CN1208927C - Control method for connecting network based on proxy mode in network equipment - Google Patents


Info

Publication number
CN1208927C
Authority
CN
China
Prior art keywords
user
characteristic
message
address
access
Legal status
Expired - Fee Related
Application number
CNB021212724A
Other languages
Chinese (zh)
Other versions
CN1466312A (en)
Inventor
侯超
常悦
李力
吴海军
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date
2002-06-12
Filing date
2002-06-12
Publication date
2005-06-29

Abstract

The present invention discloses a method for controlling network access made in proxy mode in a network device. An access device receives a packet from a user and extracts the packet's feature data. If matching feature data already exists in the access device, the packet is forwarded and the timestamp of the corresponding feature data is refreshed. Otherwise, the source address of the packet is used to look up in the access device the attributes of the user to whom the packet belongs, the user's rights are determined from those attributes, and those rights decide whether the user is allowed to add new feature data. If the user is not allowed to, the packet is discarded; if the user is, the packet's feature data is added to the access device, the packet is forwarded and the timestamp of the corresponding feature data is refreshed. With this scheme, access services offered through unauthorised proxies can be prevented, improving the rational and effective use of network resources.

Description

Control method for proxy-mode network access in a network device
Technical field:
The present invention relates to access control methods in communication systems, and in particular to a method by which a network device controls network access made through a proxy service.
Background technology:
With the spread of broadband data access, many Internet Service Providers (ISPs) run into the following problem: after a device has been connected to the network, it acts as a proxy and connects its own users' equipment, for example computers, to the network as well, in order to reduce Internet access fees. For the ISP this means losing the revenue those clients would have brought had they connected directly. Preventing users from privately connecting other users through a proxy without approval is therefore important to ISPs.
At present, the methods ISPs commonly use to keep unauthorised users off the network are PPP (Point-to-Point Protocol) authentication, web authentication, source IP address checks on the user's packets, or binding the user's Internet Protocol (IP) address, Media Access Control (MAC) address and virtual LAN identifier (VLAN ID) together, so that an unauthorised user cannot connect and consume network resources. Although these methods can ensure that a host connected to the network is a legitimately authenticated host, they cannot recognise a legitimately authenticated user who is online and acting as a proxy server for unauthorised users. That is, existing methods cannot tell whether a legitimate user is acting as a proxy server, and so cannot control the user's proxying. Existing access control methods therefore cannot stop a connected device from connecting further, unauthorised devices through a proxy, which reduces the rational and efficient use of network resources.
Summary of the invention:
The object of the present invention is to provide a method, in a network device, for controlling network access made in proxy mode, with which unauthorised users accessing the network through a proxy can be effectively restricted, thereby improving the rational and effective use of network resources.
To achieve this object, the control method for proxy-mode network access in a network device provided by the invention comprises:
(1) establishing in the network device a feature information table for storing the feature data of legitimate users;
and establishing in the network device a user attribute table for storing users' operating rights, including whether a user may add new feature data and the configured refresh time of the feature data;
(2) the network device receiving a user's packet and extracting the feature data from the packet;
(3) the network device searching the feature information table for a record matching the extracted feature data; if one exists, going to step (7); otherwise, executing step (4);
(4) looking up in the user attribute table the rights of the user to whom the packet belongs;
(5) judging from those rights whether the user may add new feature data; if not, discarding the packet; otherwise, executing step (6);
(6) adding the packet's feature data to the feature information table;
(7) forwarding the packet and refreshing the timestamp of the corresponding feature data in the feature information table.
The feature data of the invention comprises the protocol type, source IP address, source port number, destination IP address and destination port number.
The feature data of the invention may alternatively comprise only the protocol type, source IP address and destination IP address.
The feature information table established in step (1) comprises the following fields:
IP address: stores the IP address of a legitimate user;
Information: stores the legitimate user's feature data and the refresh time of that feature data.
The user attribute table established in step (1) comprises the following fields:
IP address group: stores a group of user IP addresses; the group describes the set of user IP addresses that share the same rights;
Attribute: stores the operating rights of each IP address group.
The method further comprises an aging process for the feature data in the network device, comprising:
(A1) determining, from the user attribute table, the user attributes of each feature data entry in the network device;
(A2) determining, from those user attributes, the configured refresh time of each user's feature data;
(A3) judging, against the configured refresh time of the user's feature data, whether the refresh time of each feature data entry in the feature information table has exceeded the configured refresh time; if so, deleting that feature data; otherwise taking no action.
Because the invention extracts feature data from the five-tuple of the received packet and uses the rights of the user to whom the feature data or packet belongs to judge whether the received packet is a legitimate proxy-mode access packet, forwarding it normally if so and discarding it otherwise, the scheme can to a high degree prevent access services offered through unauthorised proxies, and so improves the rational and effective use of network resources.
Description of drawings:
Fig. 1 is a flow chart of an embodiment of the method of the invention;
Fig. 2 is a diagram of a network in which the invention is applied.
Embodiment:
The invention is described in further detail below with reference to the drawings and embodiments.
The invention can be applied in various network access systems; see Fig. 2. Users 1 to N in the figure connect through an access server to a metropolitan area network or backbone network, which in turn connects to the Internet. When a user accesses the network, the access server performs access control on the user; when the access device of a user acts as an unauthorised proxy device that connects further user equipment to the network, the access server restricts it.
In a data access system, the information transmitted between user equipment and the network access device, for example an access server, is usually not carried in bare IP packets but in TCP (Transmission Control Protocol) or UDP (User Datagram Protocol) packets. When TCP or UDP is used, the network protocol stack of the user's operating system allocates a port number (a value no greater than 65535), and the protocol stack of the access server the user connects to also allocates a port number. These port numbers distinguish the different applications communicating between the same user and server. Together, the protocol type (TCP, UDP, etc.), source IP address, source port number, destination IP address and destination port number form five items of feature data, known as the five-tuple, which serves as the unique identifier of one application connection on the Internet.
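The paragraph above describes the five-tuple only in words. The following is an added example, not code from the patent or from Huawei, showing how an access device would actually extract the five-tuple (and the reduced three-tuple the description mentions later) from a raw IPv4 packet. The sample packets are constructed inline with zero checksums; the function names and the decision to fail closed on malformed input are the example's own choices. It goes slightly beyond the text by handling IPv4 options (the transport header starts at IHL*4, not at a fixed offset of 20) and non-TCP/UDP protocols, for which only the three-tuple is meaningful.

```python
"""Five-tuple extraction from raw IPv4 packets (added example; constructed sample packets)."""
import struct
from typing import NamedTuple, Optional

IPPROTO_ICMP = 1
IPPROTO_TCP = 6
IPPROTO_UDP = 17


class FiveTuple(NamedTuple):
    proto: int
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: Optional[int]

    def three_tuple(self):
        """Reduced feature data (protocol type, source IP, destination IP)."""
        return (self.proto, self.src_ip, self.dst_ip)


def _dotted(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def extract_five_tuple(pkt: bytes) -> FiveTuple:
    """Parse the IPv4 header and, for TCP/UDP, the transport-layer ports.

    Fails closed on anything malformed so a crafted packet cannot create a
    bogus table entry.  Non-TCP/UDP protocols and non-first fragments carry no
    usable ports and yield a tuple with ports set to None.
    """
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = pkt[0] >> 4, (pkt[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    proto = pkt[9]
    src_ip, dst_ip = _dotted(pkt[12:16]), _dotted(pkt[16:20])
    frag_offset = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    if proto in (IPPROTO_TCP, IPPROTO_UDP) and frag_offset == 0:
        if len(pkt) < ihl + 4:
            raise ValueError("truncated transport header")
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        return FiveTuple(proto, src_ip, sport, dst_ip, dport)
    return FiveTuple(proto, src_ip, None, dst_ip, None)


# --- constructed sample packets (checksums left zero; not captured traffic) ---
def build_ipv4(proto: int, src: str, dst: str, payload: bytes, options: bytes = b"") -> bytes:
    if len(options) % 4:
        raise ValueError("IPv4 options must be padded to 32 bits")
    ihl = 5 + len(options) // 4
    header = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | ihl, 0, ihl * 4 + len(payload), 0x1234, 0, 64, proto, 0,
        bytes(int(x) for x in src.split(".")), bytes(int(x) for x in dst.split(".")),
    )
    return header + options + payload


def tcp_header(sport: int, dport: int) -> bytes:
    # ports, seq, ack, data offset 5, SYN flag, window, checksum, urgent pointer
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)


def udp_header(sport: int, dport: int, length: int = 8) -> bytes:
    return struct.pack("!HHHH", sport, dport, length, 0)


SAMPLE_TCP = build_ipv4(IPPROTO_TCP, "10.0.0.2", "203.0.113.10", tcp_header(40000, 80))
# IHL 6 with four NOP option bytes: the ports follow the options, not byte 20
SAMPLE_UDP_OPTS = build_ipv4(IPPROTO_UDP, "10.0.0.2", "203.0.113.53",
                             udp_header(5353, 53), options=b"\x01" * 4)
SAMPLE_ICMP = build_ipv4(IPPROTO_ICMP, "10.0.0.2", "203.0.113.10", b"\x08\x00\x00\x00\x00\x01\x00\x01")

if __name__ == "__main__":
    for name, pkt in (("tcp", SAMPLE_TCP), ("udp+options", SAMPLE_UDP_OPTS), ("icmp", SAMPLE_ICMP)):
        ft = extract_five_tuple(pkt)
        print(name, ft, "three-tuple:", ft.three_tuple())
```

The three-tuple is simply a projection of the full tuple, so a device that stores five-tuples can always fall back to the coarser key, but not the other way round.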
Because a user accessing the network inevitably presents five-tuple data, a user who connects unauthorised users through a proxy cannot do so without leaving traces: what cannot be hidden is that the packets such a user sends within a short time interval use more five-tuples. Based on this fact, the invention has the access server identify and count the five-tuples a user uses within a relatively short time, detect whether an access device is connecting other unauthorised users through a proxy, and restrict the user from proxying unauthorised users by controlling the number of five-tuples the user may use within a relatively short time and the refresh frequency of the user's five-tuples.
According to the method of the invention, a five-tuple information table is first established in the access device for storing legitimate users' five-tuple information. The table comprises the following fields:
IP address: stores the IP address of a legitimate user;
Information: stores the legitimate user's five-tuple data together with the refresh time of the corresponding five-tuple data.
A user attribute table is also established in the access device for storing users' operating rights. It comprises the following fields:
IP address group: stores a group of user IP addresses; the group describes the set of user IP addresses that share the same rights;
Attribute: stores the operating rights of each IP address group.
With these tables, the access device of the network uses the above entries to record the five-tuple information used by each user. When a user's five-tuple information arrives, the forwarding module of the access device searches the five-tuple information table using the received packet information. If a matching entry is found, the packet is considered legitimate and is forwarded normally. If not, the packet is handed to the proxy rights management module of the access device; the proxy control module finds the user profile configuration table and, by source IP address, decides whether to let this kind of five-tuple packet through based on the rights the administrator configured in that table and on the count and time-refresh information in the user's five-tuple information table. If allowed, a corresponding entry is added to the five-tuple information table and the packet is forwarded; if not, the user's packet is simply discarded. The user profile configuration table is configured in advance by the administrator through the management module.
Fig. 1 is a flow chart of an embodiment of the method of the invention. According to Fig. 1, in step 1 the access device receives the user's access packet and extracts the feature data from the five-tuple carried in the packet, that is, the five items protocol type, source IP address, source port number, destination IP address and destination port number. If the required precision of proxy control is not very high, only three items of the five-tuple need be extracted: protocol type, source IP address and destination IP address. In step 2 the feature data is used to search the access device's five-tuple information table for matching five-tuple data. If found, the access packet comes from a user access device with legitimate proxy qualification, so it is forwarded directly and, in step 7, the timestamp of the corresponding five-tuple data in the access device's five-tuple information table is refreshed. Otherwise the access packet is not yet known to come from a user access device with legitimate proxy qualification, and the user's rights must be looked up to judge whether the user's packets have legitimate proxy qualification. Therefore, in step 3 the source address of the access packet is used to look up the attributes of the user to whom the packet belongs in the access device's user attribute table; in step 4 the user's rights are determined from those attributes; and in step 5 those rights decide whether the user may add a new five-tuple. If not, the access packet is discarded in step 8; otherwise the packet's five-tuple data is added to the access device in step 6, and finally in step 7 the access packet is forwarded and the timestamp of the corresponding five-tuple data in the access device's five-tuple information table is refreshed.
In practice, a user who has the right to add five-tuple data to the access device's five-tuple information table does not necessarily have legitimate proxy qualification, so the five-tuple data in the table must also be aged periodically. The aging process is as follows:
Step 1: determine the user attributes of each five-tuple entry in the access device's five-tuple information table. Step 2: determine from those user attributes the configured refresh time of each user's five-tuples. Step 3: judge, against the refresh time configured for the user's five-tuples, whether the refresh time of each five-tuple entry in the table has exceeded the configured time. If so, the network access corresponding to that five-tuple has exceeded the configured frequency, the user can be judged to lack legitimate proxy qualification, and the corresponding five-tuple data is deleted; five-tuple entries that have not exceeded the configured time are left unprocessed.
It should also be noted that, in this embodiment, the retrieval of user information and five-tuple information can be implemented with hash lookup algorithms, binary search trees, CAM (Content Addressable Memory) and similar methods.

Claims (6)

1. A control method for proxy-mode network access in a network device, characterised in that it comprises the following steps:
(1) establishing in the network device a feature information table for storing the feature data of legitimate users;
and establishing in the network device a user attribute table for storing users' operating rights, including whether a user may add new feature data and the configured refresh time of the feature data;
(2) the network device receiving a user's packet and extracting the feature data from the packet;
(3) the network device searching the feature information table for a record matching the extracted feature data; if one exists, going to step (7); otherwise, executing step (4);
(4) looking up in the user attribute table the rights of the user to whom the packet belongs;
(5) judging from those rights whether the user may add new feature data; if not, discarding the packet; otherwise, executing step (6);
(6) adding the packet's feature data to the feature information table;
(7) forwarding the packet and refreshing the timestamp of the corresponding feature data in the feature information table.
2. The control method for proxy-mode network access according to claim 1, characterised in that the feature data comprises the protocol type, source IP address, source port number, destination IP address and destination port number.
3. The control method for proxy-mode network access according to claim 1, characterised in that the feature data comprises the protocol type, source IP address and destination IP address.
4. The control method for proxy-mode network access according to claim 1, characterised in that the feature information table comprises the following fields:
IP address: stores the IP address of a legitimate user;
Information: stores the legitimate user's feature data and its refresh time.
5. The control method for proxy-mode network access according to claim 1, characterised in that the user attribute table comprises the following fields:
IP address group: stores a group of user IP addresses; the group describes the set of user IP addresses that share the same rights;
Attribute: stores the operating rights of each IP address group.
6. The control method for proxy-mode network access according to claim 1, characterised in that the method further comprises an aging process for the feature data in the network device, comprising:
(A1) determining, from the user attribute table, the user attributes of each feature data entry in the network device;
(A2) determining, from those user attributes, the configured refresh time of each user's feature data;
(A3) judging, against the configured refresh time of the user's feature data, whether the refresh time of each feature data entry in the feature information table has exceeded the configured refresh time; if so, deleting that feature data; otherwise taking no action.

Priority Application (1)

Application number: CNB021212724A
Priority date: 2002-06-12
Filing date: 2002-06-12
Title: Control method for connecting network based on proxy mode in network equipment
Status: Expired - Fee Related

Publications (2)

CN1466312A: published 2004-01-07 (application)
CN1208927C: published 2005-06-29 (granted patent)

Family

ID=34142161

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100338915C (en) * 2005-08-19 2007-09-19 杭州华三通信技术有限公司 Message mirroring method and network equipment with message mirroring function
CN101212375B (en) * 2006-12-30 2014-07-23 方正宽带网络服务股份有限公司 Method and system for controlling network access via agent

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101167079B (en) * 2006-03-29 2010-11-17 日本三菱东京日联银行股份有限公司 User affirming device and method
CN101106508B (en) * 2006-07-14 2012-06-20 华为技术有限公司 A method for obtainment user specification in isomerous system
CN101399749B (en) * 2007-09-27 2012-04-04 华为技术有限公司 Method, system and device for packet filtering
CN101453308B (en) * 2008-12-31 2011-09-14 华为技术有限公司 IP clock packet processing method, equipment and system
CN101729311B (en) * 2009-11-18 2013-01-09 中兴通讯股份有限公司 Method and device for detecting effectiveness of local active source
CN105939357A (en) * 2016-06-13 2016-09-14 杭州迪普科技有限公司 Method and device for obtaining corresponding relation of user IP (Internet Protocol) address and user group information

Also Published As

Publication number Publication date
CN1466312A (en) 2004-01-07

Legal Events

C06 / PB01: Publication
C10 / SE01: Entry into substantive examination
C14 / GR01: Grant of patent or utility model (granted publication date: 2005-06-29)
CF01 / EXPY: Termination of patent right or utility model due to non-payment of annual fee (termination date: 2015-06-12)