CN109936515A - Access configuration method, information providing method and device - Google Patents
- Publication number: CN109936515A
- Authority: CN (China)
- Prior art keywords: cpe, information, controller, configuration information, gateway
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/40—Network security protocols
- H04L12/00—Data switching networks
- H04L12/28—Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
- H04L12/46—Interconnection of networks
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The present disclosure provides an access configuration method, an information providing method, and devices, belonging to the field of communication technology. The method includes: a gateway receives an access request, the access request carrying the identification information and authentication type information of a customer premises equipment (CPE); the gateway sends an information acquisition request to a controller, the information acquisition request instructing the controller to return configuration information; the gateway receives the configuration information sent by the controller; and the gateway performs access configuration for the CPE according to the configuration information. In the disclosure, when the gateway receives the access request of a CPE, it obtains up-to-date configuration information from the controller in real time and performs access configuration for the CPE, which effectively avoids access failures that may occur because the CPE's configuration information on the gateway cannot be updated in real time.
Description
Technical field
This disclosure relates to the field of communication technology, and in particular to an access configuration method, an information providing method, and devices.
Background
With the development of communication technology, a customer premises equipment (CPE) can access a gateway (GW) through Internet Protocol Security (IPSec): the GW establishes an IPSec tunnel for the CPE so that the CPE and the GW can communicate.
Currently, the configuration information that each CPE and the gateway need when establishing an IPSec tunnel is generally configured statically on the GW. Examples include the authentication key the CPE needs when communicating with the GW over the established IPSec tunnel, quality of service (QoS), the virtual private network (VPN) information needed to forward data to other GWs, the authentication type, keys, the keep-alive time, and so on. The authentication key, QoS and VPN information bear on the CPE's communication security and communication quality, so these three are the key configuration information of the CPE. When a CPE needs to access a GW, it sends an access request, which a load balancer (LB) distributes in real time to one of the GWs. On receiving the access request, that GW extracts the configuration information of the CPE, performs access configuration for the CPE, and sets up an IPSec tunnel between the CPE and the GW, enabling communication between them.
In implementing the present disclosure, the inventors found that the prior art has at least the following problem:
Because there are many GWs, and a CPE that wants to access a GW is in practice assigned one by the load balancer, the GW a CPE accesses is not fixed. In this scenario, once the configuration information of the CPE is updated, it cannot be updated in real time on every GW, and access may fail when the CPE accesses a GW that has not been updated in real time.
Summary of the invention
The embodiments of the present disclosure provide an access configuration method, an information providing method, and devices, which can solve the problem of access failure in the prior art. The technical solutions are as follows:
In a first aspect, an access configuration method is provided, the method comprising:
A GW receives an access request, the access request carrying the identification information of a UE;
The GW sends an information acquisition request to a controller, the information acquisition request being used to instruct the controller to return configuration information;
The GW receives the configuration information sent by the controller;
The GW performs access configuration for the UE according to the configuration information.
The identification information of the CPE carried in the access request may be an Internet Protocol (IP) address or the subscriber identity information of the CPE, which is not limited in the present disclosure.
The configuration information may include static configuration information and key configuration information. The static configuration information may be a general access template, which may include the above-mentioned negotiation mode, encryption and authentication algorithm, authentication type, key, keep-alive time, and so on; the key configuration information is the authentication key, QoS and VPN information.
In the embodiments of the present disclosure, when the access request of a CPE is received, the configuration information of the CPE stored in the controller is obtained in real time and access configuration is performed for the CPE. Because the CPE configuration information stored centrally by the controller can be updated in real time, the configuration information the GW obtains is up to date, which effectively avoids access failures that may occur because the CPE's configuration information in the GW cannot be updated in real time. Furthermore, because the controller centrally manages the key configuration information within the CPE's configuration information, the risk of leaking the CPE's key configuration information can be reduced, improving the security of CPE access; centralized management also makes it easier to allocate bandwidth reasonably and to manage user access.
In a possible design, performing the access configuration corresponding to the configuration information for the UE comprises:
The GW compares the configuration information with the static configuration information in the GW;
When the static configuration information has been updated, the GW modifies the static configuration information and stores it in correspondence with the identification information of the UE.
This compensates for the defect that the GW is not updated in real time when the static configuration information of a CPE is updated. The GW can therefore perform access configuration according to the updated static configuration information and key configuration information, effectively avoiding access failures that may occur because the static configuration information in the GW cannot be updated in real time.
In a possible design, after the GW sends the information acquisition request to the controller, the method further comprises:
When an authentication failure message sent by the controller is received, the GW sends an access failure message to the UE.
By setting an authentication failure mechanism, the embodiments of the present disclosure allow the controller to authenticate the CPE, so that CPE access is managed centrally.
In a possible design, after the GW sends the information acquisition request to the controller, the method further comprises:
When the configuration information is not received within a preset duration, the GW sends an access failure message to the UE.
By setting a timeout authentication failure mechanism, the embodiments of the present disclosure can determine that authentication has failed when a request goes without a response for a long time, which prevents a processing process from abnormally holding resources indefinitely.
In a possible design, after the GW performs access configuration for the UE according to the configuration information, the method further comprises:
After the access configuration is completed, the GW sends a response message to the controller, the response message informing the controller that the configuration information has been received and that access configuration is complete.
In a possible design, after the GW performs access configuration for the UE according to the configuration information, the method further comprises:
When a disconnection request is received, the GW deletes the configuration information from the cache according to the identification information of the UE carried in the disconnection request, and releases the connection resources; or,
When it is detected that the UE has disconnected, the GW deletes the configuration information from the cache according to the identification information of the UE, and releases the connection resources.
By setting a keep-alive mechanism and a mechanism for deleting dynamic configuration, the embodiments of the present disclosure delete the dynamic configuration information when the CPE disconnects normally or when keep-alive detection finds that the CPE has had no interaction within the defined keep-alive time. This avoids network congestion and reduces the storage burden on the GW. The configuration information obtained from the controller and the connection resources may be referred to as the dynamic configuration information of the CPE.
In a possible design, the access request is sent by the UE to the GW through the Internet Key Exchange (IKE) protocol, and the information acquisition request is sent by the GW to the controller through the Network Configuration (Netconf) or Yang protocol.
In a possible design, the configuration information includes the authentication key, quality of service (QoS) and virtual private network (VPN) information.
In a possible design, when the current configuration information of the GW can meet the authentication access requirement, the GW performs access configuration for the UE according to the current configuration information of the GW.
In a second aspect, an information providing method is provided, the method comprising:
A controller receives an information acquisition request sent by a GW, the information acquisition request carrying the identification information of a UE;
The controller authenticates the UE according to the identification information of the UE;
When authentication succeeds, the controller obtains the configuration information corresponding to the identification information of the UE according to the correspondence between identification information and configuration information;
The controller sends the configuration information to the GW.
In a possible design, the controller authenticating the UE according to the identification information of the UE comprises:
The controller looks up the identification information of the UE in a user database;
When the user database includes the identification information of the UE, the controller extracts from the user database the user data corresponding to the identification information of the UE;
When the user data indicates that the UE has access authority, the controller determines that authentication succeeds;
When the identification information of the UE is not found in the user database, or the user data indicates that the UE does not have access authority, the controller determines that authentication fails.
In a possible design, the method further comprises: when authentication fails, the controller sends an authentication failure message to the GW.
In a possible design, after the controller sends the configuration information to the GW, the method further comprises: receiving the response message returned by the GW.
In a possible design, the authentication request is sent by the UE to the GW through the IKE protocol, and the information acquisition request is sent by the GW to the controller through the Netconf or Yang protocol.
In a possible design, the process of obtaining the configuration information of the UE comprises:
The controller obtains, by interacting with at least one server, the identification information and configuration information of the UE stored on the at least one server;
The controller stores the identification information of the UE in correspondence with the configuration information.
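The GW-side flow of the first aspect and the controller-side flow of the second aspect, as an added sketch in Python that is not part of the patent text. The class names, message fields, timeout values and sample identifiers are assumptions made for illustration; the real exchanges would run over IKE and Netconf rather than in-process calls.

```python
import concurrent.futures as cf
import time

# Constructed sample template; values are illustrative, not from the patent.
STATIC_TEMPLATE = {"ike": "IKEv2", "auth_type": "PSK", "keepalive_s": 30}


class Controller:
    """Central store mapping identification info to user data and key config."""

    def __init__(self, delay_s=0.0):
        self.user_db = {}       # cpe_id -> {"access": bool}
        self.key_config = {}    # cpe_id -> {"auth_key", "qos", "vpn"}
        self.acks = []          # response messages received from GWs
        self.delay_s = delay_s  # models a controller that answers late

    def provision(self, cpe_id, auth_key, qos, vpn, access=True):
        self.user_db[cpe_id] = {"access": access}
        self.key_config[cpe_id] = {"auth_key": auth_key, "qos": qos, "vpn": vpn}

    def info_request(self, cpe_id):
        time.sleep(self.delay_s)
        user = self.user_db.get(cpe_id)
        # Unknown identifier or no access authority: authentication fails.
        if user is None or not user["access"]:
            return {"status": "auth_failed"}
        return {"status": "ok", "config": dict(self.key_config[cpe_id])}

    def response(self, gw_name, cpe_id):
        self.acks.append((gw_name, cpe_id))


class Gateway:
    def __init__(self, name, controller, timeout_s=1.0):
        self.name, self.controller, self.timeout_s = name, controller, timeout_s
        self.cache = {}  # cpe_id -> dynamic configuration held while connected
        self._pool = cf.ThreadPoolExecutor(max_workers=2)

    def access_request(self, cpe_id):
        # Current configuration already meets the requirement: no controller call.
        cfg = self.cache.get(cpe_id)
        if cfg is not None:
            return {"result": "configured", "source": "local", "config": cfg}
        # Otherwise ask the controller, bounded by the preset duration.
        fut = self._pool.submit(self.controller.info_request, cpe_id)
        try:
            reply = fut.result(timeout=self.timeout_s)
        except cf.TimeoutError:
            return {"result": "access_failed", "reason": "timeout"}
        if reply["status"] != "ok":
            return {"result": "access_failed", "reason": "auth_failed"}
        cfg = {**STATIC_TEMPLATE, **reply["config"]}
        self.cache[cpe_id] = cfg
        self.controller.response(self.name, cpe_id)  # response message to controller
        return {"result": "configured", "source": "controller", "config": cfg}

    def disconnect(self, cpe_id):
        # Delete the dynamic configuration so key material does not linger on the GW.
        return self.cache.pop(cpe_id, None) is not None


def demo():
    cpe1, cpe2 = "cpe1.example.net", "cpe2.example.net"  # constructed identifiers
    ctrl = Controller()
    ctrl.provision(cpe1, "key-v1", "gold", "vpn-a")
    ctrl.provision(cpe2, "key-x", "bronze", "vpn-b", access=False)
    gw1, gw2 = Gateway("gw1", ctrl), Gateway("gw2", ctrl)

    first = gw1.access_request(cpe1)
    repeat = gw1.access_request(cpe1)
    gw1.disconnect(cpe1)
    ctrl.provision(cpe1, "key-v2", "gold", "vpn-a")  # configuration is updated centrally
    after_update = gw2.access_request(cpe1)          # load balancer picks another GW
    slow_gw = Gateway("gw3", Controller(delay_s=0.3), timeout_s=0.05)
    return {
        "first": first,
        "repeat": repeat,
        "after_update": after_update,
        "denied": gw1.access_request(cpe2),
        "unknown": gw1.access_request("cpe3.example.net"),
        "slow": slow_gw.access_request(cpe1),
        "cached_after_disconnect": cpe1 in gw1.cache,
        "acks": ctrl.acks,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The `after_update` result shows the point of the design: a GW that never saw the CPE before still gets the current key, and `gw1` holds nothing for the CPE once it has disconnected.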
In a third aspect, an access configuration device is provided, applied to a GW. The device includes multiple functional modules to implement the access configuration method of the first aspect and any possible design of the first aspect.
In a fourth aspect, an information providing device is provided, applied to a controller. The device includes multiple functional modules to implement the information providing method of the second aspect and any possible design of the second aspect.
In a fifth aspect, a GW is provided. The GW includes a memory and a processor; the memory stores a plurality of instructions suitable for being loaded and executed by the processor to perform the access configuration method of the first aspect and any possible design of the first aspect.
In a sixth aspect, a controller is provided. The controller includes a memory and a processor; the memory stores a plurality of instructions suitable for being loaded and executed by the processor to perform the information providing method of the second aspect and any possible design of the second aspect.
In a seventh aspect, a computer readable storage medium is provided. Instructions are stored on the computer readable storage medium and are executed by a processor to carry out the access configuration method of the first aspect and any possible design of the first aspect, or the information providing method of the second aspect and any possible design of the second aspect.
In an eighth aspect, a communication system is provided. The communication system includes a GW and a controller, where the GW is used to execute the access configuration method of the first aspect and any possible design of the first aspect, and the controller is used to execute the information providing method of the second aspect and any possible design of the second aspect.
Brief description of the drawings
Fig. 1 is a schematic diagram of the implementation environment of an access configuration method and an information providing method provided by an embodiment of the present disclosure;
Fig. 2 is a structural block diagram of a GW 200 provided by an embodiment of the present disclosure;
Fig. 3 is a structural block diagram of a controller 300 provided by an embodiment of the present disclosure;
Fig. 4 is a flow chart of an access configuration method provided by an embodiment of the present disclosure;
Fig. 5 is a schematic diagram of message transmission in an access configuration flow provided by an embodiment of the present disclosure;
Fig. 6 is a flow chart of an access configuration method provided by an embodiment of the present disclosure;
Fig. 7 is a flow chart of an access configuration method provided by an embodiment of the present disclosure;
Fig. 8 is a flow chart of an access configuration method provided by an embodiment of the present disclosure;
Fig. 9 is a flow chart of an access configuration method provided by an embodiment of the present disclosure;
Fig. 10 is a structural schematic diagram of an access configuration device provided by an embodiment of the present disclosure;
Fig. 11 is a structural schematic diagram of an access configuration device provided by an embodiment of the present disclosure;
Fig. 12 is a structural schematic diagram of an information providing device provided by an embodiment of the present disclosure;
Fig. 13 is a structural schematic diagram of an information providing device provided by an embodiment of the present disclosure.
Detailed description of the embodiments
To facilitate understanding of the present disclosure, the implementation environment of the access configuration method and the information providing method is introduced here. Referring to Fig. 1, the implementation environment includes a customer premises equipment (CPE), a gateway (GW) and a controller (Controller).
A CPE is a customer premises equipment. It typically performs IKE negotiation with the GW through a statically configured IPSec interface, and the GW, based on the statically configured IPSec interface, configures the IPSec tunnel that the CPE needs for normal communication. The CPE accesses the GW through this IPSec tunnel and can thereby obtain large amounts of cloud data in the cloud data center, in order to provide network communication services for users.
A GW is an access device. It is located at the edge access layer of the software-based architecture and provides an access interface for CPEs. The basic function of the GW is data forwarding; it also performs access authentication for CPEs, establishes communication tunnels, and so on. The GW can also perform traffic management and the like for CPEs, which is not described further here.
A controller is a network management device that can be deployed in each data center. The GW can obtain information by communicating with the controller, and the controller can analyze the information sent by the GW or the information exchanged with other controllers to implement network control and management. In the embodiments of the present disclosure, the controller may be a software defined network (Software Defined Network, SDN) controller, or another server on which a network management system is installed, which is not specifically limited in the present disclosure.
Referring to Fig. 1, a CPE can perform IKE negotiation with the GW through the statically configured IPSec interface, and the GW configures an IPSec tunnel for the CPE. Once the tunnel has been configured successfully, the CPE is one end of the IPSec tunnel and the GW is the other end. An LB may also sit between the CPE and the GW, with the LB assigning a GW to the CPE. The CPE and the GW can interact through IKE, and the GW and the controller can interact through the Netconf or Yang protocol. Of course, the interaction protocols between the CPE and the GW or between the GW and the controller include but are not limited to the protocols above, and the present disclosure does not specifically limit this.
Fig. 2 is a structural block diagram of a GW 200 provided by an embodiment of the present disclosure. Referring to Fig. 2, the GW 200 includes a transceiver 201, a memory 202 and a processor 203. The transceiver 201 and the memory 202 are each connected to the processor 203. The memory 202 stores program code, and the processor 203 is used to call the program code to implement the access configuration method in the following embodiments.
For example, the transceiver 201 may be a physical interface card. Through the physical interface card, the GW can receive requests or messages sent by other devices and can send requests or messages to other devices.
The processor 203 may be a network processor or a central processing unit. After the physical interface card receives a request, it can send the request or message to the network processor; the network processor checks the request, looks up the table entry and delivers it to the central processing unit, and the central processing unit handles the request.
The memory 202 may be a forwarding table entry memory, used to store the table entries forwarded by the network processor.
Fig. 3 is a structural block diagram of a controller 300 provided by an embodiment of the present disclosure. For example, the controller 300 may be provided as a server. Referring to Fig. 3, the controller 300 includes a transceiver 301, a memory 302 and a processor 303. The transceiver 301 and the memory 302 are each connected to the processor 303. The memory 302 stores program code, and the processor 303 is used to call the program code to implement the information providing method in the following embodiments.
For example, the transceiver 301 may be a physical interface card. Through the physical interface card, the controller can receive requests or messages sent by other devices and can send requests or messages to other devices.
The processor 303 may be a network processor or a central processing unit. After the physical interface card receives a request, it can send the request or message to the network processor; the network processor checks the request, looks up the table entry and delivers it to the central processing unit, and the central processing unit handles the request.
The memory 302 may be a forwarding table entry memory, used to store the table entries forwarded by the network processor.
In an exemplary embodiment, a computer readable storage medium is also provided, for example a memory including instructions. The instructions can be executed by the processor in the GW to complete the access configuration method in the following embodiments, or by the processor in the controller to complete the information providing method in the following embodiments. For example, the computer readable storage medium may be a ROM, a random access memory (RAM), a CD-ROM, a magnetic tape, a floppy disk, an optical data storage device, and so on.
In an exemplary embodiment, a communication system is also provided. The communication system includes the GW 200 shown in Fig. 2 and the controller 300 shown in Fig. 3, which communicate through the transceiver 201 and the transceiver 301. The memory 202 on the GW 200 stores program code, and the processor 203 on the GW 200 is used to call the program code to implement the GW-side method steps of the access configuration method in the following embodiments. The memory 302 on the controller 300 stores program code, and when the processor 303 on the controller 300 calls the program code, it implements the controller-side method steps of the access configuration method in the following embodiments.
In the embodiments of the present disclosure, the CPE performs IKE negotiation with the GW through the statically configured IPSec interface, and through this IKE negotiation an IPSec tunnel is configured between the CPE and the GW so that the CPE and the GW can subsequently communicate normally and transmit communication data. The IKE negotiation may use the IKEv1 protocol or the IKEv2 protocol; when IKEv1 is used, two different negotiation modes are also available, main mode and aggressive mode. The embodiments of the present disclosure are described only with negotiation using the IKEv2 protocol as an example. During the IKE negotiation, the GW needs to negotiate with the CPE based on the configuration information of the CPE in order to set up the IPSec tunnel. The configuration information of the CPE includes static configuration information and key configuration information. The static configuration information may be a general access template, which may include the above-mentioned negotiation mode, encryption and authentication algorithm, authentication type, key, keep-alive time, and so on; the key configuration information is the authentication key, QoS and VPN information.
Fig. 4 is a flow chart of an access configuration method provided by an embodiment of the present disclosure. The access configuration method is applied to a GW, for example the GW shown in Fig. 2. By interacting with the controller, the GW can obtain configuration information from the controller in real time and perform access configuration for the CPE. In this process, the controller executes the information providing method within the access configuration method and provides the GW with the configuration information it needs. Referring to Fig. 4, the access configuration process specifically includes the following steps:
401. The CPE sends an access request to the GW, the access request carrying the identification information of the CPE.
In a specific embodiment, before step 401 the CPE may first complete an initial exchange with the GW. During this initial exchange, the CPE and the GW negotiate the encryption and authentication algorithm, the authentication type and a key; the key is used to encrypt or decrypt the requests or messages sent during subsequent negotiation between the CPE and the GW. The authentication type is the one pre-configured on the CPE. It may be PSK, Public Key Infrastructure (PKI), or another authentication type; the embodiments of the present disclosure are described only with the PSK authentication type as an example.
After completing the initial exchange, the CPE sends the access request to the GW. The identification information of the CPE carried in the access request may be an IP address or the subscriber identity information of the CPE, which is not limited in the present disclosure. For example, the identification information of the CPE carried in the access request is the CPE fully qualified domain name (Fully Qualified Domain Name, FQDN) / user fully qualified domain name (User-Fully Qualified Domain Name, U-FQDN), where the CPE FQDN/U-FQDN is the domain name of the CPE and uniquely identifies the CPE.
402. On receiving the access request, the GW determines whether its current configuration information meets the authentication access requirement; if not, step 403 is executed.
A general access template is usually statically configured on the GW, but some GWs may also have the key configuration information of the CPE set in advance. On receiving the access request, the GW can therefore determine whether its current configuration information already includes the information that this authentication access procedure needs to exchange, that is, the configuration information of the CPE. If the current configuration information in the GW already includes the static configuration information and the key configuration information, i.e. the current configuration information of the GW can meet the authentication access requirement, the GW can perform access configuration for the CPE directly according to the configuration information of the CPE without interacting with the controller. This is the same as the access configuration method in the prior art and is not described further here.
If the current configuration information in the GW does not include key configuration information such as the authentication key, QoS and VPN information, i.e. the current configuration information contains only static configuration information and cannot meet the authentication access requirement, the GW executes step 403 below.
In a specific embodiment, when the GW receives the access request, it may decrypt the access request with the key exchanged in step 401 and perform an integrity check; when decryption succeeds and the content of the request is determined to be complete, step 402 can be executed. Of course, the GW may also perform other validity checks on the request, which is not limited in the present disclosure.
403, when GW current configuration information, which is not able to satisfy certification access, to be required, GW sends acquisition of information to controller and asks
It asks.
In a specific embodiment, which carries the identification information of CPE, which uses
In instruction, the controller returns to configuration information.The configuration information then may include above-mentioned key configuration information, that is to say that certification is close
Key, Qos, VPN information.For example, the information acquisition request can be Netconf standard message or Yang standard message, then report
Information in text may include the identification information of CPE.
It should be noted that in the prior art, the GW sends a response message to the CPE in step 402 and continues the negotiation. In the embodiment of the present disclosure, because the GW lacks the key configuration information, it needs to send an information acquisition request to the controller to obtain the key configuration information. If the GW did not send an information acquisition request to the server and simply continued negotiating with the CPE, the negotiation would eventually fail because the key configuration information is missing.
Step 403 covers the case in step 402 above where the current configuration information does not satisfy the authentication access requirement. If it does satisfy the requirement, that is, the information that the authentication access for this access request needs to exchange already exists in the GW, the related-art method steps described in step 402 above are performed.
404. When the information acquisition request is received, the controller performs identity authentication on the CPE according to the identification information of the CPE carried in the information acquisition request.
In a specific embodiment, the controller can obtain the configuration information of the CPE out of band. Specifically, the controller can interact with at least one server to obtain the identification information and configuration information of the CPE stored on the at least one server, and then store the identification information of the CPE in correspondence with the configuration information. For example, when a user applies to a service provider for an IP address, the server can allocate an IP address to the user and, according to the user's requirements, allocate QoS, VPN information and so on, and store the configuration information and the IP address on the server. The controller can obtain the IP address and the configuration information by interacting with the server, and store the IP address and the configuration information in correspondence.
It should be noted that when the controller obtains the configuration information of the CPE, it can obtain the key configuration information of the CPE, or both the key configuration information and the static configuration information of the CPE. The controller can store the correspondence between the configuration information of each CPE and the identification information of that CPE, as the user data of each CPE, in a user database in the controller. When the configuration information of a CPE is updated, the controller can obtain the updated configuration information in real time and update the corresponding user data in the user database.
In a specific embodiment, after extracting the identification information of the CPE from the information acquisition request, the controller can perform the following steps (1) to (4) to authenticate the identity of the CPE and determine whether the CPE is allowed to access:
(1) The controller looks up the identification information of the CPE in the user database.
(2) When the user database includes the identification information of the CPE, the controller extracts the user data corresponding to the identification information of the CPE from the user database.
(3) When the user data indicates that the CPE has access permission, the controller determines that authentication succeeds.
(4) When the identification information of the CPE is not found in the user database, or the user data indicates that the CPE does not have access permission, the controller determines that authentication fails.
In a specific implementation, the identity authentication can also include other authentication methods such as legitimacy verification of the CPE's information and certificate verification, which the present disclosure does not limit.
405. When authentication succeeds, the controller obtains the configuration information corresponding to the identification information of the CPE according to the correspondence between identification information and configuration information.
When authentication succeeds, the controller determines that the CPE is allowed to access the GW, so it can send the configuration information of the CPE to the GW, and the GW performs the subsequent access configuration. The configuration information includes the authentication key, quality of service (QoS) and virtual private network (VPN) information, that is, the key configuration information of the CPE.
In a specific embodiment, in addition to the key configuration information of the CPE, the controller can also obtain the static configuration information of the CPE.
406. The controller sends the configuration information to the GW.
Consistent with step 405, when the configuration information obtained by the controller is key configuration information, the controller sends the key configuration information to the GW; when the configuration information obtained by the controller is key configuration information and static configuration information, the controller sends both the key configuration information and the static configuration information to the GW.
In a specific embodiment, the configuration information can also be transmitted in the form of the Netconf standard message or Yang standard message described above, where the information in the message includes the configuration information of the CPE and the identification information of the CPE. The protocol used between the controller and the GW can also be another protocol, which the embodiment of the present disclosure does not limit.
407. When the configuration information sent by the controller is received, the GW performs access configuration for the CPE according to the configuration information.
When the received configuration information is key configuration information, the GW can perform access configuration such as routing configuration and bandwidth configuration for the CPE.
In a specific embodiment, when the received configuration information is key configuration information and static configuration information, the GW can compare the static configuration information in the received configuration information with the static configuration information in the GW. When the static configuration information has been updated, the GW can modify its static configuration information and store the modified static configuration information in correspondence with the identification information of the CPE. This makes up for the defect that the static configuration information of the CPE has been updated while the GW has not been updated in real time. The GW can then perform access configuration according to the updated static configuration information and the key configuration information, which effectively avoids the access failures that could result from the static configuration information in the GW not being updated in real time.
In a specific implementation, when the GW receives the configuration information, it can send a reception response to the controller to inform the controller that the configuration information has been successfully received.
408. After completing the access configuration, the GW sends a response message to the controller.
The response message is used to tell the server that the configuration information has been received and that the access configuration is complete.
409. After completing the access configuration, the GW sends an access configuration success message to the CPE.
The access configuration success message is used to inform the CPE that the corresponding access configuration has been completed according to the configuration information. In practical applications, the GW can also continue negotiating with the CPE and finally establish an IPsec tunnel, so that the CPE is connected to the GW.
In a specific implementation, steps 408 and 409 can be performed simultaneously, or step 409 can be performed first and then step 408. That is, after completing the access configuration, the GW can send the response message to the controller and the access configuration success message to the CPE at the same time, or it can first send the access configuration success message to the CPE and then send the response message to the controller. The embodiment of the present disclosure does not limit this.
410. The controller receives the response message.
411. The CPE receives the access configuration success message.
The above describes the flow of the access configuration method. The transmission of requests and messages during the access configuration process is described in detail below through the embodiment shown in Fig. 5. Fig. 5 is a schematic diagram of message transmission during an access configuration process provided by an embodiment of the present disclosure. The two parties to the message transmission shown in Fig. 5 can be the GW shown in Fig. 2 and the controller shown in Fig. 3. Fig. 5 mainly illustrates the message transmission, and the present disclosure does not specifically limit the format or the specific content of the messages. Referring to Fig. 5, the terms involved in Fig. 5 are explained in Table 1 below:
Table 1
The CPE sends IKE_SA_INIT: HDR, SAi1, KEi, Ni to the GW. On receiving this message, the GW returns IKE_SA_INIT: HDR, SAr1, KEr, Nr, completing the initial exchange, in which the decryption and authentication algorithms, the key and the authentication type are negotiated. The CPE then sends the first message of the authentication exchange to the GW, that is, IKE_AUTH: HDR, SK {IDi, AUTH, SAi2, TSi, TSr}. The content of this message includes IDi = CPE FQDN/U-FQDN, so the identity information (ID) of the CPE is CPE FQDN/U-FQDN, which is the identification information of the CPE. After receiving this authentication message, the GW sends a notification message to the controller to notify it that the user whose ID is CPE FQDN/U-FQDN is online, and the controller can then perform access control on that user. The access control process is as follows: using the ID of the CPE as the key, the controller searches the stored information for the authentication key, QoS and VPN information corresponding to this ID and performs identity authentication on the CPE; when authentication passes, it sends the authentication key, QoS and VPN information to the GW. On receiving this configuration information, the GW performs access configuration and, once configuration is complete, replies with a response message, that is, a REPLY message whose content is OK. The GW then sends the CPE the response to the first authentication message, IKE_AUTH: HDR, SK {IDr, AUTH, SAr2, TSi, TSr}, which completes the AUTH authentication exchange. Other negotiation follows, and the present disclosure does not elaborate on the subsequent negotiation.
In the embodiment of the present disclosure, when an access request from a CPE is received, the configuration information of the CPE stored in the controller is obtained in real time and used to perform access configuration for the CPE. Because the configuration information of the CPE stored centrally by the controller can be updated in real time, the configuration information obtained by the GW is current, which effectively avoids the access failures that could result from the configuration information of the CPE in the GW not being updated in real time. In addition, because the controller centrally manages the key configuration information within the configuration information of the CPE, the risk of the key configuration information of the CPE being leaked can be further reduced, which improves the security of CPE access. Centralized management also makes it easier to allocate bandwidth reasonably and to manage user access.
The above embodiment only describes the case where authentication succeeds in step (3) of step 404. In step (4) of step 404, the controller determines that authentication fails, that is, that the CPE is not allowed to access the GW, so there is no need to send configuration information to the GW. In this authentication failure case, the controller no longer performs step 405, and the subsequent steps 406 to 410 do not take place either. The authentication failure case is described in detail below with the embodiment shown in Fig. 6.
Fig. 6 is a flowchart of an access configuration method provided by an embodiment of the present disclosure. The access configuration method is applied to a GW, for example the GW shown in Fig. 2. This embodiment provides the access configuration method flow when identity authentication fails. Referring to Fig. 6, the access configuration process includes the following steps:
601. The CPE sends an access request to the GW, the access request carrying the identification information of the CPE.
602. When the access request is received, the GW determines whether its current configuration information satisfies the authentication access requirement; if not, step 603 is performed.
603. When the GW's current configuration information cannot satisfy the authentication access requirement, the GW sends an information acquisition request to the controller.
604. When the information acquisition request is received, the controller performs identity authentication on the CPE according to the identification information of the CPE carried in the information acquisition request.
Steps 601 to 604 are the same as steps 401 to 404 above and are not repeated here.
605. When authentication fails, the controller sends an authentication failure message to the GW.
When authentication fails, the controller determines that the CPE is not allowed to access, so it does not send configuration information to the GW. Instead it sends an authentication failure message to the GW to inform the GW that it need not perform access configuration for the CPE.
606. When the authentication failure message is received, the GW sends an access failure message to the CPE.
607. The CPE receives the access failure message.
The access failure message is used to inform the CPE that this access has failed. In practical applications, the access failure message can also carry the reason for the access failure: identity authentication failure.
By setting an authentication failure mechanism, the embodiment of the present disclosure allows the controller to authenticate the identity of the CPE and to centrally manage CPE access.
Step 407 of the embodiment shown in Fig. 4 describes one possible scenario, in which the GW receives the configuration information. In practical applications there is another possible scenario: the configuration information is not received within a preset duration. This scenario is also a case of authentication failure and is described below in the embodiment shown in Fig. 7.
Fig. 7 is a flowchart of an access configuration method provided by an embodiment of the present disclosure. The access configuration method is applied to a GW, for example the GW shown in Fig. 2. This embodiment provides the access configuration method flow when authentication fails because of a timeout. Referring to Fig. 7, the method includes the following steps:
701. The CPE sends an access request to the GW, the access request carrying the identification information of the CPE.
702. When the access request is received, the GW determines whether its current configuration information satisfies the authentication access requirement; if not, step 703 is performed.
703. When the GW's current configuration information cannot satisfy the authentication access requirement, the GW sends an information acquisition request to the controller.
704. When the information acquisition request is received, the controller performs identity authentication on the CPE according to the identification information of the CPE carried in the information acquisition request.
705. When authentication succeeds, the controller obtains the configuration information corresponding to the identification information of the CPE according to the correspondence between identification information and configuration information.
706. The controller sends the configuration information to the GW.
Steps 701 to 706 are the same as steps 401 to 406 and are not repeated here.
707. When the configuration information is not received within the preset duration, the GW sends an access failure message to the CPE.
A timeout authentication failure mechanism can be set in the GW: when the configuration information sent by the controller is not received within the preset duration, the access can be considered to have failed for lack of key configuration information. The access failure message is used to inform the CPE that this access has failed. In practical applications, the access failure message can also carry the reason for the failure: timeout, no response.
708. The CPE receives the access failure message.
By setting a timeout authentication failure mechanism, the embodiment of the present disclosure can determine that authentication has failed when a request goes without a response for a long time, which prevents the processing process from occupying resources indefinitely.
After the GW performs access configuration for the CPE, and the CPE has successfully accessed the GW through the established IPsec tunnel, the CPE can obtain data from the accessed cloud data center and can also upload data to the cloud data center. When the CPE actively disconnects, or is detected by the keepalive mechanism to have disconnected, the GW can delete the access configuration made for the CPE. This specifically includes the following two specific embodiments:
In the first specific embodiment, when the GW receives a disconnection request, it deletes the configuration information from the cache according to the identification information of the CPE carried in the disconnection request, and releases the connection resources.
In the second specific embodiment, when the GW detects that the CPE has disconnected, it deletes the configuration information from the cache according to the identification information of the CPE, and releases the connection resources.
The two specific embodiments are described in detail below with reference to Fig. 8 and Fig. 9 respectively:
Fig. 8 is a flowchart of an access configuration method provided by an embodiment of the present disclosure. The access configuration method is applied to a GW, for example the GW shown in Fig. 2. This embodiment is the first specific embodiment above: the GW performs access configuration for the CPE so that the CPE accesses the GW normally, and after a period of time, when the CPE actively disconnects, the GW deletes the access configuration. Referring to Fig. 8, the method includes the following steps:
801. The CPE sends an access request to the GW, the access request carrying the identification information of the CPE.
802. When the access request is received, the GW determines whether its current configuration information satisfies the authentication access requirement; if not, step 803 is performed.
803. When the GW's current configuration information cannot satisfy the authentication access requirement, the GW sends an information acquisition request to the controller.
804. When the information acquisition request is received, the controller performs identity authentication on the CPE according to the identification information of the CPE carried in the information acquisition request.
805. When authentication succeeds, the controller obtains the configuration information corresponding to the identification information of the CPE according to the correspondence between identification information and configuration information.
806. The controller sends the configuration information to the GW.
807. When the configuration information sent by the controller is received, the GW performs access configuration for the CPE according to the configuration information.
808. After completing the access configuration, the GW sends a response message to the controller.
809. After completing the access configuration, the GW sends an access configuration success message to the CPE.
810. The controller receives the response message.
811. The CPE receives the access configuration success message.
Steps 801 to 811 are the same as steps 401 to 411 and are not repeated here.
812. The CPE sends a disconnection request to the GW, the disconnection request carrying the identification information of the CPE.
When the CPE wishes to disconnect (for example, when the CPE goes offline normally), it can send a disconnection request to the GW. The disconnection request is used to instruct the GW to delete the IPsec tunnel established for the CPE, so that the CPE can no longer communicate normally through the GW.
813. When the disconnection request is received, the GW deletes the configuration information from the cache according to the identification information of the CPE, and releases the connection resources.
The configuration information is what the GW obtained from the controller. When the CPE disconnects, the GW can delete this configuration information, release the connection resources generated while establishing the IPsec tunnel for the CPE, and restore the configuration corresponding to the CPE to the static configuration that existed before the CPE sent the access request.
It should be noted that the configuration information obtained from the controller and the connection resources can be called the dynamic configuration information of the CPE, which is generally stored in the cache. By deleting the configuration information and releasing the connection resources, the GW can avoid the network congestion that occupied connection resources could cause, and can also reduce its own storage burden.
814. The GW sends a disconnection response message to the CPE, the disconnection response message being used to inform the CPE that it has been disconnected.
By deleting the dynamic configuration information when the CPE disconnects normally, the embodiment of the present disclosure avoids network congestion and reduces the storage burden of the GW.
Fig. 9 is a flowchart of an access configuration method provided by an embodiment of the present disclosure. The access configuration method is applied to a GW, for example the GW shown in Fig. 2. This embodiment is the second specific embodiment above: the GW performs access configuration for the CPE so that the CPE accesses the GW normally, and later, when the GW detects that there has been no interaction between the CPE and the CPE it communicates with within the defined keepalive time, the GW deletes the access configuration. Referring to Fig. 9, the method includes the following steps:
901. The CPE sends an access request to the GW, the access request carrying the identification information of the CPE.
902. When the access request is received, the GW determines whether its current configuration information satisfies the authentication access requirement; if not, step 903 is performed.
903. When the GW's current configuration information cannot satisfy the authentication access requirement, the GW sends an information acquisition request to the controller.
904. When the information acquisition request is received, the controller performs identity authentication on the CPE according to the identification information of the CPE carried in the information acquisition request.
905. When authentication succeeds, the controller obtains the configuration information corresponding to the identification information of the CPE according to the correspondence between identification information and configuration information.
906. The controller sends the configuration information to the GW.
907. When the configuration information sent by the controller is received, the GW performs access configuration for the CPE according to the configuration information.
908. After completing the access configuration, the GW sends a response message to the controller.
909. After completing the access configuration, the GW sends an access configuration success message to the CPE.
910. The controller receives the response message.
911. The CPE receives the access configuration success message.
Steps 901 to 911 are the same as steps 401 to 411 or steps 801 to 811 and are not repeated here.
912. When it detects that the CPE has disconnected, the GW deletes the configuration information from the cache according to the identification information of the CPE, and releases the connection resources.
A keepalive mechanism can be set in the GW, so that it periodically checks whether any CPE connected through the GW has had no interaction within the defined keepalive time. When a CPE is detected to have had no interaction within the defined keepalive time, the CPE can be considered to have disconnected, and the GW can delete the dynamic configuration information generated when the IPsec tunnel was established for that CPE.
By setting a keepalive mechanism, the embodiment of the present disclosure deletes the dynamic configuration information of CPEs that have no data interaction needs but still occupy connection resources, which avoids the network congestion that excessive occupation of connection resources could cause and reduces the storage burden of the GW.
All the optional technical solutions above can be combined in any way to form optional embodiments of the present disclosure, which are not described one by one here.
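The decision logic of the flows in Figs. 4 and 6 to 9 (controller authentication steps (1) to (4), the authentication failure and timeout paths, and deletion of cached configuration on disconnect or keepalive expiry) is modelled in the following added Python example, which is not code from the patent. All class names, field names, message strings and sample CPE identifiers are assumptions, and a controller that misses the preset duration is modelled as raising TimeoutError.

```python
import time
from dataclasses import dataclass

# All names, message strings and sample values below are illustrative assumptions.
KEY_FIELDS = ("auth_key", "qos", "vpn")  # the "key configuration information"


@dataclass
class UserRecord:
    allowed: bool      # whether the user data grants the CPE access permission
    key_config: dict   # authentication key, QoS and VPN information


class Controller:
    """Central user database: CPE identification information -> user data."""

    def __init__(self, user_db):
        self.user_db = user_db

    def get_config(self, cpe_id):
        record = self.user_db.get(cpe_id)         # steps (1)-(2): look up, extract
        if record is None or not record.allowed:  # step (4): authentication fails
            return None                           # step 605: no configuration sent
        return dict(record.key_config)            # step (3), then steps 405-406


class UnresponsiveController:
    """Models a controller that does not answer within the preset duration."""

    def get_config(self, cpe_id):
        raise TimeoutError("no configuration information within preset duration")


class Gateway:
    def __init__(self, controller, local_config=None, keepalive_s=30.0,
                 clock=time.monotonic):
        self.controller = controller
        self.local_config = local_config or {}  # configuration stored on the GW
        self.keepalive_s = keepalive_s
        self.clock = clock
        self.cache = {}      # dynamic configuration fetched from the controller
        self.last_seen = {}  # cpe_id -> time of last interaction

    def handle_access(self, cpe_id):
        local = self.local_config.get(cpe_id, {})
        if not all(f in local for f in KEY_FIELDS):   # step 402: GW lacks key config
            try:
                fetched = self.controller.get_config(cpe_id)  # step 403
            except TimeoutError:
                return "ACCESS_FAILED: timeout, no response"  # step 707
            if fetched is None:
                return "ACCESS_FAILED: identity authentication failed"  # step 606
            self.cache[cpe_id] = fetched                      # step 407
        self.last_seen[cpe_id] = self.clock()
        return "ACCESS_CONFIGURED"                            # step 409

    def touch(self, cpe_id):
        """Record traffic from a connected CPE (resets its keepalive timer)."""
        if cpe_id in self.last_seen:
            self.last_seen[cpe_id] = self.clock()

    def disconnect(self, cpe_id):
        """Step 813: drop the cached key material and the session state."""
        had_dynamic = self.cache.pop(cpe_id, None) is not None
        self.last_seen.pop(cpe_id, None)
        return had_dynamic

    def expire_idle(self):
        """Step 912: delete configuration of CPEs silent past the keepalive time."""
        now = self.clock()
        idle = sorted(c for c, t in self.last_seen.items()
                      if now - t > self.keepalive_s)
        for cpe_id in idle:
            self.disconnect(cpe_id)
        return idle


def demo():
    # Constructed sample data; the key values are placeholders, not real material.
    db = {
        "cpe-a.example": UserRecord(True, {"auth_key": "PLACEHOLDER-KEY",
                                           "qos": "gold", "vpn": "vpn-10"}),
        "cpe-b.example": UserRecord(False, {"auth_key": "PLACEHOLDER-KEY-2",
                                            "qos": "bronze", "vpn": "vpn-20"}),
    }
    now = [0.0]
    gw = Gateway(Controller(db), keepalive_s=30.0, clock=lambda: now[0])
    results = {cpe: gw.handle_access(cpe)
               for cpe in ("cpe-a.example", "cpe-b.example", "cpe-unknown.example")}
    results["timeout"] = Gateway(UnresponsiveController()).handle_access("cpe-a.example")
    now[0] = 31.0                      # keepalive time elapses with no interaction
    results["expired"] = gw.expire_idle()
    results["cache_after_expiry"] = dict(gw.cache)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

Both failure paths leave the gateway cache untouched, so key configuration information is held on the GW only for the lifetime of an authenticated session.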
Figure 10 is a schematic structural diagram of an access configuration device provided by an embodiment of the present disclosure. In a specific embodiment, the device is the GW described in the above embodiments. Referring to Figure 10, the device includes:
Receiving module 1001, configured to perform the process of receiving the access request in step 402, step 602, step 702, step 802 or step 902 above;
Sending module 1002, configured to perform step 403, step 603, step 703, step 803 or step 903 above;
The receiving module 1001 is also configured to perform the process of receiving the configuration information sent by the controller in step 407, step 807 or step 907 above;
Configuration module 1003, configured to perform the process of performing access configuration for the CPE according to the configuration information in step 407, step 807 or step 907 above.
In a specific embodiment, the configuration module 1003 is configured to perform the process of modifying the static configuration information in step 407, step 807 or step 907 above.
In a specific embodiment, the module is also configured to perform step 606 above.
In a specific embodiment, the module is also configured to perform step 707 above.
In a specific embodiment, the module is also configured to perform step 408, step 808 or step 908 above.
In a specific embodiment, as shown in Figure 11, the device further includes:
Deletion module 1004, configured to perform step 813 or step 912 above.
In a specific embodiment, the access request is sent to the GW by the CPE through the IKE protocol, and the information acquisition request is sent to the controller by the GW through the Netconf or Yang protocol.
In a specific embodiment, the configuration information includes the authentication key, quality of service (QoS) and virtual private network (VPN) information.
In a specific embodiment, the configuration module 1003 is also configured to perform the process in step 402 above of performing access configuration for the CPE according to the configuration information of the CPE when the GW's current configuration information satisfies the authentication access requirement.
With the device provided by the embodiment of the present disclosure, when an access request from a CPE is received, the configuration information of the CPE stored in the controller is obtained in real time and used to perform access configuration for the CPE. Because the configuration information of the CPE stored centrally by the controller can be updated in real time, the configuration information obtained by the GW is current, which effectively avoids the access failures that could result from the configuration information of the CPE in the GW not being updated in real time.
It should be understood that when the access configuration device provided by the above embodiment performs access configuration, the division into the functional modules above is only an example. In practical applications, the functions above can be allocated to different functional modules as needed, that is, the internal structure of the device can be divided into different functional modules to complete all or part of the functions described above. In addition, the access configuration device provided by the above embodiment and the access configuration method embodiments belong to the same concept; the specific implementation process is detailed in the method embodiments and is not repeated here.
Figure 12 is a schematic structural diagram of an information providing device provided by an embodiment of the present disclosure. In a specific embodiment, the device is the controller described in the above embodiments. Referring to Figure 12, the device includes:
Receiving module 1201, configured to perform the process of receiving the information acquisition request in step 404, step 604, step 704, step 804 or step 904 above;
Authentication module 1202, configured to perform the process of performing identity authentication on the CPE in step 404, step 604, step 704, step 804 or step 904 above;
Obtaining module 1203, configured to perform step 405, step 705, step 805 or step 905 above;
Sending module 1204, configured to perform step 406, step 706, step 806 or step 906 above.
In a specific embodiment, as shown in Figure 13, the device further includes:
Searching module 1205, configured to perform the process of looking up the identification information of the CPE in the user database in step 404, step 604, step 704, step 804 or step 904 above;
Extraction module 1206, configured to perform the process of extracting the user data in step 404, step 604, step 704, step 804 or step 904 above;
Determining module 1207, configured to perform the process of determining that authentication succeeds in step 404, step 604, step 704, step 804 or step 904 above;
The determining module 1207 is also configured to perform the process of determining that authentication fails in step 404, step 604, step 704, step 804 or step 904 above.
In a specific embodiment, the module is also configured to perform step 605 above.
In a specific embodiment, the module is also configured to perform step 410, step 810 or step 910 above.
In a specific embodiment, the access request is sent to the GW by the CPE through the IKE protocol, and the information acquisition request is sent to the controller by the GW through the Netconf or Yang protocol.
In a specific embodiment, the module is also configured to perform the process shown in step 404 above of obtaining the configuration information of the CPE out of band.
The device provided by the embodiment of the present disclosure centrally manages the configuration information of the CPE and provides the configuration information to the GW when the GW needs it. This can reduce the risk of the configuration information of the CPE being leaked, which improves the security of CPE access. Centralized management also makes it easier to allocate bandwidth reasonably and to manage user access.
It should be understood that when the information providing device provided by the above embodiment provides information, the division into the functional modules above is only an example. In practical applications, the functions above can be allocated to different functional modules as needed, that is, the internal structure of the device can be divided into different functional modules to complete all or part of the functions described above. In addition, the information providing device provided by the above embodiment and the information providing method embodiment included in the access configuration method embodiments belong to the same concept; the specific implementation process is detailed in the method embodiments and is not repeated here.
Those of ordinary skill in the art will appreciate that realizing that all or part of the steps of above-described embodiment can pass through hardware
It completes, relevant hardware can also be instructed to complete by program, which can store in a kind of computer-readable storage
In medium, storage medium mentioned above can be read-only memory, disk or CD etc..
It above are only the alternative embodiment of the disclosure, not to limit the disclosure, all spirit and principle in the disclosure
Within, any modification, equivalent replacement, improvement and so on should be included within the protection scope of the disclosure.
Claims (31)
1. An access configuration method, characterized in that the method comprises:
A gateway receives an access request, the access request carrying identification information of a customer premises equipment (CPE);
The gateway sends an information acquisition request to a controller, the information acquisition request instructing the controller to return configuration information;
The gateway receives the configuration information sent by the controller;
The gateway performs access configuration for the CPE according to the configuration information.
2. The method according to claim 1, characterized in that the method further comprises:
The gateway compares the configuration information with the static configuration information in the gateway;
When the static configuration information has been updated, the gateway modifies the static configuration information and stores it in correspondence with the identification information of the CPE.
3. The method according to claim 1, characterized in that, after the gateway sends the information acquisition request to the controller, the method further comprises:
When an authentication failure message sent by the controller is received, the gateway sends an access failure message to the CPE.
4. The method according to claim 1, characterized in that, after the gateway sends the information acquisition request to the controller, the method further comprises:
When the configuration information is not received within a preset duration, the gateway sends an access failure message to the CPE.
5. The method according to claim 1, characterized in that, after the gateway performs access configuration for the CPE according to the configuration information, the method further comprises:
After the access configuration is completed, the gateway sends a response message to the controller, the response message informing the controller that the configuration information has been received and that the access configuration is complete.
6. The method according to claim 1, characterized in that, after the gateway performs access configuration for the CPE according to the configuration information, the method further comprises:
When the gateway receives a disconnection request, the gateway deletes the configuration information from the cache according to the identification information of the CPE carried in the disconnection request, and releases connection resources; or,
When the gateway detects that the CPE has disconnected, the gateway deletes the configuration information from the cache according to the identification information of the CPE, and releases connection resources.
7. The method according to claim 1, characterized in that the access request is sent by the CPE to the gateway via the Internet Key Exchange (IKE) protocol, and the information acquisition request is sent by the gateway to the controller via the network configuration (Netconf) or Yang protocol.
8. The method according to claim 1, characterized in that the configuration information includes an authentication key, quality of service (QoS) and virtual private network (VPN) information.
9. The method according to claim 1, characterized in that the method further comprises:
When the current configuration information of the gateway can satisfy the authentication access requirements, the gateway performs access configuration for the CPE according to the current configuration information of the gateway.
10. An information providing method, characterized in that the method comprises:
A controller receives an information acquisition request sent by a gateway, the information acquisition request carrying identification information of a customer premises equipment (CPE);
The controller authenticates the identity of the CPE according to the identification information of the CPE;
When authentication succeeds, the controller obtains, according to the correspondence between identification information and configuration information, the configuration information corresponding to the identification information of the CPE;
The controller sends the configuration information to the gateway.
11. The method according to claim 10, characterized in that the controller authenticating the identity of the CPE according to the identification information of the CPE comprises:
The controller looks up the identification information of the CPE in a user database;
When the user database includes the identification information of the CPE, the controller extracts from the user database the user data corresponding to the identification information of the CPE;
When the user data indicates that the CPE has access permission, the controller determines that authentication succeeds;
When the controller does not find the identification information of the CPE in the user database, or the user data indicates that the CPE does not have access permission, the controller determines that authentication fails.
12. The method according to claim 10 or 11, characterized in that the method further comprises:
When authentication fails, the controller sends an authentication failure message to the gateway.
13. The method according to claim 10, characterized in that, after the controller sends the configuration information to the gateway, the method further comprises: the controller receives the response message returned by the gateway.
14. The method according to claim 10, characterized in that the authentication request is sent by the CPE to the gateway via the IKE protocol, and the information acquisition request is sent by the gateway to the controller via the Netconf or Yang protocol.
15. The method according to claim 10, characterized in that the process of obtaining the configuration information of the CPE comprises:
The controller, by interacting with at least one server, obtains the identification information and configuration information of the CPE stored on the at least one server;
The controller stores the identification information of the CPE in correspondence with the configuration information.
16. An access configuration device, characterized in that it is applied to a gateway, the device comprising:
A receiving module, used to receive an access request, the access request carrying identification information and authentication type information of a customer premises equipment (CPE);
A sending module, used to send an information acquisition request to a controller, the information acquisition request instructing the controller to return configuration information;
The receiving module is also used to receive the configuration information sent by the controller;
A configuration module, used for the gateway to perform access configuration for the CPE according to the configuration information.
17. The device according to claim 16, characterized in that the configuration module is used to:
Compare the configuration information with the static configuration information in the gateway;
When the static configuration information has been updated, modify the static configuration information and store it in correspondence with the identification information of the CPE.
18. The device according to claim 16, characterized in that the sending module is also used to send an access failure message to the CPE when an authentication failure message sent by the controller is received.
19. The device according to claim 16, characterized in that the sending module is also used to send an access failure message to the CPE when the configuration information is not received within a preset duration.
20. The device according to claim 16, characterized in that the sending module is also used to send a response message to the controller after the access configuration is completed, the response message informing the controller that the configuration information has been received and that the access configuration is complete.
21. The device according to claim 16, characterized in that the device further comprises:
A deletion module, used to, when a disconnection request is received, delete the configuration information from the cache according to the identification information of the CPE carried in the disconnection request, and release connection resources; or,
A deletion module, used to, when it is detected that the CPE has disconnected, delete the configuration information from the cache according to the identification information of the CPE, and release connection resources.
22. The device according to claim 16, characterized in that the access request is sent by the CPE to the gateway via the IKE protocol, and the information acquisition request is sent by the gateway to the controller via the Netconf or Yang protocol.
23. The device according to claim 16, characterized in that the configuration information includes an authentication key, quality of service (QoS) and virtual private network (VPN) information.
24. The device according to claim 16, characterized in that the configuration module is also used to, when the current configuration information of the gateway can satisfy the authentication access requirements, perform access configuration for the CPE according to the current configuration information of the gateway.
25. An information providing device, characterized in that it is applied to a controller, the device comprising:
A receiving module, used to receive an information acquisition request, the information acquisition request carrying identification information of a customer premises equipment (CPE);
An authentication module, used to authenticate the identity of the CPE according to the identification information of the CPE;
An obtaining module, used to, when authentication succeeds, obtain the configuration information corresponding to the identification information according to the correspondence between the identification information and configuration information;
A sending module, used to send the configuration information to a gateway.
26. The device according to claim 25, characterized in that the device further comprises:
A searching module, used to look up the identification information of the CPE in a user database;
An extraction module, used to, when the user database includes the identification information of the CPE, extract from the user database the user data corresponding to the identification information of the CPE;
A determining module, used to determine that authentication succeeds when the user data indicates that the CPE has access permission;
The determining module is also used to determine that authentication fails when the identification information of the CPE is not found in the user database or the user data indicates that the CPE does not have access permission.
27. The device according to claim 25 or 26, characterized in that the sending module is also used to send an authentication failure message to the gateway when authentication fails.
28. The device according to claim 25, characterized in that the receiving module is also used to receive the response message returned by the gateway.
29. The device according to claim 25, characterized in that the authentication request is sent by the CPE to the gateway via the IKE protocol, and the information acquisition request is sent by the gateway to the controller via the Netconf or Yang protocol.
30. The device according to claim 25, characterized in that the obtaining module is also used to, by interacting with at least one server, obtain the identification information and configuration information of the CPE stored on the at least one server, and to store the identification information of the CPE in correspondence with the configuration information.
31. A communication system, characterized in that the communication system comprises a gateway and a controller, wherein the gateway is used to perform the method steps of any one of claims 1-9, and the controller is used to perform the method steps of any one of claims 10-15.
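The gateway and controller exchange set out in claims 1, 3 to 6, 10, 11 and 13 can be sketched as follows; this is an added example, not code from the patent. Class names, message constants, field names and sample data are assumptions, and the IKE and Netconf transports are replaced by direct function calls, with a `None` reply standing in for the preset-duration timeout.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

AUTH_FAILED, CONFIG = "auth-failed", "config"            # controller -> gateway
ACCESS_OK, ACCESS_FAILED = "access-ok", "access-failed"  # gateway -> CPE
# None models "no reply within the preset duration" (claim 4).
Reply = Optional[Tuple[str, Optional[dict]]]


@dataclass
class Controller:
    user_db: Dict[str, dict]      # CPE id -> user data (claim 11)
    config_db: Dict[str, dict]    # CPE id -> configuration information (claim 10)
    acks: List[str] = field(default_factory=list)

    def handle_info_request(self, cpe_id: str) -> Reply:
        user = self.user_db.get(cpe_id)
        # Unknown identifier and missing access permission both fail closed.
        if user is None or not user.get("access_allowed", False):
            return AUTH_FAILED, None
        config = self.config_db.get(cpe_id)
        if config is None:            # assumption: no stored config counts as failure
            return AUTH_FAILED, None
        return CONFIG, dict(config)   # copy, so the gateway never aliases the store

    def handle_response(self, cpe_id: str) -> None:
        self.acks.append(cpe_id)      # claim 13: gateway confirmed the configuration


class Gateway:
    def __init__(self, send_info_request: Callable[[str], Reply],
                 send_response: Callable[[str], None]):
        self.send_info_request = send_info_request
        self.send_response = send_response
        self.cache: Dict[str, dict] = {}   # per-CPE config, held only while connected

    def handle_access_request(self, cpe_id: str) -> str:
        reply = self.send_info_request(cpe_id)
        if reply is None:                      # claim 4: nothing received in time
            return ACCESS_FAILED
        kind, config = reply
        if kind != CONFIG or config is None:   # claim 3: authentication failure message
            return ACCESS_FAILED
        self.cache[cpe_id] = config            # access configuration for this CPE
        self.send_response(cpe_id)             # claim 5: report completion
        return ACCESS_OK

    def handle_disconnect(self, cpe_id: str) -> bool:
        # Claim 6: drop the cached configuration (key included) on disconnect.
        return self.cache.pop(cpe_id, None) is not None


def demo() -> dict:
    # Constructed sample data; identifiers, keys and field names are made up.
    ctrl = Controller(
        user_db={"cpe-001": {"access_allowed": True},
                 "cpe-002": {"access_allowed": False}},
        config_db={"cpe-001": {"auth_key": "EXAMPLE-KEY", "qos": "gold", "vpn": "vpn-a"},
                   "cpe-002": {"auth_key": "EXAMPLE-KEY-2", "qos": "low", "vpn": "vpn-b"}},
    )
    gw = Gateway(ctrl.handle_info_request, ctrl.handle_response)
    silent_gw = Gateway(lambda cpe_id: None, ctrl.handle_response)  # controller silent
    results = {
        "allowed": gw.handle_access_request("cpe-001"),
        "denied": gw.handle_access_request("cpe-002"),
        "unknown": gw.handle_access_request("cpe-999"),
        "timeout": silent_gw.handle_access_request("cpe-001"),
        "cached_after_connect": sorted(gw.cache),
    }
    results["disconnected"] = gw.handle_disconnect("cpe-001")
    results["cached_after_disconnect"] = sorted(gw.cache)
    results["acks"] = list(ctrl.acks)
    return results
```

Only the CPE that passed the controller's check ever has its key in the gateway cache, and the entry is gone again after the disconnect.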
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711365123.5A CN109936515B (en) | 2017-12-18 | 2017-12-18 | Access configuration method, information providing method and device |
PCT/CN2018/121448 WO2019120160A1 (en) | 2017-12-18 | 2018-12-17 | Method and device for data storage, and distributed storage system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711365123.5A CN109936515B (en) | 2017-12-18 | 2017-12-18 | Access configuration method, information providing method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109936515A true CN109936515A (en) | 2019-06-25 |
CN109936515B CN109936515B (en) | 2021-06-04 |
Family
ID=66982589
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201711365123.5A Active CN109936515B (en) | 2017-12-18 | 2017-12-18 | Access configuration method, information providing method and device |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN109936515B (en) |
WO (1) | WO2019120160A1 (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111314355A (en) * | 2020-02-20 | 2020-06-19 | 深信服科技股份有限公司 | Authentication method, device, equipment and medium of VPN (virtual private network) server |
CN112399130A (en) * | 2019-08-16 | 2021-02-23 | 北京紫荆视通科技有限公司 | Processing method and device of cloud video conference information, storage medium and communication equipment |
CN114006807A (en) * | 2020-07-14 | 2022-02-01 | 青岛海信电子产业控股股份有限公司 | Client terminal equipment, configuration method thereof and configuration server |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113794583B (en) * | 2021-08-15 | 2023-12-29 | 新华三信息安全技术有限公司 | Configuration method and device |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101227415A (en) * | 2008-02-04 | 2008-07-23 | 华为技术有限公司 | Multi business resource allocation method, system, gateway equipment and authentication server |
CN101621433A (en) * | 2008-07-02 | 2010-01-06 | 上海华为技术有限公司 | Method, device and system for configuring access equipment |
CN104917849A (en) * | 2014-03-11 | 2015-09-16 | 华为技术有限公司 | Message processing method, access controller and network node |
KR20170017860A (en) * | 2016-12-30 | 2017-02-15 | 주식회사 모바일컨버전스 | Network virtualization system based of network vpn |
CN106713057A (en) * | 2015-07-30 | 2017-05-24 | 华为技术有限公司 | Method for performing tunnel detection and device and system thereof |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114500135B (en) * | 2012-02-22 | 2023-03-24 | 华为技术有限公司 | Access method, device and system of user terminal equipment |
EP2887580A1 (en) * | 2013-12-23 | 2015-06-24 | Telefonica S.A. | Method and system for modifying configuration parameters on a user equipment and an Auto Configuration Server-Gateway |
- 2017-12-18 CN CN201711365123.5A patent/CN109936515B/en active Active
- 2018-12-17 WO PCT/CN2018/121448 patent/WO2019120160A1/en active Application Filing
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112399130A (en) * | 2019-08-16 | 2021-02-23 | 北京紫荆视通科技有限公司 | Processing method and device of cloud video conference information, storage medium and communication equipment |
CN112399130B (en) * | 2019-08-16 | 2023-04-07 | 北京紫荆视通科技有限公司 | Processing method and device of cloud video conference information, storage medium and communication equipment |
CN111314355A (en) * | 2020-02-20 | 2020-06-19 | 深信服科技股份有限公司 | Authentication method, device, equipment and medium of VPN (virtual private network) server |
CN114006807A (en) * | 2020-07-14 | 2022-02-01 | 青岛海信电子产业控股股份有限公司 | Client terminal equipment, configuration method thereof and configuration server |
Also Published As
Publication number | Publication date |
---|---|
WO2019120160A1 (en) | 2019-06-27 |
CN109936515B (en) | 2021-06-04 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11089479B2 (en) | Signaling attack prevention method and apparatus | |
US20220104112A1 (en) | Methods, systems, and computer readable media for mitigating spoofing attacks on security edge protection proxy (sepp) inter-public land mobile network (inter-plmn) forwarding interface | |
US8327129B2 (en) | Method, apparatus and system for internet key exchange negotiation | |
CN101335692B (en) | Method for negotiating security capability between PCC and PCE and network system thereof | |
EP3633949B1 (en) | Method and system for performing ssl handshake | |
CN109936515A (en) | Access configuration method, information providing method and device | |
EP2850770A1 (en) | Transport layer security traffic control using service name identification | |
CN107438074A (en) | The means of defence and device of a kind of ddos attack | |
CN110191052B (en) | Cross-protocol network transmission method and system | |
Rodrigues et al. | Evaluating a blockchain-based cooperative defense | |
EP3932044B1 (en) | Automatic distribution of dynamic host configuration protocol (dhcp) keys via link layer discovery protocol (lldp) | |
CN114173332B (en) | Data encryption transmission method and device suitable for 5G intelligent power grid inspection robot | |
WO2020248368A1 (en) | Intranet accessing method, system, and related device | |
EP1914960B1 (en) | Method for transmission of DHCP messages | |
CN112887278A (en) | Interconnection system and method of private cloud and public cloud | |
CN114710388B (en) | Campus network security system and network monitoring system | |
CN111163465B (en) | Method and device for connecting user terminal and local terminal and call center system | |
Kuptsov et al. | Distributed user authentication in wireless LANs | |
CN111163466A (en) | Method for 5G user terminal to access block chain, user terminal equipment and medium | |
Njeru | An APN Authentication Model For A Secure Enterprise Wireless Local Area Network | |
Kabir et al. | Customer Edge Switching: A Security Framework for 5G | |
CN116530053A (en) | Method, system and computer readable medium for mitigating counterfeit attacks on Secure Edge Protection Proxy (SEPP) public land mobile network-to-PLMN (inter-PLMN) forwarding interfaces | |
CN117134933A (en) | Encryption communication method, device, electronic equipment and storage medium | |
CN117914525A (en) | Data message processing method and system | |
Goodloe et al. | L3A: A protocol for layer three accounting |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |
| TR01 | Transfer of patent right | Effective date of registration: 20211222 Address after: 450046 Floor 9, building 1, Zhengshang Boya Plaza, Longzihu wisdom Island, Zhengdong New Area, Zhengzhou City, Henan Province Patentee after: xFusion Digital Technologies Co., Ltd. Address before: 518129 Bantian HUAWEI headquarters office building, Longgang District, Guangdong, Shenzhen Patentee before: HUAWEI TECHNOLOGIES Co.,Ltd. |