A must process it.
Step 6: device A parses the second string (the string carried in the Auth Text field) from the authentication response packet and decrypts the second string with the preset algorithm (such as preset algorithm A).
In one example, the same preset algorithm, such as preset algorithm A, can be configured on devices A and B; device B uses the preset algorithm to encrypt and device A uses it to decrypt. The preset algorithm may include, but is not limited to, a hash algorithm, the MD5 algorithm, a reversal algorithm (which reverses the order of the string), etc.; the type of the preset algorithm is not limited.
Step 7: if the decrypted string matches the first string, device A determines that the authentication response packet is legitimate, determines that device B is a legitimate device, and performs an access operation on interface 1. In one example, device A performing an access operation on interface 1 means that device A processes the packets received through interface 1.
In one example, the process by which device A performs the access operation on interface 1 may include: disabling ACL rule 11. Since ACL rule 11 has been disabled it is no longer in effect, and device A will not discard packets received through interface 1 on the basis of ACL rule 11; it can thus process the packets (of all types) received through interface 1, the specific processing being the conventional way, which is not repeated here. Moreover, device A may also disable ACL rules 12 and 13, or leave ACL rules 12 and 13 enabled.
In one example, before device A determines that device B is a legitimate device and performs the access operation on interface 1, if device A receives a broadcast packet through interface 1, then since the broadcast packet matches ACL rule 13, device A must process it, i.e. it directly determines from the broadcast packet that device B is an illegitimate device and performs a restriction operation on interface 1. Furthermore, after device A has determined that device B is a legitimate device and performed the access operation on interface 1, if device A receives a broadcast packet through interface 1, then since device A processes all packets received through interface 1 it must process the broadcast packet, i.e. it directly determines from the broadcast packet that device B is an illegitimate device and performs a restriction operation on interface 1.
The process by which device A performs the restriction operation on interface 1 may include: device A enables ACL rule 11 and disables ACL rules 12 and 13; since ACL rule 11 is in effect, device A discards, on the basis of ACL rule 11, all packets received through interface 1.
In one example, before device A determines that equipment B is legitimate device, and the progress access operation of docking port 1, if Device A receives other type messages outside broadcasting packet, authentication response message by interface 1, due to the message can only Acl rule 11 is fitted on, therefore device A directly abandons the message.
When step 8, device A detect interface 2 for UP, message identifying is sent to equipment C by interface 2.
Wherein, the processing procedure of step 8 may refer to the processing of step 1, and it is no longer repeated herein.
Step 9, equipment C will not send authentication response message, or equipment C hairs after message identifying is received to device A The character string after being encrypted using preset algorithm will not be carried in the authentication response message sent.
Step 10, device A judge whether to receive authentication response message by interface 2.If receiving authentication response message, Then perform step 11.If not receiving authentication response message, step 13 is performed.
Step 11, device A judge whether the authentication response message received is legal.If the authentication response message received is closed Method, then perform step 12;If the authentication response message received is illegal, step 13 is performed.
Step 12, device A determine that equipment C is legitimate device, and docking port 2 carries out access operation.
Step 13, device A determine that equipment C is illegality equipment, and docking port 2 carries out limitation operation.
In one example, because equipment C will not send authentication response message, or the certification that equipment C is sent to device A The character string after being encrypted using preset algorithm will not be carried in response message, therefore, device A will not be received by interface 2 recognizes Response message is demonstrate,proved, or, the authentication response message that device A is received is illegal, therefore, and device A determines equipment C illegally to set It is standby, and docking port 2 carries out limitation operation.Wherein, the progress of device A docking port 2 limitation operation refers to:Device A, which is abandoned, passes through interface 2 The message received.
In one example, device A can also connect after message identifying is sent by the interface 2 of interface 1/ for interface 1/ Mouth 2 starts timers;If before timer expiry, receiving authentication response message by the interface 2 of interface 1/, meaning that reception To authentication response message;If in timer expiry, still authentication response message is not received by the interface 2 of interface 1/, with regard to table Show and be not received by authentication response message.
Further, give out a contract for a project cycle and number of times of giving out a contract for a project can also be set, and this is continuously transmitted according to the cycle of giving out a contract for a project and given out a contract for a project Secondary several message identifyings.If before timer expiry, receiving authentication response message by the interface 2 of interface 1/, meaning that and connect Receive authentication response message;If in timer expiry, still not receiving authentication response message by the interface 2 of interface 1/, just Expression is not received by authentication response message.
In one example, device A docking port 2 carries out the process of limitation operation, can include:Device A enables acl rule 21, and go to enable acl rule 22 and acl rule 23, because acl rule 21 comes into force, therefore, device A can be based on acl rule 21 Abandon all messages received by interface 2.
In one example, device A, can be with print log information (i.e. equipment C when it is determined that equipment C is illegality equipment For the daily record of illegality equipment), to point out manager device C as illegality equipment.
In one example, before device A determines that equipment C is illegality equipment, and the progress limitation operation of docking port 2, if Device A receives broadcasting packet by interface 2, and because broadcasting packet can match acl rule 23, therefore device A processing is wide Text is reported, i.e., determines that equipment C is illegality equipment according to broadcasting packet, and docking port 2 carries out limitation operation.If device A is by connecing Mouth 2 receives other type messages outside broadcasting packet, authentication response message, because message matches acl rule 21, therefore Device A dropping packets.
In one example, when the state that device A detects the interface 2 of interface 1/ is switched to DOWN from UP, then device A can With the init state of the interface 2 of restoration interface 1/, i.e.,:Device A will not the progress access operation of the interface 2 of docking port 1/ and limitation behaviour Make, moreover, enabling acl rule 11/ACL rules 21, acl rule 12/ACL rules 22, acl rule 13/ for the interface 2 of interface 1/ Acl rule 23.
Certainly, in actual applications, when the state that device A detects the interface 2 of interface 1/ is switched to DOWN from UP, also may be used Not to be that the interface 2 of interface 1/ enables acl rule 11/ACL rules 21, acl rule 12/ACL rules 22, acl rule 13/ACL are advised Then 23, but be just that the interface 2 of interface 1/ enables ACL when the state for detecting the interface 2 of interface 1/ is switched to UP again from DOWN Regular 11/ACL rules 21, acl rule 12/ACL rules 22, acl rule 13/ACL rules 23.
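The interface state machine of steps 1 to 13 above, written as a Python simulation; this is an added example and not the patent's own code. It assumes the type values "AUTH" and "BCAST" for the authentication and broadcast messages (the text only fixes "AAA" for the response), uses the reverse-order transform from the text's list of preset algorithms, and models the per-interface ACL rules with the ids 11/12/13 the text uses for interface 1.

```python
"""Simulation of the per-interface access control flow (constructed example)."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

AUTH_REQUEST = "AUTH"    # assumed type value for the authentication message
AUTH_RESPONSE = "AAA"    # type value the text gives for an authentication response
BROADCAST = "BCAST"      # assumed type value for a broadcast message


def preset_algorithm(text: str) -> str:
    """Reverse-order transform, one of the preset algorithms the text names.
    It is its own inverse, so the peer 'encrypts' and the local device
    'decrypts' with the same call; the only secret is the algorithm choice."""
    return text[::-1]


@dataclass
class Message:
    type: str
    auth_text: str = ""   # the Auth Text field


@dataclass
class Interface:
    name: str
    # ACL rules keyed by id, True = enabled. Rules 12 (auth responses) and
    # 13 (broadcasts) take priority over the catch-all drop rule 11.
    acl: Dict[int, bool] = field(default_factory=lambda: {11: True, 12: True, 13: True})
    expected: Optional[str] = None   # first string awaiting a reply
    verdict: Optional[str] = None    # None, "legal" or "illegal"


class LocalDevice:
    """Device A: one verdict per interface, driven entirely by ACL matches."""

    def __init__(self) -> None:
        self.log: List[str] = []

    def link_up(self, iface: Interface) -> Message:
        """Step 1: interface UP -> initial ACLs, send the authentication message."""
        iface.acl = {11: True, 12: True, 13: True}
        iface.verdict = None
        iface.expected = secrets.token_hex(8)   # fresh first string per link-up
        return Message(AUTH_REQUEST, iface.expected)

    def link_down(self, iface: Interface) -> None:
        """UP -> DOWN: restore the interface's initial state (all rules enabled)."""
        iface.acl = {11: True, 12: True, 13: True}
        iface.verdict = None
        iface.expected = None

    def match_acl(self, iface: Interface, msg: Message) -> Optional[int]:
        """Highest-priority enabled rule that matches, or None if none does."""
        if msg.type == AUTH_RESPONSE and iface.acl[12]:
            return 12
        if msg.type == BROADCAST and iface.acl[13]:
            return 13
        return 11 if iface.acl[11] else None

    def receive(self, iface: Interface, msg: Message) -> str:
        """Steps 5-7 and 10-13: dispatch an incoming message by ACL match."""
        rule = self.match_acl(iface, msg)
        if rule == 12:
            if preset_algorithm(msg.auth_text) == iface.expected:
                self.access(iface)
                return "accepted"
            self.restrict(iface, "illegal authentication response")
            return "dropped:invalid-auth"
        if rule == 13:
            # a broadcast from the peer marks it as an illegal device
            self.restrict(iface, "broadcast received")
            return "dropped:broadcast"
        if rule == 11:
            return "dropped"
        return "processed"   # rule 11 disabled: interface is in access state

    def timer_expired(self, iface: Interface) -> None:
        """No authentication response before the timer ran out (step 13)."""
        if iface.verdict is None:
            self.restrict(iface, "no authentication response")

    def access(self, iface: Interface) -> None:
        """Access operation: disable rule 11 so all traffic is processed."""
        iface.verdict = "legal"
        iface.acl[11] = False

    def restrict(self, iface: Interface, reason: str) -> None:
        """Limitation operation: rule 11 on, rules 12 and 13 off, log it."""
        iface.verdict = "illegal"
        iface.acl.update({11: True, 12: False, 13: False})
        self.log.append(f"{iface.name}: peer is an illegal device ({reason})")


def legitimate_peer_reply(auth: Message) -> Message:
    """Device B: encrypt the first string and return it in Auth Text."""
    return Message(AUTH_RESPONSE, preset_algorithm(auth.auth_text))
```

Note that a broadcast received after a successful authentication still matches rule 13 and flips the interface back to the limitation state, as the text describes for interface 1.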
Based on the same inventive concept as the method above, the embodiments of the application also provide an access control apparatus, which may be applied to the local device. The apparatus may be implemented in software, in hardware, or in a combination of software and hardware. Taking software implementation as an example, the apparatus in the logical sense is formed by the processor of the local device on which it resides reading the corresponding computer program instructions from non-volatile storage. In hardware terms, Fig. 3 shows the hardware structure of the local device in which the access control apparatus proposed by the application is located; besides the processor and non-volatile memory shown in Fig. 3, the local device may include other hardware, such as the forwarding chip responsible for message processing, network interfaces and memory. In terms of hardware structure, the local device may also be a distributed apparatus that includes multiple interface cards in order to extend message processing at the hardware level.
Fig. 4 shows the structure of the access control apparatus proposed by the application. The apparatus is used to perform legitimacy detection on the opposite device connected to the local device, and it includes:
a sending module 11, configured to send an authentication message to the opposite device through the interface when it detects that the interface of the local device connected to the opposite device is UP;
a processing module 12, configured to determine that the opposite device is an illegal device and perform the limitation operation on the interface when no legal authentication response message returned by the opposite device is received through the interface;
and to determine that the opposite device is a legitimate device and perform the access operation on the interface when a legal authentication response message returned by the opposite device is received through the interface.
In one example, the access control apparatus also includes (not shown in the figure) a configuration module, configured to enable a first access control list (ACL) rule and a second ACL rule for the interface before the processing module 12 determines whether the opposite device is an illegal device or a legitimate device; the priority of the second ACL rule is higher than that of the first ACL rule, the first ACL rule instructs dropping received messages, and the second ACL rule instructs processing received authentication response messages;
the processing module 12 is further configured, after a first-type message is received through the interface, to analyse on the basis of the second ACL rule whether the first-type message is a legal authentication response message if it is an authentication response message, and to drop the first-type message on the basis of the first ACL rule if it is not an authentication response message.
In one example, the processing module 12 is specifically configured: in the process of performing the limitation operation on the interface, to disable the second ACL rule and drop second-type messages received through the interface on the basis of the first ACL rule; and in the process of performing the access operation on the interface, to disable the first ACL rule so as to process second-type messages received through the interface.
In one example, the configuration module is further configured to enable a third ACL rule for the interface before the processing module 12 determines whether the opposite device is an illegal device or a legitimate device; the priority of the third ACL rule is higher than that of the first ACL rule, and the third ACL rule instructs processing received broadcast messages;
In one example, the processing module 12 is further configured, after a first-type message is received through the interface, to determine on the basis of the third ACL rule, using the first-type message, that the opposite device is an illegal device if the first-type message is a broadcast message;
In one example, the processing module 12 is specifically configured: in the process of performing the limitation operation on the interface, to disable the second ACL rule and the third ACL rule, and to drop second-type messages received through the interface on the basis of the first ACL rule.
In one example, the authentication message sent by the sending module 11 to the opposite device through the interface also carries a first string generated by the local device; if the opposite device is a legitimate device, it encrypts the first string with the preset algorithm and returns the encrypted string to the local device in the authentication response message;
the processing module 12 is further configured, after the authentication response message is received, to parse a second string from it and decrypt the second string with the preset algorithm; if the decrypted string matches the first string, it determines that the authentication response message is legal; if the decrypted string does not match the first string, it determines that the authentication response message is illegal.
The systems, apparatuses, modules or units illustrated in the above embodiments may be implemented by a computer chip or entity, or by a product having a certain function. A typical implementation device is a computer, which may take the form of a personal computer, laptop computer, cellular phone, camera phone, smart phone, personal digital assistant, media player, navigation device, e-mail transceiver, game console, tablet computer, wearable device, or a combination of any of these devices.
For convenience of description, the apparatus above is described by dividing it into units according to function. When the application is implemented, the functions of the units may of course be realised in one or more pieces of software and/or hardware.
Those skilled in the art will appreciate that the embodiments of the application may be provided as a method, a system or a computer program product. Therefore, the application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware. Moreover, the embodiments of the application may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical memory and so on) that contain computer-usable program code.
The application is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to the embodiments of the application. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and any combination of flows and/or blocks, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce an apparatus for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to work in a specific manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction apparatus, which implements the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps is performed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
Those skilled in the art will understand that the embodiments of the application may be provided as a method, a system or a computer program product. Therefore, the application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware. Moreover, the application may take the form of a computer program product embodied on one or more computer-usable storage media (which may include but are not limited to disk storage, CD-ROM, optical memory and so on) that contain computer-usable program code.
The foregoing is merely an embodiment of the application and does not limit the application. For those skilled in the art, the application may have various modifications and variations. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the application shall be included within the scope of the claims of the application.

Claims (10)

1. An access control method, applied to a local device, characterised in that the method is used to perform legitimacy detection on an opposite device connected to the local device, and the method includes:
when detecting that an interface of the local device connected to the opposite device is UP, sending an authentication message to the opposite device through the interface;
if no legal authentication response message returned by the opposite device is received through the interface, determining that the opposite device is an illegal device and performing a limitation operation on the interface;
if a legal authentication response message returned by the opposite device is received through the interface, determining that the opposite device is a legitimate device and performing an access operation on the interface.
2. The method according to claim 1, characterised in that the method further includes:
before determining whether the opposite device is an illegal device or a legitimate device, enabling a first access control list (ACL) rule and a second ACL rule for the interface; wherein the priority of the second ACL rule is higher than that of the first ACL rule, the first ACL rule instructs dropping received messages, and the second ACL rule instructs processing received authentication response messages;
after receiving a first-type message through the interface, if the first-type message is an authentication response message, analysing on the basis of the second ACL rule whether the first-type message is a legal authentication response message; if the first-type message is not an authentication response message, dropping the first-type message on the basis of the first ACL rule.
3. The method according to claim 2, characterised in that
the process of performing the limitation operation on the interface specifically includes: disabling the second ACL rule, and dropping second-type messages received through the interface on the basis of the first ACL rule;
the process of performing the access operation on the interface specifically includes: disabling the first ACL rule, so as to process second-type messages received through the interface.
4. The method according to claim 2, characterised in that the method further includes:
before determining whether the opposite device is an illegal device or a legitimate device, enabling a third ACL rule for the interface; wherein the priority of the third ACL rule is higher than that of the first ACL rule, and the third ACL rule instructs processing received broadcast messages;
after receiving a first-type message through the interface, if the first-type message is a broadcast message, determining on the basis of the third ACL rule, using the first-type message, that the opposite device is an illegal device;
the process of performing the limitation operation on the interface specifically includes:
disabling the second ACL rule and the third ACL rule, and dropping second-type messages received through the interface on the basis of the first ACL rule.
5. The method according to claim 1 or 2, characterised in that the method further includes:
the authentication message sent to the opposite device through the interface also carries a first string generated by the local device; if the opposite device is a legitimate device, it encrypts the first string with a preset algorithm and returns the encrypted string to the local device in an authentication response message;
after receiving an authentication response message, parsing a second string from the authentication response message; decrypting the second string with the preset algorithm; if the decrypted string matches the first string, determining that the authentication response message is legal; otherwise, determining that the authentication response message is illegal.
6. An access control apparatus, applied to a local device, characterised in that the apparatus is used to perform legitimacy detection on an opposite device connected to the local device, and the apparatus includes:
a sending module, configured to send an authentication message to the opposite device through an interface of the local device connected to the opposite device when detecting that the interface is UP;
a processing module, configured to determine that the opposite device is an illegal device and perform a limitation operation on the interface when no legal authentication response message returned by the opposite device is received through the interface;
and to determine that the opposite device is a legitimate device and perform an access operation on the interface when a legal authentication response message returned by the opposite device is received through the interface.
7. The apparatus according to claim 6, characterised in that it further includes a configuration module, configured to enable a first access control list (ACL) rule and a second ACL rule for the interface before the processing module determines whether the opposite device is an illegal device or a legitimate device; wherein the priority of the second ACL rule is higher than that of the first ACL rule, the first ACL rule instructs dropping received messages, and the second ACL rule instructs processing received authentication response messages;
the processing module is further configured, after a first-type message is received through the interface, to analyse on the basis of the second ACL rule whether the first-type message is a legal authentication response message if it is an authentication response message, and to drop the first-type message on the basis of the first ACL rule if it is not an authentication response message.
8. The apparatus according to claim 7, characterised in that
the processing module is specifically configured: in the process of performing the limitation operation on the interface, to disable the second ACL rule and drop second-type messages received through the interface on the basis of the first ACL rule; and in the process of performing the access operation on the interface, to disable the first ACL rule so as to process second-type messages received through the interface.
9. The apparatus according to claim 7, characterised in that the configuration module is further configured to enable a third ACL rule for the interface before the processing module determines whether the opposite device is an illegal device or a legitimate device; wherein the priority of the third ACL rule is higher than that of the first ACL rule, and the third ACL rule instructs processing received broadcast messages;
the processing module is further configured, after a first-type message is received through the interface, to determine on the basis of the third ACL rule, using the first-type message, that the opposite device is an illegal device if the first-type message is a broadcast message;
the processing module is specifically configured: in the process of performing the limitation operation on the interface, to disable the second ACL rule and the third ACL rule, and to drop second-type messages received through the interface on the basis of the first ACL rule.
10. The apparatus according to claim 6 or 7, characterised in that the authentication message sent by the sending module to the opposite device through the interface also carries a first string generated by the local device; if the opposite device is a legitimate device, it encrypts the first string with a preset algorithm and returns the encrypted string to the local device in an authentication response message;
the processing module is further configured, after an authentication response message is received, to parse a second string from the authentication response message and decrypt the second string with the preset algorithm; if the decrypted string matches the first string, it determines that the authentication response message is legal; if the decrypted string does not match the first string, it determines that the authentication response message is illegal.
CN201710184741.3A 2017-03-24 2017-03-24 A kind of connection control method and device Pending CN106998327A (en)
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20170801