CN1671096A - Policy control based multicast access control method - Google Patents


Info

Publication number: CN1671096A
Authority: CN (China)
Prior art keywords: multicast, participant, request, information, router
Legal status: Pending
Application number: CNA2004100143887A
Other languages: Chinese (zh)
Inventors: 洪佩琳, 李津生, 刘利, 孙卫强, 朱文涛, 熊继平
Current assignee: University of Science and Technology of China (USTC)
Original assignee: University of Science and Technology of China (USTC)
Events: application filed by University of Science and Technology of China (USTC); priority to CNA2004100143887A; publication of CN1671096A; legal status pending.

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A policy-control-based multicast access control method for multicast networks. A policy control system is introduced into the network. A multicast participant requesting access sends an access request together with its own information to the multicast router; the multicast router sends a policy request to the policy control system; the policy server decides whether the user may be admitted and returns a policy instruction; the multicast router carries out the corresponding operation according to the policy instruction and dynamically modifies its access control list; a user who has been granted permission can then access the multicast group. The method scales well.

Description

Multicast access control method based on policy control
Technical field:
The present invention relates to the field of secure multicast on the Internet, and specifically to a method of performing access control on a multicast participant when it accesses a multicast group.
Background technology:
Multicast technology saves network resources and is convenient in one-to-many and many-to-many scenarios. It is increasingly applied in various broadband services, such as news on demand and video conferencing. Terms used below: a multicast participant (Multicast Participant) is a sender (Sender) or receiver (Receiver) taking part in a multicast service; a multicast member (Multicast Member) is a receiver that has joined the multicast group; access (Access) means connecting to the multicast domain and taking part in the multicast service; join (Join) means the operation by which a user becomes a multicast member.
Fig. 1 shows the network topology of a multicast service. The multicast source (sender, Sender) accesses the network through a multicast router (Multicast Router, MR) and sends multicast data to a multicast address (for example 192.168.2.9 in Fig. 1). A user in each subnet sends a join request message (IGMP) to the network, joins the multicast group, becomes a multicast member (Receiver/Member) and receives the multicast data (for example 192.168.3.11 and 192.168.6.141 in Fig. 1). A user in the subnet that has not joined the multicast group (Host/Non-member) does not receive the multicast data (for example 192.168.3.75 in Fig. 1). The multicast routers run a multicast routing protocol such as the Distance Vector Multicast Routing Protocol (DVMRP) or Protocol Independent Multicast (PIM) to build a shared multicast tree, over which multicast data is delivered from the multicast source to the multicast members.
The multicast control method in current use allows any user to join a multicast group. The user's host sends a join request message to the adjacent multicast router, and that router in turn sends the join request up the multicast tree. Existing multicast control has no access control at all: every join request is answered successfully. Once the join succeeds, the multicast tree is extended to that subnet, and the host that sent the join request receives the multicast data.
Another problem with existing multicast control is that there is no authentication of the multicast data source. As long as a host knows the multicast address used by a multicast service, it can send interfering data to that address. The consequences are: 1. the quality of the legitimate multicast service degrades; 2. network resources are wasted, affecting the quality of service of the network.
Summary of the invention
The purpose of this invention is to provide a multicast access control method based on policy control, to solve the access control problem in secure multicast.
The technical solution of the invention is as follows:
A policy server and its directory server, able to communicate with the multicast router of each subnet, are set up at the management level of the multicast network; the policy rules for access control and the information on valid users are configured there, and access control is applied to multicast participants. The control procedure is: 1. when accessing a multicast group, the multicast participant first sends an access request together with its own information to the multicast router; 2. the multicast router sends a policy request to the policy server according to the member type given in that information; 3. the policy server answers the policy request according to the access control policy rules and the valid user information, and returns a policy instruction; 4. the multicast router carries out the corresponding operation according to the policy instruction and forwards the policy instruction to the multicast participant; 5. a multicast participant that has been authenticated and granted permission can access the multicast group.
In this scheme, each part works as follows:
The work of the multicast participant comprises the steps: 1. according to the multicast group it wants to access, the multicast participant initialises a set of its own information, comprising the host IP address, the multicast address, the member type and the host authentication information; 2. the multicast participant sends the access request and its information to the multicast router; 3. it waits for the response of the multicast router, and decides according to the policy instruction forwarded by the multicast router whether it may access the multicast group and receive or send data.
The work of the multicast router comprises the steps: 1. initialisation: set up the access control list (ACL) and wait for a multicast participant's access request and information; 2. after receiving a multicast participant's access request and information, determine the participant's member type from the information and send the corresponding policy request to the policy server; 3. wait for the policy server's reply; 4. receive the policy server's policy instruction and decide according to it whether to modify the access control list; 5. forward the policy instruction to the multicast participant.
The work of the policy server comprises the steps: 1. initialisation: set the policy rules and valid user information in the directory server and wait for policy requests from multicast routers; 2. after receiving a policy request from a multicast router, query the directory server; 3. compare the multicast participant's information in the policy request with it and determine whether the participant is allowed to access the multicast group; 4. return the corresponding policy instruction to the multicast router.
The key of the invention is the use of a policy control system to perform access control on multicast participants. The policy rules for access control and the valid user information are configured on the directory server of the policy control system; the policy server authenticates the relevant information of the multicast participant, and the multicast router enforces access control on the participant by dynamically modifying its access control list. This authenticates multicast participants effectively in a multicast environment and solves the access control problem there; it is an effective method suited to the secure multicast field and has good application prospects.
Description of drawings
Fig. 1 is the network topology diagram of an existing multicast service;
Fig. 2 is the existing IGMPv2 message format;
Fig. 3 is the structure diagram of the multicast access control system based on policy control;
Fig. 4 is the format of the host information message sent by the multicast participant;
Fig. 5 is the format of the policy request message sent by the multicast router;
Fig. 6 is the format of the policy instruction message sent by the policy server;
Fig. 7 is the flow chart of the multicast participant;
Fig. 8 is the flow chart of the multicast router;
Fig. 9 is the flow chart of the policy server;
Embodiment
The content of the invention and the background technology on which it is based are described in detail below with reference to the drawings and embodiments:
(1) The IGMP protocol
In the existing multicast model any host is allowed to join a multicast group; multicast participants are admitted without any audit or access control. Any host can send a join request message to the adjacent multicast router, which in turn sends the join request up the multicast tree. Once the join succeeds, the multicast tree is extended to that subnet, and the host that sent the join request receives the multicast data.
Usually, an IP host uses the Internet Group Management Protocol (IGMP) to report its multicast membership to the multicast router. IGMP messages are encapsulated in IP packets whose TTL (Time to Live) value is 1. For example, the format of an IGMPv2 message is as shown in Fig. 2:
Type: identifies the type of the IGMP message. Max Response Time: specifies the maximum response time, used in membership query messages. Checksum: protects the entire IGMP message. Group Address: the multicast address of the group being queried, joined or left.
IGMPv1, still in use, defines only two messages: the general membership query (used by a router to ask which groups have members in the subnet) and the IGMPv1 membership report. IGMPv2 adds three messages: the group-specific query (a router queries one particular group), the IGMPv2 membership report and the leave group message (reported to the router when leaving a multicast group). IGMPv3 adds two more: the group-and-source-specific query (a router queries for members of a particular group that receive from particular sources) and the IGMPv3 membership report.
A host sends an IGMP membership report when joining a multicast group, and an IGMP leave group message when leaving it. The router periodically sends membership query messages to learn the group membership in the subnet, and the group members in the subnet respond to the query with membership reports.
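As an added illustration of the IGMPv2 message format described above (this is example code, not part of the patent), the following builds and parses the 8-byte IGMPv2 message with its Type, Max Response Time, Checksum and Group Address fields, verifies the one's complement checksum that protects the whole message, and rejects a report or leave whose group address is not a multicast address. The type codes are the standard IGMPv2 values from RFC 2236, which the page does not list. Note what the parser cannot check: nothing in the message identifies or authenticates the host, which is exactly the gap the patent's policy control closes.

```python
import struct
import ipaddress

# IGMPv2 type codes (standard values from RFC 2236; not given on the page).
IGMP_TYPES = {
    0x11: "Membership Query",
    0x12: "IGMPv1 Membership Report",
    0x16: "IGMPv2 Membership Report",
    0x17: "Leave Group",
}
IGMPV2_HEADER = "!BBH4s"          # Type | Max Response Time | Checksum | Group Address


def igmp_checksum(data: bytes) -> int:
    """16-bit one's complement of the one's complement sum over the message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_igmpv2(msg_type: int, max_resp_time: int, group: str) -> bytes:
    """Encode an IGMPv2 message with a correct checksum."""
    packed_group = ipaddress.IPv4Address(group).packed
    unchecked = struct.pack(IGMPV2_HEADER, msg_type, max_resp_time, 0, packed_group)
    return struct.pack(IGMPV2_HEADER, msg_type, max_resp_time,
                       igmp_checksum(unchecked), packed_group)


def parse_igmpv2(data: bytes) -> dict:
    """Decode and validate an IGMPv2 message; raises ValueError on a malformed one."""
    if len(data) < struct.calcsize(IGMPV2_HEADER):
        raise ValueError("IGMPv2 message shorter than 8 bytes")
    msg_type, max_resp, csum, group = struct.unpack(IGMPV2_HEADER, data[:8])
    # A valid message, checksum field included, sums to zero under the same algorithm.
    if igmp_checksum(data) != 0:
        raise ValueError("bad IGMP checksum")
    if msg_type not in IGMP_TYPES:
        raise ValueError("unknown IGMP type 0x%02x" % msg_type)
    group_addr = ipaddress.IPv4Address(group)
    # Reports and leaves must name a multicast group; a general query carries 0.0.0.0.
    if msg_type != 0x11 and not group_addr.is_multicast:
        raise ValueError("group address %s is not a multicast address" % group_addr)
    return {
        "type": msg_type,
        "type_name": IGMP_TYPES[msg_type],
        "max_response_time": max_resp,
        "checksum": csum,
        "group": str(group_addr),
    }


if __name__ == "__main__":
    # Constructed sample: a host reporting membership of group 224.1.2.3.
    report = build_igmpv2(0x16, 0, "224.1.2.3")
    print(report.hex(), parse_igmpv2(report))
```

Only the Max Response Time of a query is meaningful; reports and leaves carry 0 there. The checksum detects corruption, not tampering, so a router cannot tell from the message alone whether the reporting host is entitled to the group.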
(2) Access control using an ACL
An access control list (Access Control List, ACL) is a network layer access control technique. Its basic principle is packet filtering: the router reads information in the layer 3 and layer 4 headers of a packet, such as source address, destination address, source port and destination port, and filters the packet according to pre-defined rules, thereby achieving access control.
Nodes in a multicast network are of two kinds, resource nodes and user nodes. An access control list is used on the one hand to protect the resource nodes by preventing unauthorised users from accessing them, and on the other hand to ensure that only legitimate resource nodes can send data into the network.
For the multicast model of Fig. 1, access control on the multicast source (the sender, Sender) and on the receivers (Receiver) can be performed by configuring access control lists on the multicast routers of their respective subnets. For example, suppose the access control requirement for each multicast participant is: subnet LAN1, where the multicast source is located, allows only that multicast source (sender IP 192.168.2.9) to send multicast data, and subnets LAN2 and LAN3 allow only receiver A and receiver B respectively to receive multicast data. The access control list configuration of multicast routers MR1 and MR2 (the MR3 configuration is similar to MR2 and is omitted) is then as shown in Table 1. In subnet LAN1 only the multicast source host with source address 192.168.2.9 is allowed to send data; data sent from any other address is dropped, which implements access control on the multicast source. In subnet LAN2 only the host with destination address 192.168.3.11 is allowed to receive multicast data, which implements access control on the receiver.
Table 1: Access control list configuration of the multicast routers

  MR1                                     MR2
  access-list 1 permit host 192.168.2.9   access-list 2 permit host 192.168.3.11
  access-list 1 deny any                  access-list 2 deny any
  int lan 1                               int lan 2
  ip access-group 1 out                   ip access-group 2 in
In the table, the 1 and 2 following the keyword access-list are the ACL numbers; entries with the same ACL number form one group. When a packet is judged, the entries of the group are applied one by one from top to bottom, and evaluation stops at the first entry the packet satisfies. The keyword permit allows packets from a certain IP address through; deny discards the packet. The keyword int lan indicates which subnet the ACL is applied to. in and out indicate the direction in which it is applied: inbound or outbound.
As above, an ACL statically configured by hand on the multicast router can implement access control on multicast participants simply. But this method suits only small-scale, static multicast services. Looking at the characteristics of multicast: 1. multicast scale is generally large, with hundreds, thousands or even tens of thousands of members; 2. multicast membership changes dynamically, with members constantly joining or leaving; 3. several multicast services exist on the network at the same time, and a user may be a valid user of one service while not being authorised to use others. So the overhead of static manual ACL configuration is very large, it is error-prone, and it cannot respond in time to changes in multicast membership.
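The first-match, top-to-bottom ACL semantics just described can be checked against the Table 1 configuration with a small evaluator. The following is added example code, not part of the patent: it parses the page's access-list / int / ip access-group lines, and evaluates a packet the way the page describes, an outbound ACL being checked against the packet's source address (the sending host) and an inbound ACL against its destination address (the receiving host). A packet that matches no entry is denied, which is the standard implicit deny at the end of a Cisco-style ACL and an assumption not stated on the page.

```python
import ipaddress
from collections import defaultdict

# Constructed sample configurations, copied from the page's Table 1.
MR1_CONFIG = """
access-list 1 permit host 192.168.2.9
access-list 1 deny any
int lan 1
ip access-group 1 out
"""

MR2_CONFIG = """
access-list 2 permit host 192.168.3.11
access-list 2 deny any
int lan 2
ip access-group 2 in
"""


def parse_config(text: str):
    """Return ({acl_number: [(action, host_or_None)]}, {(interface, direction): acl_number})."""
    acls = defaultdict(list)
    bindings = {}
    current_interface = None
    for raw in text.strip().splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "access-list":
            number, action = int(tok[1]), tok[2]
            if action not in ("permit", "deny"):
                raise ValueError("bad action in: " + raw)
            if tok[3] == "host":
                matcher = ipaddress.IPv4Address(tok[4])   # exact host match
            elif tok[3] == "any":
                matcher = None                            # wildcard entry
            else:
                raise ValueError("unsupported ACL entry: " + raw)
            acls[number].append((action, matcher))
        elif tok[0] == "int":
            current_interface = " ".join(tok[1:])         # e.g. "lan 1"
        elif tok[:2] == ["ip", "access-group"]:
            if current_interface is None:
                raise ValueError("ip access-group outside an interface block")
            bindings[(current_interface, tok[3])] = int(tok[2])
        else:
            raise ValueError("unrecognised line: " + raw)
    return dict(acls), bindings


def evaluate(acls, bindings, interface: str, direction: str, src: str, dst: str) -> str:
    """Judge one packet on an interface/direction; first matching entry wins."""
    number = bindings.get((interface, direction))
    if number is None:
        return "permit"                       # no ACL bound on that interface/direction
    # Page semantics: 'out' governs who may send (source), 'in' who may receive (destination).
    addr = ipaddress.IPv4Address(src if direction == "out" else dst)
    for action, matcher in acls.get(number, []):
        if matcher is None or matcher == addr:
            return action                     # stop at the first satisfied entry
    return "deny"                             # implicit deny (assumed, Cisco-style)


def judge_mr1(src: str) -> str:
    acls, bindings = parse_config(MR1_CONFIG)
    return evaluate(acls, bindings, "lan 1", "out", src, "224.1.2.3")


def judge_mr2(dst: str) -> str:
    acls, bindings = parse_config(MR2_CONFIG)
    return evaluate(acls, bindings, "lan 2", "in", "192.168.2.9", dst)


if __name__ == "__main__":
    for host in ("192.168.2.9", "192.168.2.50"):
        print("MR1 out, source", host, "->", judge_mr1(host))
    for host in ("192.168.3.11", "192.168.3.75"):
        print("MR2 in, destination", host, "->", judge_mr2(host))
```

The evaluator shows why the order of entries matters: with deny any placed first, the later permit host entry would never be reached.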
(3) The policy control system
To address the problems of statically configured access control lists, the invention adopts a method of dynamically modifying the access control list based on a policy control system. A policy control system is introduced, and the access control policy rules and related information for multicast participants are configured on its directory server. When a multicast participant requests access, it communicates with the policy server through the multicast router of its subnet; after successful authentication the policy server sends an instruction that dynamically modifies the access control list configuration on the multicast router, allowing the participant to access.
The policy control system is specified by protocols and drafts formulated by the Policy Framework working group of the Internet Engineering Task Force (IETF). It comprises four parts: the policy enforcer, the policy server, the directory server and the policy administrator. The policy enforcer is the node in the network that is controlled by policy; it implements the access control function by modifying its access control list on instruction from the policy server. The policy server obtains policies from the directory server according to the policy enforcer's policy request and returns them, after interpretation, to the policy enforcer. The policy administrator remotely maintains the policy database in the directory server through the policy management interface configured on the policy server, configures the policy rules and monitors the operation of the policy control system. The directory server is the basis for unified policy management and stores the policy rules and their related information.
The policy server accesses the policy information in the directory server using the Lightweight Directory Access Protocol (LDAP). Between the policy server and the policy enforcer, the Common Open Policy Service protocol (COPS) is used to exchange policy requests and policy instructions.
The multicast access control system that dynamically modifies access control lists based on policy control introduces a policy control system into the multicast network, as shown in Fig. 3. The multicast routers are the policy enforcers distributed in each subnet; they communicate with the policy server using the COPS protocol to exchange policy requests and policy instructions. The policy server and its directory server are placed at the point where the multicast network is managed and can communicate with the multicast router of each subnet. The policy administrator configures the policy rules and valid user information in the directory server, and the policy server queries the directory server according to the multicast router's policy request and decides what reply to give for the user.
The participants in a multicast service are mainly senders (Sender) and receivers (Receiver). For different kinds of multicast service, multicast participants are divided more specifically. In a news-on-demand service the sender is only responsible for sending data; it may join the multicast group and become a member (Member), or not join; the receiver joins the multicast group, becomes a multicast member and receives data. In a video conference service each participant both wishes to send its own video data and to receive the others' video data, so they are senders as well as receivers.
According to whether a multicast participant sends and/or receives data, the participants are classified as follows: send-receive member (SendReceive-Member, SR-Member): joins the multicast group and becomes a multicast member, both sends and receives data.
Send-only member (SendOnly-Member, SO-Member): joins the multicast group and becomes a multicast member, sends data; usually does not receive data but has the right to, and can receive data at any time as needed.
Non-member sender (Non-Member-Sender, NMS): does not join the multicast group, only sends data.
Receive-only member (ReceiveOnly-Member, RO-Member): joins the multicast group and becomes a multicast member, only receives data.
Different policy rules are formulated for each kind of participant, as in Table 2. These policy rules are stored in the directory server of the policy control system.
Table 2: Policy rules for multicast participants

  ACL rule            SR-Member   SO-Member   NMS   RO-Member
  Allowed to send     Yes         Yes         Yes   No
  Allowed to receive  Yes         Yes         No    Yes
(4) The access control method based on the policy control system
Before sending or receiving data, every multicast participant must be authorised by the policy server in order to access the multicast group. So the multicast participant first sends an access request and a set of its own information to the multicast router; the multicast router sends a policy request to the policy server; the policy server responds according to the information in the policy request and returns a policy instruction to the multicast router. The multicast router carries out the corresponding operation according to the policy instruction.
1. The multicast participant sends an access request and a set of its own information to the multicast router.
The multicast participant sends a request to access the multicast group to the multicast router, together with a set of its own information. This information comprises the host IP address, multicast address, member type and host authentication information; the format of the information message is as in Fig. 4, and its content is:
Type: identifies this message as the host information message sent by the multicast participant; the value is set to 00000010 (binary);
Member type (Member-Type): identifies the member type of the sender of this message. Send-receive member: 00000000 (binary); send-only member: 00000001 (binary); non-member sender: 00000010 (binary); receive-only member: 00000011 (binary);
Reserved: must be set to 0 by the sender and ignored by the receiver;
IP Address: the multicast participant's IP address;
Multicast Address: the multicast address in the request, i.e. the IP address of the multicast group requested;
Host authentication information (Authentication Information): the user authentication information in the request, for example a conventional password or a certificate issued by the policy server.
2. The policy requests sent by the multicast router are of two kinds:
1. Send data request (Send-Request)
When a multicast participant needs to send multicast data to a multicast group, a send data request must be sent to the policy server through the multicast router; the parameters of the request are the triple of the participant's host IP address, multicast address and host authentication information. Because some multicast services (such as video conferencing) have more than one multicast data source, a new multicast source must have its legitimacy verified when it joins.
2. Join request (Join-Request)
When a multicast participant needs to join a multicast group, a join request is sent to the policy server through the multicast router; the parameters of the request are the triple of the participant's host IP address, multicast address and host authentication information. Because several multicast services are provided on the network, a multicast participant may be a valid user of some services while not being authorised to use others, so this request must be sent for authentication when becoming a multicast member.
The policy request is used by the multicast router to send a request and pass parameters to the policy server; its message format is as in Fig. 5, and its content is:
Type: identifies this message as a policy request message; the value is set to 00000000 (binary);
Sub-Type: identifies which kind of policy request message this is. Send data request message: 00000000 (binary); join request message: 00000001 (binary);
Reserved: must be set to 0 by the sender and ignored by the receiver;
IP Address: the multicast participant's IP address;
Multicast Address: the multicast address in the request, i.e. the IP address of the multicast group requested;
Host authentication information (Authentication Information): the user authentication information in the request, for example a conventional password or a certificate issued by the policy server.
3. The policy instructions returned by the policy server to the multicast router comprise:
1. Permit sending data instruction (Permit-Sending)
After receiving a send data request, the policy server checks the parameters and compares them with the policy rules and valid user information in the local directory server. If the multicast participant is an authorised sender, it returns a permit sending data instruction to the multicast router; the parameters of the instruction comprise the participant's host IP address and multicast address. On receiving this instruction, the multicast router modifies its access control list to allow the participant with this IP address to send data to this multicast address.
2. Deny sending data instruction (Deny-Sending)
After receiving a send data request, if the multicast participant is not authorised, the policy server returns a deny sending data instruction to the multicast router. On receiving this instruction the multicast router must not modify its access control list: because the list contains a deny any entry, no address other than those already permitted to send is allowed to send.
3. Permit join instruction (Permit-Join)
After receiving a join request, the policy server checks the parameters and compares them with the policy rules and valid user information in the local directory server. If the multicast participant is an authorised receiver, it returns a permit join instruction to the multicast router; the parameters of the instruction comprise the participant's host IP address and multicast address. On receiving this instruction, the multicast router modifies its access control list to allow the participant with this IP address to join this multicast group and receive data.
4. Deny join instruction (Deny-Join)
After receiving a join request from an unauthorised multicast participant, the policy server returns a deny join instruction to the multicast router.
The policy instruction is used by the policy server to return a policy reply and pass parameters to the multicast router; its message format is as in Fig. 6, and its content is:
Type: identifies this message as a policy instruction message; the value is set to 00000001 (binary);
Sub-Type: identifies which kind of policy instruction message this is. Permit sending data instruction message: 00000000 (binary); deny sending data instruction message: 00000001 (binary); permit join instruction message: 00000010 (binary); deny join instruction message: 00000011 (binary);
Reserved: must be set to 0 by the sender and ignored by the receiver;
IP Address: the multicast participant's IP address;
Multicast Address: the multicast address in the request, i.e. the IP address of the multicast group requested.
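The three messages of sections 1 to 3 (host information, policy request, policy instruction) share the same field list, so one codec covers all of them. The following is added example code, not the patent's own implementation: the Type, Member-Type and Sub-Type values are the binary values given on the page, but the byte layout is an assumption, since Figs. 4 to 6 are not reproduced here (1 byte Type, 1 byte Member-Type/Sub-Type, 2 bytes Reserved, 4 bytes IP Address, 4 bytes Multicast Address, then the variable-length Authentication Information, which the policy instruction does not carry). The encoder always writes Reserved as 0 and the decoder ignores it, as the page requires, and both reject a multicast address that is not actually a multicast address.

```python
import struct
import ipaddress

# Type codes from the page (binary values given there).
HOST_INFO = 0b00000010
POLICY_REQUEST = 0b00000000
POLICY_INSTRUCTION = 0b00000001

# Second-byte meanings per message type, also from the page.
MEMBER_TYPES = {0b00: "SR-Member", 0b01: "SO-Member", 0b10: "NMS", 0b11: "RO-Member"}
REQUEST_SUBTYPES = {0b00: "Send-Request", 0b01: "Join-Request"}
INSTRUCTION_SUBTYPES = {0b00: "Permit-Sending", 0b01: "Deny-Sending",
                        0b10: "Permit-Join", 0b11: "Deny-Join"}
SECOND_FIELD = {HOST_INFO: MEMBER_TYPES,
                POLICY_REQUEST: REQUEST_SUBTYPES,
                POLICY_INSTRUCTION: INSTRUCTION_SUBTYPES}

# Assumed fixed header layout (the page's figures are not available):
# Type(1) | Member-Type or Sub-Type(1) | Reserved(2) | IP Address(4) | Multicast Address(4)
HEADER = "!BBH4s4s"
HEADER_LEN = struct.calcsize(HEADER)     # 12 bytes


def encode(msg_type: int, second: int, ip: str, group: str, auth: bytes = b"") -> bytes:
    """Build one of the three messages; Reserved is written as 0 by the sender."""
    if msg_type not in SECOND_FIELD or second not in SECOND_FIELD[msg_type]:
        raise ValueError("unknown message type / sub-type combination")
    group_addr = ipaddress.IPv4Address(group)
    if not group_addr.is_multicast:
        raise ValueError("%s is not a multicast address" % group_addr)
    if msg_type == POLICY_INSTRUCTION and auth:
        raise ValueError("policy instructions carry no authentication information")
    header = struct.pack(HEADER, msg_type, second, 0,
                         ipaddress.IPv4Address(ip).packed, group_addr.packed)
    return header + auth


def decode(data: bytes) -> dict:
    """Parse any of the three messages; the receiver ignores the Reserved field."""
    if len(data) < HEADER_LEN:
        raise ValueError("message shorter than the %d-byte header" % HEADER_LEN)
    msg_type, second, _reserved, ip, group = struct.unpack(HEADER, data[:HEADER_LEN])
    if msg_type not in SECOND_FIELD:
        raise ValueError("unknown message type %d" % msg_type)
    names = SECOND_FIELD[msg_type]
    if second not in names:
        raise ValueError("unknown second field value %d for type %d" % (second, msg_type))
    group_addr = ipaddress.IPv4Address(group)
    if not group_addr.is_multicast:
        raise ValueError("%s is not a multicast address" % group_addr)
    auth = data[HEADER_LEN:]
    if msg_type == POLICY_INSTRUCTION and auth:
        raise ValueError("trailing bytes after a policy instruction")
    return {"type": msg_type, "kind": names[second],
            "ip": str(ipaddress.IPv4Address(ip)), "multicast": str(group_addr),
            "auth": auth}


def router_policy_request(host_info: dict, subtype: int) -> bytes:
    """Router step: turn a decoded host information message into a policy request
    carrying the page's (IP, multicast address, authentication information) triple."""
    return encode(POLICY_REQUEST, subtype, host_info["ip"], host_info["multicast"],
                  host_info["auth"])


if __name__ == "__main__":
    # Constructed sample: a send-only member with a password as its authentication info.
    info = decode(encode(HOST_INFO, 0b01, "192.168.2.1", "224.1.2.3", b"example-password"))
    print(info)
    print(decode(router_policy_request(info, 0b00)))
```

Because the Member-Type and the request Sub-Type both use the value 00000001 for different meanings, the second byte can only be interpreted after the Type byte has been read; the decoder enforces that ordering.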
4. The multicast router carries out the corresponding operation according to the policy instruction.
1. On receiving a permit sending data instruction, modify the access control list: add the host IP address that is allowed to send data, using the keyword "permit host" followed by the host IP, and allow it to send data, the keyword "out" indicating that the data direction is outbound, i.e. sending. Example:
Access control list before modification:
  access-list 1 permit host 192.168.2.9
  access-list 1 deny any
  int lan 1
  ip access-group 1 out
Access control list after modification:
  access-list 1 permit host 192.168.2.9
  access-list 1 permit host 192.168.2.1
  access-list 1 deny any
  int lan 1
  ip access-group 1 out
This example adds a rule allowing the host with address 192.168.2.1 to send data.
2. On receiving a deny sending data instruction, the access control list must not be modified: because it contains a deny any entry, no address other than those already permitted to send is allowed to send.
3. On receiving a permit join instruction, modify the access control list: add the host IP address that is allowed to join, using the keyword "permit host" followed by the host IP, and allow it to receive data, the keyword "in" indicating that the data direction is inbound, i.e. receiving. Example:
Access control list before modification:
  access-list 2 permit host 192.168.3.11
  access-list 2 deny any
  int lan 2
  ip access-group 2 in
Access control list after modification:
  access-list 2 permit host 192.168.3.11
  access-list 2 permit host 192.168.3.2
  access-list 2 deny any
  int lan 2
  ip access-group 2 in
This example adds a rule allowing the host with address 192.168.3.2 to join the multicast group and receive data.
4. On receiving a deny join instruction, the access control list must not be modified, because it contains a deny any entry.
5. Forward the policy instruction to the multicast participant. The message format is identical to the policy instruction returned by the policy server.
Concrete connection control method is as follows:
1, multicast participant's the course of work comprises the steps:
1. initialization: the multicast participant is according to the multicast group that will insert, one group of information of initialization oneself, and this group information comprises: host IP address, multicast address, member type, main frame authentication information; Wherein member type is determined according to the needs of oneself by the multicast participant;
2. send request and information: the multicast participant sends the request of access to multicast router, promptly send IGMP member's report message, need simultaneously host IP address, multicast address, member type, main frame authentication information are sent to multicast router to multicast router;
3. wait for the response of multicast router, allow this participant to add or/and after sending the policy instructions of data, this participant gets final product the incoming multicast group of received or sends data when receiving; Otherwise, just cannot the incoming multicast group.
2, The working process of the multicast router comprises the following steps:
1. Initialization: set up the Access Control List (ACL). Where the multicast sources and members are not known in advance, the ACL is set so that no user is allowed to send or receive data; where some multicast sources and members are known in advance, they can be configured directly into the multicast router's ACL according to the information on the policy server, which reduces the number of policy request/reply exchanges and further reduces service delay. Then wait for the multicast participant's access request and information;
2. Receive the multicast participant's access request and related information;
3. Read the information and obtain the multicast participant's host IP address, multicast address, member type and host authentication information;
4. Judge the member type, send the policy request, receive the policy instruction from the policy server and handle it accordingly. For the different multicast participant types, the multicast router operates as follows:
A. Send-and-receive member (SR-Member)
After the multicast router receives the access request of a send-and-receive member, it sends two requests to the policy server: a send-data request and a join request. If the policy server verifies that this multicast participant is a legitimate user, it returns an allow-send-data instruction and an allow-join instruction to the multicast router; the multicast router then modifies the ACL to allow this send-and-receive member to send and receive data. If verification fails, a refuse-send-data instruction and a refuse-join instruction are returned, and the multicast router does not modify the ACL.
B. Send-only member (SO-Member)
After the multicast router receives the access request of a send-only member, it proceeds as for the send-and-receive member and sends a send-data request and a join request to the policy server. If verification succeeds, the policy server returns an allow-send-data instruction and an allow-join instruction; the multicast router modifies the ACL to allow this member to send data and to maintain member status, i.e. the member is also entitled to receive data. If verification fails, a refuse-send-data instruction and a refuse-join instruction are returned, and the multicast router does not modify the ACL.
C. Non-member sender (NMS)
After the multicast router receives the access request of a non-member sender, it sends a send-data request to the policy server. If the policy server verifies that this multicast participant is a legitimate user, it returns an allow-send-data instruction to the multicast router; the multicast router modifies the ACL to allow this non-member sender to send data. If verification fails, a refuse-send-data instruction is returned, and the multicast router does not modify the ACL.
D. Receive-only member (RO-Member)
After the multicast router receives the access request of a receive-only member, it sends a join request to the policy server. If the policy server verifies that this multicast participant is a legitimate user, it returns an allow-join instruction to the multicast router; the multicast router modifies the ACL to allow this receive-only member to receive data. If verification fails, a refuse-join instruction is returned, and the multicast router does not modify the ACL.
E. Wrong member type
After the multicast router receives an access request carrying any other member type, it returns a member-type-error report to the multicast participant. The policy server returns no instruction, and the multicast router does not modify the ACL.
5. Forward the policy instruction to the multicast participant.
3, The working process of the policy server comprises the following steps:
1. Initialization: initialize the policy rules (as in Table 2) and the information of all legitimate users allowed to access this multicast group; this information is stored in the directory server. Then wait for the policy request sent by the multicast router. The Common Open Policy Service protocol (COPS) is used between the policy server and the multicast router to exchange policy requests and policy instructions;
2. Query: after receiving the policy request sent by the multicast router, query the directory server and read the relevant policy rules and user information; the policy server uses the Lightweight Directory Access Protocol (LDAP) to access the policy information in the directory server;
3. Judge: according to the policy rules, compare the multicast participant's information carried in the policy request and decide whether the multicast participant is allowed to access the multicast group. For a send-data request, check whether the requester is in the list of allowed senders; if so, allow it to send and return an allow-send-data instruction; otherwise return a refuse-send-data instruction. For a join request, check whether the requester has the right to receive multicast data according to the list; if so, allow it to join the multicast group and return an allow-join instruction; otherwise return a refuse-join instruction.
4. Return instruction: send the policy instruction generated in step 3 to the multicast router.
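The router's dispatch by member type (router step 4, cases A to E) and the policy server's decision (policy server steps 3 and 4) can be traced with the following added Python simulation; it is not the patent's own code, and the group address, host IP addresses, credentials and directory contents are constructed stand-ins for the directory server and COPS/LDAP exchange described above.

```python
# Added simulation of the router / policy-server exchange; not the patent's code.
# Group address, host IPs, credentials and directory contents are constructed.
from dataclasses import dataclass

SEND_REQUEST = "send_data_request"
JOIN_REQUEST = "join_request"

# Which policy requests the router issues for each member type (cases A-D).
REQUESTS_FOR_TYPE = {
    "SR": (SEND_REQUEST, JOIN_REQUEST),   # send-and-receive member
    "SO": (SEND_REQUEST, JOIN_REQUEST),   # send-only member (keeps member status)
    "NMS": (SEND_REQUEST,),               # non-member sender
    "RO": (JOIN_REQUEST,),                # receive-only member
}

@dataclass
class AccessRequest:
    host_ip: str
    group: str
    member_type: str
    auth: str  # host authentication information, treated as an opaque credential

# Constructed stand-in for the directory server: per group, which
# (host IP, credential) pairs may send and which may receive.
DIRECTORY = {
    "239.1.1.1": {
        "send": {("10.0.0.5", "tok-alice"), ("10.0.0.7", "tok-carol")},
        "receive": {("10.0.0.5", "tok-alice"), ("10.0.0.6", "tok-bob")},
    },
}

def policy_decide(kind, req):
    """Policy server step 3: look the requester up in the directory."""
    rules = DIRECTORY.get(req.group, {"send": set(), "receive": set()})
    key = (req.host_ip, req.auth)
    if kind == SEND_REQUEST:
        return "allow_send" if key in rules["send"] else "deny_send"
    return "allow_join" if key in rules["receive"] else "deny_join"

def router_handle(req, acl):
    """Router step 4: issue the requests for this member type, apply the replies.

    acl maps (group, host_ip) -> {"send": bool, "receive": bool}; an absent
    entry falls under the ACL's default deny-any rule.
    Returns the instructions forwarded to the participant (router step 5).
    """
    kinds = REQUESTS_FOR_TYPE.get(req.member_type)
    if kinds is None:
        return ["member_type_error"]  # case E: no policy request is sent
    instructions = [policy_decide(kind, req) for kind in kinds]
    allow_send = "allow_send" in instructions
    allow_join = "allow_join" in instructions
    # Refuse instructions never touch the ACL: deny is already its default state.
    if allow_send or allow_join:
        entry = acl.setdefault((req.group, req.host_ip), {"send": False, "receive": False})
        entry["send"] = entry["send"] or allow_send
        entry["receive"] = entry["receive"] or allow_join
    return instructions
```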
To check the effect of the present invention, a multicast participant accessing a multicast group and sending an access request was simulated on a Linux operating system platform, and the realization of the access control function by the policy controller was examined. The main implementation process is as follows. First, the corresponding functional modules are set up on hosts running Linux (representing the multicast participant, multicast router, policy server and directory server of a real network environment. In a real network environment the multicast router should be placed at the exit of the local area network (LAN) where the multicast participant is located; the policy server and the directory server are configured at the point from which the multicast network is managed, so that all multicast routers can communicate with them; the corresponding functional modules are installed there). Block diagrams of each concrete module are shown in figures 7 to 9. The multicast router receives the multicast participant's access request and sends a policy request to the policy server; policy rules and the relevant legitimate user information are configured in the policy control system, the policy server judges whether the multicast participant has the right to access the multicast group and then returns a policy instruction to the multicast router, realizing the access control function for the multicast participant. The results show that without the method of the invention there is no access control at all: a multicast participant can access the multicast group arbitrarily and send or obtain multicast information. After applying the method of the invention an access control function is added, so that legitimate users can effectively send or receive multicast information while illegitimate users are refused multicast service.

Claims (3)

1, A policy-control-based multicast access control method, characterized in that:
A policy server and its directory server, able to communicate with the multicast router of each subnet, are set up in the management layer of the multicast network; the policy rules and legitimate user information for access control are configured in them, and access control is applied to multicast participants. The control process is:
1. When accessing a multicast group, the multicast participant first sends an access request together with its own information to the multicast router;
2. The multicast router in turn sends a policy request to the policy server according to the member type in the information;
3. The policy server answers the policy request according to the access control policy rules and the legitimate user information, and returns a policy instruction;
4. The multicast router performs the corresponding operation according to the policy instruction and forwards the policy instruction to the multicast participant;
5. A multicast participant that is authenticated and granted permission can access the multicast group.
2, The method of claim 1, characterized in that:
The working process of said multicast participant comprises the following steps:
1. According to the multicast group to be accessed, the multicast participant initializes a group of information of its own, comprising host IP address, multicast address, member type and host authentication information;
2. The multicast participant sends an access request and its own information to the multicast router;
3. It waits for the response of the multicast router and, according to the policy instruction forwarded by the multicast router, determines whether it can access the multicast group to receive or send data;
The working process of said multicast router comprises the following steps:
1. Initialization: set up the Access Control List (ACL) and wait for the multicast participant's access request and information;
2. After receiving the multicast participant's access request and information, judge the multicast participant's member type from the information and send the corresponding policy request to the policy server;
3. Wait for the reply of the policy server;
4. Receive the policy instruction from the policy server and decide, according to the policy instruction, whether to modify the ACL;
5. Forward the policy instruction to the multicast participant;
The working process of said policy server comprises the following steps:
1. Initialization: set the policy rules and legitimate user information in the directory server and wait for the policy request sent by the multicast router;
2. After receiving the policy request from the multicast router, query the directory server;
3. Compare the multicast participant's information in the policy request and determine whether the multicast participant is allowed to access the multicast group;
4. Return the corresponding policy instruction to the multicast router.
3, The method as claimed in claim 1 or 2, characterized in that:
1. The multicast participant sends an access request and its own information to the multicast router, and the content of the information message is: type, member type, reserved field, IP address, multicast address, host authentication information;
2. The policy request sent by the multicast router to the policy server comprises a send-data request and a join request; the content of the policy request message is: type, subtype, reserved field, IP address, multicast address, host authentication information;
3. The policy instruction returned by the policy server to the multicast router comprises an allow-send-data instruction, a refuse-send-data instruction, an allow-join instruction and a refuse-join instruction; the content of the policy instruction message is: type, subtype, reserved field, IP address, multicast address.
CNA2004100143887A 2004-03-17 2004-03-17 Policy control based multicast access control method Pending CN1671096A (en)

Publications (1)

Publication Number Publication Date
CN1671096A true CN1671096A (en) 2005-09-21

Family

ID=35042178

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Open date: 20050921