CN1812366A - Method for realizing wireless local network virtual insertion point to-point communication - Google Patents


Info

Publication number: CN1812366A
Authority: CN (China)
Application number: CNA2005100049165A
Inventor: 曹振奇
Original assignee: Huawei Technologies Co Ltd
Current assignee: Huawei Technologies Co Ltd (as listed; Google has not performed a legal analysis)
Priority date: 2005-01-28
Filing date: 2005-01-28
Publication date: 2006-08-02
Other languages: Chinese (zh)
Legal status: Pending (as listed; the status is an assumption, not a legal conclusion; the Legal Events below record a rejection after publication)

Abstract

This invention discloses a method for communication between virtual access points in a wireless local area network. A distinguishing identifier of the target virtual access point is added to the transmitted message, and the physical access point at the receiving end uses that identifier to determine which virtual access point the message is for. Correct communication between virtual access points in the WLAN is thereby achieved. The invention also allows a different security mechanism to be configured for each virtual AP, which improves network security.

Description

Method for realizing communication between virtual access points in a wireless local area network
Technical field
The present invention relates to virtual access points in wireless local area networks (WLANs), and in particular to a method for realizing communication between virtual access points in a WLAN.
Background technology
In practical deployments of an AP (Access Point), the SSID (Service Set Identifier) serves several purposes. For example, SSIDs can identify different ISPs (Internet Service Providers): when one AP serves STAs (Stations, i.e. wireless clients) belonging to several ISPs, the AP must support multiple SSIDs and map different SSs (Service Sets) to different VLANs (Virtual Local Area Networks), so that the service sets are isolated from one another. Different SSIDs can also identify different classes of service, such as IP telephony, data and video; the AP must then give each SS a different QoS (Quality of Service) guarantee. This need arises in practice, for instance for Wi-Fi (IEEE 802.11b based WLAN) handset users, whose telephony requires a low-delay service.
Each SSID corresponds to one virtual AP. Depending on the user's configuration, a physical AP may be configured with several SSIDs, and thus host several virtual APs, or with only one. Each virtual AP exists in the network as an independent management entity, yet the virtual APs are also related to one another. Communication between APs mostly takes place between virtual APs, so the problem of communication between virtual APs has to be solved. In network planning, taking the commonly used IP protocol as an example, giving each virtual AP its own IP address would waste addresses and risk address conflicts, so an IP address can only be assigned to the physical AP. Moreover, the port used for communication between physical APs is fixed by the standard and cannot be configured per virtual AP.
As shown in Fig. 1, the prior art does not distinguish physical APs from virtual APs: communication between APs takes place only between physical APs. The IAPP (Inter-Access Point Protocol) module or the load balancing module hands the message to be sent to the communication module, which sends it to the remote AP; when the remote AP's communication module receives the message, it hands it to the corresponding IAPP module or load balancing module, and vice versa.
The IAPP module and the load balancing module are independent of each other and have no logical relationship. Their only common trait is that both need to communicate between APs and exchange messages in order to perform their functions. The communication module provides the inter-AP communication service for the IAPP module and the load balancing module, and communication between APs can only be carried out through it.
In the existing inter-AP communication scheme, communication is realized using only the IP address of the physical AP and a designated port, and the content of the communication is parsed and dispatched by each application module itself. The physical AP handles inter-AP communication through its internal IAPP module, load balancing module and so on. The existing scheme carries no information at all for distinguishing virtual APs; the recipient has to tell them apart from data carried in the message, such as the MAC (Media Access Control) address of the STA or the BSSID (Basic Service Set Identifier) of the AP. Relying on such data alone is unreliable: the information stored on the AP may be incomplete, and the information held by the sending AP and by the receiving AP may be inconsistent, in which case the receiver cannot correctly determine which virtual AP a message belongs to. Because the application modules have to take part in identifying the virtual AP, no security mechanism can be configured per virtual AP, which leaves a potential security hazard in the WLAN (Wireless Local Area Network), increases the workload of every application module, lowers efficiency and blurs the layering of protocol processing.
Summary of the invention
The object of the present invention is to provide a method for realizing communication between virtual access points in a WLAN, so as to solve the prior-art problems that, when virtual APs in a WLAN communicate, the communication content cannot be correctly resolved to a virtual AP, and that no security mechanism can be configured per virtual AP.
To solve the above problems, the invention provides the following technical scheme:
A method for realizing communication between virtual access points in a WLAN, comprising the steps:
A. the virtual access point at the sending end adds a distinguishing identifier of the target virtual access point to the message to be sent;
B. the physical access point at the receiving end delivers the message to the corresponding target virtual access point according to the distinguishing identifier.
Before step A, the virtual access point at the sending end applies a configured security mechanism to the message to be sent, and after step B the target virtual access point applies the corresponding security mechanism to reverse that processing. The security processing applied to the message is encryption and/or authentication, and the reverse processing is decryption and/or verification. The virtual access point at the sending end may apply the security processing to the whole message or to part of it.
Between step A and step B the method further comprises the steps:
A1. the physical access point at the sending end applies a configured security mechanism to the message carrying the distinguishing identifier;
A2. the physical access point at the receiving end applies the security mechanism corresponding to step A1 to reverse that processing on the message carrying the distinguishing identifier.
The security processing in step A1 is encryption and/or authentication, and the reverse processing in step A2 is decryption and/or verification. In step A1 the security processing may be applied to the whole of the message carrying the distinguishing identifier or to part of it.
The distinguishing identifier may be located at any position in the message.
The distinguishing identifier is a service set identifier.
Because the present invention adopts the above technical scheme, it has the following beneficial effects:
The present invention adds the distinguishing identifier of the target virtual access point to the message sent by the virtual access point at the sending end, so that the physical access point at the receiving end can determine the target virtual access point of the message from that identifier. Correct communication between virtual access points in a WLAN is thereby realized, and at the same time a different security mechanism can be configured for each virtual AP, which improves network security.
Description of drawings
Fig. 1 is a schematic diagram of inter-AP communication in the prior art;
Fig. 2 is a flow chart of communication between virtual APs according to the present invention;
Fig. 3 is a schematic diagram of message processing at the sending end of communication between virtual APs;
Fig. 4 is a schematic diagram of message processing at the receiving end of communication between virtual APs.
Embodiment
The method of the present invention for realizing communication between virtual APs in a WLAN proceeds as follows:
The virtual AP at the sending end adds the distinguishing identifier of the target virtual AP to the message to be sent; this identifier identifies the target virtual AP of the message. After the physical AP at the receiving end obtains the distinguishing identifier from the message, it determines the target virtual AP of the message from that identifier and passes the message to that target virtual AP.
The distinguishing identifier of the target virtual AP may be located at any position in the message, but in all messages between the sending virtual AP and the target virtual AP it must be placed at a fixed position, i.e. at the same position in every message. The receiving end can then locate the identifier quickly, without first having to process the message content to find out where the identifier is stored.
Since each SSID corresponds to one virtual AP, the SSID is usually chosen as the distinguishing identifier of the target virtual AP; the identifier may also be some other manually defined tag, as long as it distinguishes the target virtual AP.
To guarantee the security of messages exchanged between virtual APs, before the distinguishing identifier of the target virtual AP is added to the message, the sending virtual AP normally has a security mechanism configured with which it applies security processing to the message to be sent. This security processing is mainly realized through encryption and/or authentication. Encryption replaces the plaintext of the communication content with ciphertext, so that an unauthorized party cannot obtain the content; many encryption methods exist, such as DES, 3DES, RC5, RC4 and AES, and one can be chosen according to circumstances. Authentication computes over the communication content a digital signature that cannot be reproduced without knowledge of the key, which prevents the content from being tampered with or forged; many authentication methods exist as well, such as MD5, SHA, KPDK and SHA2, and one can likewise be chosen according to circumstances. To guarantee the security of communication between APs, this security mechanism is configured separately on the sending virtual AP and on the target virtual AP.
The security processing may consist of encryption only, of authentication only, or of both encryption and authentication. When both are applied, the message should be encrypted first and the digital signature needed for authentication then computed over the encrypted message. Encryption and/or authentication may be applied to the whole message or only to a certain part of it.
If the sending virtual AP has applied security processing to the message to be sent, then after the physical AP at the receiving end has passed the message to the corresponding target virtual AP according to the distinguishing identifier, the target virtual AP must apply the corresponding security mechanism to reverse that processing. If the sending virtual AP encrypted the message, the target virtual AP must decrypt it accordingly to obtain the plaintext; if the sending virtual AP authenticated the message, the target virtual AP must verify it to make sure it has not been tampered with. If the sending virtual AP both encrypted and authenticated the message, the target virtual AP first computes the digital signature over the received message content and, once it is sure the message has not been tampered with or forged, decrypts the content to obtain the original message.
To further improve security and ensure that the distinguishing identifier of the target virtual AP is not tampered with, the physical AP at the sending end may apply security processing once more, using its own configured security mechanism, to the message carrying the distinguishing identifier. This security processing is mainly realized through encryption and/or authentication; it may consist of encryption only, of authentication only, or of both. Encryption and/or authentication may be applied to the whole message or only to a certain part of it. This security mechanism is configured separately on each physical AP.
If the physical AP at the sending end has applied security processing to the message carrying the distinguishing identifier, the physical AP at the receiving end must apply the corresponding security mechanism to reverse it. If the sending physical AP authenticated the message, the receiving physical AP must verify it accordingly to make sure it has not been tampered with; if the sending physical AP encrypted the message, the receiving physical AP must decrypt it to obtain the plaintext. If the sending physical AP both encrypted and authenticated the message, the receiving physical AP first computes the digital signature over the received message content and, once it is sure the message has not been tampered with or forged, decrypts the content to obtain the original message.
As shown in Fig. 2, the preferred procedure of the method of the present invention for communication between virtual APs in a WLAN is as follows:
S1. the virtual AP at the sending end applies a configured security mechanism to the message to be sent;
S2. the virtual AP at the sending end adds the distinguishing identifier of the target virtual AP to the message to be sent;
S3. the physical AP at the sending end applies a configured security mechanism to the message carrying the distinguishing identifier;
S4. the physical AP at the receiving end reverses that processing using the security mechanism corresponding to step S3;
S5. the physical AP at the receiving end delivers the message to the corresponding target virtual AP according to the distinguishing identifier added in step S2;
S6. the target virtual AP reverses the processing of step S1 using the corresponding security mechanism.
In the above procedure, steps S1, S2 and S3 are performed at the sending end and steps S4, S5 and S6 at the receiving end.
The present invention is effective for all communication protocols (such as IP). If the communication module finds that the source address and the destination address in the communication protocol are the same, the target virtual AP and the sending virtual AP are on the same physical AP, and the present invention can then be applied to the internal communication mechanism of that AP.
The overall process of communication between virtual APs according to the present invention is described below with a specific embodiment:
As shown in Fig. 3 and Fig. 4, in the IAPP protocol of a WLAN, to realize handover of a STA between APs the APs need to communicate in order to exchange information about that STA. At the sending AP, the virtual AP independently configures a security mechanism for the original IAPP message and encrypts the message with DES; the message is then extended by adding the SSID as the distinguishing identifier, an MD5 authentication value is computed over the message carrying the identifier, and the message is sent to the receiving AP. When the receiving AP receives the message, it first verifies the MD5 authentication value to make sure the message has not been copied or tampered with, then decrypts the message with DES according to the security mechanism independently configured for the virtual AP, and so obtains the original IAPP message. This solves the security and efficiency problems of running the IAPP protocol under virtual APs.
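The six-step procedure (S1 to S6) and the IAPP embodiment above, carried through in Go as an added example; this is not code from the patent or from Huawei. The frame layout (a one-byte SSID length followed by the SSID at the front of the message, as the fixed position), the type and function names (secCtx, physicalAP, demoPair), the SSIDs "voice" and "data", the label-derived keys and the sample IAPP message are all assumptions. AES-128-CTR replaces the DES the embodiment names (DES is obsolete), and HMAC-SHA256 replaces bare MD5: what the patent calls a "digital signature" is a symmetric authentication tag, and an unkeyed hash can be recomputed by anyone who alters the message, so a keyed MAC is needed for the tamper check the text describes. The sender encrypts and then authenticates (S1, S3) and the receiver verifies before it decrypts (S4, S6), the order the description prescribes; because the outer tag covers the SSID, a forged or altered identifier is rejected at S4, and a message misdirected to another virtual AP fails at S6 under that virtual AP's own key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// secCtx is a hypothetical security context; the patent configures one per virtual AP (shared by
// both ends) and one per physical AP. AES-128-CTR and HMAC-SHA256 stand in for DES and MD5.
type secCtx struct{ block cipher.Block; macKey []byte }

func (c secCtx) tag(data []byte) []byte {
	mac := hmac.New(sha256.New, c.macKey)
	mac.Write(data)
	return mac.Sum(nil)
}

// protect encrypts first and then authenticates the ciphertext, the order the patent prescribes.
// Assumed layout: iv(16) || ciphertext || tag(32).
func (c secCtx) protect(msg []byte) ([]byte, error) {
	n := aes.BlockSize + len(msg)
	out := make([]byte, n, n+sha256.Size)
	if _, err := rand.Read(out[:aes.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCTR(c.block, out[:aes.BlockSize]).XORKeyStream(out[aes.BlockSize:], msg)
	return append(out, c.tag(out)...), nil
}

// unprotect verifies the tag before decrypting; a bad or missing tag is rejected untouched.
func (c secCtx) unprotect(blob []byte) ([]byte, error) {
	n := len(blob) - sha256.Size
	if n < aes.BlockSize || !hmac.Equal(c.tag(blob[:n]), blob[n:]) {
		return nil, fmt.Errorf("authentication failed: truncated, forged or tampered message")
	}
	plain := make([]byte, n-aes.BlockSize)
	cipher.NewCTR(c.block, blob[:aes.BlockSize]).XORKeyStream(plain, blob[aes.BlockSize:n])
	return plain, nil
}

// physicalAP holds its own mechanism (S3/S4) and one per hosted virtual AP, keyed by SSID (S1/S6).
type physicalAP struct{ ctx secCtx; vaps map[string]secCtx }

// send performs steps S1..S3 at the sending end.
func (p *physicalAP) send(dst string, msg []byte) ([]byte, error) {
	vctx, ok := p.vaps[dst]
	if !ok {
		return nil, fmt.Errorf("no virtual AP %q", dst)
	}
	inner, err := vctx.protect(msg) // S1: virtual-AP layer
	if err != nil {
		return nil, err
	}
	// S2: the SSID goes at a fixed position, the front (assumed layout: len(1) || ssid || payload,
	// SSIDs being at most 32 octets); S3: the physical-AP layer then covers the SSID as well.
	return p.ctx.protect(append(append([]byte{byte(len(dst))}, dst...), inner...))
}

// receive performs steps S4..S6 and returns the target SSID and the plaintext.
func (p *physicalAP) receive(wire []byte) (string, []byte, error) {
	fr, err := p.ctx.unprotect(wire) // S4: a forged or altered SSID is rejected here
	if err != nil {
		return "", nil, err
	}
	if len(fr) == 0 || len(fr) <= int(fr[0]) { // S5: read the SSID from its fixed position ...
		return "", nil, fmt.Errorf("truncated frame")
	}
	ssid, inner := string(fr[1:1+int(fr[0])]), fr[1+int(fr[0]):]
	vctx, ok := p.vaps[ssid] // ... and dispatch to that virtual AP
	if !ok {
		return "", nil, fmt.Errorf("no virtual AP %q", ssid)
	}
	msg, err := vctx.unprotect(inner) // S6: a message misdirected to another virtual AP fails here
	return ssid, msg, err
}

// demoPair builds two physical APs with constructed keys; link and per-SSID keys are shared by both ends.
func demoPair() (*physicalAP, *physicalAP) {
	mk := func(label string) secCtx {
		k := sha256.Sum256([]byte(label)) // constructed key material derived from a label
		block, _ := aes.NewCipher(k[:16]) // a 16-byte key cannot fail
		return secCtx{block, k[16:]}
	}
	vaps := func() map[string]secCtx { return map[string]secCtx{"voice": mk("voice"), "data": mk("data")} }
	return &physicalAP{mk("link"), vaps()}, &physicalAP{mk("link"), vaps()}
}

func main() {
	ap1, ap2 := demoPair()
	wire, _ := ap1.send("voice", []byte("IAPP MOVE-notify sta=00:11:22:33:44:55")) // constructed sample
	fmt.Println(ap2.receive(wire))
}
```

Two design points follow directly from the text. The per-virtual-AP layer is applied before the SSID is added, so the SSID travels in the clear inside the outer frame and only the physical-AP layer protects it; leaving out the outer layer (the patent makes steps A1/A2 optional) would let anyone on the path rewrite the SSID and steer a message to another virtual AP, where it would still fail the inner tag, but only after being dispatched. Verifying the tag before decrypting, on both layers, means malformed or forged ciphertext is never fed to the cipher.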
The present invention has been described above only with reference to preferred embodiments; those skilled in the art can make various changes and modifications to the invention without departing from its spirit and scope. Thus, if such modifications and variations of the invention fall within the scope of the claims of the invention and their equivalents, the invention is intended to cover them as well.

Claims (9)

1. A method for realizing communication between virtual access points in a wireless local area network, characterized by comprising the steps:
A. the virtual access point at the sending end adds a distinguishing identifier of the target virtual access point to the message to be sent;
B. the physical access point at the receiving end delivers the message to the corresponding target virtual access point according to the distinguishing identifier.
2. The method according to claim 1, characterized in that: before step A the virtual access point at the sending end applies a configured security mechanism to the message to be sent, and after step B the target virtual access point applies the corresponding security mechanism to reverse that processing.
3. The method according to claim 2, characterized in that: the security processing applied to the message is encryption and/or authentication, and the reverse processing applied to the message is decryption and/or verification.
4. The method according to claim 2, characterized in that: the virtual access point at the sending end may apply the security processing to the whole message or to part of the message.
5. The method according to claim 1 or 2, characterized in that between step A and step B it further comprises the steps:
A1. the physical access point at the sending end applies a configured security mechanism to the message carrying the distinguishing identifier;
A2. the physical access point at the receiving end applies the security mechanism corresponding to step A1 to reverse that processing on the message carrying the distinguishing identifier.
6. The method according to claim 5, characterized in that: the security processing in step A1 is encryption and/or authentication, and the reverse processing in step A2 is decryption and/or verification.
7. The method according to claim 5, characterized in that: in step A1 the security processing may be applied to the whole of the message carrying the distinguishing identifier or to part of it.
8. The method according to claim 1, characterized in that: the distinguishing identifier may be located at any position in the message.
9. The method according to claim 1, characterized in that: the distinguishing identifier is a service set identifier.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CNA2005100049165A 2005-01-28 2005-01-28 Method for realizing wireless local network virtual insertion point to-point communication (published as CN1812366A, pending)

Publications (1)

Publication Number Publication Date
CN1812366A 2006-08-02

Family

ID=36845064

Country Status (1)

Country Link
CN (1) CN1812366A (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101959196A (en) * 2010-10-20 2011-01-26 中国电信股份有限公司 WLAN (Wireless Local Area Network) resource sharing method and WLAN network system
CN101959196B (en) * 2010-10-20 2015-07-15 中国电信股份有限公司 WLAN (Wireless Local Area Network) resource sharing method and WLAN network system
WO2014005461A1 (en) * 2012-07-06 2014-01-09 Hangzhou H3C Technologies Co., Ltd. Virtual access point
CN107148578A (en) * 2014-11-10 2017-09-08 高通股份有限公司 Method, equipment and device for the mobile device location estimation using virtual access point
CN108668326A (en) * 2017-03-10 2018-10-16 联发科技(新加坡)私人有限公司 Virtual roaming method and device
CN108668326B (en) * 2017-03-10 2021-05-04 联发科技(新加坡)私人有限公司 Virtual roaming method and device

Similar Documents

Publication Publication Date Title
CN101406021B (en) SIM based authentication
US7434047B2 (en) System, method and computer program product for detecting a rogue member in a multicast group
CN100341290C (en) Authentication method for fast handover in a wireless local area network
CN1266893C (en) Method for insuring user's anonymous and its wireless local network system
US20020196764A1 (en) Method and system for authentication in wireless LAN system
WO2015144050A1 (en) Method for allocating addressing identifier, access point, station and communication system
CN101496387A (en) System and method for access authentication in a mobile wireless network
US20070204158A1 (en) Methods and apparatus for encryption key management
JP2012217207A (en) Exchange of key material
US9398455B2 (en) System and method for generating an identification based on a public key of an asymmetric key pair
CN108259469A (en) Cluster security authentication method based on block chain, node and cluster
TWI307232B (en) Wireless local area network with protection function and method for preventing attack
US7243368B2 (en) Access control system and method for a networked computer system
WO2005125089A1 (en) System, method and computer program product for authenticating a data source in multicast communications
US20050129236A1 (en) Apparatus and method for data source authentication for multicast security
CN1406034A (en) Electronic apparatus with relay function in wireless data communication
CN1812366A (en) Method for realizing wireless local network virtual insertion point to-point communication
CN1864386A (en) Naming of 802.11 group keys to allow support of multiple broadcast and multicast domains
CA2661050A1 (en) Dynamic temporary mac address generation in wireless networks
JPH06318939A (en) Cipher communication system
CN1225871C (en) Method for distributing enciphered key in wireless local area network
GB2607948A (en) Apparatuses, a system, and a method of operating a wireless network
CN1700636A (en) Method of applying certificate for wireless LAN mobile terminal and certificate management system
JP2006191429A (en) Authentication method and system in assembly type customer station network
CN113225298A (en) Message verification method and device

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Open date: 20060802