CN112637154B: Equipment authentication method and device, electronic equipment and storage medium


Info

Publication number: CN112637154B
Authority: CN (China)
Application number: CN202011462741.3A
Other languages: Chinese (zh)
Other versions: CN112637154A
Inventor: 严林
Current assignee: Maipu Communication Technology Co Ltd
Original assignee: Maipu Communication Technology Co Ltd
Legal status: Active
Prior art keywords: authentication, equipment, message, information, authentication information

Events
    • Application filed by Maipu Communication Technology Co Ltd
    • Priority to CN202011462741.3A
    • Publication of CN112637154A
    • Application granted
    • Publication of CN112637154B
    • Legal status: Active

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00: Network arrangements or protocols for supporting network services or applications
    • H04L 67/01: Protocols
    • H04L 67/12: Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H04L 67/125: Protocols specially adapted for proprietary or special-purpose networking environments involving control of end-device applications over a network
    • H04L 67/10: Protocols in which an application is distributed across nodes in the network
    • H04L 69/00: Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L 69/08: Protocols for interworking; protocol conversion
    • H04L 69/22: Parsing or analysis of headers
    • G: PHYSICS
    • G16: INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
    • G16Y: INFORMATION AND COMMUNICATION TECHNOLOGY SPECIALLY ADAPTED FOR THE INTERNET OF THINGS [IoT]
    • G16Y 40/00: IoT characterised by the purpose of the information processing
    • G16Y 40/30: Control

Abstract

The application provides a device authentication method and apparatus, an electronic device and a storage medium, in the technical field of communications. In the method, the edge device encapsulates device authentication information into the payload of a packet to obtain an authentication request packet; the device authentication information includes the device's authentication information, which in turn comprises transport-layer information of the edge device. The authentication request packet is sent to the center-end device, which parses it to obtain the device authentication information and verifies it. The device authentication information is therefore verified without any configuration of the Software Defined Network (SDN) controller and without the user being aware of it. The center-end device returns the authentication result to the edge device, so that the edge device can communicate with the center-end device across networks by means of the device authentication information, and the complexity of device access configuration and management is reduced.

Description

Equipment authentication method and device, electronic equipment and storage medium
Technical Field
The present application relates to the field of communications technology, and in particular to a device authentication method and apparatus, an electronic device, and a storage medium.
Background
In the network architectures of many companies, enterprises and similar organizations there is a headquarters-branch structure: the headquarters must manage the branch devices centrally, and the headquarters and the branches must first communicate across the Internet before the branch devices can be discovered and managed by the headquarters' control platform. If every device in a branch local area network has to be configured before it can go online, this places a heavy burden on network management; IP address configuration, for example, is hard to allocate and manage, and the result is high complexity in the access configuration and management of network devices.
Disclosure of Invention
In view of this, embodiments of the present application provide a device authentication method and apparatus, an electronic device, and a storage medium, so as to solve the problem in the prior art that the access configuration and management of network devices are highly complex.
The application provides a device authentication method applied to an edge device, comprising the following steps: sniffing a packet received on an interface connected to the user network; encapsulating device authentication information into the payload of the packet to obtain an authentication request packet, where the device authentication information includes the device's authentication information, which comprises transport-layer information of the edge device; sending the authentication request packet to a center-end device; and, when an authentication response packet sent by the center-end device is received, determining an authentication result from the authentication response packet, where, if the result is that authentication passed, the edge device can communicate with the center-end device across networks by means of the device authentication information.
In this implementation, the edge device sniffs the packet without affecting user traffic and sends the authentication request packet, with the device authentication information encapsulated in it, to the center-end device for verification by the SDN controller. The edge device can thus be discovered and authenticated by the SDN controller across the Internet with no network configuration, achieving zero-configuration authentication of the edge device and cross-network communication.
Optionally, after the authentication request packet is sent to the center-end device, the method further includes: if no authentication response packet from the center-end device has been received after a preset duration, sniffing again a packet received on the interface connected to the user network; encapsulating the device authentication information into the payload of the re-sniffed packet; and sending the encapsulated re-sniffed packet to the center-end device.
In this implementation, when no authentication response packet has arrived within the preset duration, sniffing and sending are repeated, so that authentication of the edge device can be initiated again when it fails because of network congestion or similar causes; this safeguards the success rate of edge-device authentication and cross-network communication.
Optionally, the method further includes: receiving a query packet sent by the center-end device, where the query packet comprises a device query packet and/or a link query packet; and sending a query response packet to the center-end device in response to the query packet, so that the center-end device forwards the query response packet to the Software Defined Network (SDN) controller, where the query response packet comprises a device information response packet and/or a link response packet.
In this implementation, a query response packet is returned to the center-end device in response to the query packet, so that the SDN controller can achieve zero-configuration cross-network communication with the edge device on the basis of the query response packet relayed by the center-end device.
An embodiment of the application provides a device authentication method applied to a center-end device, comprising the following steps: receiving an authentication request packet sent by an edge device; parsing the authentication request packet to obtain device authentication information; when the device authentication information of the authentication request packet passes authentication, sending the device authentication information to the SDN controller; saving the device's authentication information contained in the device authentication information; receiving the authentication result returned by the SDN controller on the basis of the device authentication information; and sending an authentication response packet to the edge device on the basis of the authentication result.
In this implementation, the center-end device processes and relays the data exchanged between the edge device and the SDN controller (the authentication request packet, the device authentication information, the authentication result, the authentication response packet and so on), so that zero-configuration cross-network communication between the edge device and the SDN controller is achieved.
Optionally, the method further includes: encapsulating a query packet using the device authentication information and sending it to the edge device, where the query packet comprises a device query packet and/or a link query packet; receiving a query response packet sent by the edge device, where the query response packet comprises a device information response packet and/or a link response packet; determining device management information from the query response packet, where the device management information comprises device information and/or a network topology map; and sending the device management information to the SDN controller through a network configuration protocol, so that the SDN controller can manage the edge device on the basis of the device management information.
In this implementation, the center-end device relays the query packet and the query response packet, so that the SDN controller can discover and manage the edge device without manual configuration, which makes managing the edge device convenient and fast.
An embodiment of the application further provides a device authentication method applied to the SDN controller, comprising the following steps: receiving device authentication information sent by a center-end device, where the device authentication information was obtained by the center-end device by parsing an authentication request packet, the device authentication information includes the device's authentication information, and that authentication information comprises transport-layer information of the edge device; verifying the device authentication information; and, when the device authentication information passes verification, sending an authentication result to the center-end device.
In this implementation, the SDN controller receives and processes the edge device's device authentication information via the center-end device and returns an authentication result to the center-end device, so that the SDN controller achieves zero-configuration authentication of the edge device and cross-network communication with it.
Optionally, the method further includes: receiving device management information sent by the center-end device, where the device management information comprises device information and/or a network topology map; and managing the edge device on the basis of the device management information.
In this implementation, the center-end device relays the device management information and the subsequent management instructions, so that the SDN controller can manage the edge device without manual configuration, which makes managing the edge device convenient and fast.
An embodiment of the present application further provides a device authentication apparatus applied to an edge device, comprising: a sniffing module for sniffing a packet received on an interface connected to the user network; an encapsulation module for encapsulating device authentication information into the payload of the packet to obtain an authentication request packet, where the device authentication information includes the device's authentication information, which comprises transport-layer information of the edge device; an edge sending module for sending the authentication request packet to the center-end device; and an authentication result determining module for determining an authentication result from the authentication response packet when an authentication response packet sent by the center-end device is received, where, if the result is that authentication passed, the edge device can communicate with the center-end device across networks by means of the device authentication information.
Optionally, the sniffing module is further configured to: if no authentication response packet from the center-end device has been received after a preset duration, sniff again a packet received on the interface connected to the user network; encapsulate the device authentication information into the payload of the re-sniffed packet; and send the encapsulated re-sniffed packet to the center-end device.
Optionally, the device authentication apparatus further includes a query module for receiving a query packet sent by the center-end device, where the query packet comprises a device query packet and/or a link query packet, and for sending a query response packet to the center-end device in response to the query packet, so that the center-end device forwards the query response packet to the Software Defined Network (SDN) controller, where the query response packet comprises a device information response packet and/or a link response packet.
An embodiment of the present application further provides a device authentication apparatus applied to a center-end device, comprising: an intermediate receiving module for receiving an authentication request packet sent by the edge device; a parsing module for parsing the authentication request packet to obtain device authentication information; an intermediate sending module for sending the device authentication information to the SDN controller when the device authentication information of the authentication request packet passes authentication; and a storage module for saving the device's authentication information contained in the device authentication information. The intermediate receiving module is further configured to receive the authentication result returned by the SDN controller on the basis of the device authentication information, and the intermediate sending module is further configured to send an authentication response packet to the edge device on the basis of the authentication result.
Optionally, the device authentication apparatus further includes a query forwarding module for encapsulating a query packet using the device authentication information and sending it to the edge device, where the query packet comprises a device query packet and/or a link query packet; receiving a query response packet sent by the edge device, where the query response packet comprises a device information response packet and/or a link response packet; determining device management information from the query response packet, where the device management information comprises device information and/or a network topology map; and sending the device management information to the SDN controller through a network configuration protocol, so that the SDN controller can manage the edge device on the basis of the device management information.
An embodiment of the present application further provides a device authentication apparatus applied to an SDN controller, comprising: an authentication module for receiving device authentication information sent by a center-end device, where the device authentication information was obtained by the center-end device by parsing an authentication request packet, the device authentication information includes the device's authentication information, and that authentication information comprises transport-layer information of the edge device; a verification module for verifying the device authentication information; and a control sending module for sending an authentication result to the center-end device when the device authentication information passes verification.
Optionally, the device authentication apparatus further includes a management module for receiving device management information sent by the center-end device, where the device management information comprises device information and/or a network topology map, and for managing the edge device on the basis of the device management information.
An embodiment of the present application further provides an electronic device comprising a memory and a processor, where the memory stores program instructions and the processor, on reading and executing those program instructions, performs the steps of any of the implementations above.
An embodiment of the present application further provides a readable storage medium storing computer program instructions which, when read and executed by a processor, perform the steps of any of the implementations above.
Drawings
To illustrate the technical solutions of the embodiments of the present application more clearly, the drawings used in the embodiments are briefly described below. It should be understood that the following drawings illustrate only some embodiments of the present application and should therefore not be regarded as limiting its scope; those skilled in the art can derive other related drawings from them without inventive effort.
Fig. 1 is a schematic flowchart of a device authentication method according to an embodiment of the present application.
Fig. 2 is a schematic flowchart of a topology acquisition step according to an embodiment of the present application.
Fig. 3 is a schematic flowchart of a step of deleting an edge device according to an embodiment of the present application.
Fig. 4 is a block diagram of a device authentication apparatus applied to an edge device according to an embodiment of the present application.
Fig. 5 is a schematic block diagram of a device authentication apparatus applied to a center-end device according to an embodiment of the present application.
Fig. 6 is a schematic block diagram of a device authentication apparatus applied to an SDN controller according to an embodiment of the present application.
Reference numerals: 11 edge device; 12 center-end device; 13 SDN controller; 20 device authentication apparatus; 21 sniffing module; 22 encapsulation module; 23 edge sending module; 24 authentication result determining module; 30 device authentication apparatus; 31 intermediate receiving module; 32 parsing module; 33 intermediate sending module; 34 storage module; 40 device authentication apparatus; 41 authentication module; 42 verification module.
Detailed Description
The technical solution in the embodiments of the present application is described below with reference to the drawings.
An embodiment of the present application provides a device authentication method applied to a network formed by an edge device 11, a center-end device 12 and an SDN controller 13. Refer to fig. 1, a schematic flow diagram of the device authentication method provided in this embodiment, in which the steps are executed in order from top to bottom.
The SDN controller 13 is an application in a software defined network that is responsible for flow control so that the network can behave intelligently. It relies on a protocol such as OpenFlow, which lets a server tell a switch where to send packets.
Without affecting the user's traffic, the edge device 11 sniffs a packet received on the interface of the edge device 11 that is connected to the user network. This interface is usually a Local Area Network (LAN) interface, and the packet may be a Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) packet.
Specifically, the edge device 11 may sniff the packet by matching header features of user data packets, thereby obtaining the packet.
Having obtained a packet by sniffing, the edge device 11 encapsulates the device authentication information into the payload of that packet to obtain an authentication request packet.
The device authentication information may include the authentication information of the edge device 11, which includes transport-layer information of the edge device 11. As required, the device authentication information may further include link-layer information and/or network-layer information of the edge device 11; this is not particularly limited.
Specifically, this embodiment may encapsulate the device authentication information into the payload of the packet on the basis of the authentication information of the edge device 11, thereby obtaining the authentication request packet. The device authentication information may include unique identification information of the edge device 11 together with transport-layer information, where the unique identification information may be, for example, the SN (serial number) or device ID of the edge device 11; the device authentication information may further include data-link-layer information, network-layer information and so on.
After the edge device 11 sends the authentication request packet to the center-end device 12, the center-end device 12 must ultimately forward it to the SDN controller 13 so that the edge device 11 can be authenticated.
Optionally, the authentication request packet of the edge device 11 may be encrypted using certificate authentication based on a hash algorithm and a nonce (a random number value used only once), a shared-key authentication method, or similar, where the hash algorithm and the nonce-based encryption method are agreed in advance between the edge device 11 and the SDN controller 13.
The center-end device 12 receives the authentication request packet sent by the edge device 11, identifies the device authentication information in the authentication request packet, parses it, and then sends the device authentication information to the SDN controller 13.
Specifically, on receiving the authentication request packet sent by the edge device 11, the center-end device 12 creates a temporary layer-3 adjacency table entry and then parses the authentication request packet to obtain the authentication request parameters in the device authentication information.
It should be understood that, for the center-end device 12 to keep communicating with the edge device 11, the center-end device 12 should record the device authentication information of the authentication request packet at the time it forwards the authentication request packet.
Optionally, the center-end device 12 of this embodiment may send the device authentication information to the SDN controller 13 through the Network Configuration Protocol (NETCONF). NETCONF is an XML (Extensible Markup Language) based network management protocol that provides a programmable way to configure and manage network devices. Through it a user can set parameters, read parameter values, retrieve statistics and so on, which makes developing third-party software very convenient and makes it easy to build custom network management software for environments that mix different vendors and devices.
After receiving the device authentication information from the center-end device 12, the SDN controller 13 verifies it and, when the device authentication information passes verification, sends an authentication result to the center-end device 12.
The SDN controller 13 should verify the device authentication information using the certificate authentication based on a hash algorithm and nonce, and the shared-key authentication method, agreed with the edge device 11. Likewise, the authentication result sent by the SDN controller 13 to the center-end device 12 may be encrypted again using the agreed certificate authentication based on a hash algorithm and nonce and the shared-key authentication method.
Optionally, in this embodiment the SDN controller 13 may send the authentication result to the center-end device 12 through the network configuration protocol.
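The exchange described above (edge device, center-end device and SDN controller), as an added worked example that is not part of the patent and is not Maipu's code. It models the shared-key variant only: the edge device authenticates its device authentication information plus a nonce with HMAC-SHA256, the center-end device recognises the request, keeps the temporary adjacency entry it needs to route the response back, and relays the parsed information to the controller; the controller verifies the MAC, accepts each nonce at most once so a captured request cannot be replayed for a second "pass", and authenticates the result it returns with the same key, which the edge device checks before going online. The JSON field layout, the marker bytes `AUTH_MARKER` and `RESP_MARKER`, the stand-in address `CENTER_ADDR`, the constructed sample key and packet, and the in-process call that replaces the NETCONF round trip are all this example's own assumptions.

```python
import hashlib, hmac, json, secrets
from dataclasses import dataclass

# Assumed names: the patent fixes no wire format, markers or addresses.
CENTER_ADDR = "203.0.113.1"   # documentation address standing in for the center-end device
AUTH_MARKER = b"DEVAUTH1"     # payload feature the center-end device recognises
RESP_MARKER = b"DEVRESP1"     # payload feature the edge device's WAN classifier recognises

def _mac(key, fields):
    """HMAC-SHA256 over a canonical JSON encoding so both ends hash identical bytes."""
    msg = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def _mac_ok(key, record):
    """Recompute the MAC over every field except 'mac' and compare in constant time."""
    fields = {k: v for k, v in record.items() if k != "mac"}
    return hmac.compare_digest(_mac(key, fields), record.get("mac", ""))

@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    payload: bytes

class SDNController:
    """Holds each device's shared key and accepts every nonce at most once."""
    def __init__(self, keys):
        self.keys = dict(keys)
        self.seen_nonces = set()

    def verify(self, auth):
        key = self.keys.get(auth.get("sn"))
        fresh = auth.get("nonce") not in self.seen_nonces
        passed = key is not None and fresh and _mac_ok(key, auth)
        if passed:
            self.seen_nonces.add(auth["nonce"])   # a replay of this request fails from now on
        result = {"device_id": auth.get("device_id"), "nonce": auth.get("nonce"),
                  "status": "pass" if passed else "fail"}
        result["mac"] = _mac(key or b"", result)  # the result is authenticated on the way back
        return result

class CenterDevice:
    """Recognises auth requests, keeps the adjacency entry, relays to the controller."""
    def __init__(self, controller):
        self.controller = controller
        self.adjacency = {}   # device_id -> (edge address, edge port): the temporary L3 entry

    def handle(self, pkt):
        if not pkt.payload.startswith(AUTH_MARKER):
            return None       # ordinary traffic, not an authentication request
        auth = json.loads(pkt.payload[len(AUTH_MARKER):])
        self.adjacency[auth["device_id"]] = (pkt.src, pkt.sport)
        result = self.controller.verify(auth)   # stands in for the NETCONF round trip
        edge_addr, edge_port = self.adjacency[auth["device_id"]]
        return Packet(CENTER_ADDR, edge_addr, pkt.proto, pkt.dport, edge_port,
                      RESP_MARKER + json.dumps(result).encode())

class EdgeDevice:
    def __init__(self, sn, device_id, key):
        self.sn, self.device_id, self.key = sn, device_id, key
        self.pending_nonce = None

    def build_auth_request(self, sniffed):
        """Encapsulate the device authentication information into the sniffed packet's payload."""
        auth = {"sn": self.sn, "device_id": self.device_id, "nonce": secrets.token_hex(8),
                "transport": {"proto": sniffed.proto, "sport": sniffed.sport, "dport": sniffed.dport}}
        auth["mac"] = _mac(self.key, auth)
        self.pending_nonce = auth["nonce"]
        return Packet(sniffed.src, CENTER_ADDR, sniffed.proto, sniffed.sport, sniffed.dport,
                      AUTH_MARKER + json.dumps(auth).encode())

    def handle_response(self, pkt):
        """True only for a MAC-valid 'pass' result that echoes the nonce we are waiting for."""
        if pkt is None or not pkt.payload.startswith(RESP_MARKER):
            return False
        result = json.loads(pkt.payload[len(RESP_MARKER):])
        return (_mac_ok(self.key, result) and result.get("nonce") == self.pending_nonce
                and result.get("status") == "pass")

def run_exchange(edge, center, sniffed, request=None):
    """One full round trip; pass an earlier `request` to resend it unchanged (a replay)."""
    request = request or edge.build_auth_request(sniffed)
    return edge.handle_response(center.handle(request)), request

# Constructed sample input: one edge device whose shared key the controller also holds.
SAMPLE_KEY = b"example-shared-key-not-for-real-use"
SAMPLE_SNIFFED = Packet("192.168.1.20", "198.51.100.7", "tcp", 51234, 443, b"user data")
```

`run_exchange(edge, center, SAMPLE_SNIFFED)` returns `(True, request)` for a device the controller knows; resending that same `request` returns `False` because the nonce has been consumed, and a device with an unknown SN or the wrong key also gets a `fail` result whose MAC it cannot verify. The text additionally has the center-end device check the device authentication information before forwarding it; this example leaves that check entirely to the controller. A deployment would also need to age the `seen_nonces` set rather than let it grow without bound.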
After receiving the authentication result from the SDN controller 13, the center-end device 12 generates an authentication response packet and sends it to the edge device 11 using the recorded device authentication information of the edge device 11. It should be understood that what the center-end device 12 sends to the edge device 11 is an authentication response packet that crosses the Internet.
After receiving the authentication response packet from the center-end device 12, the edge device 11 verifies the re-encrypted content using the decryption method agreed with the SDN controller 13; once verification succeeds, the edge device 11 and the center-end device 12 can communicate across networks on the basis of the device authentication information.
Specifically, the edge device 11 classifies packets received on its WAN (Wide Area Network) interface by feature identification: a packet identified as an authentication response packet is passed to the control plane for processing, and other packets are discarded.
When an authentication response packet is identified and its verification passes, the edge device switches to the online state and creates a layer-3 adjacency table entry, completing cross-network authentication with the center-end device 12 so that communication can proceed; if verification of the packet fails, it switches to the offline state.
Optionally, after the authentication response packet is verified successfully, the edge device 11 may further send an authentication success confirmation packet to the SDN controller 13 via the center-end device 12, so that the SDN controller 13 knows the authentication succeeded; the confirmation packet may include the SN code, device ID and similar information of the edge device 11.
Further, in order to ensure the stability and the connection rate of the inter-network communication request performed by the edge device 11, in this embodiment, when the edge device 11 has not received the authentication response packet sent by the center device 12 within a preset time period, packet sniffing is performed again, the device authentication information of the re-sniffed packet is encapsulated into the load of the re-sniffed packet, and the re-sniffed packet is then sent to the center device 12 to reinitiate the inter-network authentication.
Optionally, the preset time period may be flexibly selected according to the specific inter-network communication speed and connectivity requirement, for example 2 seconds, 3 seconds or 5 seconds; the timed re-sniffing may be implemented with a timer, and any other message received while in the authentication state is discarded directly.
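As an added illustration (not code from the patent or from the applicant), the following Python models the edge-side flow described above: the sniffed user packet whose payload is replaced with the device authentication information, the center-end device's parsing and relay to the SDN controller, and the edge device's handling of the response, including dropping unrelated WAN packets while in the authentication state, the online/offline transition, and the timer-driven re-sniff when no response arrives within the preset period. The shared HMAC key, marker bytes, registered-device table and sample packet are constructed stand-ins; the patent does not specify the agreed decryption manner, so an HMAC tag over the submitted fields is used in its place.

```python
import enum
import hashlib
import hmac
import json
from typing import Callable, Dict, Optional

# Constructed stand-ins: the shared secret plays the role of the "decryption manner agreed with
# the SDN controller", and the marker is the feature by which the edge device recognises an
# authentication response among the packets arriving on its WAN interface.
SHARED_SECRET = b"constructed-demo-secret"
AUTH_MARKER = b"\xa7AUTH"
RETRY_SECONDS = 3.0  # one of the preset durations named in the text (2, 3 or 5 seconds)


class State(enum.Enum):
    SNIFFING = "sniffing"
    AUTHENTICATING = "authenticating"
    ONLINE = "online"
    OFFLINE = "offline"


def auth_tag(fields: Dict[str, str]) -> bytes:
    """HMAC-SHA256 over canonical JSON of the fields (constructed verification scheme)."""
    msg = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(SHARED_SECRET, msg, hashlib.sha256).digest()


def build_auth_request(sniffed: dict, sn: str, device_id: str) -> dict:
    """Edge side: keep the sniffed packet's transport header, replace its payload with the
    device authentication information (SN, device ID and the transport-layer fields)."""
    info = {"sn": sn, "device_id": device_id,
            "transport": {k: sniffed[k] for k in ("proto", "src_port", "dst_port")}}
    return {**sniffed, "payload": AUTH_MARKER + json.dumps(info).encode()}


def center_parse_request(packet: dict) -> Optional[dict]:
    """Center side: feature-identify the request and extract the device authentication info."""
    payload = packet.get("payload", b"")
    if not payload.startswith(AUTH_MARKER):
        return None
    try:
        return json.loads(payload[len(AUTH_MARKER):])
    except ValueError:
        return None


def controller_verify(info: dict, registered: Dict[str, str]) -> Optional[bytes]:
    """SDN controller: pass only a registered (SN, device ID) pair and return a tag bound to
    those fields, so the edge can check that the verdict really came via the controller."""
    if registered.get(info.get("sn")) != info.get("device_id"):
        return None
    return auth_tag({"sn": info["sn"], "device_id": info["device_id"], "result": "pass"})


def center_build_response(request: dict, tag: Optional[bytes]) -> dict:
    """Center side: reply on the reversed transport tuple so the response takes the same path
    back through the intervening network as the sniffed user packet."""
    status = b"PASS" if tag else b"FAIL"
    return {"proto": request["proto"], "src_port": request["dst_port"],
            "dst_port": request["src_port"], "payload": AUTH_MARKER + status + (tag or b"")}


class EdgeAuthenticator:
    """Edge-device state machine for the cross-network authentication described above."""

    def __init__(self, sn: str, device_id: str, sniff: Callable[[], dict]) -> None:
        self.sn, self.device_id, self.sniff = sn, device_id, sniff
        self.state = State.SNIFFING
        self.sent_at = 0.0
        self.attempts = 0

    def start(self, now: float) -> dict:
        """Sniff a user packet and turn it into the authentication request."""
        self.state = State.AUTHENTICATING
        self.sent_at = now
        self.attempts += 1
        return build_auth_request(self.sniff(), self.sn, self.device_id)

    def on_wan_packet(self, packet: dict) -> str:
        """Only a feature-identified response reaches the control plane; in the authentication
        state every other WAN packet is discarded, and a response without a valid tag fails."""
        if self.state is not State.AUTHENTICATING:
            return "ignored"
        payload = packet.get("payload", b"")
        if not payload.startswith(AUTH_MARKER):
            return "discarded"
        body = payload[len(AUTH_MARKER):]
        expected = auth_tag({"sn": self.sn, "device_id": self.device_id, "result": "pass"})
        if body.startswith(b"PASS") and hmac.compare_digest(body[4:], expected):
            self.state = State.ONLINE
            return "online"
        self.state = State.OFFLINE
        return "offline"

    def tick(self, now: float) -> Optional[dict]:
        """Timer: if no valid response arrived within the preset period, re-sniff and re-send."""
        if self.state is State.AUTHENTICATING and now - self.sent_at >= RETRY_SECONDS:
            return self.start(now)
        return None
```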
After the inter-network communication between the edge device 11 and the center-end device 12 is completed, the present embodiment may further perform operations such as topology acquisition or management on the edge device 11 through the SDN controller 13.
Referring to fig. 2, fig. 2 is a schematic flowchart illustrating a topology obtaining step according to an embodiment of the present disclosure.
The central device 12 sends the query message to the edge device 11 through the recorded device authentication information of the edge device 11.
Optionally, the central device 12 may send the query message to the edge device 11 at regular intervals, where the regular intervals may be flexibly selected according to specific requirements, for example, 4 seconds, 5 seconds, 8 seconds, and the like.
The query message may be a device information query message and/or a link query message.
After receiving, through the WAN interface, the query message sent by the central device 12, the edge device 11 sends a query response message to the central device 12. The query response message carries the information of the networks connected to the edge device 11 and the device identifier.
The query response message may be a device information response message and/or a link response message corresponding to the query message.
Meanwhile, the edge device 11 keeps the LAN interface forwarding normally and keeps online.
After receiving the query response message, the center-end device 12 may generate device management information of the edge device 11 based on the query response message, where the device management information may include device information and/or a network topology map generated based on network information connected to the edge device 11.
Then, when the SDN controller 13 needs to acquire the device information and the topology information, the central device 12 may be triggered to send the device management information to the SDN controller 13 through a network configuration protocol, so that the user's whole-network topology map can be displayed on the SDN controller 13 through a graphical interface.
The specific steps of the configuration issuing of the SDN controller 13 to the edge device 11 may be similar to the above topology obtaining steps.
It should be understood that, after the edge device 11 and the center-end device 12 have established zero-configuration cross-network communication and a communication task is completed, the edge device 11 may also need to be deleted by the SDN controller 13. In this embodiment, device management is performed by edge device deletion; for example, referring to fig. 3, fig. 3 is a schematic flowchart of the edge device deletion step provided in this embodiment of the present application.
Under the condition that the edge device 11 and the center device 12 perform interaction between the query message and the query response message, the SDN controller 13 sends an edge device deletion message to the center device 12, where the edge device deletion message includes unique identification information of the edge device 11 and a corresponding LAN interface.
The central device 12 sends an edge device logout message to the edge device 11 based on the edge device deletion message, and deletes the connection information of the edge device 11.
After receiving the edge device logout message, the edge device 11 notifies the forwarding layer to perform message sniffing again, and meanwhile, the normal forwarding and online state of the LAN interface is maintained.
Based on the device authentication method provided by this embodiment, the TCP/UDP header of existing user traffic is borrowed: authentication and management data are carried in the TCP/UDP message, which lets them cross an IP network that includes firewalls, and the header of the user data message is sniffed, so that the control-channel parameters are self-learned. Specifically, the center-end device 12 may traverse the Internet and initiate authentication of the edge device 11 without any configuration; the edge device 11 may be discovered across the Internet by the SDN controller 13 without user awareness and without affecting user traffic; and once discovered, the edge device 11 can be mutually authenticated and managed.
In order to cooperate with the above device authentication method, the embodiment of the present application further provides a device authentication apparatus 20 applied to the edge device 11.
Referring to fig. 4, fig. 4 is a block diagram of an apparatus authentication device applied to an edge device according to an embodiment of the present disclosure.
The device authentication apparatus 20 applied to the edge device 11 includes:
a sniffing module 21, configured to sniff a message received by an interface connected to a user network;
an encapsulating module 22, configured to encapsulate device authentication information of the packet into the load of the packet to obtain an authentication request packet, where the device authentication information includes information of the transport layer of the edge device;
the edge sending module 23 is configured to send the authentication request message to the center-end device;
and the authentication result determining module 24 is configured to determine an authentication result based on the authentication response message when receiving the authentication response message sent by the center end device, and when the authentication result is that the authentication is passed, the edge device can perform cross-network communication with the center end device through the device authentication information.
Optionally, the sniffing module 21 is further configured to: when the authentication response message sent by the center-end device is not received within the preset time length, re-sniff the message received by the interface connected with the user network; encapsulate the device authentication information of the re-sniffed message into the load of the re-sniffed message; and send the encapsulated re-sniffed message to the center-end device.
Optionally, the device authentication apparatus 20 further includes: the query module is used for receiving a query message sent by the center-end equipment, wherein the query message comprises an equipment query message and/or a link query message; and sending a query response message to the central terminal device based on the query message so that the central terminal device sends the query response message to the SDN controller, wherein the query response message comprises a device information response message and/or a link response message.
In order to cooperate with the above-mentioned device authentication method, the embodiment of the present application further provides a device authentication apparatus 30 applied to the center-end device 12.
Referring to fig. 5, fig. 5 is a block diagram of an apparatus authentication device applied to a center device according to an embodiment of the present disclosure.
The device authentication apparatus 30 applied to the center-side device 12 includes:
the intermediate receiving module 31 is configured to receive an authentication request message sent by an edge device;
the analysis module 32 is configured to analyze the authentication request packet to obtain device authentication information;
the intermediate sending module 33 is configured to send the device authentication information to the SDN controller when the device authentication information of the authentication request packet passes authentication;
a storage module 34, configured to store the device authentication information;
the intermediate receiving module 31 is further configured to receive an authentication result returned by the SDN controller based on the device authentication information;
and the intermediate sending module 33 is further configured to send an authentication response message to the edge device based on the authentication result.
Optionally, the intermediate sending module 33 is specifically configured to: and sending the equipment authentication information to the SDN controller through a network configuration protocol.
Optionally, the device authentication apparatus 30 further includes: the query forwarding module is used for packaging a query message through the equipment authentication information and sending the query message to the edge equipment, wherein the query message comprises an equipment query message and/or a link query message; receiving a query response message sent by the edge device, wherein the query response message comprises a device information response message and/or a link response message; determining equipment management information based on the query response message, wherein the equipment management information comprises equipment information and/or a network topological graph; and sending the device management information to the SDN controller through a network configuration protocol so that the SDN controller manages the edge device based on the device management information.
In order to cooperate with the above device authentication method, an embodiment of the present application further provides a device authentication apparatus 40 applied to the SDN controller 13.
Referring to fig. 6, fig. 6 is a schematic block diagram of a device authentication apparatus applied to an SDN controller according to an embodiment of the present disclosure.
The device authentication apparatus 40 applied to the SDN controller 13 includes:
the authentication module 41 is configured to receive device authentication information sent by the center-end device, where the device authentication information is obtained by the center-end device analyzing the authentication request packet and includes information of the transport layer of the edge device;
a verification module 42, configured to verify the device authentication information; and the control sending module is used for sending the authentication result to the central terminal equipment when the equipment authentication information passes the verification.
Optionally, the device authentication apparatus 40 further includes: the management module is used for receiving equipment management information sent by the center-end equipment, and the equipment management information comprises equipment information and/or a network topological graph; the edge device is managed based on the device management information.
An embodiment of the present application further provides an electronic device, where the electronic device includes a memory and a processor, the memory stores program instructions, and when the processor reads and runs the program instructions, it executes the steps of any one of the device authentication methods provided in this embodiment.
It should be understood that the electronic device may be an electronic device with a logic calculation function, such as a Personal Computer (PC), a tablet PC, a smart phone, a Personal Digital Assistant (PDA), or a communication device with a logic calculation function, such as a gateway or a router. For example, the electronic devices corresponding to the edge device 11 and the center-end device 12 may be routers, routing switches, and the like.
The embodiment of the application also provides a readable storage medium, wherein the readable storage medium stores computer program instructions, and the computer program instructions are read by a processor and run to execute the steps in the equipment authentication method.
To sum up, the embodiment of the present application provides a device authentication method, an apparatus, an electronic device, and a storage medium, where the method applied to an edge device includes: sniffing a message received by an interface connected with a user network; encapsulating device authentication information into the load of the message to obtain an authentication request message, where the device authentication information includes information of the transport layer of the edge device; sending the authentication request message to a center-end device; and, when an authentication response message sent by the center-end device is received, determining an authentication result based on the authentication response message, where, when the authentication result is that authentication passes, the edge device can communicate with the center-end device across networks through the device authentication information.
In this implementation, the edge device sniffs a message without affecting user service and sends the authentication request message, with the device authentication information encapsulated in it, to the center-end device for verification by the SDN controller, so that the edge device can be discovered and authenticated by the SDN controller across the Internet without network configuration, realizing zero-configuration edge device authentication and cross-network communication.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus may be implemented in other manners. The apparatus embodiments described above are merely illustrative, and for example, the block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of devices according to various embodiments of the present application. In this regard, each block in the block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams, and combinations of blocks in the block diagrams, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Therefore, the present embodiment further provides a readable storage medium, in which computer program instructions are stored, and when the computer program instructions are read and executed by a processor, the computer program instructions perform the steps of any of the block data storage methods. Based on such understanding, the technical solution of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: various media capable of storing program codes, such as a USB disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application. It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising ..." does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.

Claims (11)

1. A device authentication method applied to an edge device, the method comprising:
sniffing a message received by an interface connected with a user network;
packaging equipment authentication information into the load of the message to obtain an authentication request message, wherein the equipment authentication information comprises information of a transmission layer of the edge equipment;
sending the authentication request message to a center-end device, so that the center-end device sends device authentication information analyzed from the authentication request message to an SDN controller connected to the center-end device, and after receiving an authentication result returned by the SDN controller based on the device authentication information, returning an authentication response message based on the authentication result, wherein the authentication result is obtained by verifying the device authentication information by the SDN controller;
when receiving an authentication response message sent by the center-end device, determining an authentication result based on the authentication response message, and when the authentication result is that authentication is passed, the edge device can perform zero-configuration cross-network communication with the SDN controller through the device authentication information.
2. The method according to claim 1, wherein after the sending the authentication request packet to a center-end device, the method further comprises:
when the authentication response message sent by the central terminal equipment is not received after a preset time length, re-sniffing a message received by an interface connected with the user network;
packaging the equipment authentication information of the re-sniffed message into the load of the re-sniffed message;
and sending the encapsulated re-sniffed message to the central terminal equipment.
3. The method of claim 1, further comprising:
receiving an inquiry message sent by the center end equipment, wherein the inquiry message comprises an equipment inquiry message and/or a link inquiry message;
and sending a query response message to the central terminal device based on the query message so as to enable the central terminal device to send the query response message to a Software Defined Network (SDN) controller, wherein the query response message comprises a device information response message and/or a link response message.
4. A device authentication method is applied to a center-end device, and the method comprises the following steps:
receiving an authentication request message sent by an edge device, wherein the authentication request message is obtained by the edge device sniffing a message received by an interface connected with a user network and packaging device authentication information into the load of the message;
analyzing the authentication request message to obtain the equipment authentication information;
after the device authentication information of the authentication request message is analyzed, sending the device authentication information to an SDN controller so that the SDN controller verifies the device authentication information and returns an authentication result corresponding to the device authentication information;
saving the equipment authentication information;
receiving the authentication result returned by the SDN controller based on the equipment authentication information;
and sending an authentication response message to the edge device based on the authentication result, wherein the authentication response message is used for zero configuration cross-network communication between the edge device and the SDN controller.
5. The method of claim 4, further comprising:
packaging a query message through the equipment authentication information and sending the query message to the edge equipment, wherein the query message comprises an equipment query message and/or a link query message;
receiving a query response message sent by the edge device, wherein the query response message comprises a device information response message and/or a link response message;
determining equipment management information based on the query response message, wherein the equipment management information comprises equipment information and/or a network topological graph;
sending the device management information to the SDN controller through a network configuration protocol to enable the SDN controller to manage the edge device based on the device management information.
6. A device authentication method applied to an SDN controller is characterized by comprising the following steps:
receiving equipment authentication information sent by center end equipment, wherein the equipment authentication information is obtained by analyzing an authentication request message sent by edge equipment by the center end equipment, the equipment authentication information comprises equipment authentication information, the equipment authentication information comprises information of a transmission layer of the edge equipment, and the authentication request message is obtained by the edge equipment sniffing an interface connected with a user network and packaging the equipment authentication information into a load of the message;
verifying the equipment authentication information;
when the device authentication information passes verification, sending an authentication result to the center-end device, so that the center-end device sends an authentication response message to the edge device based on the authentication result after receiving the authentication result, wherein the authentication response message is used for zero-configuration cross-network communication between the edge device and the SDN controller.
7. The method of claim 6, further comprising:
receiving device management information sent by the center-end device, wherein the device management information comprises device information and/or a network topology map;
managing the edge device based on the device management information.
8. An apparatus for authenticating a device, the apparatus being applied to an edge device, the apparatus comprising:
the sniffing module is used for sniffing the message received by an interface connected with a user network;
an encapsulation module, configured to encapsulate device authentication information into a load of the packet to obtain an authentication request packet, where the device authentication information includes information of a transport layer of the edge device;
an edge sending module, configured to send the authentication request packet to a center device, so that the center device sends device authentication information analyzed from the authentication request packet to an SDN controller connected to the center device, and after receiving an authentication result returned by the SDN controller based on the device authentication information, returns an authentication response packet based on the authentication result, where the authentication result is obtained by verifying the device authentication information by the SDN controller;
and the authentication result determining module is used for determining an authentication result based on the authentication response message when receiving the authentication response message sent by the center-end device, and the edge device can perform zero-configuration cross-network communication with the SDN controller through the device authentication information when the authentication result is authentication passing.
9. An apparatus for authenticating a device, applied to a center-end device, the apparatus comprising:
an intermediate receiving module, configured to receive an authentication request message sent by an edge device, wherein the authentication request message is obtained by the edge device sniffing a message received by an interface connected with a user network and packaging device authentication information into the load of the message;
the analysis module is used for analyzing the authentication request message to obtain the equipment authentication information;
the intermediate sending module is used for sending the equipment authentication information to an SDN controller after the equipment authentication information of the authentication request message is analyzed, so that the SDN controller verifies the equipment authentication information and returns an authentication result corresponding to the equipment authentication information;
the storage module is used for storing the equipment authentication information;
the intermediate receiving module is configured to receive the authentication result returned by the SDN controller based on the device authentication information;
and the intermediate sending module is used for sending an authentication response message to the edge equipment based on the authentication result.
10. An apparatus for authenticating a device, applied to an SDN controller, the apparatus comprising:
the authentication module is used for receiving equipment authentication information sent by center end equipment, wherein the equipment authentication information is obtained by analyzing an authentication request message sent by edge equipment by the center end equipment, the equipment authentication information comprises equipment authentication information, the equipment authentication information comprises information of a transmission layer of the edge equipment, and the authentication request message is obtained by sniffing an interface connected with a user network by the edge equipment and packaging the equipment authentication information into a load of the message;
the verification module is used for verifying the equipment authentication information;
a control sending module, configured to send an authentication result to the center device when the device authentication information passes verification, so that the center device sends an authentication response packet to the edge device based on the authentication result after receiving the authentication result, where the authentication response packet is used for zero-configuration cross-network communication between the edge device and the SDN controller.
11. An electronic device, comprising a processor that executes program instructions to perform the steps of the method of any of claims 1-7.
CN202011462741.3A 2020-12-09 2020-12-09 Equipment authentication method and device, electronic equipment and storage medium Active CN112637154B (en)

Publications (2)

Publication Number Publication Date
CN112637154A CN112637154A (en) 2021-04-09
CN112637154B true CN112637154B (en) 2022-06-21

Family

ID=75312403

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011462741.3A Active CN112637154B (en) 2020-12-09 2020-12-09 Equipment authentication method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN112637154B (en)

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105978810A (en) * 2016-06-27 2016-09-28 上海斐讯数据通信技术有限公司 User authentication method and system based on SDN (Software Defined Network)
CN106487788A (en) * 2016-09-30 2017-03-08 中国联合网络通信集团有限公司 A kind of user access method, SDN controller, forwarding unit and subscriber access system
CN106506515A (en) * 2016-11-22 2017-03-15 杭州华三通信技术有限公司 A kind of authentication method and device
CN107181720A (en) * 2016-03-11 2017-09-19 中兴通讯股份有限公司 A kind of method and device of software definition networking SDN secure communications
CN107222433A (en) * 2017-04-18 2017-09-29 中国科学院信息工程研究所 A kind of access control method and system based on SDN path
CN107241454A (en) * 2016-03-29 2017-10-10 中兴通讯股份有限公司 A kind of method for realizing address administration, device, aaa server and SDN controllers
CN108632124A (en) * 2017-03-24 2018-10-09 中兴通讯股份有限公司 A kind of resource allocation methods, server, optical line terminal and system
CN108696479A (en) * 2017-04-07 2018-10-23 中兴通讯股份有限公司 A kind of Internet of Things Verification System and Internet of Things authentication method
CN109347784A (en) * 2018-08-10 2019-02-15 锐捷网络股份有限公司 Terminal admittance control method, controller, management and control devices and system
CN110868352A (en) * 2019-11-14 2020-03-06 迈普通信技术股份有限公司 Private network application identification system and method, SDN controller and P device

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104469772A (en) * 2014-12-29 2015-03-25 迈普通信技术股份有限公司 Website equipment authentication method and device and authentication system
JP6083009B1 (en) * 2016-05-11 2017-02-22 アライドテレシスホールディングス株式会社 SDN controller
CN111818100B (en) * 2020-09-04 2021-02-02 腾讯科技(深圳)有限公司 Method for configuring channel across networks, related equipment and storage medium

Patent Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107181720A (en) * 2016-03-11 2017-09-19 中兴通讯股份有限公司 A kind of method and device of software definition networking SDN secure communications
CN107241454A (en) * 2016-03-29 2017-10-10 中兴通讯股份有限公司 A kind of method for realizing address administration, device, aaa server and SDN controllers
CN105978810A (en) * 2016-06-27 2016-09-28 上海斐讯数据通信技术有限公司 User authentication method and system based on SDN (Software Defined Network)
CN106487788A (en) * 2016-09-30 2017-03-08 中国联合网络通信集团有限公司 A kind of user access method, SDN controller, forwarding unit and subscriber access system
CN106506515A (en) * 2016-11-22 2017-03-15 杭州华三通信技术有限公司 A kind of authentication method and device
CN108632124A (en) * 2017-03-24 2018-10-09 中兴通讯股份有限公司 A kind of resource allocation methods, server, optical line terminal and system
CN108696479A (en) * 2017-04-07 2018-10-23 中兴通讯股份有限公司 A kind of Internet of Things Verification System and Internet of Things authentication method
CN107222433A (en) * 2017-04-18 2017-09-29 中国科学院信息工程研究所 A kind of access control method and system based on SDN path
CN109347784A (en) * 2018-08-10 2019-02-15 锐捷网络股份有限公司 Terminal admittance control method, controller, management and control devices and system
CN110868352A (en) * 2019-11-14 2020-03-06 迈普通信技术股份有限公司 Private network application identification system and method, SDN controller and P device

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Fog-Assisted SDN Controlled Framework for Enduring Anomaly Detection in an IoT Network;Qaisar Shafi;《IEEE》;20181130;full text *
Research on SDN terminal access control based on OpenFlow;魏占祯;《Netinfo Security》;20180410;full text *

Also Published As

Publication number Publication date
CN112637154A (en) 2021-04-09

Similar Documents

Publication Publication Date Title
US11379602B2 (en) Internal controls engine and reporting of events generated by a network or associated applications
US8010643B2 (en) System and methods for simulating traffic generation
US7848259B2 (en) Systems and methods for inferring services on a network
US20170366416A1 (en) Gui and high-level api wrapper for software defined networking and software defined access for controlling network routing and rules
EP3018861B1 (en) Configuration information sending method, system and apparatus
US20190081930A1 (en) Dynamic, user-configurable virtual private network
EP2725762B1 (en) Deciphering internet protocol (IP) security in an IP multimedia subsystem (IMS) using a monitoring system
US11444833B1 (en) Business policy management for self-driving network
US11171809B2 (en) Identity-based virtual private network tunneling
Santos Network Security with NetFlow and IPFIX: Big Data Analytics for Information Security
Morris Network management, MIBs and MPLS
CN116055254A (en) Safe and trusted gateway system, control method, medium, equipment and terminal
Erel-Özçevik et al. OFaaS: OpenFlow switch as a service for multi tenant slicing in SD-CDN
US20240089178A1 (en) Network service processing method, system, and gateway device
CN112637154B (en) Equipment authentication method and device, electronic equipment and storage medium
Grossman et al. Deterministic networking (DetNet) security considerations
CN114422160A (en) Method and device for setting virtual firewall, electronic equipment and storage medium
Li Policy-based IPsec management
CN109376507B (en) Data security management method and system
US20170279940A1 (en) Software defined network-based data management method and system, and computer storage medium
CN109587134A (en) Method, apparatus, equipment and the medium of the safety certification of interface bus
CN107634884B (en) Cloud networking behavior management system and method based on virtual private dial-up network
CN115242645A (en) Loading virtualized network devices into a cloud-based network assurance system
Cisco SNMP Support for VPNs
CN109347822A (en) A kind of user accesses the reminding method and device of unauthorized resource

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant