CN109936515A - Access configuration method, information providing method and device - Google Patents


Publication number: CN109936515A
Authority: CN (China)
Prior art keywords: cpe, information, controller, configuration information, gateway
Legal status: Granted
Application number: CN201711365123.5A
Other languages: Chinese (zh)
Other versions: CN109936515B (en)
Inventors: 季叶一, 臧亮, 朱宏浩, 张玉磊
Current assignee: XFusion Digital Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CN201711365123.5A (patent CN109936515B)
Priority to PCT/CN2018/121448 (patent WO2019120160A1)
Publication of CN109936515A
Application granted
Publication of CN109936515B
Legal status: Active

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40: Network security protocols
    • H04L12/00: Data switching networks
    • H04L12/28: Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46: Interconnection of networks

Abstract

The present disclosure provides an access configuration method, an information providing method and devices, and belongs to the field of communication technology. The method includes: a gateway receives an access request, the access request carrying identification information and authentication type information of customer premises equipment (CPE); the gateway sends an information acquisition request to a controller, the information acquisition request instructing the controller to return configuration information; the gateway receives the configuration information sent by the controller; and the gateway performs access configuration for the CPE according to the configuration information. In the present disclosure, when the gateway receives the access request of the CPE, it obtains up-to-date configuration information from the controller in real time and performs access configuration for the CPE, which effectively avoids the access failures that may occur when the CPE's configuration information in the gateway cannot be updated in real time.

Description

Access configuration method, information providing method and device
Technical field
The present disclosure relates to the field of communication technology, and in particular to an access configuration method, an information providing method and devices.
Background
With the development of communication technology, customer premises equipment (CPE) can access a gateway (GW) through Internet Protocol Security (IPSec); the GW establishes an IPSec tunnel for the CPE so that the CPE and the GW can communicate.
Currently, the configuration information that each CPE and the gateway need when establishing an IPSec tunnel is generally statically configured on the GW. Examples are the authentication key the CPE needs when communicating with the GW over the established IPSec tunnel, quality of service (QoS), the virtual private network (VPN) information needed to forward data to other GWs, the authentication type, the key, the keep-alive time and so on. The authentication key, QoS and VPN information bear on the CPE's communication security and communication quality, so these three items are the CPE's key configuration information. When a CPE needs to access a GW, the CPE sends an access request, and a load balancer (LB) distributes that request to one of the GWs in real time. On receiving the access request, that GW extracts the CPE's configuration information and performs access configuration for the CPE, establishing an IPSec tunnel between the CPE and the GW so that the two can communicate.
In implementing the present disclosure, the inventor finds that the existing technology has at least the following problems:
Because there are many GWs, and a CPE that wants to access a GW is assigned to one in real time by the load balancer, the GW that a CPE accesses is not fixed. In this scenario, once the CPE's configuration information is updated, that configuration information cannot be updated in real time on every GW, and access may fail when the CPE accesses a GW that has not been updated in real time.
Summary of the invention
The embodiments of the present disclosure provide an access configuration method, an information providing method and devices, which can solve the problem of access failure in the prior art. The technical solutions are as follows:
In a first aspect, an access configuration method is provided, the method comprising:
a GW receives an access request, the access request carrying identification information of a UE;
the GW sends an information acquisition request to a controller, the information acquisition request instructing the controller to return configuration information;
the GW receives the configuration information sent by the controller;
the GW performs access configuration for the UE according to the configuration information.
The identification information of the CPE carried in the access request may be an Internet Protocol (IP) address or subscriber identity information of the CPE; the present disclosure does not limit this.
The configuration information may include static configuration information and key configuration information. The static configuration information may be a general access template, which may include the negotiation mode, encryption and authentication algorithms, authentication type, key, keep-alive time and so on described above; the key configuration information is the authentication key, QoS and VPN information.
In the embodiments of the present disclosure, when the access request of the CPE is received, the CPE's configuration information stored in the controller is obtained in real time and used to perform access configuration for the CPE. Because the CPE configuration information stored centrally in the controller can be updated in real time, the configuration information the GW obtains is up to date, which effectively avoids the access failures that may occur when the CPE's configuration information in the GW cannot be updated in real time. In addition, because the controller centrally manages the key configuration information within the CPE's configuration information, the risk of leaking the CPE's key configuration information is reduced, which improves the security of CPE access; centralized management also makes it easier to allocate bandwidth reasonably and to manage user access.
In a possible design, performing for the UE the access configuration corresponding to the configuration information comprises:
the GW compares the configuration information with the static configuration information in the GW;
when the static configuration information has been updated, the GW modifies the static configuration information and stores it in correspondence with the identification information of the UE.
The embodiments of the present disclosure compensate for the defect that the GW is not updated in real time when the CPE's static configuration information is updated. The GW can therefore perform access configuration according to the updated static configuration information and the key configuration information, effectively avoiding the access failures that may occur when the static configuration information in the GW cannot be updated in real time.
In a possible design, after the GW sends the information acquisition request to the controller, the method further comprises:
when an authentication failure message sent by the controller is received, the GW sends an access failure message to the UE.
By setting an authentication failure mechanism, the embodiments of the present disclosure allow the controller to authenticate the CPE and to manage CPE access centrally.
In a possible design, after the GW sends the information acquisition request to the controller, the method further comprises:
when the configuration information is not received within a preset duration, the GW sends an access failure message to the UE.
By setting a timeout authentication failure mechanism, the embodiments of the present disclosure can determine that authentication has failed when a request goes unanswered for a long time, which prevents the processing process from abnormally occupying resources indefinitely.
In a possible design, after the GW performs access configuration for the UE according to the configuration information, the method further comprises:
after the access configuration is completed, the GW sends a response message to the controller, the response message informing the controller that the configuration information has been received and that access configuration is complete.
In a possible design, after the GW performs access configuration for the UE according to the configuration information, the method further comprises:
when a disconnection request is received, the GW deletes the configuration information from its cache according to the identification information of the UE carried in the disconnection request, and releases the connection resources; or,
when it is detected that the UE has disconnected, the GW deletes the configuration information from its cache according to the identification information of the UE, and releases the connection resources.
By setting a keep-alive mechanism and a mechanism for deleting dynamic configuration, the embodiments of the present disclosure delete the dynamic configuration information when the CPE disconnects normally or when keep-alive detection finds that the CPE has had no interaction within the specified keep-alive time, which avoids network congestion and reduces the storage burden on the GW. The configuration information obtained from the controller and the connection resources may be referred to as the CPE's dynamic configuration information.
In a possible design, the access request is sent by the UE to the GW via the Internet Key Exchange (IKE) protocol, and the information acquisition request is sent by the GW to the controller via the Network Configuration (Netconf) or Yang protocol.
In a possible design, the configuration information includes an authentication key, quality of service (QoS) and virtual private network (VPN) information.
In a possible design, when the GW's current configuration information can meet the authentication access requirement, the GW performs access configuration for the UE according to the GW's current configuration information.
In a second aspect, an information providing method is provided, the method comprising:
a controller receives an information acquisition request sent by a GW, the information acquisition request carrying identification information of a UE;
the controller authenticates the UE according to the identification information of the UE;
when authentication succeeds, the controller obtains the configuration information corresponding to the identification information of the UE according to the correspondence between identification information and configuration information;
the controller sends the configuration information to the GW.
In a possible design, the controller authenticating the UE according to the identification information of the UE comprises:
the controller looks up the identification information of the UE in a user database;
when the user database includes the identification information of the UE, the controller extracts from the user database the user data corresponding to the identification information of the UE;
when the user data indicates that the UE has access permission, the controller determines that authentication succeeds;
when the identification information of the UE is not found in the user database, or the user data indicates that the UE does not have access permission, the controller determines that authentication fails.
In a possible design, the method further comprises: when authentication fails, the controller sends an authentication failure message to the GW.
In a possible design, after the controller sends the configuration information to the GW, the method further comprises: receiving the response message returned by the GW.
In a possible design, the authentication request is sent by the UE to the GW via the IKE protocol, and the information acquisition request is sent by the GW to the controller via the Netconf or Yang protocol.
In a possible design, the process of obtaining the configuration information of the UE comprises:
the controller interacts with at least one server to obtain the identification information and configuration information of the UE stored in the at least one server;
the controller stores the identification information of the UE in correspondence with the configuration information.
In a third aspect, an access configuration device is provided, applied to a GW; the device includes multiple functional modules to implement the access configuration method of the first aspect and any possible design of the first aspect.
In a fourth aspect, an information providing device is provided, applied to a controller; the device includes multiple functional modules to implement the information providing method of the second aspect and any possible design of the second aspect.
In a fifth aspect, a GW is provided; the GW includes a memory and a processor, the memory stores a plurality of instructions, and the instructions are suitable for being loaded by the processor to execute the access configuration method of the first aspect and any possible design of the first aspect.
In a sixth aspect, a controller is provided; the controller includes a memory and a processor, the memory stores a plurality of instructions, and the instructions are suitable for being loaded by the processor to execute the information providing method of the second aspect and any possible design of the second aspect.
In a seventh aspect, a computer-readable storage medium is provided; instructions are stored on the computer-readable storage medium, and the instructions are executed by a processor to carry out the access configuration method of the first aspect and any possible design of the first aspect, or the information providing method of the second aspect and any possible design of the second aspect.
In an eighth aspect, a communication system is provided; the communication system includes a GW and a controller, wherein the GW is configured to execute the access configuration method in the first aspect and any possible design of the first aspect, and the controller is configured to execute the information providing method in the second aspect and any possible design of the second aspect.
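The GW-side method of the first aspect and the controller-side method of the second aspect can be followed end to end in the Python model below. It is an added example, not code from the patent or its assignee: the class, field and message names and the sample CPE identifiers are assumptions, the Netconf/Yang transport is replaced by a direct method call, and the completeness check on the controller's reply is an added safeguard.

```python
"""Constructed model of the GW/controller exchange (names are hypothetical)."""
from dataclasses import dataclass, field

# Key configuration information named in the text: authentication key, QoS, VPN.
KEY_FIELDS = ("auth_key", "qos", "vpn")


class AuthFailed(Exception):
    """Stands in for the controller's authentication failure message."""


@dataclass
class Controller:
    # User database: identifier -> {"access_allowed": bool, "config": {...}}
    user_db: dict = field(default_factory=dict)
    reachable: bool = True          # False models "no reply within the preset duration"
    acks: list = field(default_factory=list)

    def get_config(self, cpe_id, timeout_s):
        if not self.reachable:
            raise TimeoutError(f"no reply within {timeout_s}s")
        user = self.user_db.get(cpe_id)
        # Authentication fails for unknown identifiers and for users without permission.
        if user is None or not user["access_allowed"]:
            raise AuthFailed(cpe_id)
        return dict(user["config"])  # copy, so a GW cache never aliases the database

    def ack(self, gw_name, cpe_id):
        # Response message: the GW received the configuration and finished configuring.
        self.acks.append((gw_name, cpe_id))


@dataclass
class Gateway:
    name: str
    controller: Controller
    static_template: dict            # general access template, statically configured
    timeout_s: float = 2.0
    cache: dict = field(default_factory=dict)   # dynamic configuration per connected CPE

    def handle_access_request(self, cpe_id):
        """Return ("configured", config) or ("access_failure", reason)."""
        try:
            fetched = self.controller.get_config(cpe_id, self.timeout_s)
        except AuthFailed:
            return "access_failure", "authentication failed"
        except TimeoutError:
            return "access_failure", "controller timeout"
        missing = [k for k in KEY_FIELDS if k not in fetched]
        if missing:                  # added safeguard: fail closed on an incomplete reply
            return "access_failure", "incomplete configuration"
        # Static fields returned by the controller override the local template
        # and are stored against this identifier only.
        config = {**self.static_template, **fetched}
        self.cache[cpe_id] = config
        self.controller.ack(self.name, cpe_id)
        return "configured", config

    def handle_disconnect(self, cpe_id):
        """Delete the dynamic configuration; True if something was cached."""
        return self.cache.pop(cpe_id, None) is not None


def demo():
    # Constructed sample data: identifiers and key values are placeholders.
    cpe = "cpe1.example.test"
    ctrl = Controller(user_db={
        cpe: {"access_allowed": True,
              "config": {"auth_key": "k-v1", "qos": "gold", "vpn": "vpn-10"}},
        "cpe2.example.test": {"access_allowed": False, "config": {}},
    })
    template = {"negotiation": "IKEv2", "auth_type": "PSK", "keepalive_s": 30}
    gw_a = Gateway("gw-a", ctrl, template)
    gw_b = Gateway("gw-b", ctrl, template)

    results = {"first": gw_a.handle_access_request(cpe)}
    gw_a.handle_disconnect(cpe)
    # The key is changed centrally, then the load balancer picks the other GW.
    ctrl.user_db[cpe]["config"]["auth_key"] = "k-v2"
    results["after_update"] = gw_b.handle_access_request(cpe)
    results["denied"] = gw_a.handle_access_request("cpe2.example.test")
    results["unknown"] = gw_a.handle_access_request("cpe9.example.test")
    ctrl.reachable = False
    results["timeout"] = gw_a.handle_access_request(cpe)
    return results, gw_a, gw_b, ctrl


if __name__ == "__main__":
    for step, outcome in demo()[0].items():
        print(step, outcome)
```

Because each GW holds the key configuration only while the CPE is connected, the second gateway picks up the changed key without any per-GW update, and every failure path ends in an access failure rather than a fallback to older data.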
Brief description of the drawings
Fig. 1 is a schematic diagram of an implementation environment of an access configuration method and an information providing method provided by an embodiment of the present disclosure;
Fig. 2 is a structural block diagram of a GW 200 provided by an embodiment of the present disclosure;
Fig. 3 is a structural block diagram of a controller 300 provided by an embodiment of the present disclosure;
Fig. 4 is a flowchart of an access configuration method provided by an embodiment of the present disclosure;
Fig. 5 is a schematic diagram of message transmission in an access configuration flow provided by an embodiment of the present disclosure;
Fig. 6 is a flowchart of an access configuration method provided by an embodiment of the present disclosure;
Fig. 7 is a flowchart of an access configuration method provided by an embodiment of the present disclosure;
Fig. 8 is a flowchart of an access configuration method provided by an embodiment of the present disclosure;
Fig. 9 is a flowchart of an access configuration method provided by an embodiment of the present disclosure;
Fig. 10 is a structural schematic diagram of an access configuration device provided by an embodiment of the present disclosure;
Fig. 11 is a structural schematic diagram of an access configuration device provided by an embodiment of the present disclosure;
Fig. 12 is a structural schematic diagram of an information providing device provided by an embodiment of the present disclosure;
Fig. 13 is a structural schematic diagram of an information providing device provided by an embodiment of the present disclosure.
Detailed description of embodiments
To facilitate understanding of the present disclosure, the implementation environment of the access configuration method and the information providing method is introduced here. Referring to Fig. 1, the implementation environment includes customer premises equipment (CPE), a gateway (GW) and a controller.
The CPE is customer premises equipment. It can typically perform IKE negotiation with the GW through a statically configured IPSec interface; the GW, based on its statically configured IPSec interface, configures the IPSec tunnel that the CPE needs for normal communication, and the CPE accesses the GW through that IPSec tunnel. The CPE can then obtain large amounts of cloud data from a cloud data center and provide network communication services to users.
The GW is an access device. It is located at the edge access layer of a software-based architecture and provides an access interface for the CPE. The basic function of the GW is data forwarding; it can also perform access authentication for the CPE, establish communication tunnels and so on. The GW can also perform traffic management and the like for the CPE, which is not described further here.
The controller is a network management device that can be deployed in each data center. The GW can obtain information by communicating with the controller, and the controller can analyze information sent by the GW or information exchanged with other controllers to implement network control and management. In the embodiments of the present disclosure, the controller may be a software-defined network (SDN) controller or another server on which a network management system is installed; the present disclosure does not specifically limit this.
Referring to Fig. 1, the CPE can perform IKE negotiation with the GW through a statically configured IPSec interface, and the GW configures an IPSec tunnel for the CPE. Once the tunnel is configured successfully, the CPE is one end of the IPSec tunnel and the GW is the other end. An LB may also sit between the CPE and the GW, with the LB assigning a GW to the CPE. The CPE and the GW can interact via IKE, and the GW and the controller can interact via the Netconf or Yang protocol. The interaction protocols between the CPE and the GW, or between the GW and the controller, include but are not limited to these protocols; the present disclosure does not specifically limit this.
Fig. 2 is a structural block diagram of a GW 200 provided by an embodiment of the present disclosure. Referring to Fig. 2, the GW 200 includes a transceiver 201, a memory 202 and a processor 203. The transceiver 201 and the memory 202 are each connected to the processor 203; the memory 202 stores program code, and the processor 203 is configured to call the program code to implement the access configuration method in the following embodiments.
For example, the transceiver 201 may be a physical interface card; the GW can receive requests or messages sent by other devices through the physical interface card, and can send requests or messages to other devices through it.
The processor 203 may be a network processor or a central processing unit. After the physical interface card receives a request, it can send the request or message to the network processor; the network processor validates the request, looks up the table entry and delivers it to the central processing unit, and the central processing unit handles the request.
The memory 202 may be a forwarding table entry memory, used to store the table entries forwarded by the network processor.
Fig. 3 is a structural block diagram of a controller 300 provided by an embodiment of the present disclosure. For example, the controller 300 may be provided as a server. Referring to Fig. 3, the controller 300 includes a transceiver 301, a memory 302 and a processor 303. The transceiver 301 and the memory 302 are each connected to the processor 303; the memory 302 stores program code, and the processor 303 is configured to call the program code to implement the information providing method in the following embodiments.
For example, the transceiver 301 may be a physical interface card; requests or messages sent by other devices can be received through the physical interface card, and requests or messages can be sent to other devices through it.
The processor 303 may be a network processor or a central processing unit. After the physical interface card receives a request, it can send the request or message to the network processor; the network processor validates the request, looks up the table entry and delivers it to the central processing unit, and the central processing unit handles the request.
The memory 302 may be a forwarding table entry memory, used to store the table entries forwarded by the network processor.
In an exemplary embodiment, a computer-readable storage medium is also provided, for example a memory including instructions. The instructions can be executed by the processor in the GW to carry out the access configuration method in the following embodiments, or by the processor in the controller to carry out the information providing method in the following embodiments. For example, the computer-readable storage medium may be a ROM, a random access memory (RAM), a CD-ROM, a magnetic tape, a floppy disk, an optical data storage device and so on.
In an exemplary embodiment, a communication system is also provided. The communication system includes the GW 200 shown in Fig. 2 and the controller 300 shown in Fig. 3, which communicate through the transceiver 201 and the transceiver 301. The memory 202 on the GW 200 stores program code, and the processor 203 on the GW 200 is configured to call that program code to implement the GW-side method steps of the access configuration method in the following embodiments. The memory 302 on the controller 300 stores program code, and when the processor 303 on the controller 300 calls that program code, it implements the controller-side method steps of the access configuration method in the following embodiments.
In the embodiments of the present disclosure, the CPE performs IKE negotiation with the GW through a statically configured IPSec interface, and through this IKE negotiation an IPSec tunnel is configured between the CPE and the GW so that the two can subsequently communicate normally and transmit communication data. The IKE negotiation may use the IKEv1 protocol or the IKEv2 protocol; with IKEv1 there are two different negotiation modes, main mode and aggressive mode. The embodiments of the present disclosure are described using IKEv2 negotiation only as an example. During the IKE negotiation, the GW needs to negotiate with the CPE on the basis of the CPE's configuration information in order to establish the IPSec tunnel. The CPE's configuration information includes static configuration information and key configuration information. The static configuration information may be a general access template, which may include the negotiation mode, encryption and authentication algorithms, authentication type, key, keep-alive time and so on described above; the key configuration information is the authentication key, QoS and VPN information.
Fig. 4 is a flowchart of an access configuration method provided by an embodiment of the present disclosure. The access configuration method is applied to a GW, for example the GW shown in Fig. 2. By interacting with the controller, the GW can obtain configuration information from the controller in real time in order to perform access configuration for the CPE. In this process the controller executes the information providing method within the access configuration method, supplying the GW with the configuration information it needs. Referring to Fig. 4, the access configuration process specifically includes the following steps:
401. The CPE sends an access request to the GW; the access request carries the identification information of the CPE.
In a specific embodiment, before step 401 the CPE may first complete an initial exchange with the GW, during which the CPE and the GW negotiate the encryption and authentication algorithms, the authentication type and the key. The key is used to encrypt or decrypt the requests or messages sent during subsequent negotiation between the CPE and the GW. The authentication type is the one preconfigured on the CPE; it may be PSK, public key infrastructure (PKI) or another authentication type. The embodiments of the present disclosure are described using the PSK authentication type only as an example.
After the initial exchange is complete, the CPE sends the access request to the GW. The identification information of the CPE carried in the access request may be an IP address or subscriber identity information of the CPE; the present disclosure does not limit this. For example, the access request carries the following identification information of the CPE: the CPE fully qualified domain name (FQDN) or user fully qualified domain name (U-FQDN), where the CPE FQDN/U-FQDN is the CPE's domain name and is used to uniquely identify the CPE.
402. On receiving the access request, the GW determines whether its current configuration information meets the authentication access requirement; if not, step 403 is performed.
A general access template is usually statically configured on the GW, but some GWs may also have the CPE's key configuration information set in advance. On receiving the access request, the GW can therefore determine whether its current configuration information already includes the information that this authentication access procedure needs to exchange, that information being the CPE's configuration information. If the GW's current configuration information already includes the static configuration information and the key configuration information, that is, if the GW's current configuration information can meet the authentication access requirement, the GW can perform access configuration for the CPE directly according to the CPE's configuration information without interacting with the controller. This is the same as the prior-art access configuration method and is not described again here.
If the GW's current configuration information does not include key configuration information such as the authentication key, QoS and VPN information, that is, the current configuration information contains only static configuration information and cannot meet the authentication access requirement, the GW performs step 403 below.
In a specific embodiment, when the GW receives the access request, it may decrypt the request using the key exchanged in step 401 and perform an integrity check; when decryption succeeds and the content of the request is determined to be complete, step 402 may be performed. The GW may of course also perform other validity checks on the request; the present disclosure does not limit this.
403. When the GW's current configuration information cannot meet the authentication access requirement, the GW sends an information acquisition request to the controller.
In a specific embodiment, the information acquisition request carries the identification information of the CPE and instructs the controller to return configuration information. The configuration information may include the key configuration information described above, namely the authentication key, QoS and VPN information. For example, the information acquisition request may be a Netconf standard message or a Yang standard message, in which case the information in the message may include the identification information of the CPE.
It should be noted that in the prior art the GW sends a response message to the CPE in step 402 and negotiation continues, whereas in the embodiments of the present disclosure the GW lacks the key configuration information and therefore needs to send an information acquisition request to the controller to obtain it. If the GW did not send the information acquisition request to the server and simply continued negotiating with the CPE, the negotiation would ultimately fail for lack of the key configuration information.
Step 403 covers the case in step 402 where the current configuration information does not meet the authentication access requirement. If the requirement is met, the related method steps described in step 402 are performed, namely those for the case where the information that the authentication access for this access request needs to exchange already exists in the GW.
404, when receiving the information acquisition request, the controller authenticates the identity of the CPE according to the identification information of the CPE carried in the information acquisition request.
In a specific embodiment, the controller can obtain the configuration information of the CPE out of band. Specifically, the controller can interact with at least one server to obtain the identification information and configuration information of the CPE stored on the at least one server, and then store the identification information of the CPE in correspondence with its configuration information. For example, when a user applies to a service provider for an IP address, the service provider can allocate an IP address to the user, allocate QoS, VPN information and so on according to the user's needs, and store the configuration information and the IP address in a server; the controller can obtain the IP address and the configuration information by interacting with that server and store them in correspondence.
It should be noted that when the controller obtains the configuration information of a CPE, it may obtain the key configuration information of the CPE, or both the key configuration information and the static configuration information of the CPE. The controller can store the correspondence between each CPE's configuration information and identification information, as that CPE's user data, in a user database in the controller. When the configuration information of a CPE is updated, the controller can obtain the updated configuration information in real time and update the corresponding user data in the user database.
In a specific embodiment, after extracting the identification information of the CPE from the information acquisition request, the controller can execute the following steps (1) to (4) to authenticate the identity of the CPE and determine whether the CPE is allowed to access:
(1), the controller looks up the identification information of the CPE in the user database.
(2), when the user database includes the identification information of the CPE, the controller extracts from the user database the user data corresponding to the identification information of the CPE.
(3), when the user data indicates that the CPE has access permission, the controller determines that authentication succeeds.
(4), when the identification information of the CPE is not found in the user database, or the user data indicates that the CPE does not have access permission, the controller determines that authentication fails.
In specific implementations, the authentication can also include other authentication methods such as a validity check of the CPE's information and certificate authentication, which the disclosure does not limit.
405, when the authentication succeeds, the controller obtains the configuration information corresponding to the identification information of the CPE according to the correspondence between identification information and configuration information.
When authentication succeeds, the controller determines that the CPE is allowed to access the GW, so it can send the configuration information of the CPE to the GW, and the GW performs the subsequent access configuration. The configuration information includes the authentication key, quality of service (QoS) and virtual private network (VPN) information, that is, the key configuration information of the CPE.
In a specific embodiment, in addition to the key configuration information of the CPE, the controller can also obtain the static configuration information of the CPE.
406, the controller sends the configuration information to the GW.
Consistent with step 405, when the configuration information obtained by the controller is key configuration information, the controller sends the key configuration information to the GW; when the configuration information obtained by the controller is key configuration information and static configuration information, the controller sends both the key configuration information and the static configuration information to the GW.
In a specific embodiment, the configuration information can also be transmitted in the form of the NETCONF standard message or YANG standard message described above, and the information in the message includes the configuration information of the CPE and the identification information of the CPE. The protocol used between the controller and the GW can also be another protocol, which the embodiment of the present disclosure does not limit.
407, when receiving the configuration information sent by the controller, the GW performs access configuration for the CPE according to the configuration information.
When the received configuration information is key configuration information, the GW can perform access configuration such as routing configuration and bandwidth configuration for the CPE.
In a specific embodiment, when the received configuration information is key configuration information and static configuration information, the GW can compare the static configuration information in the received configuration information with the static configuration information in the GW. When the static configuration information has been updated, the GW can modify its static configuration information and store the modified static configuration information in correspondence with the identification information of the CPE. This compensates for the defect that the static configuration information of the CPE has been updated while the GW has not been updated in real time. The GW can then perform access configuration according to the updated static configuration information and the key configuration information, which effectively avoids the access failures that may result when the static configuration information in the GW cannot be updated in real time.
In specific implementations, when the GW receives the configuration information, it can send a receipt acknowledgement to the controller to inform the controller that the configuration information has been successfully received.
408, after completing the access configuration, the GW sends a response message to the controller.
The response message is used to inform the server that the configuration information has been received and the access configuration has been completed.
409, after completing the access configuration, the GW sends an access configuration success message to the CPE.
The access configuration success message is used to inform the CPE that the corresponding access configuration has been completed according to the configuration information. In practice, the GW can also continue to negotiate with the CPE and finally establish an IPsec tunnel, so that the CPE is connected to the GW.
In specific implementations, steps 408 and 409 can be carried out simultaneously, or step 409 can be executed first and then step 408. That is, after completing the access configuration, the GW can send the response message to the controller and the access configuration success message to the CPE at the same time, or it can first send the access configuration success message to the CPE and then send the response message to the controller. The embodiment of the present disclosure does not limit this.
410, the controller receives the response message.
411, the CPE receives the access configuration success message.
The above describes the flow of the access configuration method. The embodiment shown in Fig. 5 below describes in detail how requests and messages are transmitted during the access configuration process. Fig. 5 is a schematic diagram of message transmission in an access configuration process provided by an embodiment of the present disclosure. The two parties to the message transmission shown in Fig. 5 can be the GW shown in Fig. 2 and the controller shown in Fig. 3. Fig. 5 mainly illustrates the message transmission, and the disclosure does not specifically limit the format or specific content of the messages. Referring to Fig. 5, the terms involved in Fig. 5 are explained in Table 1 below:
Table 1
The CPE sends IKE_SA_INIT: HDR, SAi1, KEi, Ni to the GW. On receiving this message, the GW returns IKE_SA_INIT: HDR, SAr1, KEr, Nr, which completes the initial exchange and negotiates the encryption/decryption and authentication algorithms, the key and the authentication type. The CPE then sends the first message of the authentication exchange to the GW, that is, IKE_AUTH: HDR, SK {IDi, AUTH, SAi2, TSi, TSr}. The content of this message includes IDi = CPE FQDN/U-FQDN, so the identity information (ID) of the CPE is CPE FQDN/U-FQDN, which is the identification information of the CPE. After receiving this authentication message, the GW sends a notification message to the controller to notify it that the user whose ID is CPE FQDN/U-FQDN is online, and the controller can then perform access control on that user. The specific access control process is: using the ID of the CPE as the keyword, the controller looks up the authentication key, QoS and VPN information corresponding to this ID in its stored information and authenticates the identity of the CPE; when authentication passes, it sends the authentication key, QoS and VPN information to the GW. On receiving this configuration information, the GW performs access configuration and, after the configuration, replies with a response message, that is, a REPLY message whose content is OK. The GW then sends the CPE the response to the first message of the authentication exchange, IKE_AUTH: HDR, SK {IDr, AUTH, SAr2, TSi, TSr}, which completes the AUTH exchange. Other negotiation follows, which the disclosure does not describe in detail.
In the embodiment of the present disclosure, when the access request of a CPE is received, the configuration information of the CPE stored in the controller is obtained in real time and used to perform access configuration for the CPE. Because the configuration information of the CPE stored centrally in the controller can be updated in real time, the configuration information obtained by the GW is current, which effectively avoids the access failures that may result when the configuration information of the CPE in the GW cannot be updated in real time. In addition, because the controller centrally manages the key configuration information within the configuration information of the CPE, the risk of leakage of the CPE's key configuration information can be further reduced, which improves the security of CPE access; centralized management also makes it easier to allocate bandwidth reasonably and manage user access.
The above embodiment only describes the case where authentication succeeds in step (3) of step 404. In step (4) of step 404 above, the controller determines that authentication fails, that is, determines that the CPE is not allowed to access the GW, so there is no need to send configuration information to the GW. In this authentication-failure case the controller no longer executes step 405, and the subsequent steps 406 to 410 do not take place either. The authentication-failure case is described in detail below with the embodiment shown in Fig. 6.
Fig. 6 is a flowchart of an access configuration method provided by an embodiment of the present disclosure. The access configuration method is applied to a GW, for example the GW shown in Fig. 2 above. This embodiment provides the access configuration flow when identity authentication fails. Referring to Fig. 6, the access configuration flow includes the following steps:
601, the CPE sends an access request to the GW, and the access request carries the identification information of the CPE.
602, when receiving the access request, the GW determines whether its current configuration information meets the authenticated-access requirement; if not, step 603 is executed.
603, when the GW's current configuration information cannot meet the authenticated-access requirement, the GW sends an information acquisition request to the controller.
604, when receiving the information acquisition request, the controller authenticates the identity of the CPE according to the identification information of the CPE carried in the information acquisition request.
Steps 601 to 604 are the same as steps 401 to 404 above and are not repeated here.
605, when the authentication fails, the controller sends an authentication failure message to the GW.
When authentication fails, the controller determines that the CPE is not allowed to access, so it does not send configuration information to the GW but instead sends an authentication failure message to the GW, informing the GW that it need not perform access configuration for the CPE.
606, when receiving the authentication failure message, the GW sends an access failure message to the CPE.
607, the CPE receives the access failure message.
The access failure message is used to inform the CPE that this access has failed. In practical applications, the access failure message can also carry the reason for the access failure: identity authentication failure.
By setting an authentication-failure mechanism, the embodiment of the present disclosure allows the controller to authenticate the identity of the CPE and to centrally manage CPE access.
Step 407 of the embodiment shown in Fig. 4 above is one possible scenario, in which the GW receives the configuration information. In practical applications there may be another possible scenario: the configuration information is not received within a preset duration. This scenario is also a case of authentication failure and is described in the embodiment shown in Fig. 7 below.
Fig. 7 is a flowchart of an access configuration method provided by an embodiment of the present disclosure. The access configuration method is applied to a GW, for example the GW shown in Fig. 2 above. This embodiment provides the access configuration flow when authentication fails because of a timeout. Referring to Fig. 7, the method includes the following steps:
701, the CPE sends an access request to the GW, and the access request carries the identification information of the CPE.
702, when receiving the access request, the GW determines whether its current configuration information meets the authenticated-access requirement; if not, step 703 is executed.
703, when the GW's current configuration information cannot meet the authenticated-access requirement, the GW sends an information acquisition request to the controller.
704, when receiving the information acquisition request, the controller authenticates the identity of the CPE according to the identification information of the CPE carried in the information acquisition request.
705, when the authentication succeeds, the controller obtains the configuration information corresponding to the identification information of the CPE according to the correspondence between identification information and configuration information.
706, the controller sends the configuration information to the GW.
Steps 701 to 706 are the same as steps 401 to 406 and are not repeated here.
707, when the configuration information is not received within the preset duration, the GW sends an access failure message to the CPE.
A timeout authentication-failure mechanism can be set in the GW: when the configuration information sent by the controller is not received within the preset duration, this access can be considered to have failed for lack of the key configuration information. The access failure message is used to inform the CPE that this access has failed. In practical applications, the access failure message can also carry the reason for the access failure: timeout, no response.
708, the CPE receives the access failure message.
By setting a timeout authentication-failure mechanism, the embodiment of the present disclosure can determine that authentication has failed when a request receives no response for a long time, which avoids a processing process that has become abnormal continuing to occupy resources.
After the GW performs access configuration for the CPE, the CPE accesses the GW through the successfully established IPsec tunnel and can obtain data from, or upload data to, the accessed cloud data center. When the CPE actively disconnects, or is detected by a keepalive mechanism to have disconnected, the GW can also delete the access configuration made for the CPE. This includes the following two specific embodiments:
First specific embodiment: when the GW receives a disconnection request, it deletes the configuration information from the cache according to the identification information of the CPE carried in the disconnection request, and releases the connection resources.
Second specific embodiment: when the GW detects that the CPE has disconnected, it deletes the configuration information from the cache according to the identification information of the CPE, and releases the connection resources.
The two specific embodiments are described in detail below with reference to Fig. 8 and Fig. 9 respectively:
Fig. 8 is a flowchart of an access configuration method provided by an embodiment of the present disclosure. The access configuration method is applied to a GW, for example the GW shown in Fig. 2 above. This embodiment is the first specific embodiment above: the GW performs access configuration for the CPE so that the CPE accesses the GW normally and, after a period of time, when the CPE actively disconnects, the GW deletes the access configuration. Referring to Fig. 8, the method includes the following steps:
801, the CPE sends an access request to the GW, and the access request carries the identification information of the CPE.
802, when receiving the access request, the GW determines whether its current configuration information meets the authenticated-access requirement; if not, step 803 is executed.
803, when the GW's current configuration information cannot meet the authenticated-access requirement, the GW sends an information acquisition request to the controller.
804, when receiving the information acquisition request, the controller authenticates the identity of the CPE according to the identification information of the CPE carried in the information acquisition request.
805, when the authentication succeeds, the controller obtains the configuration information corresponding to the identification information of the CPE according to the correspondence between identification information and configuration information.
806, the controller sends the configuration information to the GW.
807, when receiving the configuration information sent by the controller, the GW performs access configuration for the CPE according to the configuration information.
808, after completing the access configuration, the GW sends a response message to the controller.
809, after completing the access configuration, the GW sends an access configuration success message to the CPE.
810, the controller receives the response message.
811, the CPE receives the access configuration success message.
Steps 801 to 811 are the same as steps 401 to 411 and are not repeated here.
812, the CPE sends a disconnection request to the GW, and the disconnection request carries the identification information of the CPE.
When the CPE wishes to disconnect (for example, the CPE goes offline normally), it can send a disconnection request to the GW. The disconnection request instructs the GW to delete the IPsec tunnel established for the CPE, so that the CPE can no longer communicate normally through the GW.
813, when receiving the disconnection request, the GW deletes the configuration information from the cache according to the identification information of the CPE and releases the connection resources.
The configuration information is what the GW obtained from the controller. When the CPE disconnects, the GW can delete the configuration information, release the connection resources generated while the GW established the IPsec tunnel for the CPE, and restore the configuration corresponding to the CPE to the static configuration in place before the CPE sent the access request.
It should be noted that the configuration information obtained from the controller and the connection resources can together be called the dynamic configuration information of the CPE, which is generally stored in a cache. By deleting the configuration information and releasing the connection resources, the GW can avoid the network congestion that occupied connection resources may cause and can also reduce its own storage burden.
814, the GW sends a disconnection response message to the CPE, and the disconnection response message is used to inform the CPE that it has been disconnected.
By deleting the dynamic configuration information when the CPE disconnects normally, the embodiment of the present disclosure avoids network congestion and reduces the storage burden of the GW.
Fig. 9 is a flowchart of an access configuration method provided by an embodiment of the present disclosure. The access configuration method is applied to a GW, for example the GW shown in Fig. 2 above. This embodiment is the second specific embodiment above: the GW performs access configuration for the CPE so that the CPE accesses the GW normally and, later, when the GW detects that there has been no interaction between the CPE and the CPE communicating with it within the specified keepalive time, the GW deletes the access configuration. Referring to Fig. 9, the method includes the following steps:
901, the CPE sends an access request to the GW, and the access request carries the identification information of the CPE.
902, when receiving the access request, the GW determines whether its current configuration information meets the authenticated-access requirement; if not, step 903 is executed.
903, when the GW's current configuration information cannot meet the authenticated-access requirement, the GW sends an information acquisition request to the controller.
904, when receiving the information acquisition request, the controller authenticates the identity of the CPE according to the identification information of the CPE carried in the information acquisition request.
905, when the authentication succeeds, the controller obtains the configuration information corresponding to the identification information of the CPE according to the correspondence between identification information and configuration information.
906, the controller sends the configuration information to the GW.
907, when receiving the configuration information sent by the controller, the GW performs access configuration for the CPE according to the configuration information.
908, after completing the access configuration, the GW sends a response message to the controller.
909, after completing the access configuration, the GW sends an access configuration success message to the CPE.
910, the controller receives the response message.
911, the CPE receives the access configuration success message.
Steps 901 to 911 are the same as steps 401 to 411 or steps 801 to 811 and are not repeated here.
912, when detecting that the CPE has disconnected, the GW deletes the configuration information from the cache according to the identification information of the CPE and releases the connection resources.
A keepalive mechanism can be set in the GW: the GW can periodically detect whether any CPE connected through it has had no interaction within the specified keepalive time. When it detects that the CPE has had no interaction within the specified keepalive time, the CPE can be considered to have disconnected, so the GW can delete the dynamic configuration information generated when the IPsec tunnel was established for the CPE.
By setting a keepalive mechanism, the embodiment of the present disclosure deletes the dynamic configuration information of a CPE that has no data-interaction demand but still occupies connection resources, which avoids the network congestion that excessive occupation of connection resources may cause and reduces the storage burden of the GW.
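The flows of Figs. 4 and 6 to 9 (controller authentication steps (1) to (4), authentication failure, the preset-duration timeout, and deletion of the dynamic configuration on disconnect or keepalive expiry) can be modelled as follows. This is an added Python example, not part of the patent text; the class and field names, the result strings, and the in-process call that stands in for the NETCONF/YANG exchange are assumptions made for illustration.

```python
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError as FetchTimeout
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Result strings are assumed; the patent only names the failure reasons.
ACCESS_OK = "access configuration successful"
FAIL_AUTH = "access failure: authentication failed"
FAIL_TIMEOUT = "access failure: timeout, no response"


@dataclass(frozen=True)
class KeyConfig:
    """Key configuration information: authentication key, QoS, VPN information."""
    auth_key: bytes
    qos: str
    vpn: str


@dataclass(frozen=True)
class UserRecord:
    """One entry of the controller's user database (field names are assumed)."""
    access_allowed: bool
    key_config: KeyConfig


class Controller:
    def __init__(self, user_db: Dict[str, UserRecord]):
        self._user_db = dict(user_db)

    def get_config(self, cpe_id: str) -> Optional[KeyConfig]:
        """Steps 404-405. None stands for the authentication failure message."""
        record = self._user_db.get(cpe_id)        # (1) look up, (2) extract
        if record is None or not record.access_allowed:
            return None                            # (4) unknown CPE or no permission
        return record.key_config                   # (3) success: return configuration


class Gateway:
    def __init__(self, fetch: Callable[[str], Optional[KeyConfig]],
                 preset_duration: float, keepalive: float,
                 clock: Callable[[], float] = time.monotonic):
        self._fetch = fetch
        self._preset_duration = preset_duration
        self._keepalive = keepalive
        self._clock = clock
        self._cache: Dict[str, KeyConfig] = {}     # dynamic configuration per CPE
        self._last_seen: Dict[str, float] = {}
        self._pool = ThreadPoolExecutor(max_workers=4)

    def handle_access_request(self, cpe_id: str) -> str:
        if cpe_id not in self._cache:                          # step 402
            future = self._pool.submit(self._fetch, cpe_id)    # step 403
            try:
                config = future.result(timeout=self._preset_duration)
            except FetchTimeout:
                # Step 707: fail closed. The late reply is never read, so it
                # cannot install configuration after the CPE was refused.
                return FAIL_TIMEOUT
            if config is None:                                  # steps 605-606
                return FAIL_AUTH
            self._cache[cpe_id] = config                        # step 407
        self._last_seen[cpe_id] = self._clock()
        return ACCESS_OK                                        # step 409

    def handle_disconnect(self, cpe_id: str) -> bool:
        """Step 813: delete the cached configuration, key included."""
        self._last_seen.pop(cpe_id, None)
        return self._cache.pop(cpe_id, None) is not None

    def sweep_keepalive(self) -> List[str]:
        """Step 912: purge every CPE idle for the whole keepalive time."""
        now = self._clock()
        idle = sorted(c for c, seen in self._last_seen.items()
                      if now - seen >= self._keepalive)
        for cpe_id in idle:
            self.handle_disconnect(cpe_id)
        return idle

    def has_config(self, cpe_id: str) -> bool:
        return cpe_id in self._cache


if __name__ == "__main__":
    # Constructed sample user database; identifiers and values are made up.
    controller = Controller({
        "cpe-a.example": UserRecord(True, KeyConfig(b"sample-key", "gold", "vpn-1")),
        "cpe-b.example": UserRecord(False, KeyConfig(b"sample-key-2", "bronze", "vpn-2")),
    })
    gw = Gateway(controller.get_config, preset_duration=1.0, keepalive=30.0)
    for cpe in ("cpe-a.example", "cpe-b.example", "cpe-unknown.example"):
        print(cpe, "->", gw.handle_access_request(cpe))
    print("deleted on disconnect:", gw.handle_disconnect("cpe-a.example"))
```

In this model a cache hit skips the controller, so a permission revoked at the controller only takes effect at the GW once the entry has been purged by a disconnect or a keepalive sweep.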
All of the above optional technical solutions can be combined in any way to form optional embodiments of the disclosure, which are not described one by one here.
Figure 10 is a schematic structural diagram of an access configuration device provided by an embodiment of the present disclosure. In a specific embodiment, the device is the GW described in the above embodiments. Referring to Figure 10, the device includes:
Receiving module 1001, configured to execute the process of receiving the access request in step 402, step 602, step 702, step 802 or step 902 above;
Sending module 1002, configured to execute step 403, step 603, step 703, step 803 or step 903 above;
The receiving module 1001 is also configured to execute the process of receiving the configuration information sent by the controller in step 407, step 807 or step 907 above;
Configuration module 1003, configured to execute the process of performing access configuration for the CPE according to the configuration information in step 407, step 807 or step 907 above.
In a specific embodiment, the configuration module 1003 is configured to execute the process of modifying the static configuration information in step 407, step 807 or step 907 above.
In a kind of specific embodiment, which is also used to execute above-mentioned steps 606.
In a kind of specific embodiment, which is also used to execute above-mentioned steps 707.
In a kind of specific embodiment, which is also used to execute above-mentioned steps 408, step 808 or step 908.
In a specific embodiment, as shown in Figure 11, the device further includes:
Removing module 1004, configured to execute step 813 or step 912 above.
In a specific embodiment, the access request is sent to the GW by the CPE through the IKE protocol, and the information acquisition request is sent to the controller by the GW through the NETCONF or YANG protocol.
In a specific embodiment, the configuration information includes the authentication key, quality of service (QoS) and virtual private network (VPN) information.
In a specific embodiment, the configuration module 1003 is also configured to execute the process in step 402 above of performing access configuration for the CPE according to the configuration information of the CPE when the GW's current configuration information meets the authenticated-access requirement.
The device provided by the embodiment of the present disclosure, on receiving the access request of a CPE, obtains in real time the configuration information of the CPE stored in the controller and performs access configuration for the CPE. Because the configuration information of the CPE stored centrally in the controller can be updated in real time, the configuration information obtained by the GW is current, which effectively avoids the access failures that may result when the configuration information of the CPE in the GW cannot be updated in real time.
It should be understood that the access configuration device provided by the above embodiment is described, for access configuration, only in terms of the above division into functional modules. In practical applications, the above functions can be allocated to different functional modules as needed, that is, the internal structure of the device can be divided into different functional modules to complete all or part of the functions described above. In addition, the access configuration device provided by the above embodiment and the access configuration method embodiments belong to the same concept; for the specific implementation process, see the method embodiments, which are not repeated here.
Figure 12 is a schematic structural diagram of an information providing device provided by an embodiment of the present disclosure. In a specific embodiment, the device is the controller described in the above embodiments. Referring to Figure 12, the device includes:
Receiving module 1201, configured to execute the process of receiving the information acquisition request in step 404, step 604, step 704, step 804 or step 904 above;
Authentication module 1202, configured to execute the process of authenticating the identity of the CPE in step 404, step 604, step 704, step 804 or step 904 above;
Obtaining module 1203, configured to execute step 405, step 705, step 805 or step 905 above;
Sending module 1204, configured to execute step 406, step 706, step 806 or step 906 above.
In a specific embodiment, as shown in Figure 13, the device further includes:
Searching module 1205, configured to execute the process of looking up the identification information of the CPE in the user database in step 404, step 604, step 704, step 804 or step 904 above;
Extraction module 1206, configured to execute the process of extracting the user data in step 404, step 604, step 704, step 804 or step 904 above;
Determining module 1207, configured to execute the process of determining that authentication succeeds in step 404, step 604, step 704, step 804 or step 904 above;
The determining module 1207 is also configured to execute the process of determining that authentication fails in step 404, step 604, step 704, step 804 or step 904 above.
In a kind of specific embodiment, which is also used to execute above-mentioned steps 605.
In a kind of specific embodiment, which is also used to execute above-mentioned steps 410, step 810 or step 910.
In a specific embodiment, the access request is sent to the GW by the CPE through the IKE protocol, and the information acquisition request is sent to the controller by the GW through the NETCONF or YANG protocol.
In a kind of specific embodiment, which is also used to execute the process, shown in step 404 above, of obtaining the configuration information of the CPE out of band.
The device provided by the embodiment of the present disclosure centrally manages the configuration information of CPEs and provides configuration information to the GW when the GW needs it. This can reduce the risk of leakage of the CPE's configuration information and thereby improve the security of CPE access; centralized management also makes it easier to allocate bandwidth reasonably and manage user access.
It should be understood that the information providing device provided by the above embodiment is described, for providing information, only in terms of the above division into functional modules. In practical applications, the above functions can be allocated to different functional modules as needed, that is, the internal structure of the device can be divided into different functional modules to complete all or part of the functions described above. In addition, the information providing device provided by the above embodiment and the information providing method embodiment included in the access configuration method embodiments belong to the same concept; for the specific implementation process, see the method embodiments, which are not repeated here.
Those of ordinary skill in the art will understand that all or part of the steps of the above embodiments can be completed by hardware, or by a program instructing the relevant hardware. The program can be stored in a computer-readable storage medium, and the storage medium mentioned above can be a read-only memory, a magnetic disk, an optical disc or the like.
The above are only optional embodiments of the disclosure and are not intended to limit the disclosure. Any modification, equivalent replacement or improvement made within the spirit and principles of the disclosure shall fall within the protection scope of the disclosure.

Claims (31)

1. An access configuration method, characterized in that the method comprises:
a gateway receives an access request, the access request carrying identification information of a customer premises equipment (CPE);
the gateway sends an information acquisition request to a controller, the information acquisition request being used to instruct the controller to return configuration information;
the gateway receives the configuration information sent by the controller;
the gateway performs access configuration for the CPE according to the configuration information.
2. The method according to claim 1, characterized in that the method further comprises:
the gateway compares the configuration information with static configuration information in the gateway;
when the static configuration information has been updated, the gateway modifies the static configuration information and stores it in correspondence with the identification information of the CPE.
3. The method according to claim 1, characterized in that, after the gateway sends the information acquisition request to the controller, the method further comprises:
when an authentication failure message sent by the controller is received, the gateway sends an access failure message to the CPE.
4. The method according to claim 1, characterized in that, after the gateway sends the information acquisition request to the controller, the method further comprises:
when the configuration information is not received within a preset duration, the gateway sends an access failure message to the CPE.
5. The method according to claim 1, characterized in that, after the gateway performs access configuration for the CPE according to the configuration information, the method further comprises:
after the access configuration is completed, the gateway sends a response message to the controller, the response message being used to inform the controller that the configuration information has been received and the access configuration has been completed.
6. The method according to claim 1, characterized in that, after the gateway performs access configuration for the CPE according to the configuration information, the method further comprises:
when the gateway receives a disconnection request, the gateway deletes the configuration information from its cache according to the identification information of the CPE carried in the disconnection request, and releases connection resources; or
when the gateway detects that the CPE has disconnected, the gateway deletes the configuration information from its cache according to the identification information of the CPE, and releases connection resources.
7. The method according to claim 1, characterized in that the access request is sent by the CPE to the gateway via the Internet Key Exchange (IKE) protocol, and the information acquisition request is sent by the gateway to the controller via the Network Configuration (Netconf) or Yang protocol.
8. The method according to claim 1, characterized in that the configuration information includes an authentication key, quality of service (QoS) and virtual private network (VPN) information.
9. The method according to claim 1, characterized in that the method further comprises:
when the current configuration information of the gateway can satisfy the authentication and access requirements, the gateway performs access configuration for the CPE according to the current configuration information of the gateway.
10. An information providing method, characterized in that the method comprises:
a controller receives an information acquisition request sent by a gateway, the information acquisition request carrying identification information of a customer premises equipment (CPE);
the controller performs identity authentication on the CPE according to the identification information of the CPE;
when the authentication succeeds, the controller obtains the configuration information corresponding to the identification information of the CPE according to a correspondence between identification information and configuration information;
the controller sends the configuration information to the gateway.
11. The method according to claim 10, characterized in that the controller performing identity authentication on the CPE according to the identification information of the CPE comprises:
the controller looks up the identification information of the CPE in a user database;
when the user database includes the identification information of the CPE, the controller extracts the user data corresponding to the identification information of the CPE from the user database;
when the user data indicates that the CPE has access permission, the controller determines that the authentication succeeds;
when the controller does not find the identification information of the CPE in the user database, or the user data indicates that the CPE does not have access permission, the controller determines that the authentication fails.
12. The method according to claim 10 or 11, characterized in that the method further comprises:
when the authentication fails, the controller sends an authentication failure message to the gateway.
13. The method according to claim 10, characterized in that, after the controller sends the configuration information to the gateway, the method further comprises: the controller receives a response message returned by the gateway.
14. The method according to claim 10, characterized in that the authentication request is sent by the CPE to the gateway via the IKE protocol, and the information acquisition request is sent by the gateway to the controller via the Netconf or Yang protocol.
15. The method according to claim 10, characterized in that the process of obtaining the configuration information of the CPE comprises:
the controller interacts with at least one server to obtain the identification information and configuration information of the CPE stored on the at least one server;
the controller stores the identification information of the CPE in correspondence with the configuration information.
16. An access configuration apparatus, characterized in that it is applied to a gateway, the apparatus comprising:
a receiving module, configured to receive an access request, the access request carrying identification information and authentication type information of a customer premises equipment (CPE);
a sending module, configured to send an information acquisition request to a controller, the information acquisition request being used to instruct the controller to return configuration information;
the receiving module being further configured to receive the configuration information sent by the controller;
a configuration module, configured for the gateway to perform access configuration for the CPE according to the configuration information.
17. The apparatus according to claim 16, characterized in that the configuration module is configured to:
compare the configuration information with static configuration information in the gateway;
when the static configuration information has been updated, modify the static configuration information and store it in correspondence with the identification information of the CPE.
18. The apparatus according to claim 16, characterized in that the sending module is further configured to send an access failure message to the CPE when an authentication failure message sent by the controller is received.
19. The apparatus according to claim 16, characterized in that the sending module is further configured to send an access failure message to the CPE when the configuration information is not received within a preset duration.
20. The apparatus according to claim 16, characterized in that the sending module is further configured to send a response message to the controller after the access configuration is completed, the response message being used to inform the controller that the configuration information has been received and the access configuration has been completed.
21. The apparatus according to claim 16, characterized in that the apparatus further comprises:
a deletion module, configured to, when a disconnection request is received, delete the configuration information from the cache according to the identification information of the CPE carried in the disconnection request, and release connection resources; or
a deletion module, configured to, when it is detected that the CPE has disconnected, delete the configuration information from the cache according to the identification information of the CPE, and release connection resources.
22. The apparatus according to claim 16, characterized in that the access request is sent by the CPE to the gateway via the IKE protocol, and the information acquisition request is sent by the gateway to the controller via the Netconf or Yang protocol.
23. The apparatus according to claim 16, characterized in that the configuration information includes an authentication key, quality of service (QoS) and virtual private network (VPN) information.
24. The apparatus according to claim 16, characterized in that the configuration module is further configured to, when the current configuration information of the gateway can satisfy the authentication and access requirements, perform access configuration for the CPE according to the current configuration information of the gateway.
25. An information providing apparatus, characterized in that it is applied to a controller, the apparatus comprising:
a receiving module, configured to receive an information acquisition request, the information acquisition request carrying identification information of a customer premises equipment (CPE);
an authentication module, configured to perform identity authentication on the CPE according to the identification information of the CPE;
an obtaining module, configured to, when the authentication succeeds, obtain the configuration information corresponding to the identification information according to a correspondence between identification information and configuration information;
a sending module, configured to send the configuration information to a gateway.
26. The apparatus according to claim 25, characterized in that the apparatus further comprises:
a lookup module, configured to look up the identification information of the CPE in a user database;
an extraction module, configured to, when the user database includes the identification information of the CPE, extract the user data corresponding to the identification information of the CPE from the user database;
a determining module, configured to determine that the authentication succeeds when the user data indicates that the CPE has access permission;
the determining module being further configured to determine that the authentication fails when the identification information of the CPE is not found in the user database or the user data indicates that the CPE does not have access permission.
27. The apparatus according to claim 25 or 26, characterized in that the sending module is further configured to send an authentication failure message to the gateway when the authentication fails.
28. The apparatus according to claim 25, characterized in that the receiving module is further configured to receive a response message returned by the gateway.
29. The apparatus according to claim 25, characterized in that the authentication request is sent by the CPE to the gateway via the IKE protocol, and the information acquisition request is sent by the gateway to the controller via the Netconf or Yang protocol.
30. The apparatus according to claim 25, characterized in that the obtaining module is further configured to interact with at least one server to obtain the identification information and configuration information of the CPE stored on the at least one server, and to store the identification information of the CPE in correspondence with the configuration information.
31. A communication system, characterized in that the communication system includes a gateway and a controller, wherein the gateway is configured to perform the method steps of any one of claims 1-9, and the controller is configured to perform the method steps of any one of claims 10-15.
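The gateway/controller exchange recited in claims 1-6 and 10-13 can be modelled as follows. This is an added example, not code from the patent: the class names, message strings and sample CPE records are assumptions, and the Netconf exchange is reduced to a direct method call. It shows the security property the description relies on: the gateway holds a CPE's authentication key only while that CPE is connected.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ConfigInfo:                      # claim 8: authentication key, QoS, VPN information
    auth_key: str
    qos: str
    vpn: str

class AuthFailure(Exception):
    """Models the controller's authentication failure message (claim 12)."""

class Controller:
    def __init__(self, user_db, configs):
        self.user_db = user_db         # cpe_id -> {"access": bool}
        self.configs = configs         # cpe_id -> ConfigInfo
        self.acks = []                 # response messages from gateways (claim 13)

    def get_config(self, cpe_id):
        user = self.user_db.get(cpe_id)            # claim 11: look up the identifier
        if user is None or not user["access"]:     # unknown CPE, or no access permission
            raise AuthFailure(cpe_id)
        return self.configs[cpe_id]                # claim 10: identifier -> configuration

    def ack(self, cpe_id):
        self.acks.append(cpe_id)

class SilentController(Controller):
    """Models a controller that does not answer within the preset duration."""
    def get_config(self, cpe_id):
        raise TimeoutError(cpe_id)

class Gateway:
    def __init__(self, controller):
        self.controller = controller
        self.cache = {}                # configuration held only for connected CPEs

    def access_request(self, cpe_id):
        try:
            cfg = self.controller.get_config(cpe_id)   # information acquisition request
        except (AuthFailure, TimeoutError):
            return "access-failure"                    # claims 3 and 4
        self.cache[cpe_id] = cfg                       # claim 1: access configuration
        self.controller.ack(cpe_id)                    # claim 5: response message
        return "access-ok"

    def disconnect(self, cpe_id):
        self.cache.pop(cpe_id, None)   # claim 6: delete cached config, release resources

def build_demo():
    # Constructed sample data; identifiers and keys are placeholders.
    user_db = {"cpe-001": {"access": True}, "cpe-002": {"access": False}}
    configs = {"cpe-001": ConfigInfo("PLACEHOLDER-KEY-1", "gold", "vpn-blue"),
               "cpe-002": ConfigInfo("PLACEHOLDER-KEY-2", "bronze", "vpn-red")}
    controller = Controller(user_db, configs)
    return controller, Gateway(controller)

if __name__ == "__main__":
    ctrl, gw = build_demo()
    for cpe in ("cpe-001", "cpe-002", "cpe-999"):
        print(cpe, gw.access_request(cpe), sorted(gw.cache))
    gw.disconnect("cpe-001")
    print("after disconnect:", gw.cache)
```
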
CN201711365123.5A 2017-12-18 2017-12-18 Access configuration method, information providing method and device Active CN109936515B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201711365123.5A CN109936515B (en) 2017-12-18 2017-12-18 Access configuration method, information providing method and device
PCT/CN2018/121448 WO2019120160A1 (en) 2017-12-18 2018-12-17 Method and device for data storage, and distributed storage system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201711365123.5A CN109936515B (en) 2017-12-18 2017-12-18 Access configuration method, information providing method and device

Publications (2)

Publication Number Publication Date
CN109936515A true CN109936515A (en) 2019-06-25
CN109936515B CN109936515B (en) 2021-06-04

Family

ID=66982589

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711365123.5A Active CN109936515B (en) 2017-12-18 2017-12-18 Access configuration method, information providing method and device

Country Status (2)

Country Link
CN (1) CN109936515B (en)
WO (1) WO2019120160A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111314355A (en) * 2020-02-20 2020-06-19 深信服科技股份有限公司 Authentication method, device, equipment and medium of VPN (virtual private network) server
CN112399130A (en) * 2019-08-16 2021-02-23 北京紫荆视通科技有限公司 Processing method and device of cloud video conference information, storage medium and communication equipment
CN114006807A (en) * 2020-07-14 2022-02-01 青岛海信电子产业控股股份有限公司 Client terminal equipment, configuration method thereof and configuration server

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113794583B (en) * 2021-08-15 2023-12-29 新华三信息安全技术有限公司 Configuration method and device

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101227415A (en) * 2008-02-04 2008-07-23 华为技术有限公司 Multi business resource allocation method, system, gateway equipment and authentication server
CN101621433A (en) * 2008-07-02 2010-01-06 上海华为技术有限公司 Method, device and system for configuring access equipment
CN104917849A (en) * 2014-03-11 2015-09-16 华为技术有限公司 Message processing method, access controller and network node
KR20170017860A (en) * 2016-12-30 2017-02-15 주식회사 모바일컨버전스 Network virtualization system based of network vpn
CN106713057A (en) * 2015-07-30 2017-05-24 华为技术有限公司 Method for performing tunnel detection and device and system thereof

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114500135B (en) * 2012-02-22 2023-03-24 华为技术有限公司 Access method, device and system of user terminal equipment
EP2887580A1 (en) * 2013-12-23 2015-06-24 Telefonica S.A. Method and system for modifying configuration parameters on a user equipment and an Auto Configuration Server-Gateway

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112399130A (en) * 2019-08-16 2021-02-23 北京紫荆视通科技有限公司 Processing method and device of cloud video conference information, storage medium and communication equipment
CN112399130B (en) * 2019-08-16 2023-04-07 北京紫荆视通科技有限公司 Processing method and device of cloud video conference information, storage medium and communication equipment
CN111314355A (en) * 2020-02-20 2020-06-19 深信服科技股份有限公司 Authentication method, device, equipment and medium of VPN (virtual private network) server
CN114006807A (en) * 2020-07-14 2022-02-01 青岛海信电子产业控股股份有限公司 Client terminal equipment, configuration method thereof and configuration server

Also Published As

Publication number Publication date
WO2019120160A1 (en) 2019-06-27
CN109936515B (en) 2021-06-04

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20211222

Address after: 450046 Floor 9, building 1, Zhengshang Boya Plaza, Longzihu wisdom Island, Zhengdong New Area, Zhengzhou City, Henan Province

Patentee after: xFusion Digital Technologies Co., Ltd.

Address before: 518129 Bantian HUAWEI headquarters office building, Longgang District, Guangdong, Shenzhen

Patentee before: HUAWEI TECHNOLOGIES Co.,Ltd.
