CN1968082A - Multicast authentication method, system and application - Google Patents

Multicast authentication method, system and application

Info

Publication number: CN1968082A
Application number: CNA2006101504472A (priority application CN200610150447A)
Granted as: CN100596059C (en)
Authority: CN (China)
Legal status: Granted; Expired - Fee Related
Prior art keywords: multicast, physical location, location information, message, user side
Other languages: Chinese (zh)
Inventor: 顾勤丰
Original and current assignee: Huawei Technologies Co Ltd
Related PCT application: PCT/CN2007/070973 (WO2008052475A1)

Classifications

    • H04L12/185 Arrangements for providing special services to substations for broadcast or conference, e.g. multicast, with management of multicast group membership
    • H04L12/189 Arrangements for providing special services to substations for broadcast or conference, e.g. multicast, in combination with wireless systems
    • H04L12/2856 Data switching networks characterised by path configuration (LAN/WAN); wide area networks, e.g. public data networks; access arrangements, e.g. Internet access
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L63/08 Network architectures or network communication protocols for network security, for authentication of entities
    • H04L67/52 Network services specially adapted for the location of the user terminal
    • H04W4/02 Services making use of location information
    • H04W4/029 Location-based management or tracking services

Abstract

The invention relates to a multicast authentication method, a corresponding system and a data multicast method. The method comprises: determining the physical location of a user terminal that requests to join a multicast group, and authenticating the multicast request according to that physical location. The invention inserts physical location information into the multicast join request of the user and authenticates the multicast request on that basis, without a separate unicast authentication, which gives high flexibility and simple management.

Description

Multicast authentication method, system and application
Technical field
The present invention relates to the field of network communications technology, and in particular to a multicast authentication method, system and application.
Background
Multicast is an important IP technology that is widely used for distributing information over networks. When a network uses multicast and several users want the same piece of information, the sender of the multicast packets (the multicast source) needs to send it only once: multicast routing protocols build a tree-shaped route for the multicast data, and the packets are replicated at the branch points of that tree, as far downstream as possible.
As shown in Figure 1, suppose users B, D and E want the same information. B, D and E then form the receiver set; each router in the network forwards and replicates the information according to how the receivers in that set are distributed, and the information is finally delivered to exactly the receivers B, D and E.
Figure 1 and the description above show that multicast involves three main entities: the multicast source, the multicast routers and the multicast receivers.
Multicast receivers use different protocols in different networks: IPv4 networks use IGMP, IPv6 networks use MLD.
To receive multicast packets, every receiving host that takes part in multicast transmission must implement IGMP or MLD.
A multicast-capable router need not store the membership of individual hosts; through IGMP it only needs to learn whether a receiver of a given multicast group exists on the network segment attached to each of its interfaces. Each multicast-capable host, on the other hand, must keep a record of the multicast groups it has joined.
Multicast also relies on IGMP Snooping (Internet Group Management Protocol Snooping), a multicast constraint mechanism that runs on Layer 2 devices and is used to manage and control multicast groups.
IGMP Snooping operates at the link layer. When a Layer 2 device receives an IGMP message exchanged between a host and a router, IGMP Snooping analyses the information the message carries.
When the switch hears an IGMP host report message sent by a host, it adds that host to the corresponding multicast table; when it hears an IGMP leave message sent by a host, it deletes the multicast entry corresponding to that host. By continuously listening to IGMP messages the switch builds and maintains a Layer 2 MAC multicast address table, and it can then forward the multicast traffic arriving from the router according to that table.
However, when the upstream device receives an IGMP/MLD message from a client it cannot accurately locate the access port of that client from the message alone. Present-day IGMP/MLD Snooping therefore only implements simple pruning on Layer 2 devices; its function is limited and not very flexible. In practice multicast is therefore combined with unicast authentication: the user terminal first logs in to the network, and after a successful login a unicast authentication is performed to obtain the multicast authorization. Multicast access cannot be authorized and controlled directly.
Summary of the invention
In view of the above problems of the prior art, the purpose of the invention is to provide a method and system for data multicast.
The objective of the invention is achieved through the following technical solutions:
A data multicast authentication method comprises:
determining the physical location information of a user terminal that requests to join a multicast group;
authenticating the multicast request according to the physical location information.
The authentication of the multicast request comprises:
determining the position of the multicast control point, and authenticating the multicast request at the multicast control point according to the physical location information.
Determining the physical location information of the user terminal comprises:
when the multicast control point is not the Digital Subscriber Line Access Multiplexer (DSLAM), inserting into the multicast report message the physical location information of the user terminal that sent it;
the multicast control point, after receiving the multicast report message, parses it and obtains the physical location information inserted into it.
After the multicast control point has obtained the inserted physical location information, it compares the physical location information of the multicast report message with the physical location information recorded when the user came online over unicast, and verifies it as follows:
if the two are consistent, the physical location information passes verification and the multicast request can be authenticated according to it;
if the two are inconsistent, the physical location information fails verification and the multicast request cannot be authenticated according to it.
Authenticating the multicast request according to the physical location information comprises:
the multicast control point sends an Access-Request to a Remote Authentication Dial-In User Service (RADIUS) server; the request contains a user name, a password and the multicast address the user terminal requests to join, where the user name is a character string assembled from the physical location of the user terminal;
the RADIUS server determines the physical location information of the user terminal from the user name and determines the multicast authorization corresponding to that information;
the RADIUS server authenticates the multicast request according to the multicast authorization it has determined.
Determining the physical location information of the user terminal may also comprise:
when the multicast control point is the DSLAM, the DSLAM determines the physical location information of the user terminal from the multicast report message sent by the user terminal.
The DSLAM then authenticates the multicast request according to the physical location information of the user terminal.
A data multicast method comprises:
the DSLAM inserts into the multicast report message the physical location information of the user terminal that sent it; the Broadband Remote Access Server (BRAS) initiates multicast authentication with the authentication server according to that physical location information; and the BRAS replicates and sends the multicast packets to the user terminals that pass authentication.
Another data multicast method comprises:
the DSLAM inserts into the multicast report message the physical location information of the user terminal that sent it, and the BRAS authenticates the multicast request according to that physical location information;
the BRAS sends a replication control message to the DSLAM;
the DSLAM adds a multicast replication outgoing interface according to the physical location information, and replicates and sends the multicast packets to the user terminal.
A further data multicast method comprises:
when the control point is the DSLAM, the DSLAM detects the multicast report message, obtains from it the physical location information of the user terminal that sent it, authenticates the multicast request according to that information, and sends the multicast packets to the user terminals that pass authentication.
A data multicast authentication system comprises a user terminal, a Digital Subscriber Line Access Multiplexer (DSLAM), a Broadband Remote Access Server (BRAS) and a RADIUS server.
The DSLAM contains a physical location information detection module and a physical location information insertion module; the BRAS contains a message reading module and a multicast authentication module.
The physical location information detection module detects the physical location information of a user terminal that requests to join a multicast group;
the physical location information insertion module inserts the detected physical location information into the multicast report message;
the message reading module reads the multicast report message sent by the user terminal and obtains the physical location information inserted into it;
the multicast authentication module sends the physical location information obtained by the message reading module to the RADIUS server and performs multicast authentication of the user terminal.
Another data multicast authentication system comprises a user terminal, a DSLAM and a RADIUS server.
The DSLAM contains a physical location information detection module and a multicast authentication module;
the detection module detects the physical location information of a user terminal that requests to join a multicast group;
the multicast authentication module sends the physical location information to the RADIUS server and performs multicast authentication of the user terminal.
A data multicast system comprises a user terminal, a DSLAM, a BRAS and a data provider.
The BRAS contains a multicast authentication module, a multicast replication module and a multicast sending module; the DSLAM contains a physical location information detection module and a physical location information insertion module.
The detection module detects the physical location information of a user terminal that requests to join a multicast group;
the insertion module inserts the detected physical location information into the multicast report message;
the multicast authentication module sends the physical location information read from the multicast report message to the RADIUS server and performs multicast authentication of the user terminal;
the multicast replication module replicates multicast packets for the user terminals that pass multicast authentication;
the multicast sending module sends the multicast packets replicated by the multicast replication module to the user terminal.
Another data multicast system comprises a user terminal, a DSLAM, a BRAS and a data provider.
The BRAS contains a multicast authentication module and a replication control module; the DSLAM contains a physical location information detection module, a multicast replication module and a multicast sending module.
The detection module detects the physical location information of a user terminal that requests to join a multicast group;
the multicast authentication module performs multicast authentication of the user terminal according to the physical location information;
the replication control module sends a replication control message to the DSLAM, instructing the DSLAM to replicate multicast packets for the authenticated user terminal designated in the replication control message;
the multicast replication module replicates multicast packets for the user terminal designated in the replication control message;
the multicast sending module sends the replicated multicast packets to the user terminal connected to the corresponding outgoing interface.
A further data multicast system comprises a user terminal, a DSLAM, a BRAS and a data provider.
The DSLAM contains a physical location information detection module, a multicast replication module and a multicast sending module;
the detection module detects the physical location information of a user terminal that requests to join a multicast group;
the multicast replication module replicates multicast packets for the user terminals that pass multicast authentication;
the multicast sending module sends the multicast packets to the user terminals that pass multicast authentication when the multicast control point is the DSLAM.
As the technical solutions above show, the invention requires a user that takes part in multicast to carry physical location information, and authenticates the multicast request within the multicast procedure itself according to that information. No additional unicast authentication outside the multicast procedure is needed, which gives practical multicast deployments high flexibility and makes them easy to control and manage.
Description of drawings
Figure 1 is a schematic diagram of prior-art multicast;
Figure 2 is the multicast authentication flow chart of embodiment one of the invention;
Figure 3 is the data multicast flow chart of embodiment two;
Figure 4 is the data multicast flow chart of embodiment three;
Figure 5 is the data multicast flow chart of embodiment four;
Figure 6 is a schematic diagram of the multicast authentication system of embodiment five;
Figure 7 is a schematic diagram of the multicast authentication system of embodiment six;
Figure 8 is a schematic diagram of the data multicast system of embodiment seven;
Figure 9 is a schematic diagram of the data multicast system of embodiment eight;
Figure 10 is a schematic diagram of the data multicast system of embodiment nine.
Embodiments
The core of the invention is to add the physical location information of the user terminal to the multicast report message, to authenticate the multicast request according to that physical location information, and thereby to realize the multicast delivery of data.
More specifically:
First, the user terminal obtains a unicast address. The position of the multicast control point is then detected, which distinguishes the following two cases:
When the multicast control point is the Digital Subscriber Line Access Multiplexer (DSLAM):
an Access-Request is sent to the RADIUS server; it contains a user name, a password and the multicast address the user terminal requests to join, where the user name is a character string assembled from the physical location of the user terminal and thus carries the physical location information (the authentication signaling is otherwise identical to that described below);
the DSLAM, acting as the multicast control point, performs multicast authentication according to the physical location information;
if the user terminal passes multicast authentication, the multicast data stream is replicated for that user;
if it does not pass authentication, the multicast data stream is not replicated.
When the multicast control point is the BRAS device:
the DSLAM snoops the multicast report message the user terminal sends when it requests to receive multicast packets, and while snooping inserts the physical location information of the user terminal into the multicast report message;
after the BRAS receives the message carrying the inserted physical location information, it extracts that information from the message and sends an Access-Request to the RADIUS server to perform multicast authentication;
the Access-Request contains a user name, a password and the multicast address the user terminal requests to join, where the user name is a character string assembled from the physical location of the user terminal and thus carries the physical location information;
the RADIUS server determines the physical location information of the user terminal from the user name, determines the multicast authorization corresponding to that information, and finally decides whether the multicast address the user terminal wants to join is covered by the multicast authorization;
if the requested multicast address is authorized, the RADIUS server sends an Access-Accept to the BRAS, and the device at which the replication point is located is determined:
when the multicast replication point is the BRAS device, the BRAS adds the user to the outgoing interface replication list, replicates the multicast packets for the user and sends the data stream of the multicast channel to the user terminal;
when the multicast replication point is the DSLAM, the BRAS signals the DSLAM according to the physical location information to add the user to its outgoing interface list, and the DSLAM replicates the multicast packets for the user.
If the requested multicast address is not authorized, the RADIUS server sends an Access-Reject to the BRAS, and the BRAS does not send the multicast data stream to the user terminal.
The invention is described in detail below with reference to the specific embodiments and the accompanying drawings.
As shown in Figure 2, the multicast authentication process of embodiment one comprises:
Step 11: the user obtains a unicast address.
The way the user obtains a unicast address differs with the type of network:
in an IPv4 network the user negotiates with the Broadband Remote Access Server (BRAS) through the Dynamic Host Configuration Protocol (DHCP), and the BRAS assigns the unicast address to the user;
in an IPv6 network the user can generate a link-local address automatically.
Step 12: detect whether the multicast control point is the DSLAM.
Step 13: when the multicast control point is the Digital Subscriber Line Access Multiplexer (DSLAM), the DSLAM snoops the multicast report message sent by the user terminal, obtains the physical location information of the user terminal, sends that physical location information to the RADIUS server, authenticates the multicast request, and so determines which user terminals join the multicast group.
Step 14: when the multicast control point is not the DSLAM, the DSLAM snoops the multicast Report message sent by the user and inserts the physical location information of the user terminal into the message.
The physical location information can be inserted after the payload of the IGMP/MLD report message; its attribute format is as follows:

    +--------------------+------------------------------------------+
    | Attribute code     | Attribute length                         |
    +------+---------+---+------------------------------------------+
    | 0x01 | Length  | Agent Circuit ID value ...                   |
    |      |         | Agent Circuit ID value (cont.)               |
    +------+---------+----------------------------------------------+
    | 0x02 | Length  | Agent Remote ID value ...                    |
    |      |         | Agent Remote ID value (cont.)                |
    +------+---------+----------------------------------------------+

Attribute code = 0x0001; attribute length is the total length of the two sub-options (0x01 Agent Circuit ID and 0x02 Agent Remote ID).
The whole attribute can be appended after the payload of the IGMP message or the MLD message.
The formats of the IGMP report message and the MLD report message vary slightly between protocol versions; the physical location format above is only a reference design, and the exact insertion position of the physical location information can be adjusted.
Step 15: when the multicast control point is not the DSLAM, multicast authentication first requires the multicast control point to obtain from the multicast report message the physical location information inserted by the DSLAM, then to verify that physical location information, and finally to authenticate the multicast request according to the verified physical location information.
The verification of the physical location carried in the multicast report message in step 15 comprises:
the BRAS device obtains the physical location information from the join request message and compares it with the physical location information of the user recorded when the user came online over unicast:
if the two are consistent, the IGMP/MLD multicast report message came from the same physical link and was not forged by another user;
if the two are inconsistent, the IGMP/MLD join request may have been forged by another user.
The BRAS device compares the physical location information of the multicast report message with that recorded at unicast login because the physical location information in the IGMP/MLD message is inserted by the DSLAM, and for the BRAS device the information inserted by the DSLAM is trustworthy.
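As an added worked example (not part of the patent text), the following Python builds an IGMPv2 Membership Report, shows the DSLAM appending the location attribute described above, and shows the BRAS-side check of step 15 that the carried Agent Circuit ID matches the circuit recorded for the unicast session the report arrived on. The field widths (2-byte attribute code and length, 1-byte sub-option code and length), the function names and the sample session table are assumptions; the page only sketches the layout. The check is only as strong as the DSLAM's insertion: the DSLAM must discard anything a subscriber appended beyond the bare report before adding its own attribute, otherwise a host could claim another line's location, which is why the insertion routine truncates to the 8-byte report first.

```python
"""IGMPv2 report with a DSLAM-inserted location attribute, and the BRAS-side check."""
import socket
import struct

# Codes as given on the page; byte widths are assumptions.
LOCATION_ATTR_CODE = 0x0001   # 2-byte attribute code, followed by 2-byte length
SUBOPT_CIRCUIT_ID = 0x01      # 1-byte sub-option code, 1-byte length
SUBOPT_REMOTE_ID = 0x02
IGMPV2_REPORT = 0x16          # IGMPv2 Membership Report type (RFC 2236)


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words (odd length zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_igmpv2_report(group: str) -> bytes:
    """Plain 8-byte IGMPv2 Membership Report as the host sends it."""
    hdr = struct.pack("!BBH4s", IGMPV2_REPORT, 0, 0, socket.inet_aton(group))
    return hdr[:2] + struct.pack("!H", inet_checksum(hdr)) + hdr[4:]


def encode_location_attr(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Attribute code | attribute length | 0x01 len circuit-id | 0x02 len remote-id."""
    subopts = (struct.pack("!BB", SUBOPT_CIRCUIT_ID, len(circuit_id)) + circuit_id
               + struct.pack("!BB", SUBOPT_REMOTE_ID, len(remote_id)) + remote_id)
    return struct.pack("!HH", LOCATION_ATTR_CODE, len(subopts)) + subopts


def dslam_insert_location(report: bytes, circuit_id: bytes, remote_id: bytes) -> bytes:
    """DSLAM side (step 14): keep only the 8-byte report so nothing the subscriber
    appended survives, add the trusted attribute, recompute the checksum over it all."""
    base = report[:8]
    payload = base[:2] + b"\x00\x00" + base[4:] + encode_location_attr(circuit_id, remote_id)
    return payload[:2] + struct.pack("!H", inet_checksum(payload)) + payload[4:]


def parse_report(msg: bytes) -> dict:
    """BRAS side: verify the checksum, return group and the location sub-options."""
    if len(msg) < 8 or inet_checksum(msg) != 0:
        raise ValueError("bad IGMP checksum or truncated report")
    mtype, _, _, group = struct.unpack("!BBH4s", msg[:8])
    out = {"type": mtype, "group": socket.inet_ntoa(group), "circuit_id": None, "remote_id": None}
    if len(msg) > 8:
        code, length = struct.unpack("!HH", msg[8:12])
        if code != LOCATION_ATTR_CODE or 12 + length != len(msg):
            raise ValueError("malformed location attribute")
        pos = 12
        while pos < len(msg):
            sub, sublen = msg[pos], msg[pos + 1]
            value = msg[pos + 2:pos + 2 + sublen]
            if len(value) != sublen:
                raise ValueError("truncated sub-option")
            if sub == SUBOPT_CIRCUIT_ID:
                out["circuit_id"] = value
            elif sub == SUBOPT_REMOTE_ID:
                out["remote_id"] = value
            pos += 2 + sublen
    return out


# Constructed sample of the BRAS unicast session table: the circuit learned when
# each subscriber came online (e.g. at DHCP), keyed by the assigned unicast address.
UNICAST_SESSIONS = {
    "10.0.0.12": b"Dslam1 0/1/0.12",
    "10.0.0.13": b"Dslam1 0/1/0.13",
}


def bras_verify_location(src_ip: str, msg: bytes) -> bool:
    """Step 15 check: the circuit in the report must equal the circuit of the
    unicast session the report arrived from; otherwise treat it as a possible forgery."""
    info = parse_report(msg)
    return info["circuit_id"] is not None and info["circuit_id"] == UNICAST_SESSIONS.get(src_ip)
```

Running `bras_verify_location` with a report whose source address belongs to a different line returns False even when the report itself is well formed, which is the forgery case the page describes.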
The multicast authentication in step 15 is performed by the BRAS against the RADIUS server according to the physical location information added by the DSLAM; the specific steps are:
Step 151: the BRAS sends an Access-Request message to the RADIUS server containing a user name, a password and the multicast address the user requests to join; specifically:
User name: a character string assembled from the physical location, for example Dslam1 0/1/0.12, which denotes line 12 on the port identified as frame/board/port 0/1/0 of the device Dslam1;
Password: the password value can be determined from the specific configuration of the equipment;
Multicast address to join: carried in a Vendor-Specific attribute, extended with a Vendor-Specific sub-attribute.
The format of the Vendor-Specific attribute is:

    +------+--------+-----------+-------------+---------------+------------------------+
    | Type | Length | Vendor-Id | Vendor type | Vendor length | Attribute-Specific ... |
    +------+--------+-----------+-------------+---------------+------------------------+

where Type = 26, and the extended sub-attribute has Vendor type = 211;
the content of Attribute-Specific is the Encoded-Multicast Group Address;
the format of the Encoded-Multicast Group Address is:

    +-------------+---------------+----------+---------------+
    | Addr Family | Encoding Type | Mask Len | Group Address |
    +-------------+---------------+----------+---------------+

Step 152: the RADIUS server receives and processes the authentication request message reported by the BRAS and issues the multicast authorization for the user.
The RADIUS server uses the user name, that is, the physical location information, to find the multicast authorization corresponding to that physical location information; the multicast authorization is the channel information, stored on the RADIUS server when the user's account was opened, that the user is permitted to order.
The RADIUS server uses the multicast address the user requests to join and the multicast authorization corresponding to the user's physical location information to decide whether the user who sent the multicast join request is permitted to order the requested multicast address.
If the multicast address the user requests to join is authorized, the RADIUS server sends an Access-Accept message to the BRAS device;
if it is not authorized, the RADIUS server sends an authorization-refusal message to the BRAS device or performs other actions, such as requesting that another request message be sent.
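As an added example (not from the patent), the following Python assembles the step 151 Access-Request with the physical location as User-Name, a User-Password hidden as RFC 2865 section 5.2 prescribes, and the Vendor-Specific attribute (Type 26, Vendor type 211) carrying the Encoded-Multicast Group Address; it then implements the step 152 decision against a constructed per-line authorization table, accepting only when the requested group falls inside a provisioned channel range. The Vendor-Id (Huawei's registered IANA enterprise number, 2011), the one-byte widths of Addr Family, Encoding Type and Mask Len, the IPv4 address-family value 1, the shared secret and the authorization table are assumptions; the page does not specify them.

```python
"""Step 151/152: RADIUS Access-Request keyed on physical location, and the server decision."""
import hashlib
import ipaddress
import os
import struct
from typing import Optional

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_VENDOR_SPECIFIC = 1, 2, 26
VENDOR_TYPE_MCAST_GROUP = 211   # sub-attribute type given on the page
VENDOR_ID = 2011                # assumed: Huawei's IANA enterprise number (not stated on the page)
ADDR_FAMILY_IPV4 = 1            # assumed IANA address family number


def encode_group_address(group: str, mask_len: int = 32, encoding_type: int = 0) -> bytes:
    """Encoded-Multicast Group Address: Addr Family | Encoding Type | Mask Len | Group Address.
    One byte for each of the first three fields (assumed widths), 4-byte IPv4 group."""
    return struct.pack("!BBB4s", ADDR_FAMILY_IPV4, encoding_type, mask_len,
                       ipaddress.IPv4Address(group).packed)


def decode_group_address(data: bytes) -> ipaddress.IPv4Network:
    family, _enc, mask_len, addr = struct.unpack("!BBB4s", data)
    if family != ADDR_FAMILY_IPV4:
        raise ValueError("unsupported address family")
    return ipaddress.IPv4Network((addr, mask_len), strict=False)


def attr(t: int, value: bytes) -> bytes:
    """RFC 2865 attribute: Type | Length (including these two bytes) | Value."""
    return struct.pack("!BB", t, len(value) + 2) + value


def vsa_multicast_group(group: str) -> bytes:
    inner = encode_group_address(group)
    vendor_part = struct.pack("!BB", VENDOR_TYPE_MCAST_GROUP, len(inner) + 2) + inner
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_ID) + vendor_part)


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous)."""
    password = password.ljust((len(password) + 15) // 16 * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(password), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(password[i:i + 16], key))
        out += block
        prev = block
    return out


def build_access_request(location: str, password: bytes, group: str, secret: bytes,
                         identifier: int = 1, authenticator: Optional[bytes] = None) -> bytes:
    """Code | Identifier | Length | Request Authenticator | attributes (User-Name = location)."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attr(ATTR_USER_NAME, location.encode())
             + attr(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
             + vsa_multicast_group(group))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_attributes(pkt: bytes) -> dict:
    """Server side: pull User-Name (the physical location) and the requested group."""
    out, pos = {}, 20
    while pos < len(pkt):
        t, length = pkt[pos], pkt[pos + 1]
        if length < 2:
            raise ValueError("malformed attribute")
        value = pkt[pos + 2:pos + length]
        if t == ATTR_USER_NAME:
            out["location"] = value.decode()
        elif t == ATTR_VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == VENDOR_ID:
            vtype, vlen = value[4], value[5]
            if vtype == VENDOR_TYPE_MCAST_GROUP:
                out["group"] = decode_group_address(value[6:4 + vlen])
        pos += length
    return out


# Constructed RADIUS-side authorization: channel ranges each physical line may order,
# as provisioned when the subscriber's account was opened.
AUTHORIZED_CHANNELS = {
    "Dslam1 0/1/0.12": [ipaddress.IPv4Network("239.1.1.0/24")],
    "Dslam1 0/1/0.13": [ipaddress.IPv4Network("239.1.1.1/32")],
}


def radius_decide(pkt: bytes) -> int:
    """Step 152: look up the authorization by physical location and return the reply code."""
    req = parse_attributes(pkt)
    if "location" not in req or "group" not in req:
        return ACCESS_REJECT
    allowed = AUTHORIZED_CHANNELS.get(req["location"], [])
    return ACCESS_ACCEPT if any(req["group"].subnet_of(net) for net in allowed) else ACCESS_REJECT
```

Because the User-Name is the circuit string the BRAS learned from the DSLAM rather than anything the subscriber typed, the authorization lookup is bound to the physical line; the User-Password here only authenticates the BRAS-to-RADIUS exchange under the shared secret.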
The invention can also have a Layer 2 device located between the DSLAM and the BRAS snoop the multicast report messages that carry the inserted physical location information, obtain the physical location information, and perform multicast authentication by means of it.
As shown in Figure 3, for the case in which the control point is not the DSLAM and multicast replication is performed at the BRAS, the processing of embodiment two is as follows:
Step 21: multicast authentication is performed for the user terminal that requests to join the multicast group;
Step 22: the BRAS adds the physical location information of the user terminals that pass multicast authentication to the outgoing interface replication list and replicates the multicast packets for the user;
Step 23: the BRAS sends the multicast packets of the multicast channel to the user terminal, so that the user obtains the multicast service.
As shown in Figure 4, for the case in which the control point is not the DSLAM and multicast replication is not performed at the BRAS, the processing of embodiment three is as follows:
Step 31: multicast authentication is performed for the user terminal that requests to join the multicast group;
Step 32: the BRAS device sends a control message to the DSLAM; the message contains link information, and through this control message the BRAS instructs the DSLAM to replicate the multicast packets for the user terminal corresponding to the link information in the message.
The control message sent to the DSLAM is defined as follows:
the message is carried over the User Datagram Protocol (UDP); its destination address is the management address of the DSLAM and its destination port is 65001 (devices that enable this function reserve this port); the message format is:

    +------+----------+-------------------------+----------------------------------+
    | Type | Reserved | Link-location-attribute | Encoded-Multicast Group Address-1 |
    +------+----------+-------------------------+----------------------------------+

Type = 1: the BRAS requests the DSLAM to add the physical link to the data forwarding of the corresponding multicast group;
Type = 2: the DSLAM responds to the BRAS that the addition succeeded.
Step 33: the DSLAM receives the add control message from the BRAS, adds the corresponding physical link to the forwarding entry of the corresponding multicast group, replicates the multicast packets and forwards the multicast stream to the user, and returns a Type = 2 response to the BRAS.
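As an added example (not from the patent), the following Python encodes and decodes the BRAS-to-DSLAM control message described above and models the DSLAM side of step 33: on a Type 1 request it installs the physical link in the forwarding entry of the group and answers with Type 2. The field widths (1-byte Type and Reserved, a 2-byte length prefix on Link-location-attribute, a 7-byte encoded group address with one-byte Addr Family, Encoding Type and Mask Len) and the class and function names are assumptions. The handler also refuses links the DSLAM does not terminate, a check the page does not mention but which keeps a stray or spoofed UDP message to the management address from creating replication to arbitrary ports; the actual UDP transport to port 65001 is left to the caller.

```python
"""BRAS -> DSLAM replication control message (Type 1 add, Type 2 acknowledge)."""
import ipaddress
import struct
from typing import Optional, Tuple

CONTROL_PORT = 65001          # destination UDP port given on the page
TYPE_ADD, TYPE_ADD_OK = 1, 2


def encode_group_address(group: str, mask_len: int = 32) -> bytes:
    """Addr Family (1 = IPv4) | Encoding Type | Mask Len | Group Address; widths assumed."""
    return struct.pack("!BBB4s", 1, 0, mask_len, ipaddress.IPv4Address(group).packed)


def build_control(msg_type: int, link_location: bytes, group: str) -> bytes:
    """Type | Reserved | Link-location-attribute | Encoded-Multicast Group Address.
    Assumed layout: 1-byte Type, 1-byte Reserved, 2-byte attribute length, attribute
    bytes, then the 7-byte encoded group address."""
    return (struct.pack("!BBH", msg_type, 0, len(link_location)) + link_location
            + encode_group_address(group))


def parse_control(data: bytes) -> Tuple[int, bytes, ipaddress.IPv4Network]:
    msg_type, _reserved, loc_len = struct.unpack("!BBH", data[:4])
    link_location = data[4:4 + loc_len]
    if len(link_location) != loc_len or len(data) != 11 + loc_len:
        raise ValueError("malformed control message")
    fam, _enc, mask_len, addr = struct.unpack("!BBB4s", data[4 + loc_len:11 + loc_len])
    if fam != 1:
        raise ValueError("unsupported address family")
    return msg_type, link_location, ipaddress.IPv4Network((addr, mask_len), strict=False)


class Dslam:
    """Minimal DSLAM model: forwarding table of group network -> set of physical links."""

    def __init__(self, local_links):
        self.local_links = set(local_links)   # lines this DSLAM actually terminates
        self.forwarding = {}                  # IPv4Network -> set(link_location)

    def handle_control(self, data: bytes) -> Optional[bytes]:
        """Step 33: install the link for the group and reply with Type 2; ignore other types."""
        msg_type, link, group = parse_control(data)
        if msg_type != TYPE_ADD:
            return None
        if link not in self.local_links:
            # Never install replication towards a line we do not own.
            raise ValueError(f"unknown physical link {link!r}")
        self.forwarding.setdefault(group, set()).add(link)
        return build_control(TYPE_ADD_OK, link, str(group.network_address))

    def replicate(self, group: str):
        """Physical links that receive a copy of one packet addressed to `group`."""
        g = ipaddress.IPv4Address(group)
        out = set()
        for net, links in self.forwarding.items():
            if g in net:
                out |= links
        return sorted(out)
```

A BRAS would send `build_control(TYPE_ADD, link, group)` over UDP to the DSLAM management address on `CONTROL_PORT` and treat the Type 2 reply echoing the same link and group as confirmation that the outgoing interface was added.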
As shown in Figure 5, for multicast transmission in which the control point is the DSLAM, the processing of embodiment four is as follows:
Step 41: multicast authentication is performed for the user terminal that requests to join the multicast group;
Step 42: after determining that the user terminal has passed multicast authentication, the DSLAM adds the physical location information of the user terminal to the outgoing interface replication list and replicates the multicast packets for the user;
Step 43: the DSLAM sends the replicated multicast packets to the user terminal, realizing the multicast delivery of information to the user.
After the user's multicast has been set up, the BRAS also needs to send IGMP/MLD Query messages in order to determine whether the multicast user needs to keep receiving the multicast content. The steps are as follows:
the BRAS sends an IGMP/MLD Query message to the DSLAM, carrying the physical location information of the user in the Query message;
the DSLAM receives and processes the Query message, removes the physical location information of the user from the message, and sends the Query message to the designated user according to the user's physical location information;
the user receives the Query message and replies to the BRAS, informing the BRAS whether it needs to keep receiving the multicast packets.
As shown in Figure 6, a kind of multicast authentication system shown in the embodiment of the invention five, this system comprises user side, Digital Subscriber Line Access Multiplexer DSLAM, broad band remote server B RAS and remote dial subscriber authentication server Radius, wherein, described DSLAM comprises physical location information detection module and physical location information insert module, and described BRAS comprises message read module and multicast authentication module.
Carry out in the process of work at present embodiment:
Physical location information detection module among the DSLAM detects multicast and reports message, determines that requirement adds the physical location information of the user side of multicast;
Physical location information insert module among the DSLAM is inserted described multicast with detected physical location information and is reported message;
The multicast that DSLAM will carry physical location information reports message to be sent to BRAS;
The multicast that message read module among the BRAS reads the user side transmission reports message, obtains the user side physical location information that inserts in the message;
Multicast authentication module among the BRAS is sent to Radius with the physical location information that described message read module obtains, and realizes the multicast authentication of native system to user side.
As shown in Figure 7, a kind of multicast authentication system shown in the embodiment of the invention six, this system comprises user side, Digital Subscriber Line Access Multiplexer DSLAM and remote dial subscriber authentication server Radius, wherein, comprises physical location information detection module and multicast authentication module among the DSLAM.
When described system carries out work:
Multicast is reported the physical location information that detects user side in the snoop procedure of message by the physical location information detection module among the DSLAM at DSLAM;
Multicast authentication module among the DSLAM is sent to Radius with detected physical location information, and physical location information is carried out multicast authentication, realizes the multicast authentication of multicast authentication system to user side.
The present invention also comprises the data set broadcast system based on multicast authentication except that the multicast authentication system.
Be illustrated in figure 8 as the data set broadcast system of the embodiment of the invention seven, described system comprises user side, DSLAM, BRAS, Radius and data provider, comprise multicast authentication module, multicast replication module and multicast sending module among the wherein said BRAS, comprise physical location information detection module and physical location information insert module among the described DSLAM.
When the described system of present embodiment carries out work:
Report message to monitor by DSLAM to the multicast that user side sends, and in snoop procedure, detect the physical location information of user side by its physical location information detection module;
Physical location information insert module among the DSLAM is inserted multicast with physical location information and is reported message, and reports message to be sent to BRAS described multicast;
Multicast authentication module among the BRAS is sent to Radius with the physical location information that receives and carries out multicast authentication;
Multicast replication module among the BRAS is the user side duplicated multicast message by multicast authentication;
Multicast sending module among the BRAS will by described multicast replication module duplicate multicast message be sent to user side, realize that data set is broadcast to send.
The data set broadcast system of the embodiment of the invention 8 as shown in Figure 9, comprise user side, DSLAM, BRAS, Radius and data provider, wherein, comprise the multicast authentication module among the described BRAS and duplicate control module, comprise physical location information insert module, multicast replication module and multicast sending module among the described DSLAM;
In the course of work of present embodiment:
Report message to monitor by DSLAM to the multicast that user side sends, detect physical location information, and detected physical location information insertion multicast is reported message by the physical location information insert module;
Multicast authentication module among the BRAS is sent to Radius with the physical location information that receives and carries out multicast authentication;
After passing through multicast authentication, the control module of duplicating among the BRAS is duplicated the control message to the DSLAM transmission, and control DSLAM is the user side duplicated multicast message that passes through multicast authentication that duplicates appointment in the control message;
DSLAM receive duplicate the control message after, multicast replication module wherein is according to the requirement of control message, for duplicating the user side duplicated multicast message of control in the message;
Multicast sending module among the DSLAM is sent to user side with the multicast message through duplicating, and the realization data set is broadcast and sent.
The data set broadcast system of the embodiment of the invention 9 as shown in figure 10, described system comprises user side, DSLAM, BRAS and data provider, wherein comprises the multicast sending module among the DSLAM.
The course of work of described system comprises:
Physical location information detection module among the DSLAM detects and sends the physical location information that multicast reports the user side of message;
Multicast authentication module among the DSLAM is sent to Radius with described physical location information and carries out multicast authentication;
Behind the process multicast authentication, the multicast replication module among the DSLAM is a user side duplicated multicast message, and the multicast message that the multicast sending module will duplicate is sent to user side, realizes the multicast of user side is sent.
The above; only for the preferable embodiment of the present invention, but protection scope of the present invention is not limited thereto, and anyly is familiar with those skilled in the art in the technical scope that the present invention discloses; the variation that can expect easily or replacement all should be encompassed within protection scope of the present invention.Therefore, protection scope of the present invention should be as the criterion with the protection range of claim.

Claims (15)

1. A data multicast authentication method, characterized in that it comprises:
determining the physical location information of the user side requesting to join the multicast;
authenticating the multicast according to the physical location information.
2. The data multicast authentication method according to claim 1, characterized in that the process of authenticating the multicast comprises:
determining the position of the multicast control point, and authenticating the multicast at the multicast control point according to the physical location information.
3. The data multicast authentication method according to claim 1, characterized in that the process of determining the user-side physical location information comprises:
when the multicast control point is not the Digital Subscriber Line Access Multiplexer (DSLAM), inserting into the multicast report message the physical location information of the user side that sends the message;
after receiving the multicast report message, the multicast control point parses the message and obtains the user-side physical location information inserted in the message.
4. The data multicast authentication method according to claim 3, characterized in that, after the multicast control point obtains the inserted user-side physical location information, the physical location information in the multicast report message is compared with the physical location information of the user recorded when the user came online over unicast, so as to verify the physical location information:
if the two pieces of physical location information are consistent, the physical location information passes the verification and the multicast can be authenticated according to this physical location information;
if the two pieces of physical location information are inconsistent, the physical location information fails the verification and the multicast cannot be authenticated according to this physical location information.
5. The data multicast authentication method according to claim 3 or 4, characterized in that the process of authenticating the multicast according to the physical location information comprises:
the multicast control point sends an access request to the remote dial-in user authentication (Radius) server, the access request containing a user name, a password and the multicast address that the user side requests to join, wherein the user name is a character string obtained by assembling the user-side physical location;
the Radius server determines the physical location information of the user side from the user name, and determines the multicast authorization corresponding to that information;
the Radius server authenticates the multicast according to the multicast authorization information it has determined.
6. The data multicast authentication method according to claim 1, characterized in that the process of determining the user-side physical location information comprises:
when the multicast control point is the DSLAM, the DSLAM determines the physical location information of the user side from the multicast report message sent by the user side.
7. The data multicast authentication method according to claim 6, characterized in that the DSLAM authenticates the multicast according to the physical location information of the user side.
8. A data multicast method, characterized in that:
the DSLAM inserts into the multicast report message the physical location information of the user side that sends the message; the BRAS initiates multicast authentication to the authentication server according to the physical location information; and the BRAS replicates and sends the multicast message for the user side that passes authentication.
9. A data multicast method, characterized in that:
the DSLAM inserts into the multicast report message the physical location information of the user side that sends the message, and the BRAS authenticates the multicast according to the physical location information;
the BRAS sends a replication control message to the DSLAM;
the DSLAM adds a multicast replication outgoing interface according to the physical location information, and replicates and sends the multicast message for the user side.
10. A data multicast method, characterized in that:
when the control point is the DSLAM, the DSLAM inspects the multicast report message, obtains from it the physical location information of the user side that sends the message, authenticates the multicast according to the physical location information, and sends the multicast message to the user side that passes authentication.
11. A data multicast authentication system, comprising a user side, a Digital Subscriber Line Access Multiplexer (DSLAM), a Broadband Remote Access Server (BRAS) and a remote dial-in user authentication server (Radius), characterized in that the DSLAM comprises a physical location information detection module and a physical location information insertion module, and the BRAS comprises a message reading module and a multicast authentication module;
the physical location information detection module is used to detect the physical location information of the user side requesting to join the multicast;
the physical location information insertion module is used to insert the detected physical location information into the multicast report message;
the message reading module is used to read the multicast report message sent by the user side and obtain the user-side physical location information inserted in the message;
the multicast authentication module is used to send the physical location information obtained by the message reading module to the Radius server and perform multicast authentication of the user side.
12. A data multicast authentication system, comprising a user side, a Digital Subscriber Line Access Multiplexer (DSLAM) and a remote dial-in user authentication server (Radius), characterized in that the DSLAM comprises a physical location information detection module and a multicast authentication module;
the physical location information detection module is used to detect the physical location information of the user side requesting to join the multicast;
the multicast authentication module is used to send the physical location information to the Radius server and perform multicast authentication of the user side.
13. A data multicast system, comprising a user side, DSLAM, BRAS and a data provider, characterized in that the BRAS comprises a multicast authentication module, a multicast replication module and a multicast sending module, and the DSLAM comprises a physical location information detection module and a physical location information insertion module;
the physical location information detection module is used to detect the physical location information of the user side requesting to join the multicast;
the physical location information insertion module is used to insert the detected physical location information into the multicast report message;
the multicast authentication module is used to send the physical location information obtained by the message reading module to the Radius server and perform multicast authentication of the user side;
the multicast replication module is used to replicate the multicast message for the user side that has passed multicast authentication;
the multicast sending module is used to send the multicast message replicated by the multicast replication module to the user side.
14. A data multicast system, comprising a user side, DSLAM, BRAS and a data provider, characterized in that the BRAS comprises a multicast authentication module and a replication control module, and the DSLAM comprises a physical location information detection module, a multicast replication module and a multicast sending module;
the physical location information detection module is used to detect the physical location information of the user side requesting to join the multicast;
the multicast authentication module is used to perform multicast authentication of the user side according to the physical location information;
the replication control module is used to send a replication control message to the DSLAM and control the DSLAM to replicate the multicast message for the authenticated user side specified in the replication control message;
the multicast replication module is used to replicate the multicast message for the user side specified in the replication control message;
the multicast sending module is used to send the replicated multicast message to the user side connected to the outgoing interface.
15. A data multicast system, comprising a user side, DSLAM, BRAS and a data provider, characterized in that the DSLAM comprises a physical location information detection module, a multicast replication module and a multicast sending module;
the physical location information detection module is used to detect the physical location information of the user side requesting to join the multicast;
the multicast replication module is used to replicate the multicast message for the user side that has passed multicast authentication;
the multicast sending module is used to send the multicast message to the user side that has passed multicast authentication when the multicast control point is the DSLAM.

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN200610150447A CN100596059C (en) 2006-10-27 2006-10-27 Multicast authentication method, system and application
PCT/CN2007/070973 WO2008052475A1 (en) 2006-10-27 2007-10-26 A method, system and device for multicast authenticating

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN200610150447A CN100596059C (en) 2006-10-27 2006-10-27 Multicast authentication method, system and application

Publications (2)

Publication Number Publication Date
CN1968082A true CN1968082A (en) 2007-05-23
CN100596059C CN100596059C (en) 2010-03-24

Family

ID=38076658

Family Applications (1)

Application Number Title Priority Date Filing Date
CN200610150447A Expired - Fee Related CN100596059C (en) 2006-10-27 2006-10-27 Multicast authentication method, system and application

Country Status (2)

Country Link
CN (1) CN100596059C (en)
WO (1) WO2008052475A1 (en)

Also Published As

Publication number Publication date
WO2008052475A1 (en) 2008-05-08
CN100596059C (en) 2010-03-24

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20100324

Termination date: 20191027