CN1477816A - Network access control method of network address conversion protocol user - Google Patents


Info

Publication number
CN1477816A
Authority
CN
China
Prior art keywords
user
network
current
speed
nat
Prior art date
Legal status
Granted
Application number
CNA021290059A
Other languages
Chinese (zh)
Other versions
CN1249950C (en)
Inventor
吴海军
付艳
程珂
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd
Priority to CN 02129005 (granted as CN1249950C)
Publication of CN1477816A
Application granted
Publication of CN1249950C
Anticipated expiration
Current legal status: Expired - Fee Related

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention discloses an access control method for NAT users. The method sets a network connection count control value for every user; when a user's current number of network connections exceeds this control value, that user's subsequent network access is suspended. It also sets a network session connection rate control value for every user; when a user's current network session connection rate exceeds this control value, that user's subsequent network access is likewise suspended. The invention protects the normal use of NAT device resources by the majority of users.

Description

Access control method for users of the network address translation protocol
Technical field
The present invention relates to a method for user network access, and in particular to an access control method for users of the network address translation (NAT) protocol.
Background technology
As the number of network users grows rapidly, the pool of assignable IP addresses keeps shrinking, so network address translation (NAT) devices are used more and more widely. NAT technology is divided into basic NAT and port address translation (PAT). Basic NAT is further divided into static address translation and dynamic address translation; what they have in common is that only the IP address is translated, so at any one moment a public IP address can provide a public-network outlet for only a single private IP address, which does not save public IP addresses. Under PAT, each public IP address can provide the public-network outlet for many private users at once, because the private IP address and the transmission control protocol/user datagram protocol (TCP/UDP) port are translated together, allowing multiple private IP addresses to share one public outlet.
In practice, some users employ TCP-based tool software to initiate a large number of connection sessions through the NAT device. Under heavy traffic this degrades other users' access to the Internet, because the memory that the NAT device can allocate to private users is limited. Moreover, because the device's internal resources are refreshed so frequently, it cannot record every access made by private users behind the NAT, which makes tracing such improper behavior difficult. When a user accesses the network, the NAT device handles each uplink packet from the private network as follows: if the packet initiates a connection or carries the information needed to establish one, the device allocates memory to store the information required for the private-to-public translation, then translates the IP address and TCP/UDP port and forwards the translated packet to the Internet. Throughout this process the NAT device does not manage the user in any way; it merely performs the address and port translation. It therefore cannot stop hostile network access by an improper private user who occupies NAT resources, and the normal use of network resources by other users is disrupted.
Summary of the invention
The object of the present invention is to provide an access control method for NAT users which effectively stops hostile network access by improper private users and their abnormal occupation of NAT resources, thereby minimizing the impact on other private users.
To achieve the above object, the NAT user access control method provided by the invention comprises:
setting a network connection count control value for each user, and suspending a user's subsequent network access when that user's current network connection count exceeds the control value;
setting a network connection rate control value for each user, and suspending a user's subsequent network access when that user's current network connection rate exceeds the control value.
The method further comprises:
establishing a connection count control table for storing the network connection count control value set for each user, and establishing a current connection count table for storing the user's current network connection count or the user's currently available network connection count;
establishing a connection rate control table for storing the network connection rate control value set for each user, and establishing a current connection rate table for storing the user's current network connection rate or the user's currently available network connection rate;
setting a timer task for controlling the user's network connections according to the configured network connection rate.
Because the present invention controls a user's network connections through both a total-connection limit and a connection-setup rate limit, suspending the user's subsequent network access as soon as either the total number of connections or the connection rate exceeds the preset value, it effectively prevents attacks on the NAT device by malicious users abusing tool software and protects the normal use of the majority of users. At the same time, the invention can manage NAT device resources more effectively according to user characteristics and can implement priority control to a certain degree. Using total-connection control together with connection-setup rate control also effectively guards against combined attacks using SYN (initiation) and RST (termination) messages.
Embodiment
Present technique can be controlled the concurrent visit capacity and the access session speed of the inner private user of NAT effectively, thereby improves the reliability of equipment and provide more operation means for operator.Specifically, the present invention adopts and connects method that sum control and connection speed limit and user's network is connected controls.
First, at configuration time the NAT device distinguishes users by configuring different IP network segments, and applies differentiated total-connection limits to different classes of user: an ordinary home user's total connections may be limited to a smaller order of magnitude, while users with special needs, such as Internet cafe users or group users, may be given a limit of a larger order of magnitude, the exact value depending on the size of the group. The implementation consists of two tables. The first is the connection count control table, which holds the pre-configured control value for each user's total number of connections. The second is the current connection count table, which holds either the user's current number of network connections or the user's currently available number of connections; its values change as the user's connections are opened and closed. Whether a packet with which a user attempts to open a connection is allowed to establish it is decided by the NAT device comparing the corresponding values in the two tables. Suppose the connection count control table in a concrete implementation of the invention is as follows:
User          Pre-configured session connection count (control value)
10.10.1.1     20
10.10.2.1     50
10.10.3.1     100
...
The current connection count table holds the currently available number of network connections, as in the following table:
User          Currently available session connection count
10.10.1.1     10
10.10.2.1     50
10.10.3.1     100
...
As the tables show, user 10.10.1.1 is pre-configured on the NAT device with the ability to establish 20 session connections in total, of which 10 are currently in use. If user 10.10.1.1 keeps initiating connections, the "currently available session connection count" keeps falling; when it reaches 0, this user can no longer establish new connections to the Internet through the NAT device unless existing connections are released. When the user releases existing connections, the "currently available session count" increases accordingly. Throughout, the actions of 10.10.1.1 have no effect on other users.
Second, differentiated limits on the rate of connection setup can be applied to different classes of user: for example, an ordinary home user's connection-setup rate is limited to a smaller order of magnitude, while users with special needs, such as Internet cafe users or group users, may have their connection rate limited to a larger order of magnitude, the exact value depending on the size of the group. This can be implemented with two tables and a timer task. The first table is the connection rate control table, which holds the network connection rate control value set for each user; the second is the current connection rate table, which holds the user's current connection rate or the user's currently available connection rate; and a timer task is set up to control the user's network connections according to the configured rate. Alternatively, the implementation can consist of one table and one task: the table is the current connection rate table, which holds the total rate at which connections can currently be set up and decreases as connections are established, while the timer task periodically replenishes this table's connection-rate control count at the predefined rate, thereby achieving control of the connection-setup rate.
Each access a user makes to the Internet through NAT is generally one session, and the NAT device must build a mapping entry for every session recording the correspondence between public-network and private-network characteristics so that data packets can be translated. With a limit on each NAT user's total connections, the utilization of the NAT device's limited resources is improved, the use of the majority of normal users is guaranteed, and the normal operation of the NAT device is aided. For example, under heavy traffic, with a limit on the connection-setup rate in place, the NAT device can drop the packets of any user who exceeds the preset rate limit; the connection rate limit can also be set according to the importance of the customer, so that important users are served first, which achieves priority control to a certain extent.
Suppose the connection rate control table in a concrete implementation of the invention is:
User          Pre-configured session connections per second (rate control value)
10.10.1.1     10
10.10.2.1     20
10.10.3.1     30
...
The current connection rate table holds the currently available network connection rate, as in the following table:
User          Currently available session connection count (this period)
10.10.1.1     5
10.10.2.1     20
10.10.3.1     30
...
Then user 10.10.1.1 is able to set up 10 session connections per second on the NAT device, of which 5 have already been used in the current period. If user 10.10.1.1 keeps initiating connections, the "currently available session connection count" keeps falling; when it reaches 0, this user can no longer establish new connections to the Internet through the NAT device. The "currently available session connection count" is periodically restored to the rate control value. Throughout, the actions of 10.10.1.1 have no effect on other users.
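The count control (two tables) and rate control (two tables plus a timer task) described above, combined into one admission decision per session-opening packet, as an added Python example that is not the patent's or Huawei's code. The NatAdmission class and its admit/release/tick methods are this example's own names; the table values are the ones quoted in the description, and the timer period is assumed to be one second to match the per-second rate values.

```python
from dataclasses import dataclass, field


@dataclass
class NatAdmission:
    """Per-user admission control for session-opening packets.
    Example code, not the patent's own implementation."""
    count_limit: dict            # table 1: total session control value
    rate_limit: dict             # table 3: session setups per timer period
    count_avail: dict = field(init=False)  # table 2: free session slots
    rate_avail: dict = field(init=False)   # table 4: setups left this period

    def __post_init__(self):
        self.count_avail = dict(self.count_limit)
        self.rate_avail = dict(self.rate_limit)

    def admit(self, user: str) -> bool:
        """Uplink packet that opens a new session: True if the NAT device may
        allocate a mapping for it, False if it must be dropped."""
        if user not in self.count_limit:
            return False            # unknown private user: no entry, no mapping
        if self.count_avail[user] <= 0:
            return False            # total-connection control value reached
        if self.rate_avail[user] <= 0:
            return False            # setup-rate control value reached
        self.count_avail[user] -= 1
        self.rate_avail[user] -= 1
        return True

    def release(self, user: str) -> None:
        """Session closed: give one slot back, never above the control value."""
        if user in self.count_limit and self.count_avail[user] < self.count_limit[user]:
            self.count_avail[user] += 1

    def tick(self) -> None:
        """Timer task, once per period: restore every rate table entry to its
        control value. Released sessions never refill this table."""
        self.rate_avail = dict(self.rate_limit)


def simulate():
    """Replay the description's scenario for 10.10.1.1 (20 sessions, 10/s)."""
    nat = NatAdmission(
        count_limit={"10.10.1.1": 20, "10.10.2.1": 50, "10.10.3.1": 100},
        rate_limit={"10.10.1.1": 10, "10.10.2.1": 20, "10.10.3.1": 30},
    )
    u = "10.10.1.1"
    # 15 setups in one period: only 10 pass, the rate table runs out first.
    first_period = sum(nat.admit(u) for _ in range(15))
    nat.tick()                      # rate table refilled, count table untouched
    # 12 more setups: only 10 free slots remain, so 10 pass and 2 are dropped.
    second_period = sum(nat.admit(u) for _ in range(12))
    nat.tick()
    blocked_when_full = nat.admit(u)   # 20 sessions live: refused despite refill
    nat.release(u)
    after_release = nat.admit(u)       # one slot freed: admitted again
    other_untouched = nat.count_avail["10.10.2.1"] == 50  # isolation between users
    return first_period, second_period, blocked_when_full, after_release, other_untouched


if __name__ == "__main__":
    print(simulate())  # (10, 10, False, True, True)
```

The two refusals are deliberately distinct: the rate table refuses a burst within one period and is refilled only by the timer, while the count table refuses when the user's live sessions reach the control value and is refilled only by the user releasing sessions.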

Claims (4)

1. An access control method for a user of the network address translation (NAT) protocol, comprising:
setting a network connection count control value for each user, and suspending a user's subsequent network access when that user's current network connection count exceeds said control value;
setting a network connection rate control value for each user, and suspending a user's subsequent network access when that user's current network connection rate exceeds said control value.
2. The NAT user access control method according to claim 1, characterized in that said method comprises: establishing a connection count control table for storing the network connection count control value set for each user; and establishing a current connection count table for storing the user's current network connection count or the user's currently available network connection count.
3. The NAT user access control method according to claim 1 or 2, characterized in that said method comprises: establishing a connection rate control table for storing the network connection rate control value set for each user; and establishing a current connection rate table for storing the user's current network connection rate or the user's currently available network connection rate.
4. The NAT user access control method according to claim 3, characterized in that said method comprises: setting a timer task for controlling the user's network connections according to the configured network connection rate.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 02129005 CN1249950C (en) 2002-08-23 2002-08-23 Network access control method of network address conversion protocol user

Publications (2)

Publication Number Publication Date
CN1477816A true CN1477816A (en) 2004-02-25
CN1249950C CN1249950C (en) 2006-04-05

Family

ID=34143927

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100423512C (en) * 2005-06-17 2008-10-01 杭州华三通信技术有限公司 Method for controlling usage of network address translation equipment resources of a virtual private network (VPN)
WO2008083597A1 (en) * 2006-12-31 2008-07-17 Huawei Technologies Co., Ltd. Method and device of controlling the number of sessions of user
CN101212483B (en) * 2006-12-31 2012-04-25 华为技术有限公司 Method and system for controlling the number of user sessions
CN101873252B (en) * 2008-10-22 2012-10-24 冲电气工业株式会社 Packet transfer device, packet transfer method and communication device
CN101969637A (en) * 2009-07-28 2011-02-09 华为技术有限公司 Network connection management method and related device
CN102006201A (en) * 2010-11-23 2011-04-06 北京星网锐捷网络技术有限公司 New connection number test method, system and device in network address translation
CN102006201B (en) * 2010-11-23 2012-07-25 北京星网锐捷网络技术有限公司 New connection number test method, system and device in network address translation
CN103905573A (en) * 2012-12-26 2014-07-02 中国移动通信集团广西有限公司 Method and equipment for managing IP resources
CN103905573B (en) * 2012-12-26 2017-11-21 中国移动通信集团广西有限公司 A kind of method and apparatus being managed to IP resources


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20060405

Termination date: 20150823

EXPY Termination of patent right or utility model