CN107682473A - A kind of IP address distribution method and device - Google Patents
- Publication number: CN107682473A (application CN201711043047.6A)
- Authority
- CN
- China
- Prior art keywords
- client
- address
- user requesting access
- access user
- priority
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
All within H (Electricity), H04 (Electric communication technique), H04L (Transmission of digital information, e.g. telegraphic communication):
- H04L61/5007: Network arrangements, protocols or services for addressing or naming; Address allocation; Internet protocol [IP] addresses
- H04L12/4641: Data switching networks; Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]; Interconnection of networks; Virtual LANs, VLANs, e.g. virtual private networks [VPN]
- H04L61/503: Address allocation of Internet protocol [IP] addresses using an authentication, authorisation and accounting [AAA] protocol, e.g. remote authentication dial-in user service [RADIUS] or Diameter
- H04L61/5061: Address allocation; Pools of addresses
- H04L63/105: Network architectures or network communication protocols for network security; Controlling access to devices or network resources; Multiple levels of security
- H04L67/61: Network services; Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources, taking into account QoS or priority requirements
- H04L63/168: Implementing security features at a particular protocol layer above the transport layer
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Business, Economics & Management (AREA)
- Accounting & Taxation (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention provides an IP address allocation method and device applied to an SSL VPN gateway device. The method comprises: on receiving an authentication request sent by a user requesting access through a first client, obtaining the permission information of that user; if the number of unallocated IP addresses in the IP address pool is less than a preset address-count threshold, determining the priority of the requesting user from that permission information; and, if the priority of the requesting user is higher than a preset user priority, allocating an IP address to the first client. In this way the gateway can guarantee access for high-priority users when IP address resources are scarce.
Description
Technical field
The invention relates to the field of network communication technology, and in particular to an IP address allocation method and device.
Background technology
SSL VPN is a VPN (Virtual Private Network) technology based on SSL (Secure Sockets Layer). It makes full use of the certificate-based authentication, data encryption and message integrity verification mechanisms of the SSL protocol and can establish a secure connection between applications at the application layer.
In IP-mode SSL VPN access, the SSL VPN gateway device interacts with the SSL VPN client used by the user over the SSL VPN protocol to authenticate the user, authorize applications and allocate an IP address to the SSL VPN client of each authenticated user.
The SSL VPN gateway device allocates IP addresses to the SSL VPN clients of authenticated users in the order in which they authenticate. Once the IP address resources are exhausted, no IP address can be allocated to the SSL VPN client of any subsequently authenticated user, so that user cannot gain access even though authentication succeeded.
The content of the invention
The object of the invention is to provide an IP address allocation method and device that guarantee access for high-priority users when IP address resources are scarce.
To achieve this object, the invention provides the following technical solutions:
In one aspect, the invention provides an IP address allocation method applied to an SSL VPN gateway device, the method comprising:
on receiving an authentication request sent by a user requesting access through a first client, obtaining the permission information of that user;
if the number of unallocated IP addresses in the IP address pool is less than a preset address-count threshold, determining the priority of the requesting user from that permission information;
if the priority of the requesting user is higher than a preset user priority, allocating an IP address to the first client.
In another aspect, the invention provides an IP address allocation device applied to an SSL VPN gateway device, the device comprising:
an acquiring unit, configured to obtain the permission information of a user requesting access on receiving an authentication request sent by that user through a first client;
a determining unit, configured to determine the priority of the requesting user from that permission information if the number of unallocated IP addresses in the IP address pool is less than a preset address-count threshold;
an allocating unit, configured to allocate an IP address to the first client if the priority of the requesting user is higher than a preset user priority.
As can be seen from the above, the invention determines the priority of a user requesting access from that user's permission information. When IP address resources are scarce it allocates an IP address to the SSL VPN client of a requesting user whose priority is higher than the preset user priority and refuses to allocate one to the SSL VPN client of a requesting user whose priority is lower than the preset user priority, thereby guaranteeing access for high-priority users.
Brief description of the drawings
To illustrate the technical solutions of the embodiments of the invention more clearly, the drawings needed for describing the embodiments are briefly introduced below. The drawings described below are only some embodiments of the invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of an IP address allocation method according to an embodiment of the invention;
Fig. 2 is a schematic diagram of a network according to an embodiment of the invention;
Fig. 3 is a schematic diagram of the structure of an SSL VPN gateway device according to an embodiment of the invention;
Fig. 4 is a schematic diagram of the structure of an IP address allocation device according to an embodiment of the invention.
Embodiment
Exemplary embodiments are described in detail here, with examples shown in the drawings. Where the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with the invention; they are merely examples of apparatus and methods consistent with some aspects of the invention as detailed in the appended claims.
The terminology used in the invention is only for describing particular embodiments and is not intended to limit the invention. The singular forms "a", "said" and "the" used in the invention and the appended claims are intended to include the plural forms as well, unless the context clearly indicates otherwise. The term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
Although the terms first, second, third and so on may be used in the invention to describe various information, the information should not be limited by these terms, which serve only to distinguish information of the same type from one another. For example, without departing from the scope of the invention, first information may also be called second information and, similarly, second information may also be called first information. Depending on context, the word "if" as used here may be interpreted as "when", "upon" or "in response to determining".
An embodiment of the invention proposes an IP address allocation method in which the SSL VPN gateway device (hereinafter the gateway device) determines the priority of a user requesting access from that user's permission information, so that when IP address resources are scarce it allocates an IP address to the SSL VPN client (hereinafter the client) of a requesting user whose priority is higher than the preset user priority.
Fig. 1 is a flowchart of one embodiment of the IP address allocation method of the invention; this embodiment describes the allocation process from the gateway device side.
Step 101: on receiving an authentication request sent by a user requesting access through a first client, obtain the permission information of that user.
Through SSL VPN protocol interaction, the gateway device and the client complete user authentication, application authorization and the allocation of an IP address to the client of an authenticated user. In this step the gateway device obtains the permission information of the requesting user during the authentication stage of the SSL VPN protocol, which can be done in at least the following two ways.
In one implementation, the permission information is obtained through remote authentication. Specifically, the gateway device forwards the authentication request sent by the requesting user's client (denoted the first client) to an authentication server; the request carries the user's name, password and similar information. The authentication server authenticates the user against pre-configured user information and, if authentication succeeds, returns an authentication response to the gateway device to inform it that the requesting user's identity is legitimate. In the invention the authentication response returned by the authentication server carries the requesting user's permission information, which is part of the user information that the authentication server pre-configures for each legitimate user. For example, the permission information may be the user group the user belongs to (users in the same group generally have the same permissions) or the user's permission rules. The gateway device obtains the permission information by receiving the authentication response and reading it from that response.
In another implementation, the permission information is obtained through local authentication. Specifically, local user information (user name, password, permission information and so on) is pre-configured on the gateway device. On receiving the authentication request sent by the requesting user through the first client, the gateway device authenticates the user locally and, if the identity is legitimate, reads the permission information pre-configured for that user.
Step 102: if the number of unallocated IP addresses in the IP address pool is less than the preset address-count threshold, determine the priority of the requesting user from the permission information.
The range of IP addresses available for allocation (the IP address pool) is pre-configured on the gateway device; when a user accesses through a client, the gateway device allocates an address from the pool to the client the user is using.
The invention presets a threshold on the number of IP addresses (the address-count threshold). If the number of unallocated addresses in the pool is less than this threshold, few addresses remain available for allocation, that is, IP address resources are scarce. The gateway device then looks up the priority corresponding to the requesting user's permission information in a locally stored mapping from permission information to priority. The higher a user's permissions, the higher the priority: a network administrator typically holds create, delete and similar permissions, whereas an ordinary user holds only access permission, so the administrator's priority is normally higher than the ordinary user's.
Step 103: if the priority of the requesting user is higher than the preset user priority, allocate an IP address to the first client.
The invention presets a user priority. If the priority determined in step 102 is higher than the preset user priority, the current requesting user has high priority. For example, with priorities ranging from 1 to 7 where a larger number means a lower priority, a preset user priority of 4 and a requesting user whose priority is 2, the requesting user has the higher priority, and an IP address must be allocated to the first client used by that user. In other words, when IP address resources are scarce, allocation to clients used by high-priority users is guaranteed first.
The allocation proceeds as follows. If unallocated IP addresses remain in the pool, one of them is allocated to the first client used by the requesting user whose priority is higher than the preset user priority. If no unallocated address remains, a target client is selected among the second clients used by the users currently online, the target client's IP address is reclaimed, and that address is allocated to the first client used by the requesting user whose priority is higher than the preset user priority.
The target client is selected as follows. For each second client used by an online user, the gateway counts the online duration and the total traffic during that duration; the online duration is the time elapsed since the client gained access, and the total traffic is the business traffic the client generated during that time by accessing intranet servers through its SSL VPN tunnel to the gateway device. From each second client's online duration and total traffic, its average traffic is determined. If there are third clients among the second clients whose average traffic is below a preset traffic threshold (clients carrying little business traffic), the target client is selected from these third clients, that is, from the clients carrying less business traffic.
Further, selecting the target client from the third clients may include counting each third client's total connection count during its online duration, where the total connection count is the number of connections the client made to intranet servers through the SSL VPN tunnel during that time; determining each third client's average connection count from its online duration and total connection count; and, if there are fourth clients among the third clients whose average connection count is below a preset connection-count threshold (clients carrying few kinds of service), selecting the target client from these fourth clients, that is, from the clients that carry both little business traffic and few kinds of service. If no third client has an average connection count below the preset connection-count threshold, that is, the clients carry little business traffic but many kinds of service, any one of the low-traffic third clients is selected as the target client.
The invention reclaims the IP address of the target client determined in the above manner and allocates the reclaimed address to the first client of the higher-priority requesting user.
Of course, if no third client with an average traffic below the preset traffic threshold exists among the second clients used by online users, that is, no client carries little business traffic, then no target client exists and no IP address can be reclaimed.
Through IP address reclamation the invention can hand IP addresses that are poorly utilized to clients used by higher-priority users, further guaranteeing access for high-priority users. Against attacks that consume the gateway device's IP address resources without generating real business traffic, the reclamation strategy of the invention can effectively stop attacking users from tying up IP addresses and so reduce the impact of such attacks on the gateway device.
From the above it can be seen that when IP address resources are scarce the invention determines the requesting user's priority from that user's permission information and allocates an IP address to the client used by a higher-priority requesting user, guaranteeing access for high-priority users.
The IP address allocation process is now described in detail using the network shown in Fig. 2.
The network in Fig. 2 comprises terminal devices PC1 to PC13 (PC2 to PC7 not shown), the SSL VPN gateway device GW, the authentication server AAA and the resource servers Server1 to ServerN (Server2 to ServerN-1 not shown). Each user (User) can establish an SSL VPN tunnel to GW through the SSL VPN client (Client) started on the corresponding terminal device PC and so access the resource servers.
Assume the IP address pool pre-configured on GW is IP1 to IP10 and the preset address-count threshold is 3. The users currently online are User1 to User8 (User2 to User7 not shown); each accesses the resource servers through an SSL VPN tunnel established with GW by the SSL VPN client (Client1 to Client8) started on the corresponding terminal device PC1 to PC8. GW has already allocated IP1 to IP8 to Client1 to Client8 respectively.
When user User9 sends an authentication request carrying User9's user name and password through Client9 started on PC9, GW forwards the request to the authentication server AAA. After verifying from the user name, password and other information that User9 is a legitimate user, AAA returns an authentication response to GW carrying User9's permission information, for example the user group User9 belongs to, Group5; GW reads User9's permission information from the response.
Since the number of unallocated IP addresses currently remaining in the pool is 2 (IP9 and IP10), which is less than the preset address-count threshold of 3, IP address resources are currently scarce, so GW must determine User9's priority from User9's permission information.
Table 1 shows the mapping from permission information to priority stored on GW.

| Permission information (user group) | Priority |
|---|---|
| Group1 | 1 |
| Group2 | 2 |
| Group3 | 3 |
| Group4 | 4 |
| Group5 | 5 |

Table 1

Here a smaller number means a higher priority. GW looks up in Table 1 the priority corresponding to User9's user group Group5, which is 5. Assuming the user priority preset on GW is 4, User9's priority is lower than the preset user priority, so GW refuses to allocate an IP address to Client9 used by User9, and User9 cannot use the network.
When user User10 sends an authentication request carrying User10's user name and password through Client10 started on PC10, GW forwards the request to the authentication server AAA. After verifying from the user name, password and other information that User10 is a legitimate user, AAA returns an authentication response to GW carrying User10's permission information, for example the user group User10 belongs to, Group1; GW reads User10's permission information from the response.
The number of unallocated IP addresses remaining in the pool is 2 (IP9 and IP10), less than the preset address-count threshold of 3, so IP address resources are scarce and GW must determine User10's priority. From Table 1, the priority corresponding to User10's user group Group1 is 1, higher than the preset user priority, so an IP address must be allocated to Client10 used by User10. Since unallocated addresses still exist in the pool, GW selects one of them for Client10, for example IP9.
When user User11 sends an authentication request carrying User11's user name and password through Client11 started on PC11, GW forwards the request to the authentication server AAA. After verifying from the user name, password and other information that User11 is a legitimate user, AAA returns an authentication response to GW carrying User11's permission information, for example the user group User11 belongs to, Group2; GW reads User11's permission information from the response.
The number of unallocated IP addresses remaining in the pool is 1 (IP10), less than the preset address-count threshold of 3, so IP address resources are scarce and GW must determine User11's priority. From Table 1, the priority corresponding to User11's user group Group2 is 2, higher than the preset user priority, so an IP address must be allocated to Client11 used by User11. Since an unallocated address (IP10) still exists in the pool, IP10 is allocated to Client11.
When user User12 sends an authentication request carrying User12's user name and password through Client12 started on PC12, GW forwards the request to the authentication server AAA. After verifying from the user name, password and other information that User12 is a legitimate user, AAA returns an authentication response to GW carrying User12's permission information, for example the user group User12 belongs to, Group3; GW reads User12's permission information from the response.
No unallocated IP address remains in the pool, so IP address resources are scarce and GW must determine User12's priority. From Table 1, the priority corresponding to User12's user group Group3 is 3, higher than the preset user priority, so an IP address must be allocated to Client12 used by User12.
Since no unallocated IP address remains in the pool, GW must check whether any of the IP addresses currently in use can be reclaimed. Specifically, GW counts the online duration, total traffic and total connection count of Client1 to Client8 of online users User1 to User8 (IP1 to IP8), Client10 of User10 (IP9) and Client11 of User11 (IP10), as shown in Table 2.
| User name | IP address | Online duration (minutes) | Total traffic (bytes) | Total connections (count) |
|---|---|---|---|---|
| User1 | IP1 | 10 | 1000 | 40 |
| User2 | IP2 | 9 | 810 | 45 |
| User3 | IP3 | 8 | 640 | 48 |
| User4 | IP4 | 7 | 105 | 28 |
| User5 | IP5 | 6 | 420 | 18 |
| User6 | IP6 | 5 | 50 | 5 |
| User7 | IP7 | 4 | 360 | 16 |
| User8 | IP8 | 3 | 300 | 12 |
| User10 | IP9 | 2 | 180 | 10 |
| User11 | IP10 | 1 | 80 | 6 |

Table 2
The average traffic (total traffic divided by online duration) of each Client in Table 2 is computed; for example, the average traffic of Client1 (IP1) is 1000/10 = 100. The average traffic of Client2 to Client8, Client10 and Client11 is obtained in the same way, as shown in Table 3.
| IP address | Average traffic (bytes per minute) |
|---|---|
| IP1 | 100 |
| IP2 | 90 |
| IP3 | 80 |
| IP4 | 15 |
| IP5 | 70 |
| IP6 | 10 |
| IP7 | 90 |
| IP8 | 100 |
| IP9 | 90 |
| IP10 | 80 |

Table 3
Each IP address stands for the corresponding Client. Assuming the preset traffic threshold is 20, Table 3 shows that the average traffic of Client4 (IP4) is 15 and that of Client6 (IP6) is 10, both below the threshold of 20, so Client4 and Client6 carry little business traffic; the average traffic of every other Client exceeds 20, so they carry more business traffic.
Next the average connection counts (total connections divided by online duration) of Client4 and Client6 are determined from Table 2: 28/7 = 4 for Client4 and 5/5 = 1 for Client6. Assuming the preset connection-count threshold is 3, Client6's average connection count of 1 is below it. Therefore IP6 allocated to Client6 is reclaimed, that is, Client6 is forced offline, and IP6 is allocated to Client12 used by User12.
When user User13 sends an authentication request carrying User13's user name and password through Client13 started on PC13, GW forwards the request to the authentication server AAA. After verifying from the user name, password and other information that User13 is a legitimate user, AAA returns an authentication response to GW carrying User13's permission information, for example the user group User13 belongs to, Group1; GW reads User13's permission information from the response.
No unallocated IP address remains in the pool, so IP address resources are scarce and GW must determine User13's priority. From Table 1, the priority corresponding to User13's user group Group1 is 1, higher than the preset user priority, so an IP address must be allocated to Client13 used by User13.
GW must check whether any IP address currently in use can be reclaimed. Specifically, it counts the online duration, total traffic and total connection count of Client1 to Client5 of online users User1 to User5 (IP1 to IP5), Client7 of User7 (IP7), Client8 of User8 (IP8) and Client10 to Client12 of User10 to User12 (IP9, IP10 and IP6), as shown in Table 4.
| User name | IP address | Online duration (minutes) | Total traffic (bytes) | Total connections (count) |
|---|---|---|---|---|
| User1 | IP1 | 11 | 1100 | 44 |
| User2 | IP2 | 10 | 900 | 50 |
| User3 | IP3 | 9 | 720 | 54 |
| User4 | IP4 | 8 | 120 | 32 |
| User5 | IP5 | 7 | 490 | 21 |
| User7 | IP7 | 5 | 450 | 20 |
| User8 | IP8 | 4 | 400 | 16 |
| User10 | IP9 | 3 | 270 | 15 |
| User11 | IP10 | 2 | 160 | 12 |
| User12 | IP6 | 1 | 80 | 6 |

Table 4
The average traffic of each Client in Table 4 is computed as shown in Table 5.
| IP address | Average traffic (bytes per minute) |
|---|---|
| IP1 | 100 |
| IP2 | 90 |
| IP3 | 80 |
| IP4 | 15 |
| IP5 | 70 |
| IP7 | 90 |
| IP8 | 100 |
| IP9 | 90 |
| IP10 | 80 |
| IP6 | 80 |

Table 5
Table 5 shows that the average traffic of Client4 (IP4) is 15, below the preset traffic threshold of 20, so Client4 carries little business traffic; the average traffic of every other Client exceeds 20, so they carry more business traffic.
From Table 4, Client4's average connection count is 32/8 = 4, which is not below the preset connection-count threshold of 3. However, since no Client in the current network has both low traffic and few connections, the decision is made on traffic alone: IP4 of Client4, whose average traffic is below the preset traffic threshold, is reclaimed, that is, Client4 is forced offline, and IP4 is allocated to Client13 used by User13.
Corresponding to the foregoing embodiment of the IP address allocation method, the present invention also provides an embodiment of an IP address allocation apparatus.
The embodiment of the IP address allocation apparatus of the present invention can be applied to an SSL VPN gateway device. The apparatus embodiment may be implemented by software, or by hardware or a combination of software and hardware. Taking software implementation as an example, as an apparatus in the logical sense it is formed by the processor of the device in which it resides reading the corresponding computer program instructions from non-volatile memory into memory and running them. From the hardware perspective, Fig. 3 is a hardware structure diagram of the device in which the IP address allocation apparatus of the present invention resides; besides the processor and non-volatile memory shown in Fig. 3, the device in which the apparatus of the embodiment resides generally also includes other hardware according to its actual function, which is not described further here.
Refer to Fig. 4, which is a structural schematic of the IP address allocation apparatus in one embodiment of the present invention. The IP address allocation apparatus includes an acquiring unit 401, a determining unit 402 and an allocation unit 403, wherein:
the acquiring unit 401 is configured to, when an authentication request message sent by a user awaiting access through a first client is received, obtain the authority information of the user awaiting access;
the determining unit 402 is configured to, if the number of unallocated IP addresses in the IP address pool is less than a preset address count threshold, determine the priority of the user awaiting access based on the authority information of the user awaiting access;
the allocation unit 403 is configured to, if the priority of the user awaiting access is higher than the default user priority, allocate an IP address to the first client.
Further,
the acquiring unit 401 is specifically configured to forward the authentication request message to an authentication server; receive the authentication response message, carrying the authority information of the user awaiting access, that the authentication server returns after confirming that the user awaiting access passes authentication; and obtain the authority information of the user awaiting access from the authentication response message.
Further,
the determining unit 402 is specifically configured to look up, in a locally stored correspondence between authority information and priority, the priority corresponding to the authority information of the user awaiting access.
Further,
the allocation unit 403 is specifically configured to: if an unallocated IP address exists in the IP address pool, allocate an IP address to the first client from the unallocated IP addresses; if no unallocated IP address exists in the IP address pool, select a target client from the second clients used by currently online users, reclaim the IP address of the target client, and allocate the reclaimed IP address to the first client.
Further, the allocation unit 403 selecting a target client from the second clients used by currently online users includes:
counting the online duration of the second client used by each online user and the total traffic within that online duration; determining the average traffic of each second client based on its online duration and total traffic; and, if third clients whose average traffic is below a preset traffic threshold exist among the second clients, selecting the target client from the third clients.
Further, the allocation unit 403 selecting the target client from the third clients includes:
counting the total connection count of each third client within its online duration; determining the average connection count of each third client based on its online duration and total connection count; and, if fourth clients whose average connection count is below a preset connection count threshold exist among the third clients, selecting the target client from the fourth clients.
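The allocation flow described above (a priority lookup once the pool runs short, allocation from free addresses where any remain, otherwise traffic-based and then connection-based selection of a client whose address is reclaimed, exactly the decision walked through with Tables 4 and 5), as an added Python example written for this page; it is not the patent's or any vendor's implementation. The Table 4 statistics and the thresholds from the worked example (traffic threshold 20, connection count threshold 3) are taken from the page. The numeric default priority of 0 (with a larger number meaning higher priority), the address count threshold of 1, the tie-break when several clients qualify (lowest average traffic, then fewest connections), and treating a client with no online time yet as not eligible for reclamation are assumptions the page does not state.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Thresholds from the page's worked example (Tables 4 and 5).
FLOW_THRESHOLD = 20        # average traffic, bytes per minute
CONN_THRESHOLD = 3         # average connections per minute
# Assumed, not given on the page: larger number = higher priority.
DEFAULT_USER_PRIORITY = 0
ADDR_COUNT_THRESHOLD = 1   # pool is "short" when free addresses < this


@dataclass
class Session:
    """Per-client statistics the gateway keeps (one row of Table 4)."""
    user: str
    client: str
    ip: str
    online_minutes: int
    total_bytes: int
    total_connections: int

    def _avg(self, total: int) -> float:
        # No online time yet means no statistics: treat the session as busy so a
        # freshly bound client is never the reclamation target (assumption).
        return total / self.online_minutes if self.online_minutes > 0 else float("inf")

    @property
    def avg_flow(self) -> float:
        return self._avg(self.total_bytes)

    @property
    def avg_connections(self) -> float:
        return self._avg(self.total_connections)


def select_target(sessions: Iterable[Session]) -> Optional[Session]:
    """Claims 5 and 6: choose the client whose address is reclaimed.

    Third clients have average traffic below FLOW_THRESHOLD; fourth clients are
    third clients also below CONN_THRESHOLD. With no fourth client the choice
    falls back to traffic alone, as when the page's example picks Client4.
    """
    third = [s for s in sessions if s.avg_flow < FLOW_THRESHOLD]
    if not third:
        return None
    fourth = [s for s in third if s.avg_connections < CONN_THRESHOLD]
    # Tie-break among several candidates (assumed): least traffic, then fewest connections.
    return min(fourth or third, key=lambda s: (s.avg_flow, s.avg_connections))


class Gateway:
    """Minimal model of the SSL VPN gateway's address pool handling."""

    def __init__(self, free_pool: List[str], group_priority: Dict[str, int]):
        self.free = list(free_pool)
        self.group_priority = dict(group_priority)  # locally stored mapping (Table 1)
        self.sessions: Dict[str, Session] = {}      # client -> Session
        self.events: List[str] = []                 # forced-offline audit trail

    def priority_of(self, authority: str) -> int:
        """Claim 3: priority for the user's authority information, default if unknown."""
        return self.group_priority.get(authority, DEFAULT_USER_PRIORITY)

    def allocate(self, user: str, client: str, authority: str) -> Optional[str]:
        """Claims 1 and 4: return the IP bound to `client`, or None if refused."""
        if len(self.free) >= ADDR_COUNT_THRESHOLD:
            return self._bind(user, client, self.free.pop(0))
        # Pool is short: only a priority above the default is served.
        if self.priority_of(authority) <= DEFAULT_USER_PRIORITY:
            return None
        if self.free:
            return self._bind(user, client, self.free.pop(0))
        target = select_target(self.sessions.values())
        if target is None:
            return None
        del self.sessions[target.client]  # force the target client offline
        self.events.append(f"forced offline {target.user}/{target.client} ({target.ip})")
        return self._bind(user, client, target.ip)

    def _bind(self, user: str, client: str, ip: str) -> str:
        self.sessions[client] = Session(user, client, ip, 0, 0, 0)
        return ip


# Online clients from Table 4 of the page (user, client, ip, minutes, bytes, connections).
TABLE_4 = [
    ("User1", "Client1", "IP1", 11, 1100, 44), ("User2", "Client2", "IP2", 10, 900, 50),
    ("User3", "Client3", "IP3", 9, 720, 54),   ("User4", "Client4", "IP4", 8, 120, 32),
    ("User5", "Client5", "IP5", 7, 490, 21),   ("User7", "Client7", "IP7", 5, 450, 20),
    ("User8", "Client8", "IP8", 4, 400, 16),   ("User10", "Client10", "IP9", 3, 270, 15),
    ("User11", "Client11", "IP10", 2, 160, 12), ("User12", "Client12", "IP6", 1, 80, 6),
]


def gateway_from_table4() -> Gateway:
    """Gateway in the state of the worked example: empty pool, Group1 has priority 1."""
    gw = Gateway(free_pool=[], group_priority={"Group1": 1})
    for row in TABLE_4:
        s = Session(*row)
        gw.sessions[s.client] = s
    return gw
```

With the gateway in the Table 4 state, `gateway_from_table4().allocate("User13", "Client13", "Group1")` returns `IP4` and records that Client4 was forced offline, matching the page's example. Reclamation is a forced logoff of a legitimate user, so an operator should keep that record (the `events` list here stands in for the gateway's log): a run of forced-offline entries during a pool shortage is the signal that distinguishes intended preemption from an outage seen by the displaced users.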
For the implementation process of the functions and effects of the units in the above apparatus, refer to the implementation process of the corresponding steps in the above method, which is not repeated here.
Since the apparatus embodiment essentially corresponds to the method embodiment, refer to the partial description of the method embodiment for the relevant parts. The apparatus embodiment described above is merely schematic; the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, i.e. they may be located in one place or distributed over multiple network elements. Some or all of the modules may be selected according to actual need to achieve the purpose of the solution of the present invention. Those of ordinary skill in the art can understand and implement it without creative effort.
The foregoing is merely a description of the preferred embodiments of the present invention and is not intended to limit the present invention; any modification, equivalent substitution, improvement, etc. made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.
Claims (12)
1. An Internet Protocol (IP) address allocation method, applied to a Secure Sockets Layer (SSL) VPN gateway device, characterised in that the method comprises:
when an authentication request message sent by a user awaiting access through a first client is received, obtaining the authority information of the user awaiting access;
if the number of unallocated IP addresses in the IP address pool is less than a preset address count threshold, determining the priority of the user awaiting access based on the authority information of the user awaiting access;
if the priority of the user awaiting access is higher than the default user priority, allocating an IP address to the first client.
2. The method according to claim 1, characterised in that obtaining the authority information of the user awaiting access comprises:
forwarding the authentication request message to an authentication server;
receiving the authentication response message, carrying the authority information of the user awaiting access, that the authentication server returns after confirming that the user awaiting access passes authentication;
obtaining the authority information of the user awaiting access from the authentication response message.
3. The method according to claim 1, characterised in that determining the priority of the user awaiting access based on the authority information of the user awaiting access comprises:
looking up, in a locally stored correspondence between authority information and priority, the priority corresponding to the authority information of the user awaiting access.
4. The method according to claim 1, characterised in that allocating an IP address to the first client comprises:
if an unallocated IP address exists in the IP address pool, allocating an IP address to the first client from the unallocated IP addresses;
if no unallocated IP address exists in the IP address pool, selecting a target client from the second clients used by currently online users and reclaiming the IP address of the target client;
allocating the reclaimed IP address to the first client.
5. The method according to claim 4, characterised in that selecting a target client from the second clients used by currently online users comprises:
counting the online duration of the second client used by each online user and the total traffic within that online duration;
determining the average traffic of each second client based on its online duration and total traffic;
if third clients whose average traffic is below a preset traffic threshold exist among the second clients, selecting the target client from the third clients.
6. The method according to claim 5, characterised in that selecting the target client from the third clients comprises:
counting the total connection count of each third client within its online duration;
determining the average connection count of each third client based on its online duration and total connection count;
if fourth clients whose average connection count is below a preset connection count threshold exist among the third clients, selecting the target client from the fourth clients.
7. An Internet Protocol (IP) address allocation apparatus, applied to a Secure Sockets Layer (SSL) VPN gateway device, characterised in that the apparatus comprises:
an acquiring unit, configured to, when an authentication request message sent by a user awaiting access through a first client is received, obtain the authority information of the user awaiting access;
a determining unit, configured to, if the number of unallocated IP addresses in the IP address pool is less than a preset address count threshold, determine the priority of the user awaiting access based on the authority information of the user awaiting access;
an allocation unit, configured to, if the priority of the user awaiting access is higher than the default user priority, allocate an IP address to the first client.
8. The apparatus according to claim 7, characterised in that:
the acquiring unit is specifically configured to forward the authentication request message to an authentication server; receive the authentication response message, carrying the authority information of the user awaiting access, that the authentication server returns after confirming that the user awaiting access passes authentication; and obtain the authority information of the user awaiting access from the authentication response message.
9. The apparatus according to claim 7, characterised in that:
the determining unit is specifically configured to look up, in a locally stored correspondence between authority information and priority, the priority corresponding to the authority information of the user awaiting access.
10. The apparatus according to claim 7, characterised in that:
the allocation unit is specifically configured to: if an unallocated IP address exists in the IP address pool, allocate an IP address to the first client from the unallocated IP addresses; if no unallocated IP address exists in the IP address pool, select a target client from the second clients used by currently online users, reclaim the IP address of the target client, and allocate the reclaimed IP address to the first client.
11. The apparatus according to claim 10, characterised in that the allocation unit selecting a target client from the second clients used by currently online users comprises:
counting the online duration of the second client used by each online user and the total traffic within that online duration; determining the average traffic of each second client based on its online duration and total traffic; and, if third clients whose average traffic is below a preset traffic threshold exist among the second clients, selecting the target client from the third clients.
12. The apparatus according to claim 11, characterised in that the allocation unit selecting the target client from the third clients comprises:
counting the total connection count of each third client within its online duration; determining the average connection count of each third client based on its online duration and total connection count; and, if fourth clients whose average connection count is below a preset connection count threshold exist among the third clients, selecting the target client from the fourth clients.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711043047.6A CN107682473A (en) | 2017-10-31 | 2017-10-31 | A kind of IP address distribution method and device |
Publications (1)
Publication Number | Publication Date |
---|---|
CN107682473A true CN107682473A (en) | 2018-02-09 |
Family
ID=61143082
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201711043047.6A Pending CN107682473A (en) | 2017-10-31 | 2017-10-31 | A kind of IP address distribution method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107682473A (en) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1744531A (en) * | 2004-09-02 | 2006-03-08 | 中兴通讯股份有限公司 | Off-flow monitoring method for accessing server |
CN102932501A (en) * | 2012-11-08 | 2013-02-13 | 杭州迪普科技有限公司 | Address pool resource protecting method and device thereof |
CN106209838A (en) * | 2016-07-08 | 2016-12-07 | 杭州迪普科技有限公司 | The IP cut-in method of SSL VPN and device |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2019158010A1 (en) * | 2018-02-13 | 2019-08-22 | 华为技术有限公司 | Resource management method, device and system |
CN110166580A (en) * | 2018-02-13 | 2019-08-23 | 华为技术有限公司 | Method, equipment and the system of resource management |
CN110166580B (en) * | 2018-02-13 | 2021-12-24 | 华为技术有限公司 | Resource management method, equipment and system |
CN110225145A (en) * | 2019-03-07 | 2019-09-10 | 山石网科通信技术股份有限公司 | Distribute the methods, devices and systems of address |
CN114189469A (en) * | 2021-12-09 | 2022-03-15 | 重庆紫光华山智安科技有限公司 | Public cloud multi-node device access routing method and system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20180209 |