TW550925B - Method capable of back tracing authentication status in a multi-layer network apparatus architecture - Google Patents

Method capable of back tracing authentication status in a multi-layer network apparatus architecture

Info

Publication number
TW550925B
Authority
TW
Taiwan
Prior art keywords
packet
authentication
network device
network
architecture
Prior art date
Application number
TW91111546A
Other languages
Chinese (zh)
Inventor
Pei-Hua Ju
Yung-Shin Chen
Original Assignee
D Link Corp
Priority date
Filing date
Publication date
Application filed by D Link Corp
Priority to TW91111546A
Application granted
Publication of TW550925B

Landscapes

  • Small-Scale Networks (AREA)

Abstract

The present invention provides a method capable of back tracing the authentication status in a multi-layer network apparatus architecture. In the method, a multi-layer back trace protocol packet is designed for the multi-layer network apparatus architecture. When a client finds that its authentication has not passed, it can issue this protocol packet to ask each network apparatus to back trace, in sequence, each node of the multi-layer network apparatus architecture. The response packets from the network apparatuses carry all of the authentication pass and rejection information, so that by analysing the information carried in the response packets each client can quickly find the authentication status of each network apparatus, together with the node, time and reason that caused the error, and correct it.

Description

550925 V. Description of the Invention (1)

Background of the invention:

The present invention relates to a method of performing authentication in a multi-layer network apparatus architecture, and in particular to a method that can back trace, within such an architecture, the authentication status of each network apparatus and the node, time and cause of any error.

Prior art:

With the rapid growth of the networked world, all kinds of network equipment have been developed and widely adopted, greatly increasing the speed and efficiency with which people exchange information. In recent years, as wireless LAN cards have become ever more common, a great deal of information has begun to travel over wireless LAN technology. Because many wireless LANs have no protective measures at all, the opportunities for intruders to break into them have also increased sharply. Using widely known intrusion techniques, an attacker need only carry a notebook computer fitted with an 802.11 wireless network card around public places; whenever other notebook computers fitted with 802.11 wireless, infrared or Bluetooth transmission devices are used near an unprotected wireless LAN, they may be intruded upon by the nearby attacker, who can illegally use their bandwidth for free Internet access, or even break into the enterprise's web site, steal important confidential enterprise data, spread viruses or alter web pages. From many points of view, therefore, wireless LANs are one of the most vulnerable links in the network information infrastructure.

For this reason, the development of network products has gradually moved toward network security and authentication mechanisms. For authentication, the IEEE 802.1X standard is generally adopted. This extremely widely used standard relies mainly on the Extensible Authentication Protocol over LAN (hereinafter EAPoL), combined with the Remote Authentication Dial-In User Service (hereinafter RADIUS), to achieve a very efficient management model for authentication. Adopting the IEEE 802.1X standard lets a user employ a different encryption key each time they log in to the network; the standard itself also provides a key management mechanism and supports centralized authentication, identification and account management architectures such as Kerberos and RADIUS. In general, IEEE 802.1X is a newer standard created to address the security shortcomings of IEEE 802.11, and it strengthens Port-Based Network Access Control. The most notable security shortcomings of IEEE 802.11 include the lack of a user identity authentication mechanism and the lack of a dynamic data-encryption key distribution mechanism. Through cooperation between the IEEE 802.1X standard, a RADIUS server and a user account database, an enterprise or Internet Service Provider can effectively manage the access behaviour of mobile users on a wireless LAN. Before such users are authorized to enter a wireless LAN controlled by the IEEE 802.1X standard, they can be required to present an account and password, or a Digital Certificate, via EAPoL through a wireless access point or wireless broadband router to the back-end RADIUS server; only after the RADIUS server has authenticated them may they legitimately enter the wireless LAN. At that point the RADIUS server also records the user's login and logout times, for billing and for monitoring network usage.

However, in the process of authenticating a client, one generally only learns whether the upper (Server) side of the machine has successfully connected with the client. If the authentication result does not meet the requirements, for example a wrong password or a wrong user name, the port is simply blocked. In a network architecture with multiple layers, the authentication path often passes through several intermediate network devices and EAPoL verification mechanisms. If the client then knows only that authentication failed, without knowing where the problem lies, it is as if it knew only that authentication did not pass but had no idea which device prevented it from completing authentication. There is no clue at all for tracing, which creates great difficulty for users in locating errors or finding system problems.

At present, for a LAN adopting the IEEE 802.1X standard, the End Point and the Server use the EAPoL mechanism as the basis of verification. If authentication passes, the network Device unblocks the port and lets packet data through for network communication; if authentication fails, the port is Blocked and the End Point cannot use the network. In this conventional authentication mechanism, because the IEEE 802.1X standard has no multi-layer query Back Trace mechanism, only the authentication result can be known, and it is impossible to tell clearly at which node the authentication problem occurred. With today's increasingly complex network products, and especially in multi-layer network apparatus architectures, this causes great trouble for network administrators and users in locating the faulty node, and resolving it effectively takes considerable time.

Taking a multi-layer network apparatus architecture as an example, and referring to Fig. 1, the case of local authentication is as follows. Clients S14, S15 and S16 all pass EAPoL authentication on network server D13; client S13 and network server D13 pass EAPoL authentication on network server D12; but client S12 does not pass EAPoL authentication on network server D12, and network server D12 does not pass EAPoL authentication on network server D11. The lines L14, L15, L16, L17 and L18 between the respective ports are therefore in a communicating state, while lines L12 and L13 are cut off. Consequently, although client S14 can connect to clients S15, S16 and S13, it cannot connect to S12 or S11, and after being told that its own authentication passed, S14 has no way of knowing which machine is misconfigured (for example S12) or which domain is inaccessible (for example S11).

Taking another multi-layer network apparatus architecture as an example, and referring to Fig. 2, the case of centralized authentication is as follows. In this architecture a RADIUS server R21 is added as the centralized authentication server. Client S21 is successfully authenticated by RADIUS server R21 through server D21, whereas client S22 and network server D22 fail authentication. Lines L20 and L21 between the respective ports are therefore in a communicating state, while lines L22 and L23 are cut off. Since clients S23, S24, S25 and S26 and network server D23 must all first connect to RADIUS server R21 before they can be authenticated, none of them can authenticate while line L23 is cut off, and client S24 learns only that its authentication failed, without being able to tell which machine caused the failure.

How to design, for such situations and without affecting the network security authentication mechanism, an efficient Back Trace mechanism that lets a user or administrator easily and unambiguously see which node's authentication went wrong has therefore become an important problem that network equipment and system vendors urgently need to solve.

Summary of the invention:

Since the conventional authentication mechanism described above reveals only the authentication result and not which node's authentication actually failed, the inventors have devised a method capable of back tracing the authentication status in a multi-layer network apparatus architecture. A multi-layer Back Trace protocol packet is designed for the architecture so that, when a client finds that it has not been authenticated, it can issue this protocol packet to ask each network apparatus to back trace, in sequence, every node of the multi-layer architecture, and so that the response packets returned by the network apparatuses carry the pass and fail information of every network apparatus.

One object of the present invention is to let each client, by analysing the information carried back in the response packets, quickly back trace the errors occurring in a multi-layer network apparatus architecture that provides an 802.1X authentication mechanism and correct them, thereby greatly reducing the time spent on fault finding and debugging during authentication and greatly improving the convenience of network authentication, management and maintenance.

Another object of the present invention is that the content of the protocol packet need only supply the error message relating to the authentication problem, with no additional network apparatus content, so that an attacker cannot obtain further information through the back trace mechanism with which to damage the network apparatus.

To express the technical means and operation of the present invention more clearly, a preferred embodiment is now described with reference to the accompanying drawings.

Detailed description:

In a preferred embodiment of the present invention, a multi-layer network apparatus architecture as shown in Fig. 3 is managed with centralized authentication equipment. The architecture of this embodiment includes a RADIUS server R31 acting as the centralized authentication server, and the RADIUS server R31 is connected, in a multi-layer network connection architecture, to one or more network apparatuses in sequence. In the embodiment of Fig. 3, RADIUS server R31 is connected through line L30 to a port of the first network device D31; the first network device D31 is connected through line L33 to a port of the second network device D32; the second network device D32 is connected through line L35 to a port of the third network device D33; and so on, forming what the present invention calls a multi-layer network apparatus architecture. In this embodiment the first network device D31 is also connected through lines L31 and L32 to a port on the first client S31 and the second client S32 respectively; the second network device D32 is connected through line L34 to a port on the third client S33; and the third network device D33 is connected through lines L36, L37 and L38 to a port on the fourth client S34, the fifth client S35 and the sixth client S36 respectively.

In order that a client in a multi-layer network apparatus architecture can quickly learn which node end has the problem, the present invention designs a multi-layer Back Trace protocol packet. When a client finds that it has not been authenticated, it issues this protocol packet, asking each network apparatus to back trace in sequence every node of the architecture, and the response packets returned by the network apparatuses carry the pass and fail information of every network apparatus, such as the network apparatus name, its Device ID or MAC Address, the time, and the reason authentication failed. Each client can then analyse the information carried back in the response packets, find the node where the error occurred, and correct it.

In this embodiment the protocol packet is designed for multi-layer Back Trace so that, when a client finds that it has not passed authentication, it can issue the protocol packet to ask each network apparatus in the multi-layer architecture to back trace and return the authentication information of every node, allowing the client to learn quickly which node caused the failure. To establish this back trace protocol, the protocol packet must first be defined so that every network apparatus has the ability to back trace. By type, the protocol packets are divided into two kinds, Request packets and Response packets: a request packet is transmitted from a lower-layer network apparatus in the architecture to an upper-layer network apparatus, while a response packet is transmitted from an upper-layer network apparatus to a lower-layer one, carrying the relevant information back.

In the multi-layer network apparatus architecture, taking the embodiment of Fig. 3 as an example, assume that at the first layer S31, D32 and S32 are all authenticated, so that L31, L33 and L32 are all in a communicating state; at the second layer S33 is authenticated but D33 fails authentication, so that L34 is communicating and L35 is cut off; and at the third layer S34, S35 and S36 consequently all fail to be authenticated. On receiving a back trace request packet, each network apparatus processes and forwards it according to the following steps.

Scheme 1:

When the fourth client S34 issues a back trace request packet, the third network device D33, whose authentication of S34 did not pass, receives the request packet, generates a back trace response packet, sends it back to S34, and issues a back trace request packet to the second network device D32 in the layer above. Likewise, since D32's authentication of D33 did not pass, D32 also generates a back trace response packet, sends it back to D33 in the layer below, and issues a back trace request packet to the first network device D31 in the layer above. Because D31's authentication of D32 passed, the basic information of this successful authentication must likewise be passed back down through D32 and D33 to the fourth client S34.

In this embodiment the format of the back trace request and response packets may be the following (format 1):

  SA       DA       Code     State    Depth    Length   Description
  Char[6]  Char[6]  Integer  Integer  Integer  Integer  Char[]

or the following (format 2):

  SA       DA       Code     State    Depth    Type
  Char[6]  Char[6]  Integer  Integer  Integer  Integer

The fields are as follows:

Field SA: the Source Address from which the packet was issued;
Field DA: the Destination Address to which the packet is to be sent;
Field Code: the code value distinguishing a request packet from a response packet, 0 for a request packet and 1 for a response packet;
Field Depth: the depth, counted from the source that issued the request packet, of the device issuing this packet; for example, when the request packet is issued by the third network device D33 its Depth = 1, when issued by the second network device D32 its Depth = 2, and when issued by the first network device D31 its Depth = 3;
Field State: the code value for authentication success or failure, 0 for failure and 1 for success;
Field Length: the length of the Description;
Field Description: a basic description of the authentication problem;
Field Type: the basic category of the authentication problem; the categories may be defined in advance and extended later, for example type 0 for authentication succeeded, type 1 for RADIUS server authentication not passed, type 2 for RADIUS server no response, type 3 for network device authentication not passed, and type 4 for network device no response.

Char[] and Integer denote the data type of each field, a character string and an integer respectively.

According to the above, in this embodiment, when the fourth client S34 has sent a packet requesting a connection with another client and then receives the information that it was not authenticated, S34 can send a back trace request packet asking for the authentication results to be back traced. The back trace response packets returned by the network apparatuses, after analysis and processing by S34, carry the information in the table below (format 2; see Fig. 4 for the detailed packet content):

  SA   DA   State                  Depth  Type
  D33  S34  authentication failed  1      RADIUS server no response
  D33  S34  authentication failed  2      password error
  D33  S34  authentication passed  3      -

Scheme 2:

When the fourth client S34 issues a back trace request packet, the third network device D33, whose authentication of S34 did not pass, receives the request packet, generates a back trace response packet, sends it back to S34, and issues a back trace request packet to the second network device D32 in the layer above. Likewise, since D32's authentication of D33 did not pass, D32 also generates a back trace response packet, sends it directly back to the source, the fourth client S34, and issues a back trace request packet to the first network device D31 in the layer above. Because D31's authentication of D32 passed, the basic information of this successful authentication is returned directly to the fourth client S34.

第13頁 550925 五、發明說明(11) --- 未通過,该第三網路設備J) 3 3將接收該回溯追蹤之要求封 包並產生一回溯追蹤之回應封包,將其送回該第四使用 者端S34,並發出一回溯追蹤之要求封包,傳送至上一層 之5亥第一網路設備D 3 2,同理,由於該第二網路設備D 3 2對 该第二網路設備D33認證並未通過,故該第二網路設備])32 亦產生一回溯追蹤之回應封包,將其直接送回源頭之該第 四使用者端S 3 4 ’並發出一回溯追蹤之要求封包,傳送至 上一層之該苐一網路設備D 3 1,此時,由於該第一網路設 備D 3 1對该苐二網路設備d 3 2進行認證後,已通過認證,因 此’此一通過認證之基本資訊,直接傳回至該第四使用者 端S34。 在該實施例中,該回溯追蹤之要求封包及回應封包之 格式’可為下表所示之一種格式(格式3): SA DA Code SSA SDA State Depth Length Description Char[6] Char[6] Integer Char[6] Char[6] Integer Integer Integer Char[] 亦可為另一種格式(格式4): SA DA Code SSA SDA State Depth Type Char[6] Char[6] Integer Char[6] Char[6] Integer Integer Integer 各欄位說明如下: 攔位S A :用以代表發出封包之來源位址(S 〇 u r c e Address); 欄位D A :用以代表封包欲傳送之目的位址(D e s t i n a t i ο ηPage 13 550925 V. Description of the invention (11) --- failed, the third network device J) 3 3 will receive the traceback request packet and generate a traceback response packet, and send it back to the first The four clients S34 send a traceback request packet and send it to the first network device D 3 2 of the upper layer. Similarly, since the second network device D 3 2 sends the second network device D33 certification failed, so the second network device]) 32 also generates a response packet for traceback, sends it directly to the fourth client S 3 4 'at the source and sends a request packet for traceback. , Sent to the first network device D 3 1 in the upper layer. At this time, since the first network device D 3 1 has authenticated the second network device d 3 2 and has passed the authentication, 'this one The basic information that passed the authentication is directly returned to the fourth user terminal S34. 
In this embodiment, the format of the request packet and response packet of the traceback can be one of the formats (format 3) shown in the following table: SA DA Code SSA SDA State Depth Length Description Char [6] Char [6] Integer Char [6] Char [6] Integer Integer Integer Char [] can also be in another format (format 4): SA DA Code SSA SDA State Depth Type Char [6] Char [6] Integer Char [6] Char [6] The fields of Integer Integer Integer are described as follows: Block SA: used to represent the source address of the packet (S 〇urce Address); Field DA: used to represent the destination address of the packet to be transmitted (Destinati ο η

第14頁 550925 五、發明說明(12)Page 14 550925 V. Description of the invention (12)

Address); 攔位Code :用以代表要求封包或回應封包之碼值,〇代 表要求封包,1代表回應封包; 攔位SSA :若在要求封包之格式,此攔用以代表回湖 〜 之源頭位址(Start Source Address);若在 應封包之格式,此欄用以代表認證區段之起如 位址(.Segment Source Address); 攔位SDA ··若在要求封包之格式,此欄用以代表回溯追縱 之目前盡頭位址(Scale Destination Address);若在回應封包之格式,此欄用以代 表認證區段之目的位址(S e g m e n tAddress); Block Code: It is used to represent the code value of the requested packet or response packet, 0 is the requested packet, and 1 is the response packet; Block SSA: If the format of the requested packet, this block is used to represent the source of back to the lake ~ Address (Start Source Address); if it should be in the format of the packet, this column is used to represent the beginning of the authentication segment, such as the address (.Segment Source Address); Block SDA ·· If the format of the packet is required, this column is used It represents the current destination address (Scale Destination Address) traced back. If the format of the response packet is used, this column is used to represent the destination address of the authentication section.

Destination Address); 欄位Depth :用以代表距離發出要求封包之來源深度, 如:當要求封包係由第三網路設備D33發出 時’其D e p t h = 1,當要求封包係由第二網路 設備D32發出時,其Depth =2,當要求封包 係由第一網路設備D31發出時,其Depth =3 ; 欄位S t a t e :用以代表認證成功或失敗之碼值,〇代表認 證失敗,1代表認證成功; 欄位Length :用以代表Description之長度; 爛位Descript i〇n ··用以說明該認證問題之基本描述; 極1位Type :用以代表認證問題之基本分類,各該基本分 類可預先加以定義,亦可日後擴充,如:類Destination Address); Field Depth: It is used to represent the depth of the source from which the request packet is sent. For example, when the request packet is sent by the third network device D33, its Depth = 1, and when the request packet is sent by the second network When device D32 sends out, its Depth = 2, when it is required that the packet is sent by the first network device D31, its Depth = 3; Field S tate: a code value used to represent the success or failure of authentication, 〇 represents the authentication failure, 1 indicates successful authentication; Field Length: used to represent the length of the description; Descript i〇n ·· Used to describe the basic description of the authentication problem; Extreme 1-bit Type: Used to represent the basic classification of the authentication problem, each should Basic classifications can be defined in advance or extended in the future, such as:

Type 0 denotes authentication succeeded; type 1, the RADIUS server rejected the authentication; type 2, the RADIUS server did not respond; type 3, the network device rejected the authentication; type 4, the network device did not respond.
Char[] and Integer denote the data type of each of these fields, a string and an integer respectively.

Accordingly, in this embodiment, when the fourth client S34 has sent a packet requesting a connection to another client and then receives notice that authentication did not pass, S34 can send a back-trace request packet asking for the authentication results to be traced back. The back-trace response packets returned by each network device, once analysed by S34, carry the information shown in the following table (format 4; see Fig. 5 for the detailed packet contents):

SA    DA    SSA   SDA   State                  Depth  Type
D33   S34   S34   D33   authentication failed  1      RADIUS server no response
D32   S34   D33   D32   authentication failed  2      password error
D31   S34   D32   D31   authentication passed  3      -

Hence, in a multi-layer network device architecture that provides an 802.1X authentication mechanism, the back-trace request and response packets of the present invention help a user or administrator trace the errors occurring at each network device more clearly and quickly, and correct them, which effectively reduces the time spent on troubleshooting and debugging during authentication and greatly improves the convenience of network authentication, management and maintenance.
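As an added example (not code from the patent or from D-Link), the following Python models the response packet fields defined above, with the Type classes and the three-row trace of this embodiment, and walks the request up the device chain and the responses back to the client in the manner claims 2 and 3 describe. The wire layout (network byte order, 8-byte fixed-width Char[] addresses, a 16-bit Length), the reading of SSA/SDA as the address pair of the request hop that each device answers, the per-device outcomes, and the forwarding behaviour are assumptions made for illustration; the field names, Type codes and sample results come from the page.

```python
import struct
from dataclasses import dataclass
from enum import IntEnum

class PacketKind(IntEnum):      # code value field of claims 4 and 5
    REQUEST = 0
    RESPONSE = 1

class ProblemType(IntEnum):     # Type field, the five classes listed on this page
    AUTH_OK = 0
    RADIUS_REJECT = 1
    RADIUS_NO_RESPONSE = 2
    DEVICE_REJECT = 3
    DEVICE_NO_RESPONSE = 4

ADDR_LEN = 8                              # assumed fixed-width Char[] address
HEADER_FMT = "!B8s8s8s8sBBBH"             # assumed layout: kind, SA, DA, SSA, SDA, Depth, State, Type, Length
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 38 bytes; the Description follows

@dataclass
class BacktracePacket:
    kind: PacketKind
    sa: str                 # source address of this packet
    da: str                 # destination address of this packet
    ssa: str                # source of the request hop this response answers (our reading of the table)
    sda: str                # destination of that hop, i.e. the answering device
    depth: int              # 1 at the device that took the request, +1 per hop towards the RADIUS server
    state: int              # 0 = authentication failed, 1 = passed
    ptype: ProblemType
    description: str = ""   # Description; Length is derived when encoding

def _addr(s: str) -> bytes:
    raw = s.encode("ascii")
    if len(raw) > ADDR_LEN:
        raise ValueError(f"address {s!r} exceeds {ADDR_LEN} bytes")
    return raw.ljust(ADDR_LEN, b"\0")

def encode(p: BacktracePacket) -> bytes:
    desc = p.description.encode("utf-8")
    if len(desc) > 0xFFFF:
        raise ValueError("Description does not fit the 16-bit Length field")
    return struct.pack(HEADER_FMT, int(p.kind), _addr(p.sa), _addr(p.da), _addr(p.ssa),
                       _addr(p.sda), p.depth, p.state, int(p.ptype), len(desc)) + desc

def decode(buf: bytes) -> BacktracePacket:
    """Strict parse: a short buffer, a Length disagreeing with the payload, or an unknown code is rejected."""
    if len(buf) < HEADER_LEN:
        raise ValueError("truncated header")
    kind, sa, da, ssa, sda, depth, state, ptype, length = struct.unpack(HEADER_FMT, buf[:HEADER_LEN])
    desc = buf[HEADER_LEN:]
    if len(desc) != length:
        raise ValueError("Length field does not match the Description payload")
    if state not in (0, 1):
        raise ValueError(f"unknown State code {state}")
    unaddr = lambda raw: raw.rstrip(b"\0").decode("ascii")
    return BacktracePacket(PacketKind(kind), unaddr(sa), unaddr(da), unaddr(ssa), unaddr(sda),
                           depth, state, ProblemType(ptype), desc.decode("utf-8"))

def is_wellformed(buf: bytes) -> bool:
    try:
        decode(buf)
        return True
    except ValueError:          # UnicodeDecodeError is a ValueError as well
        return False

# Constructed topology matching the table: S34 -> D33 -> D32 -> D31 -> RADIUS server R31.
UPLINK = {"D33": "D32", "D32": "D31", "D31": None}
# Constructed per-device outcome of the failed attempt (State, Type, Description), one per table row.
OUTCOMES = {
    "D33": (0, ProblemType.RADIUS_NO_RESPONSE, "RADIUS server no response"),
    "D32": (0, ProblemType.RADIUS_REJECT, "password error"),
    "D31": (1, ProblemType.AUTH_OK, ""),
}

def backtrace(client, first_device, outcomes, uplink):
    """Request climbs one hop at a time (claim 2); each device answers the client directly, DA = client (claim 3)."""
    responses, prev_hop, dev, depth = [], client, first_device, 1
    while dev is not None:
        state, ptype, desc = outcomes[dev]
        pkt = BacktracePacket(PacketKind.RESPONSE, sa=dev, da=client, ssa=prev_hop, sda=dev,
                              depth=depth, state=state, ptype=ptype, description=desc)
        responses.append(decode(encode(pkt)))     # round-trip through the wire format
        prev_hop, dev, depth = dev, uplink[dev], depth + 1
    return responses

def validate_chain(client, responses):
    """Accept a trace only if unbroken: Depth 1..n in order, every packet to the client, SSA linking to the previous hop."""
    expected_ssa = client
    for i, r in enumerate(responses, start=1):
        if (r.kind != PacketKind.RESPONSE or r.depth != i or r.da != client
                or r.ssa != expected_ssa or r.sda != r.sa):
            return False
        expected_ssa = r.sa
    return True

def summarize(responses):
    """Rows in the column order of the table above (SA, DA, SSA, SDA, State, Depth, Type)."""
    return [(r.sa, r.da, r.ssa, r.sda, "passed" if r.state else "failed", r.depth,
             r.description or "-") for r in responses]
```

The client only acts on a trace that `validate_chain` accepts: contiguous Depth values and an SSA that links each hop to the previous one are what distinguish a complete back trace from a set of responses with a hop missing, reordered, or injected, and the strict decoder refuses a packet whose Length disagrees with its payload rather than reading past it.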

In the present invention, the contents of the back-trace request and response packets need carry only the error message about the authentication problem, and no additional device content. Should a hacker attempt to use this back trace mechanism to intrude into the network, the contents of these packets reveal only which device failed authentication and the related error message; the hacker therefore cannot learn anything further through the back-trace mechanism, nor use it to carry out any destructive action against the network devices. This argument rests on the Description field staying within the basic problem classes defined above rather than carrying device configuration or credential details.

The above is only one preferred embodiment of the present invention; in practice the invention is not limited to it, and any change or modification that a person skilled in the art could readily conceive within the field of the invention falls within the scope of the claims set out below.

Brief description of the drawings:
Fig. 1 is a connection diagram of a conventional multi-layer network device architecture using local authentication;
Fig. 2 is a connection diagram of a conventional multi-layer network device architecture using centralized authentication;
Fig. 3 is a connection diagram of a preferred embodiment of the present invention, a multi-layer network device architecture using centralized authentication;
Fig. 4 shows the contents of one back-trace response packet returned by each network device in that embodiment;
Fig. 5 shows the contents of another back-trace response packet returned by each network device in that embodiment.

Reference numerals of the main components:
RADIUS server: R31
First network device: D31; second network device: D32; third network device: D33
First client: S31; second client: S32; third client: S33; fourth client: S34; fifth client: S35; sixth client: S36
Lines: L30, L31, L32, L33, L34, L35, L36, L37 and L38


Claims (1)

1. A method capable of back tracing authentication status in a multi-layer network apparatus architecture, the method being applied to a multi-layer network device architecture comprising a RADIUS server serving as a centralized authentication server, the RADIUS server being connected in sequence, in a multi-layer manner, to at least one network device, and each network device being connected to at least one client, wherein the architecture uses a multi-layer back-trace protocol packet such that each client, upon finding that it has not passed authentication, issues the protocol packet asking each network device in turn to trace back through each node of the multi-layer architecture and return the information on every network device's authentication passing or failing, whereby each client, by analysing that information, can quickly find the authentication status of each network device and the cause of the error.

2. The method of claim 1, wherein the protocol packet comprises a request packet issued by each client and transmitted through the multi-layer architecture from the lower-layer network devices far from the RADIUS server to the upper-layer network device adjacent to the RADIUS server.

3. The method of claim 1, wherein the protocol packet comprises a response packet by which the upper-layer network device adjacent to the RADIUS server sends the information on each network device's authentication passing or failing back to the lower-layer network devices far from the RADIUS server and to each client.

4. The method of claim 1, wherein the format of the protocol packet comprises:
a field for the source address from which the packet is issued;
a field for the destination address to which the packet is to be delivered;
a code value field indicating whether the packet is a request packet or a response packet; and
a field for the type of authentication problem, each problem type being definable in advance.

5. The method of claim 1, wherein the format of the protocol packet comprises:
a field for the source address from which the packet is issued;
a field for the destination address to which the packet is to be delivered;
a code value field indicating whether the packet is a request packet or a response packet;
a length field for the text description; and
a text description field describing the authentication problem.

6. The method of claim 4 or 5, wherein the format of the protocol packet further comprises:
a depth field representing the distance from the source address that issued the request packet.

7. The method of claim 4 or 5, wherein the format of the protocol packet further comprises:
a field for the time at which the packet arrived.
TW91111546A 2002-05-30 2002-05-30 Method capable of back tracing authentication status in a multi-layer network apparatus architecture TW550925B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW91111546A TW550925B (en) 2002-05-30 2002-05-30 Method capable of back tracing authentication status in a multi-layer network apparatus architecture

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW91111546A TW550925B (en) 2002-05-30 2002-05-30 Method capable of back tracing authentication status in a multi-layer network apparatus architecture

Publications (1)

Publication Number Publication Date
TW550925B true TW550925B (en) 2003-09-01

Family

ID=31713531

Family Applications (1)

Application Number Title Priority Date Filing Date
TW91111546A TW550925B (en) 2002-05-30 2002-05-30 Method capable of back tracing authentication status in a multi-layer network apparatus architecture

Country Status (1)

Country Link
TW (1) TW550925B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI424726B (en) * 2008-06-03 2014-01-21 Ibm Method and system for defeating the man in the middle computer hacking technique


Similar Documents

Publication Publication Date Title
CN110120946B (en) Unified authentication system and method for Web and micro-service
US10185963B2 (en) Method for authentication and assuring compliance of devices accessing external services
US10498734B2 (en) Policy service authorization and authentication
KR100960784B1 (en) Data transferring method
US8220032B2 (en) Methods, devices, and computer program products for discovering authentication servers and establishing trust relationships therewith
US9094393B2 (en) Authentication based on previous authentications
CN107771320A (en) For improving security socket layer(SSL)The system and method for communications security
US20080040773A1 (en) Policy isolation for network authentication and authorization
CN106453519A (en) Interface call method and device
WO2022057002A1 (en) Abnormal request processing method and device
TW550925B (en) Method capable of back tracing authentication status in a multi-layer network apparatus architecture
KR20120044381A (en) Method and system for subscriber to log in internet content provider(icp) website in identity/location separation network and login device thereof
JP2010187223A (en) Authentication server
US11438375B2 (en) Method and system for preventing medium access control (MAC) spoofing attacks in a communication network
CN100397811C (en) Method of back tracing confirmation state hierarchial network equipment architecture
Carthern et al. Management Plane
US20040030890A1 (en) Method for back tracing authentication status in a hierarchical intermedia architecture
Procházka et al. User centric authentication for web applications
Gonçalves Authentication and accounting framework for SDN controller
CN116032645A (en) Authentication method based on terminal
Nandhakumar et al. Non repudiation for internet access by using browser based user authentication mechanism
Haug Inspire: A View From the Other Side
JP2002132596A (en) Convergence and deployment method of port number, and gateway server thereof
SRIVIDYA ON CONFIDENTIALITY OF ENCRYPTED VOICE TELEPHONY

Legal Events

Date Code Title Description
GD4A Issue of patent certificate for granted invention patent
MM4A Annulment or lapse of patent due to non-payment of fees