CN107454051A - Access control method and home gateway - Google Patents

Publication number: CN107454051A
Authority: CN (China)
Prior art keywords: domain name, target, address, home gateway, access
Legal status: Withdrawn
Application number: CN201610387240.0A
Other languages: Chinese (zh)
Inventors: 方明勇, 朱磊
Current Assignee: ZTE Corp
Original Assignee: ZTE Corp
Application filed by ZTE Corp
Priority to CN201610387240.0A
Priority to PCT/CN2017/084310 (WO2017206701A1)
Publication of CN107454051A

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40: Network security protocols
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101: Access control lists [ACL]
    • H04L61/00: Network arrangements, protocols or services for addressing or naming
    • H04L61/45: Network directories; Name-to-address mapping
    • H04L61/4505: Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511: Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]

Abstract

An embodiment of the present invention provides an access control method and a home gateway. A domain name whitelist is configured on the home gateway; the configured whitelist contains the target domain names that are allowed to access the home gateway, and these target domain names can be assigned to the legitimate access devices. When a legitimate access device needs to access the home gateway, wherever it currently is, it only needs to obtain an IP address from the IP address range of its current location as the target IP address of its target domain name and upload it to a domain name server, which stores it. The home gateway can then obtain the target IP address currently corresponding to each target domain name through the domain name server and use it to control access by each access device that accesses the gateway. The physical location of the access device is therefore not restricted; when applied to operation and maintenance, this improves the convenience, flexibility and timeliness of operating and maintaining the home gateway.

Description

Access control method and home gateway
Technical field
The present invention relates to the communications field, and in particular to an access control method and a home gateway.
Background art
Various types of home network terminals, i.e. home gateways, obtain a public IPv4 address allocated by the operator through DHCP (Dynamic Host Configuration Protocol) or PPPoE (PPP over Ethernet, the point-to-point protocol over Ethernet) dial-up. The various network devices in the home, such as mobile phones, PCs and iPads, connect to the home network terminal over a wired LAN or a wireless WLAN, obtain a private network address, and then access the public network through NAT to carry out their network services. An ordinary end user's account, provided by the operator, is granted fewer permissions; the user logs in to the terminal's web page or TELNET port from the private network to perform basic operations such as checking service functions. Operator operation and maintenance personnel hold an account with more permissions and can log in to the terminal's web page or TELNET port from either the private network or the public network to perform complex operations such as service function configuration and diagnosis. For maintenance over the public network in particular, the home gateway itself needs to provide an access control function to prevent attacks and logins by illegitimate users and to enhance security.
At present there are two approaches to home gateway access control. One is to close all public network access, but this prevents maintenance personnel from accessing the gateway over the public network. The more commonly used approach is therefore the other one: control by means of an IP address whitelist. Security is provided by configuring on the home gateway the IP addresses that are allowed to access it from the public network side. This approach has the following problem: IP addresses are tied to the physical location of the network. Shenzhen, for example, has its own address range, and IP addresses in that range can only be used in Shenzhen, not elsewhere. When the IP address whitelist is configured, it therefore has to contain, as completely as possible, every IP address that is to be allowed access for maintenance; that is, all IP addresses that will need access must be predicted as far as possible before configuration. IP addresses are inherently hard to enumerate, and as networks grow in scale and networking modes change flexibly, there is more and more demand to maintain the home gateway from different places using different IP addresses. Suppose, for example, that the IP address whitelist has been configured only for three places: Shenzhen, Shanghai and Beijing. Because of networking requirements or other factors, it may become necessary to temporarily access the home gateway by IP address from places such as Chongqing or Chengdu. Since the current IP whitelist has no IP addresses set for these areas, all accesses initiated from them are blocked.
Therefore, when an existing home gateway performs access control through an IP address whitelist, an access device can access it normally only from the areas corresponding to the IP addresses in the whitelist. This places a strong restriction on the physical location of the access device and cannot meet the need to maintain the home gateway flexibly.
Summary of the invention
The embodiments of the present invention address the following problem: when a home gateway performs access control through an IP address whitelist, the physical location of an access device accessing the home gateway is heavily restricted. To solve it, an access control method and a home gateway are provided.
The access control method provided by an embodiment of the present invention includes:
receiving a domain name whitelist configuration, the domain name whitelist including target domain names that are allowed to access the home gateway, the target domain names being assigned to legitimate access devices;
obtaining, through a domain name server, the target IP address currently corresponding to the target domain name, the domain name server storing the target domain name and the corresponding target IP address currently uploaded by the legitimate access device;
performing access control on each IP address that accesses the home gateway according to the currently obtained target IP address.
The home gateway provided by an embodiment of the present invention includes:
a list configuration unit, configured to receive a domain name whitelist configuration, the domain name whitelist including each target domain name that is allowed to access the home gateway, the target domain names being assigned to legitimate access devices;
an address acquisition unit, configured to obtain, through a domain name server, the target IP address currently corresponding to the target domain name, the domain name server storing the target domain name and the corresponding target IP address currently uploaded by the legitimate access device;
an access control unit, configured to perform access control on each IP address that accesses the home gateway according to the currently obtained target IP address.
An embodiment of the present invention further provides a home gateway including a processor and a memory; the processor is configured to control modules in the memory to perform the following actions:
receiving a domain name whitelist configuration, the domain name whitelist including target domain names that are allowed to access the home gateway, the target domain names being assigned to legitimate access devices;
obtaining, through a domain name server, the target IP address currently corresponding to the target domain name, the domain name server storing the target domain name and the corresponding target IP address currently uploaded by the legitimate access device;
performing access control on each IP address that accesses the home gateway according to the currently obtained target IP address.
One of the above technical solutions has the following beneficial effects:
The home gateway receives a domain name whitelist configuration; the configured whitelist contains the target domain names that are allowed to access the home gateway, and these target domain names can be assigned to the legitimate access devices. When a legitimate access device needs to access the home gateway, wherever it currently is, for example Chongqing or Chengdu, it only needs to obtain an IP address from the IP address range of its current location as the target IP address of its target domain name and upload it to a domain name server, which stores it. The home gateway can then obtain the target IP address currently corresponding to each target domain name through the domain name server and use it to control access by the access devices that access the gateway. The physical location of the access device is therefore not restricted: the access device can set its target IP address according to where it currently is and pass it to the home gateway through the domain name server. When the embodiments of the present invention are applied to operation and maintenance, they improve the convenience, flexibility and timeliness of operating and maintaining the home gateway.
Brief description of the drawings
Fig. 1 is a schematic flowchart of the access control method provided by the first embodiment of the present invention;
Fig. 2 is a schematic flowchart of obtaining the target IP address, provided by the first embodiment of the present invention;
Fig. 3 is a schematic structural diagram of the home gateway provided by the second embodiment of the present invention;
Fig. 4 is a schematic structural diagram of the home gateway provided by the third embodiment of the present invention;
Fig. 5 is a schematic diagram of the communication system architecture provided by the fourth embodiment of the present invention;
Fig. 6 is a schematic flowchart of the access control method provided by the fourth embodiment of the present invention.
Detailed description
The embodiments of the present invention are described in further detail below through specific embodiments in combination with the accompanying drawings.
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. The described embodiments are obviously only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of these embodiments without creative effort fall within the scope of protection of the present invention.
The present invention is now explained further through embodiments in combination with the accompanying drawings.
Embodiment 1:
As shown in Fig. 1, the access control method provided by this embodiment includes:
S101: Receive the domain name whitelist configuration.
In this embodiment, the home gateway may set the domain name whitelist according to input from a user or maintenance personnel, or the manufacturer may set the whitelist directly at the factory. The whitelist set in this embodiment supports update operations such as deleting, modifying and adding target domain names. The domain name whitelist in this embodiment contains the target domain names that are allowed to access the home gateway, i.e. the legitimate domain names. Each configured target domain name is assigned to a legitimate access device. A legitimate access device in this embodiment may be an operator's maintenance device, such as a maintenance PC, or a device belonging to other access personnel, including but not limited to communication devices such as mobile phones, PCs and iPads. The domain name whitelist in this embodiment may contain one target domain name or, depending on actual requirements, several.
S102: Obtain, through the domain name server, the target IP address currently corresponding to each target domain name.
In this embodiment, when a legitimate access device that has been assigned a target domain name needs to access the home gateway, it obtains an IP address from the IP address range corresponding to its current location as the target IP address of the target domain name and uploads it to a domain name server, which stores it. The domain name server thus holds the target domain name and corresponding target IP address currently uploaded by each legitimate access device. The legitimate access devices in this embodiment may report their IP addresses using dynamic DNS. Specifically, the legitimate access device sends the target domain name assigned to it to the service provider's dynamic domain name server for storage; then, after obtaining its current IP address, it sends that IP address to the service provider's dynamic domain name server as well, so that the service provider's dynamic domain name server holds the device's target domain name and the IP address currently corresponding to it (i.e. the target IP address). The home gateway sends the target domain names for resolution to a domain name server (the operator domain name server that the home gateway obtains for the public network it is currently connected to). After receiving the target domain names, this domain name server obtains the corresponding target IP address for each domain name from the corresponding service provider's dynamic domain name server to complete the resolution, and then feeds the result back to the home gateway.
In this embodiment, the domain name server may wait until all target domain names have been resolved and then feed back all matched target IP addresses to the home gateway together. Alternatively, each time it completes the resolution of one target domain name, it may feed the resulting target IP address back to the home gateway in real time.
It should also be understood that when the domain name server in this embodiment resolves a given target domain name, the target IP address it obtains may be a valid IP address or may be empty.
S103: Perform access control on the access devices that access the home gateway according to the currently obtained target IP addresses.
With access control performed according to the scheme shown in Fig. 1, the physical location of the access device is no longer restricted. The access device can set a target IP address according to its current location, bind it to the target domain name assigned to it and report the binding to the domain name server; the domain name server resolves the domain name and feeds the corresponding target IP address back to the home gateway; the home gateway can then set that target IP address as a legitimate IP address and complete the access rule configuration to implement access control. When applied to operation and maintenance in particular, the scheme of this embodiment improves the convenience, flexibility and timeliness of operating and maintaining the home gateway.
In this embodiment, the process by which the home gateway obtains the target IP address currently corresponding to each target domain name through the domain name server is shown in Fig. 2 and includes:
S201: The home gateway accesses the public network with a public IP address (for example an IPv4 or IPv6 address) and obtains the corresponding domain name server, which is the operator's domain name server.
S202: The home gateway sends each target domain name in the domain name whitelist to the domain name server for resolution.
The home gateway may send the target domain names to the domain name server one by one or in batches according to some rule, or it may send the whole domain name whitelist to the domain name server for resolution in one go.
S203: The home gateway receives the target IP addresses fed back by the domain name server after it has resolved each target domain name.
After receiving the target domain names sent by the home gateway, the domain name server resolves them according to the resolution process described above and feeds the results back to the home gateway.
In addition, in this embodiment the public IP address with which the home gateway is connected may change. When the home gateway detects that its current public IP address has changed, it obtains the corresponding new domain name server and sends each target domain name in the domain name whitelist to the new domain name server for resolution.
In this embodiment, the physical location of each legitimate access device may change dynamically. A device may be in Chongqing in the morning, for example, and in Chengdu or Shenzhen that afternoon or the next morning. When the physical location changes, the IP address used by the legitimate access device changes accordingly. The legitimate access device then obtains an IP address from the IP address range of its current location as the target IP address, binds it to the target domain name assigned to it and reports the binding to the corresponding service provider's dynamic domain name server. The target IP address corresponding to the device's target domain name has thus changed. To handle this, when the home gateway in this embodiment sends the target domain names in the domain name whitelist to the domain name server (the operator domain name server) for resolution, it does so by polling: it sends each target domain name to the domain name server for resolution at a preset time interval. Each time the domain name server receives the request, it resolves the names again. Rules can therefore be adjusted promptly to follow changes in the access device's location, which further improves the accuracy, reliability and timeliness of access control.
It should be understood that the specific value of the preset time interval in this embodiment can be set flexibly according to the minimum time required to move between regions or other factors. For example, to achieve the most precise control, the interval may be measured in seconds or minutes, such as 10 seconds or 1 minute. To balance resource usage against control precision, the interval may be measured in hours or days, such as 1 hour or 1 day.
In this embodiment, the process by which the home gateway performs access control on each IP address that accesses it, according to the currently obtained target IP addresses, includes:
The home gateway configures access rules for each obtained target IP address to obtain an IP access control list, and performs access control on each IP address that accesses it according to that list.
The access rules in this embodiment include, but are not limited to, access permission settings for each target IP address and the corresponding ports. For example, for target IP address A, the configured access control rules are shown in Table 1 below:
Table 1
Because the home gateway in this embodiment may obtain target IP addresses by polling the domain name server, it may receive feedback for each target domain name many times. Therefore, in this embodiment, when the home gateway obtains the target IP address corresponding to each target domain name for the first time, it configures access rules for each target IP address in the manner described above. When the home gateway again (meaning each acquisition after the first) receives the target IP address corresponding to each target domain name, it determines whether the target IP address currently corresponding to each target domain name differs from the target IP address obtained the previous time. If it does, the access rules for the target IP addresses currently corresponding to that target domain name are updated. Otherwise they are left unchanged.
It should be understood that in this embodiment, when the physical location of a legitimate access device changes, the polling mechanism described above discovers this promptly, obtains the device's latest target IP address and updates the rules accordingly. For example, suppose the target domain name assigned to the device is target domain name A in Table 1 above, and at time t1 its corresponding target IP address is target IP address B. Polling finds that at time t2 the device's target IP address has become target IP address B; the access control list after the update is shown in Table 2 below.
Table 2
After the home gateway has configured the access rule control table, when a WAN-side access arrives it determines whether the IP address of the access is one of the target IP addresses; if not, the access is denied. If so, it can further determine whether the access has permission for the content it requests (for example a port); if it does, the access is allowed, otherwise it is likewise denied.
It can be seen that this embodiment configures on the home gateway a domain name whitelist that has no strong tie to physical region, and lets each legitimate access device update, as its physical region changes, the target IP address corresponding to the target domain name assigned to it, so that the update reaches the home gateway promptly. Access security is still controlled, and access is no longer restricted by physical region.
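The polling and rule-update flow of S201 to S203, together with the WAN-side check on source address and port described above, as an added Python example that is not part of the patent text. The domain names, documentation-range addresses, per-domain port sets and the choice to treat a failed lookup as an empty result are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Set


@dataclass
class DomainWhitelistAcl:
    """Gateway-side state for a domain name whitelist (illustrative names)."""
    resolver: Callable[[str], List[str]]      # domain -> IP strings, may be empty
    allowed_ports: Dict[str, Set[int]]        # whitelist: domain -> permitted ports
    current: Dict[str, FrozenSet] = field(default_factory=dict)

    def poll(self) -> dict:
        """One polling round: resolve every whitelisted domain and update only
        the rules whose target addresses differ from the previous round.
        Returns {domain: (removed_addresses, added_addresses)}."""
        changes = {}
        for domain in self.allowed_ports:
            try:
                answers = self.resolver(domain)
            except OSError:
                # Assumption: a failed lookup is handled like an empty answer,
                # so the domain's previous addresses lose access (fail closed).
                answers = []
            new = frozenset(ipaddress.ip_address(a) for a in answers)
            old = self.current.get(domain, frozenset())
            if new != old:
                removed = sorted(str(a) for a in old - new)
                added = sorted(str(a) for a in new - old)
                changes[domain] = (removed, added)
                self.current[domain] = new
        return changes

    def is_allowed(self, src_ip: str, dst_port: int) -> bool:
        """WAN-side decision: the source must be a current target IP address
        and the requested port must be permitted for that domain's rule."""
        src = ipaddress.ip_address(src_ip)
        for domain, addresses in self.current.items():
            if src in addresses and dst_port in self.allowed_ports[domain]:
                return True
        return False


def run_demo() -> list:
    # Constructed sample data: a dict stands in for the dynamic DNS records
    # that the legitimate access devices upload; ports 23 and 80 stand for
    # the TELNET port and the web page mentioned in the background section.
    ddns = {"maint-a.example": ["192.0.2.10"], "maint-b.example": []}
    acl = DomainWhitelistAcl(
        resolver=lambda name: ddns[name],
        allowed_ports={"maint-a.example": {23, 80}, "maint-b.example": {80}},
    )
    results = [acl.poll()]                              # first acquisition
    results.append(acl.is_allowed("192.0.2.10", 23))    # listed IP, listed port
    results.append(acl.is_allowed("192.0.2.10", 8080))  # listed IP, other port
    results.append(acl.is_allowed("203.0.113.5", 80))   # not a target IP
    ddns["maint-a.example"] = ["198.51.100.7"]          # device changed location
    results.append(acl.poll())                          # later polling round
    results.append(acl.is_allowed("192.0.2.10", 23))    # old address revoked
    results.append(acl.is_allowed("198.51.100.7", 80))  # new address accepted
    return results


if __name__ == "__main__":
    for item in run_demo():
        print(item)
```

Between two polling rounds the previous address stays authorised, so the polling interval bounds how long a released address can still reach the gateway.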
Embodiment 2:
This embodiment provides a home gateway which, as shown in Fig. 3, includes:
List configuration unit 31, configured to perform domain name whitelist configuration. List configuration unit 31 may set the domain name whitelist according to input from a user or maintenance personnel, or the manufacturer may set the whitelist directly at the factory. The whitelist set in this embodiment supports update operations such as deleting, modifying and adding target domain names. The domain name whitelist in this embodiment contains the target domain names that are allowed to access the home gateway, i.e. the legitimate domain names. Each configured target domain name is assigned to a legitimate access device. It should be understood that list configuration unit 31 in this embodiment may be implemented by the home gateway's corresponding human-machine interface and memory.
Address acquisition unit 32, configured to obtain, through the domain name server, the target IP address currently corresponding to each target domain name.
When a legitimate access device needs to access the home gateway, it obtains an IP address from the IP address range corresponding to its current location as the target IP address of the target domain name and passes it to the domain name server. The legitimate access devices in this embodiment may report their IP addresses using dynamic DNS. Specifically, the legitimate access device sends the target domain name assigned to it to the service provider's dynamic domain name server for storage; then, after obtaining its current IP address, it sends that IP address to the service provider's dynamic domain name server as well, so that the service provider's dynamic domain name server holds the device's target domain name and the IP address currently corresponding to it (i.e. the target IP address). When, during domain name resolution, it receives a resolution request from the domain name server (the operator domain name server that the home gateway obtains for the public network it is currently connected to), it feeds the corresponding target IP address back to that domain name server, completing the resolution of the target domain name. The domain name server can thus obtain, through domain name resolution, the target domain name and corresponding target IP address currently uploaded by each legitimate access device. Address acquisition unit 32 in this embodiment may be implemented by the communication module of the home gateway in combination with the processor. The processor in this embodiment may be a processing chip of any hardware structure.
Address acquisition unit 32 is specifically configured to obtain the corresponding operator domain name server based on the public IP address with which the home gateway is currently connected, send each target domain name in the domain name whitelist to the domain name server for resolution, and receive the target IP addresses fed back by the domain name server after it has resolved each target domain name. It is further configured, on detecting that the home gateway's current public IP address has changed, to obtain the new domain name server and send each target domain name to the new domain name server for resolution as described above.
The physical location of each legitimate access device may change dynamically. A device may be in Guangzhou in the morning, for example, and have arrived in Shenzhen or elsewhere by that afternoon. When the physical location changes, the IP address used by the legitimate access device changes accordingly. The legitimate access device then obtains an IP address from the IP address range of its current location as the target IP address, binds it to the target domain name assigned to it and reports the binding to the domain name server. The target IP address corresponding to the device's target domain name has thus changed. To handle this, when address acquisition unit 32 in this embodiment sends the target domain names in the domain name whitelist to the domain name server for resolution, it does so by polling: it sends each target domain name to the domain name server for resolution at a preset time interval. Each time the domain name server receives the request, it resolves the names again. Rules can therefore be adjusted promptly to follow changes in the access device's location, which further improves the accuracy, reliability and timeliness of access control.
Access control unit 33, configured to perform access control, according to the currently obtained target IP addresses, on the access devices that access the gateway (each access device may use a different IP address to access it). Access control unit 33 in this embodiment may also be implemented by the processor of the home gateway.
Access control unit 33 is configured to configure access rules for each obtained target IP address to obtain an IP access control list, and to perform access control on each IP address that accesses the gateway according to that list.
The access rules in this embodiment include, but are not limited to, access permission settings for each target IP address and the corresponding ports.
Because address acquisition unit 32 in this embodiment may obtain target IP addresses by polling the domain name server, access control unit 33 may receive feedback for each target domain name many times. Therefore, in this embodiment, access control unit 33 is configured, when the home gateway obtains the target IP address corresponding to each target domain name for the first time, to configure access rules for each target IP address in the manner described above. When access control unit 33 again (meaning each acquisition after the first) receives the target IP address corresponding to each target domain name, it determines whether the target IP address currently corresponding to each target domain name differs from the target IP address obtained the previous time. If it does, the access rules for the target IP addresses currently corresponding to that target domain name are updated. Otherwise they are left unchanged.
After access control unit 33 has configured the access rule control table, when a WAN-side access arrives it determines whether the IP address of the access is one of the target IP addresses; if not, the access is denied. If so, it can further determine whether the access has permission for the content it requests (for example a port); if it does, the access is allowed, otherwise it is likewise denied.
It can be seen that the home gateway of this embodiment is configured with a domain name whitelist that has no strong tie to physical region, and lets each legitimate access device update, as its physical region changes, the target IP address corresponding to the target domain name assigned to it, so that the update reaches the home gateway promptly. Access security is still controlled, and the access device is no longer restricted by physical region.
It should be understood that the modules or steps of the above embodiments of the present invention can be implemented with general-purpose computing devices. They can be concentrated on a single computing device or distributed over a network of several computing devices. Optionally, they can be implemented as program code executable by a computing device, so that they can be stored in a storage medium (ROM/RAM, magnetic disk, optical disc) and executed by a computing device; in some cases the steps shown or described can be performed in an order different from the one given here. Alternatively, they can each be made into a separate integrated circuit module, or several of the modules or steps can be made into a single integrated circuit module. The embodiments of the present invention are therefore not limited to any specific combination of hardware and software.
Embodiment three:
Referring to Fig. 4, this embodiment provides a home gateway including a processor 41 and a memory 42. The memory is used to store various modules, including various software modules. The processor 41 is used to control at least one module in the memory 42 to perform the following process:
Configuring a domain name white list, the domain name white list including target domain names that are allowed to access the home gateway, the target domain names being assigned to legitimate access devices;
Obtaining, through a name server, the target IP address currently corresponding to each target domain name, the name server storing the target domain name and corresponding target IP address currently uploaded by each legitimate access device;
Performing access control on each access device that accesses the home gateway according to the currently obtained target IP addresses.
For the specific manner in which the processor 41 controls the memory 42 to implement the above steps, refer to embodiment one; it is not repeated here.
Embodiment four:
This embodiment provides a communication system, shown in Fig. 5, including a home gateway 51, a name server 52, a legitimate access device 53 and user equipment 54, where the legitimate access device 53 can be any of various maintenance devices.
The home gateway 51 is used to configure a domain name white list; the configured domain name white list includes the target domain names that are allowed to access the home gateway, and these target domain names are assigned to the legitimate access device 53. The home gateway 51 sends each target domain name to the name server 52 and obtains the target IP address currently corresponding to each target domain name;
The name server 52 is used to receive each target domain name sent by the home gateway 51, resolve each target domain name to obtain the corresponding target IP address, and feed it back to the home gateway.
The user equipment 54 can establish a communication connection with the home gateway 51 by means such as LAN or WLAN, and exchanges data with the public network through the home gateway 51.
For a better understanding of the scheme of the embodiment of the present invention, the embodiment is further illustrated below, taking a maintenance PC as the legitimate access device. Referring specifically to Fig. 6, the process includes:
S601: The home gateway starts normally and first forbids all access from the WAN side, then completes the domain name white list configuration; for example, the configured domain name white list includes the target domain name forexample.dtdns.com. The target domain name is assigned to the maintenance PC, and the preset time interval for polling is set.
S602: The home gateway connects with a public network IP address and gets the name server of the corresponding operator; for example, assume it gets the public network IP address 111.111.111.111 and the name server (8.8.8.8).
S603: The home gateway sends each target domain name in the domain name white list to the name server at the preset time interval to be resolved into a target IP address. For example, the target domain name forexample.dtdns.com is sent to the name server (8.8.8.8) for resolution; the name server then queries the corresponding service provider's dynamic domain name server for the target IP address corresponding to forexample.dtdns.com. The query result may be empty, or it may contain a valid IP address.
S604: A target IP address obtained by resolution is an IP address that is allowed access; that is, it is added to the white list IP list, and the access rule of each target IP address is set in the access control rule list.
S605: When there is an access from the WAN side, if the IP address of the accessing device is a target IP address in the white list IP list, the access is allowed and is controlled using the corresponding access rule.
S606: If the public network IP address with which the home gateway connects to the internet changes, the home gateway obtains the name server of the corresponding new operator and goes to S603.
S607: After the maintenance PC moves to a different physical location region, it obtains an IP address within the IP address range of the current region as the new target IP address, binds it to the target domain name (such as forexample.dtdns.com), and passes the binding to the name server through the service provider's dynamic domain name server;
S608: The home gateway sends the target domain name to the name server periodically at the set time interval. Each time the name server receives a target domain name it completes one resolution; when it finds during resolution that the target IP address corresponding to the maintenance PC's target domain name has changed, it feeds this back to the home gateway.
S609: The home gateway updates the target IP address corresponding to the target domain name to the new target IP address and completes the corresponding update of the access rule configuration. In this way, when the maintenance PC's IP address (that is, the maintenance PC's public network IP address) changes because its location has changed, it can still access the home gateway normally. The access control scheme provided by the embodiment of the present invention therefore solves the problem of existing control by IP address white list, namely that it restricts the physical location of the access device. Used in the maintenance field in particular, it can improve the timeliness, convenience and flexibility of maintenance and improve user satisfaction.
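The polling, rule update and WAN-side check described for the access control unit 33 and in steps S603 to S609, as an added Python sketch that is not part of the patent text. The class and function names, the port numbers, the documentation-range IP addresses and the choice to drop a domain's rules when the name server returns an empty answer are assumptions.

```python
import ipaddress
from typing import Callable, Dict, FrozenSet, Iterable, List, Optional, Set


def _norm(ip: str) -> Optional[str]:
    try:
        return str(ipaddress.ip_address(ip))
    except ValueError:
        return None  # malformed: never install or match a rule for it


class DomainAllowlistGateway:
    """Default-deny WAN filter whose IP rules are derived from a domain white list."""

    def __init__(self, domains: Dict[str, FrozenSet[int]],
                 resolver: Callable[[str], Iterable[str]]):
        self.domains = domains                          # target domain -> permitted ports
        self.resolver = resolver                        # stands in for the name server query
        self.last_seen: Dict[str, FrozenSet[str]] = {}  # answer from the previous poll
        self.rules: Dict[str, Set[int]] = {}            # rule table: source IP -> ports

    def poll(self) -> List[str]:
        """One polling round (S603/S608); returns the domains whose answer changed."""
        changed = []
        for domain in self.domains:
            current = frozenset(filter(None, map(_norm, self.resolver(domain))))
            if self.last_seen.get(domain) == current:
                continue  # same as the previous acquisition: keep the rules
            self.last_seen[domain] = current
            changed.append(domain)
        if changed:  # rebuild so stale IPs are dropped (S609), even on an empty answer
            self.rules = {}
            for domain, ips in self.last_seen.items():
                for ip in ips:
                    self.rules.setdefault(ip, set()).update(self.domains[domain])
        return changed

    def is_allowed(self, src_ip: str, port: int) -> bool:
        """S605: the source must be a target IP and the port must be permitted."""
        return port in self.rules.get(_norm(src_ip), ())


# Constructed sample data: the maintenance PC's dynamic DNS record (ports are assumed).
DNS_RECORDS = {"forexample.dtdns.com": ["198.51.100.7"]}


def demo() -> List[bool]:
    records = dict(DNS_RECORDS)
    gw = DomainAllowlistGateway({"forexample.dtdns.com": frozenset({22, 443})},
                                lambda name: records.get(name, []))
    gw.poll()                                               # first acquisition (S604)
    before = [gw.is_allowed("198.51.100.7", 22),            # target IP, permitted port
              gw.is_allowed("198.51.100.7", 23),            # target IP, other port
              gw.is_allowed("203.0.113.9", 22)]             # not a target IP
    records["forexample.dtdns.com"] = ["203.0.113.9"]       # the PC moved (S607)
    gw.poll()
    return before + [gw.is_allowed("203.0.113.9", 22), gw.is_allowed("198.51.100.7", 22)]
```

The rule table is only as trustworthy as the name server's answer, so the path to the resolver needs the same protection as the table itself.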
The above is a further detailed description of the embodiments of the present invention in combination with specific embodiments; the specific implementation of the invention is not limited to these illustrations. A person of ordinary skill in the technical field of the invention can make simple deductions or substitutions without departing from the inventive concept, and all of these should be considered to fall within the protection scope of the present invention.

Claims (10)

1. An access control method, comprising:
Receiving a configuration of a domain name white list, the domain name white list including a target domain name that is allowed to access the home gateway, the target domain name being assigned to a legitimate access device;
Obtaining, through a name server, the target IP address currently corresponding to the target domain name, the name server storing the target domain name and the corresponding target IP address currently uploaded by the legitimate access device;
Performing access control on an access device that accesses the home gateway according to the currently obtained target IP address.
2. The access control method as claimed in claim 1, characterised in that obtaining, through a name server, the target IP address currently corresponding to the target domain name includes:
After connecting with a public network IP address, obtaining the corresponding name server;
Sending the target domain name to the name server for domain name resolution;
Receiving the target IP address fed back by the name server after it currently resolves the target domain name.
3. The access control method as claimed in claim 2, characterised in that obtaining, through a name server, the target IP address currently corresponding to the target domain name also includes:
When a change in the currently connected public network IP address is detected, obtaining the corresponding new name server and sending the target domain name to the new name server for domain name resolution.
4. The access control method as claimed in claim 2 or claim 3, characterised in that sending the target domain name to the name server for domain name resolution includes:
Sending the target domain name to the name server for resolution at a preset time interval.
5. The access control method as claimed in claim 4, characterised in that performing access control on each IP address accessing the home gateway itself according to the currently obtained target IP address includes:
When the target IP address corresponding to each target domain name is obtained for the first time, configuring an access rule for each obtained target IP address to obtain an IP access list, the access rule including the access permission settings of each target IP address and the corresponding ports;
Performing access control on each IP address accessing the home gateway itself according to the IP access list.
6. The access control method as claimed in claim 5, characterised in that performing access control on each IP address accessing the home gateway itself according to the currently obtained target IP address also includes:
When the target IP address corresponding to each target domain name is obtained again, judging whether the target IP address currently corresponding to each target domain name is identical to the target IP address obtained the previous time;
When the judgment result is no, updating the access rule configuration for each target IP address currently corresponding to the target domain name.
7. A home gateway, characterised by including:
A list configuration unit, for receiving a configuration of a domain name white list, the domain name white list including a target domain name that is allowed to access the home gateway, the target domain name being assigned to a legitimate access device;
An address acquisition unit, for obtaining, through a name server, the target IP address currently corresponding to the target domain name, the name server storing the target domain name and the corresponding target IP address currently uploaded by the legitimate access device;
An access control unit, for performing access control on an access device that accesses the home gateway according to the currently obtained target IP address.
8. The home gateway as claimed in claim 7, characterised in that the address acquisition unit, after the home gateway connects with a public network IP address, obtains the corresponding name server, sends the target domain name to the name server for domain name resolution, and receives the target IP address fed back by the name server after it currently resolves each target domain name.
9. The home gateway as claimed in claim 8, characterised in that the address acquisition unit is further used, when a change in the public network IP address with which the home gateway is currently connected is detected, to reacquire the corresponding new name server and send the target domain name to the new name server for domain name resolution.
10. The home gateway as claimed in claim 8 or 9, characterised in that the address acquisition unit sending the target domain name to the name server for domain name resolution includes: sending the target domain name to the name server for resolution at a preset time interval.
CN201610387240.0A 2016-06-01 2016-06-01 Access control method and home gateway Withdrawn CN107454051A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201610387240.0A CN107454051A (en) 2016-06-01 2016-06-01 Access control method and home gateway
PCT/CN2017/084310 WO2017206701A1 (en) 2016-06-01 2017-05-15 Access control method and home gateway

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610387240.0A CN107454051A (en) 2016-06-01 2016-06-01 Access control method and home gateway

Publications (1)

Publication Number Publication Date
CN107454051A true CN107454051A (en) 2017-12-08

Family

ID=60479719

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610387240.0A Withdrawn CN107454051A (en) 2016-06-01 2016-06-01 Access control method and home gateway

Country Status (2)

Country Link
CN (1) CN107454051A (en)
WO (1) WO2017206701A1 (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111131538A (en) * 2019-12-20 2020-05-08 国久大数据有限公司 Access control method and access control system
CN112073439A (en) * 2020-10-13 2020-12-11 中国联合网络通信集团有限公司 Secure Internet access control method, gateway equipment and storage medium
CN114650216A (en) * 2022-03-22 2022-06-21 阿里云计算有限公司 Safety protection method and device
CN115396398A (en) * 2022-07-29 2022-11-25 中国电信股份有限公司 Derived domain name access method, system, device, storage medium and program product

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112995046B (en) * 2019-12-12 2023-05-26 上海云盾信息技术有限公司 Content distribution network traffic management method and device
CN113992414A (en) * 2021-10-28 2022-01-28 马上消费金融股份有限公司 Data access method, device and equipment
CN114157555B (en) * 2021-11-12 2023-05-26 杭州迪普科技股份有限公司 Access information synchronization method

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060167871A1 (en) * 2004-12-17 2006-07-27 James Lee Sorenson Method and system for blocking specific network resources
CN101702724A (en) * 2009-11-02 2010-05-05 中国农业大学 Safe control method and device of network access
CN102571956A (en) * 2012-01-09 2012-07-11 华为技术有限公司 Correlation identification table updating method, correlation identification method, device and system
CN103546434A (en) * 2012-07-13 2014-01-29 中国电信股份有限公司 Network access control method, device and system
CN104506525A (en) * 2014-12-22 2015-04-08 北京奇虎科技有限公司 Method for preventing malicious grabbing and protection device

Also Published As

Publication number Publication date
WO2017206701A1 (en) 2017-12-07

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20171208