WO2009036685A1 - A method and apparatus for implementing multicast authentication - Google Patents


Info

Publication number: WO2009036685A1
Authority: WO, WIPO (PCT)
Prior art keywords: user, multicast, authentication, information, network device
Application number: PCT/CN2008/072309
Other languages: French (fr), Chinese (zh)
Inventors: Peilin Yang, Guomin Wu, Yuping Zhao
Original Assignee: Huawei Technologies Co., Ltd.
Application filed by Huawei Technologies Co., Ltd.
Publication of WO2009036685A1


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities

Definitions

  • Embodiments of the present invention provide a method and apparatus for implementing multicast authentication, so that multicast authentication can be performed in the access network and the multicast service a user receives can be controlled.
  • One embodiment is a method for implementing multicast authentication in which a switching device receives the authentication result of a multicast authentication and acquires the user rights information contained in that result; the switching device saves the rights information and, according to it, controls the multicast stream that is to be sent to the user.
  • Another embodiment is a method in which, after a network device determines that a user terminal needs to perform multicast authentication, the network device sends the user a message requesting multicast authentication; after receiving that message, the user sends a multicast authentication request to the network device.
  • Another embodiment is a method in which an authentication server receives a multicast authentication request, sent by a user, that carries user authentication information and multicast group identification information; the authentication server authenticates the user according to that information and returns an authentication result carrying authentication success or failure information to the network device corresponding to the user.
  • A switching device according to an embodiment comprises: a rights information obtaining module, configured to receive the authentication result of the multicast authentication sent by another network device and obtain the user rights information from it; and a rights information saving module, configured to store, according to the obtained rights information, the correspondence between each user and that user's rights information.
  • A network side device according to an embodiment comprises: a multicast authentication judging module, configured to determine, after receiving a multicast authentication request sent by a user, whether the user needs to perform multicast authentication according to the multicast address and the user address contained in the request; and a multicast authentication triggering module, configured to send the user a message requesting multicast authentication after the judging module determines that authentication is needed.
  • Because the rights information of each user is saved in the switching device, reception of the multicast service can be controlled at the switching device.
  • The network side can also make the judgment first and then initiate multicast authentication of the user.
  • Other authentication protocols and multicast protocols can also be made to cooperate to perform multicast authentication of users.
  • FIG. 1 is a schematic diagram of the process flow of Embodiment 1;
  • FIG. 2 shows an IGMP/MLD join message implemented by extending the IGMP/MLD Report message;
  • an IGMP/MLD join message implemented as a new message type defined in the IGMP/MLD protocol is also provided in an embodiment;
  • FIG. 4 is a schematic diagram of a switching device forwarding a multicast stream to users according to a multicast forwarding table;
  • FIG. 5 is a schematic diagram of the process flow of Embodiment 2;
  • FIG. 6 is a schematic flowchart of the process of Embodiment 3;
  • FIG. 8 is a schematic diagram of another processing procedure of Embodiment 4;
  • FIG. 9 is a schematic structural diagram of a switching device.
  • Embodiments of the present invention provide a method and apparatus for authenticating a multicast service.
  • The switching device receives the authentication result sent by the multicast router; the result includes the rights information stating which multicast services the user may receive, and the switching device forms a multicast forwarding table from the received results.
  • After receiving a multicast service destined for a user, the switching device searches the multicast forwarding table to determine whether the user has the right to receive it; if so, it forwards the service to the user, otherwise it does not.
  • The above authentication of a multicast service may be realised by extending an existing Group Management Protocol (GMP), such as IGMP or Multicast Listener Discovery (MLD), or the Extensible Authentication Protocol (EAP).
  • The authentication process can also be implemented by designing a dedicated GMP protocol.
  • It can also be implemented by making another authentication protocol and a multicast protocol cooperate with each other.
  • The authentication may first be triggered by the multicast router; that is, the multicast router provides a trigger mechanism that requires the multicast user to authenticate.
  • The IGMP and EAP protocols are first introduced.
  • The function implemented by IGMP is bidirectional: on the one hand, a user informs the local multicast router through IGMP that it wants to join a specific multicast group and receive its traffic; on the other hand, the multicast router periodically queries the local network through IGMP to learn whether group members are still active (that is, whether a multicast group still has members on the network segment), collecting and maintaining the group membership of the segment.
  • The Type field in Table 1 above indicates the IGMPv2 packet type, of which there are mainly four:
  • Membership Query. A general query is used to learn which multicast group members exist on the attached network, and a group-specific query is used to learn whether members of a specified group exist on the attached network. The two are distinguished by the Group Address field: it is 0 in a general query and holds the address of the queried multicast group in a group-specific query.
  • IGMPv1 Membership Report, used to carry an IGMPv1 member report.
  • IGMPv2 Membership Report, a message type added in IGMPv2, used to carry an IGMPv2 member report.
  • Leave Group, used to report that a member is leaving the group.
  • The formats of IGMPv3 and IGMPv1 packets are similar to the IGMPv2 packet format.
  • The EAP packet format is described in detail in RFC 3748.
  • The encapsulation format of an EAP packet is shown in Table 2 below.
  • The EAP Code values are: 1 for a Request message; 2 for a Response message; 3 for Success; 4 for Failure.
  • The meanings of the Code, Identifier and Length fields in Table 3 are as described for Table 2.
  • The Type field in Table 3 occupies one byte and specifies the type of a Request or Response. It must appear in every EAP Request or Response message, and exactly one Type appears. Normally the Type of a Response equals the Type of the Request it answers, but a Response may instead carry the Nak type: when the Supplicant answers a Request with a Nak, it indicates that it cannot accept the Type in the Request, and it can indicate the authentication types it supports and wishes to use.
  • The Type values defined in RFC 2284 are: 1 for Identity; 2 for Notification; 3 for Nak (Response only); 4 for MD5-Challenge; 5 for One-Time Password (OTP, RFC 1938); 6 for Generic Token Card.
  • The meanings of the Code, Identifier and Length fields in Table 4 are as described for Table 2.
  • Success and Failure messages are sent by the Authenticator to the Supplicant. After the user information is authenticated successfully, the Authenticator sends an EAP packet with Code 3 (Success); when authentication of the user information fails, it sends an EAP packet with Code 4 (Failure).
  • Embodiment 1 implements the multicast message exchange between a host (user) and a multicast router by extending the IGMP/MLD protocol.
  • The specific processing is as follows:
  • One bit of the Reserved field, for example the last bit, is used to indicate whether the message is the first Report message: "1" marks the first Join message and "0" a normal Report message.
  • The user authentication information is carried in a new type, Information; the new type Protocol Type indicates the authentication type (PAP, CHAP, and so on), and the new type Length gives the length of the user information.
  • After receiving the IGMP/MLD join message, the multicast router obtains the user authentication information and the group address of the multicast group carried in the message. It also determines, from the way the IGMP/MLD join message is constructed, whether it is the first Report message the user has sent to this router. Once the multicast router determines that the received message is the user's first Report message, that is, the IGMP join message, it sends the user authentication information and the group address of the multicast group to the authentication server. After receiving them, the authentication server authenticates the user.
  • After authenticating the user successfully, the authentication server returns an authentication result carrying authentication success information to the multicast router.
  • After receiving this authentication result, the multicast router grants the user the corresponding permission, allows the user to join the requested multicast group, and allows the user to receive the corresponding multicast service.
  • The multicast router transmits the authentication result with the user's rights information to the switching device; the rights information includes the multicast services the user may receive.
  • After receiving the authentication result, the switching device adds the user's rights information to its multicast forwarding table.
  • The multicast forwarding table records the multicast services each user has permission to receive.
  • After receiving a multicast stream destined for the user, the switching device searches the multicast forwarding table to determine whether the user has the right to receive that stream; if so, it forwards the stream to the user, otherwise it does not.
  • The switching device notifies the user that authentication succeeded.
  • If the authentication server fails to authenticate the user, it returns an authentication result carrying authentication failure information to the multicast router.
  • After receiving this authentication result carrying the failure information, the multicast router sends it to the switching device.
  • After receiving the authentication result carrying the failure information, the switching device does not add the user to the multicast forwarding table and notifies the user that authentication failed. When a multicast stream destined for that user later arrives, the switching device searches the multicast forwarding table, finds that the user has no permission to receive it, and does not forward the stream to the user.
  • A multicast forwarding table may be set up in the switching device.
  • The multicast forwarding table may contain the multicast group MAC address, the user MAC address and the port/VC on which the user is located, and may also contain the VLAN, the user IP address and other information.
  • When forwarding, the switching device looks up the corresponding entries of the multicast forwarding table and, for each entitled user, replaces the destination multicast MAC address of the multicast stream with that user's unicast MAC address.
  • FIG. 4 shows a schematic diagram of the switching device forwarding the multicast stream to users according to the multicast forwarding table.
  • In this way a per-user multicast forwarding table is formed, so that the network controls forwarding of the multicast stream to authorized multicast users, while users without the right, including illegal users, cannot receive the multicast stream.
  • The switching devices include, but are not limited to, network switches such as Layer 2 switches, Layer 3 switches, and digital subscriber line access multiplexers.
  • After receiving the multicast authentication request packet, the multicast router sends an extended EAP request packet carrying the multicast information to the user.
  • The EAP Code is Request or Response and Type 1 is the user identifier; this Type is extended so that the user identifier is no longer limited to the user name but also carries the group information (the group address) the user wants to join.
  • After receiving the extended EAP request packet, the user sends an extended EAP response packet to the multicast router.
  • The user identifier in the extended EAP response packet carries user authentication information, such as the user name and a user authentication code, together with the group information the user wants to join.
  • After receiving the EAP response packet, the multicast router sends a normal EAP challenge request packet to the user.
  • The challenge word is carried in the user identifier field of the EAP challenge request message; the challenge word is a random number.
  • The multicast router and the user have a shared key, that is, a key known to both of them.
  • After receiving the EAP challenge request message, the user encrypts the challenge word with the shared key and returns an EAP challenge response message carrying the ciphertext to the multicast router.
  • The multicast router decrypts the ciphertext with the shared key to recover the challenge word, compares it with the challenge word it previously sent to the user, and judges from the comparison whether the user holds the correct shared key. When the comparison matches, the router forwards the user authentication information, together with the group information the user wants to join, to the authentication server.
  • The authentication server determines whether the user has the right to join the multicast group; if so, it sends the multicast router an authentication success message allowing the user to join the group, otherwise it sends the multicast router an authentication failure message rejecting the user's join.
  • Embodiment 3 provides a trigger mechanism that requires a multicast user to perform authentication.
  • The process flow of Embodiment 3 is shown in FIG. 6.
  • The specific processing comprises the following steps:
  • The IGMP join message contains the group address of the multicast group to be joined and the user's related information, such as its IP address and MAC address.
  • The multicast router extracts the user's related information and the group address of the multicast group from the received IGMP join message; it can also obtain the user's port number from the port on which the IGMP join message arrived. The multicast router also determines, from the way the IGMP join message is constructed, whether it is the first Report message the user has sent to this router. Once the router determines that the received Report is the user's first, that is, the IGMP join message, it sends the obtained user information and the group address of the multicast group to the authentication server.
  • The authentication server authenticates the received user information and determines whether the multicast group the user wants to join is a specific group, or whether the user is a privileged user.
  • The rule the authentication server applies can be set according to specific requirements. For example, it may check whether the user's source address is a privileged address (an address with special rights that may view the content of all groups); if so, the user is judged to be a privileged user. It may check whether the requested group address is a specific group (an open group, such as a television advertisement channel); if so, the multicast group the user wants to join is judged to be a specific group.
  • If so, the authentication server sends an authentication success message to the multicast router allowing the user to join the multicast group; otherwise it returns to the multicast router an authentication failure packet that triggers multicast authentication.
  • After receiving the authentication success packet, the multicast router grants the user the corresponding permission and allows the user to join the requested multicast group, receive its data and view its content.
  • The multicast router sends a multicast authentication trigger packet to the user.
  • The multicast authentication trigger packet can take multiple forms.
  • For example, it may be an IGMP query packet carrying an authentication request, sent to the user in unicast form.
  • A normal IGMPv3 query message is shown in Table 5 below.
  • One bit of the Resv field in Table 5, for example its last bit, can be used to indicate whether the query carries an authentication request: "1" means an authentication request is carried and "0" means none is.
  • The IGMPv3 query message with the last bit of the Resv field set to "1" is shown in Table 6 below.
  • Embodiment 4 provides a process for authenticating a user by combining another, out-of-band authentication protocol (such as DHCP or PPPoE) with a multicast protocol.
  • The process flow of Embodiment 4 is shown in FIG. 7.
  • The specific process is as follows: through the out-of-band authentication protocol, the user sends the authentication server a multicast authentication request carrying the user authentication information and the group address of the multicast group the user wants to join.
  • FIG. 8 shows another processing flow of Embodiment 4. It differs from the flow of FIG. 7 in that the multicast router returns the authentication result to the switching device through a multicast protocol (such as IGMP).
  • The switching device forms a multicast forwarding table from the received authentication result and controls the user according to that table.
  • The multicast router in each of the above embodiments may also be a NAS device.
  • The structure of the switching device provided by an embodiment is shown in FIG. 9 and comprises the following modules:
  • the rights information obtaining module 91, configured to receive an authentication result, sent by another network device, of the authentication of the user's request to join a multicast group, and to obtain from the authentication result the rights information stating which multicast services the user may receive;
  • the rights information saving module 92, configured to save the correspondence between users and rights information according to the rights information acquired by the obtaining module;
  • the multicast service control module 93, configured to search, after receiving a multicast service to be sent to a user, the correspondence saved by the rights information saving module and determine whether the user has the right to receive that service; if so, the service is forwarded to the user, otherwise it is not.
  • The multicast service control module is optional and may be embedded in the switching device or set up as a module independent of it.
  • The rights information saving module 92 may further store a multicast forwarding table containing the correspondence between multicast addresses and user addresses.
  • The multicast service control module 93 may further comprise a unicast stream forwarding submodule, configured to query the multicast forwarding table after receiving a multicast stream to be forwarded, obtain the user addresses corresponding to the stream's multicast address, copy the stream into a unicast stream for each such user and send it to that user.
  • As shown in FIG. , the network side device for performing multicast authentication comprises the following modules:
  • the multicast authentication determining module 101, configured to determine, after receiving a user's request to join a multicast group, whether multicast authentication is required for the user according to the multicast address and the user address contained in the request; and
  • the multicast authentication triggering module 102, configured to send a multicast authentication trigger message to the user after the determining module decides that the user must perform multicast authentication.
  • The network side device may be a NAS or a multicast router.
  • The embodiments of the present invention implement multicast user authentication, which solves the important problem that under the previous multicast protocols users could join and leave a multicast group at will, and thus prevents users without rights from enjoying the multicast service, realizing multicast access control.
  • Applying the result of the multicast authentication in the switching device further avoids the problem of the multicast stream being flooded within the switching device.
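The two IGMP extensions described in Embodiments 1 and 3 above (a Reserved-field bit marking the first Join message, which then carries the authentication elements Protocol Type, Length and Information, and a Resv-field bit in an IGMPv3 query marking an authentication request) can be built and parsed as shown below. This is an added example, not code from the patent or from Huawei. The IGMPv2 Report and IGMPv3 Query layouts follow RFC 2236 and RFC 3376; the choice of the last Reserved/Resv bit, the TLV type codes `TLV_PROTOCOL_TYPE` and `TLV_INFORMATION` and the PAP/CHAP values are this example's assumptions, since the patent names the fields but gives no numeric codes. The parser also verifies the IGMP checksum so that a corrupted flag byte is reported rather than acted on.

```python
# Added example (not the patent's code): the IGMP extension bits of Embodiments 1 and 3.
# Header layouts follow RFC 2236 (IGMPv2 Report) and RFC 3376 (IGMPv3 Query);
# the flag-bit positions, TLV type codes and PAP/CHAP codes are assumptions.
import socket
import struct

IGMP_QUERY = 0x11           # Membership Query type (RFC 2236 / RFC 3376)
IGMP_V2_REPORT = 0x16       # IGMPv2 Membership Report type (RFC 2236)

TLV_PROTOCOL_TYPE = 1       # assumed code for the patent's "Protocol Type" element
TLV_INFORMATION = 2         # assumed code for the patent's "Information" element
AUTH_PAP, AUTH_CHAP = 1, 2  # assumed values carried in Protocol Type

FIRST_JOIN_BIT = 0x01       # last bit of the Report's reserved byte (assumption)
AUTH_REQUEST_BIT = 0x10     # last bit of the 4-bit Resv field of an IGMPv3 Query
                            # (Resv is bits 7..4 of that byte, S is bit 3, QRV bits 2..0)


def igmp_checksum(data: bytes) -> int:
    """Ones'-complement sum over 16-bit words (RFC 1071), as IGMP uses."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _with_checksum(body: bytes) -> bytes:
    """Fill bytes 2..3 of a message that was built with a zero checksum."""
    return body[:2] + struct.pack("!H", igmp_checksum(body)) + body[4:]


def build_report(group: str, first_join: bool = False,
                 auth_type: int = AUTH_CHAP, info: bytes = b"") -> bytes:
    """IGMPv2 Report; a first Join sets the reserved bit and appends the auth TLVs."""
    reserved = FIRST_JOIN_BIT if first_join else 0
    body = struct.pack("!BBH4s", IGMP_V2_REPORT, reserved, 0, socket.inet_aton(group))
    if first_join:
        body += struct.pack("!BBB", TLV_PROTOCOL_TYPE, 1, auth_type)
        body += struct.pack("!BB", TLV_INFORMATION, len(info)) + info
    return _with_checksum(body)


def parse_report(pkt: bytes) -> dict:
    """Decode a (possibly extended) Report; checksum_ok is False for a damaged packet."""
    igmp_type, reserved, _csum, grp = struct.unpack("!BBH4s", pkt[:8])
    result = {"type": igmp_type, "group": socket.inet_ntoa(grp),
              "first_join": bool(reserved & FIRST_JOIN_BIT),
              "auth_type": None, "info": b"",
              "checksum_ok": igmp_checksum(pkt) == 0}
    pos = 8
    while pos + 2 <= len(pkt):                      # walk the TLVs after the header
        tlv_type, tlv_len = pkt[pos], pkt[pos + 1]
        value = pkt[pos + 2:pos + 2 + tlv_len]
        if len(value) != tlv_len:
            raise ValueError("truncated TLV")        # never trust a length field blindly
        if tlv_type == TLV_PROTOCOL_TYPE:
            result["auth_type"] = value[0]
        elif tlv_type == TLV_INFORMATION:
            result["info"] = value
        pos += 2 + tlv_len
    return result


def build_auth_trigger_query(group: str, qrv: int = 2, qqic: int = 125) -> bytes:
    """Group-specific IGMPv3 Query with the Resv bit that marks an authentication request."""
    flags = AUTH_REQUEST_BIT | (qrv & 0x07)          # S flag left clear
    body = struct.pack("!BBH4sBBH", IGMP_QUERY, 100, 0, socket.inet_aton(group),
                       flags, qqic, 0)               # Max Resp Code 100, no sources
    return _with_checksum(body)


def parse_query(pkt: bytes) -> dict:
    """Decode an IGMPv3 Query header and report whether the trigger bit is set."""
    igmp_type, _mrc, _csum, grp, flags, _qqic, nsrc = struct.unpack("!BBH4sBBH", pkt[:12])
    return {"type": igmp_type, "group": socket.inet_ntoa(grp),
            "auth_request": bool(flags & AUTH_REQUEST_BIT),
            "qrv": flags & 0x07, "num_sources": nsrc,
            "checksum_ok": igmp_checksum(pkt) == 0}
```

A receiver that implements the patent's scheme should treat `first_join` or `auth_request` as meaningful only when `checksum_ok` is true, and should reject a Report whose TLV lengths run past the packet, as `parse_report` does.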


Abstract

The embodiments of the present invention provide a method and apparatus for implementing multicast authentication. The method mainly includes: a switch device receives the authentication result of the multicast authentication and acquires the user's rights information included in the authentication result; the switch device saves the rights information and controls the multicast stream to be sent to the user according to the rights information. The apparatus mainly includes a switch device, which comprises: a rights information acquirement module, for receiving the authentication result of the multicast authentication sent by other network devices and acquiring the user's rights information included in the authentication result; and a rights information saving module, for saving the correspondence between each user and the user's rights information according to the rights information acquired by the rights information acquirement module. Using the invention, multicast authentication of users in access networks and control of the multicast service received by users can be implemented.
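The switch-side control in the abstract, the multicast forwarding table of Embodiment 1 and modules 91 to 93 of FIG. 9 in the Definitions above come down to one data structure: entries are created only from successful authentication results, the stream's destination is looked up before any copy is sent, and the multicast destination MAC is replaced by each entitled user's unicast MAC. The Python below is an added example, not code from the patent or from Huawei; the `MulticastForwardingTable` class, the `Frame` and `Entry` types, their field names and the sample users and groups are constructed for illustration, while the RFC 1112 mapping from IPv4 group address to multicast MAC is standard.

```python
# Added example (not the patent's code): the switching-device multicast forwarding
# table built only from authentication results, with per-user unicast replication.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Frame:
    dst_mac: str        # multicast MAC on arrival, the user's unicast MAC after replication
    src_mac: str
    group_ip: str       # destination multicast group of the stream
    payload: bytes


@dataclass(frozen=True)
class Entry:
    user_mac: str
    port: str           # port/VC on which the user is located
    vlan: int
    user_ip: str


def group_mac(group_ip: str) -> str:
    """RFC 1112 mapping: 01:00:5e followed by the low 23 bits of the IPv4 group address."""
    o = [int(x) for x in group_ip.split(".")]
    return "01:00:5e:%02x:%02x:%02x" % (o[1] & 0x7F, o[2], o[3])


class MulticastForwardingTable:
    """Group MAC -> {user MAC -> Entry}; only authenticated users ever get an entry."""

    def __init__(self) -> None:
        self._table: Dict[str, Dict[str, Entry]] = {}

    def apply_auth_result(self, success: bool, entry: Entry, allowed_groups: List[str]) -> bool:
        """Consume an authentication result relayed by the multicast router / NAS.
        A failure result adds nothing, so the user stays unable to receive any group;
        a success result records the user under each group it is entitled to."""
        if not success:
            return False
        for group in allowed_groups:
            self._table.setdefault(group_mac(group), {})[entry.user_mac] = entry
        return True

    def remove_user(self, user_mac: str) -> None:
        """Drop a user's entries (leave, timeout or de-authorization)."""
        for members in self._table.values():
            members.pop(user_mac, None)
        self._table = {g: m for g, m in self._table.items() if m}

    def entitled_users(self, group_ip: str) -> List[str]:
        return sorted(self._table.get(group_mac(group_ip), {}))

    def forward(self, frame: Frame) -> List[Tuple[str, Frame]]:
        """Look up the stream's group MAC and return one unicast copy per entitled user,
        addressed to that user's MAC and port. No entry means no copy: the stream is not
        flooded to other ports, and a user whose authentication failed receives nothing."""
        members = self._table.get(frame.dst_mac, {})
        return [(e.port, Frame(e.user_mac, frame.src_mac, frame.group_ip, frame.payload))
                for e in members.values()]


def demo() -> List[Tuple[str, Frame]]:
    """Constructed sample: alice authenticates successfully, mallory's result is a failure."""
    table = MulticastForwardingTable()
    alice = Entry("00:11:22:33:44:55", "port3", 100, "10.0.0.5")
    mallory = Entry("00:11:22:33:44:66", "port7", 100, "10.0.0.9")
    table.apply_auth_result(True, alice, ["239.1.1.1"])
    table.apply_auth_result(False, mallory, ["239.1.1.1"])   # rejected: nothing stored
    stream = Frame(group_mac("239.1.1.1"), "00:aa:bb:cc:dd:ee", "239.1.1.1", b"video")
    return table.forward(stream)                              # one copy, to alice only
```

Keying the table by the group MAC rather than the group IP mirrors a Layer 2 switch, which sees only the frame header; because 32 group addresses share one multicast MAC under RFC 1112, a production implementation would also check the IP group address (or include the VLAN) before replicating.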

Description

实现组播认证的方法和装置 技术领域  Method and device for realizing multicast authentication
本发明涉及组播技术领域, 尤其涉及一种实现组播认证的方法和装置。  The present invention relates to the field of multicast technologies, and in particular, to a method and apparatus for implementing multicast authentication.
BACKGROUND OF THE INVENTION
As IP multicast technology has matured, IP multicast has come into ever wider use. In the IP model, however, any host can join any multicast group without restriction, and so far no method effectively solves the problem of host access control in IP multicast.
In the IP multicast model, a multicast group consists of senders and receivers, connected by a multicast distribution tree. When a sender needs to send data to the receivers, the sending host passes the data to the router connected to it, and that router forwards the data to the receivers over the multicast distribution tree. The router places no restriction on the host that sends the data.
When a host wants to receive the data of a multicast group, it sends a Member Report message, according to the Internet Group Management Protocol (IGMP), to the router connected to it; after processing this message, the router forwards the corresponding multicast group data to the host. Likewise, the router places no restriction on hosts that want to receive multicast messages.
With the commercialization of IP multicast applications, multicast security has become a problem that must be solved as soon as possible, and preventing unauthorized receivers from receiving multicast packets is the key factor in achieving it. Implementing multicast security faces three main problems. The first is authentication: because multicast protocols such as IGMP provide no user authentication, users can join or leave at will, so no access control of users to the multicast service is possible, and a user can mount a Denial of Service (DoS) attack against network bandwidth, wasting it. The second is accounting: because multicast protocols such as IGMP do not involve accounting, the multicast source cannot know when a user joins or leaves the multicast group. The third is authorization: because multicast protocols such as IGMP have no authentication function, the operator cannot grant each user different rights according to that user's needs.
One prior-art method of implementing multicast security authenticates the user at the application layer (for example via the Web), so that user authentication is done at the application layer and no rights are configured for the user at the access network layer. In practice, the corresponding user rights can be set up on the network devices between the router and the host when the user joins the multicast group, or the user can download the corresponding rights through network management. Users can also be managed by encrypting the multicast data and controlling access through key management.
In the course of implementing the present invention, the inventors found that the above prior-art method has at least the following problems: it is difficult to implement and costly. In addition, it cannot solve the problem of users mounting DoS attacks against network bandwidth and wasting it.
SUMMARY OF THE INVENTION
Embodiments of the present invention provide a method and apparatus for implementing multicast authentication, so that users can be authenticated for multicast in the access network and the multicast services they receive can be controlled. The object of the embodiments is achieved by the following technical solutions:
A method for implementing multicast authentication, including: a switching device receives the authentication result of a multicast authentication and obtains the user's rights information contained in the authentication result; the switching device saves the rights information and, according to it, controls the multicast stream to be sent to the user.
A method for implementing multicast authentication, including: after a network device determines that a user terminal needs to undergo multicast authentication, the network device sends the user a message requiring multicast authentication; after receiving that message, the user sends a multicast authentication request to the network device.
A method for implementing multicast authentication, including: an authentication server receives a multicast authentication request sent by a user that carries user authentication information and multicast group identification information; the authentication server authenticates the user according to the user authentication information and the multicast group identification information, and returns to the network device corresponding to the user an authentication result carrying authentication success or failure information.
A switching device, including: a rights information obtaining module, for receiving the authentication result of a multicast authentication sent by another network device and obtaining the user's rights information from it; and a rights information saving module, for saving, based on the obtained rights information, the correspondence between each user and that user's rights information.
A network-side device, including: a multicast authentication judging module, for determining, after a multicast authentication request is received from a user, whether the user needs to undergo multicast authentication according to the multicast address and the user address contained in the request; and a multicast authentication triggering module, for sending the user a message requiring multicast authentication once the judging module has determined that this is needed.
As can be seen from these technical solutions, the embodiments save each user's rights information in the switching device, so that the switching device can control which multicast services a user receives. The network side may also, after making its own judgment, be the first to initiate multicast authentication of the user. The embodiments can further make other authentication protocols and multicast protocols cooperate with each other to authenticate users for multicast.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a schematic diagram of the processing flow of Embodiment 1 of the present invention;
FIG. 2 shows an IGMP/MLD join message implemented by extending the IGMP/MLD Report message, according to an embodiment of the present invention;
FIG. 3 shows an IGMP/MLD join message implemented as a new message type defined in the IGMP/MLD protocol, according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of a switching device forwarding multicast streams to users according to a multicast forwarding table, according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of the processing flow of Embodiment 2 of the present invention;
FIG. 6 is a schematic diagram of the processing flow of Embodiment 3 of the present invention;
FIG. 7 is a schematic diagram of the processing flow of Embodiment 4 of the present invention;
FIG. 8 is a schematic diagram of another processing flow of Embodiment 4 of the present invention;
FIG. 9 is a schematic structural diagram of a switching device according to an embodiment of the present invention;
FIG. 10 is a schematic structural diagram of a network-side device according to an embodiment of the present invention.
DETAILED DESCRIPTION OF THE EMBODIMENTS
Embodiments of the present invention provide a method and apparatus for authenticating a multicast service.
In the solution provided by the embodiments, the switching device receives an authentication result sent by the multicast router; the authentication result contains the user's rights to receive the corresponding multicast service, and the switching device builds a multicast forwarding table from the results it receives. When the switching device receives a multicast service that a user wants, it looks up the multicast forwarding table to determine whether the user is authorized to receive that service; if so, it forwards the service to the user, otherwise it does not.
The above authentication process can be implemented by extending an existing Group Management Protocol (GMP), such as IGMP or Multicast Listener Discovery (MLD), or the Extensible Authentication Protocol (EAP). In practice, a dedicated GMP can also be designed for this purpose, or other authentication protocols and multicast protocols can be made to cooperate with each other.
The authentication process may also be triggered first by the multicast router; that is, the multicast router provides a trigger mechanism requiring the multicast user to authenticate.
To better describe the embodiments, IGMP and EAP are introduced first.
The function of IGMP is bidirectional. On the one hand, a user informs the local multicast router through IGMP that it wants to join a specific multicast group and receive its traffic; on the other hand, the multicast router periodically queries the local network through IGMP to check whether known group members are still active (that is, whether the segment still has members of a given multicast group), thereby collecting and maintaining group membership on that segment. IGMP currently has three main versions: IGMPv1, IGMPv2 and IGMPv3.
The IGMPv2 message format is shown in Table 1 below.
Table 1: [IGMPv2 message format; only the bit-position header (1, 8, 16, 24, 32) survives, the table body was an image]
The Type field in Table 1 indicates the IGMPv2 message type, of which there are four main types:
(1) 0x11: Membership Query.
The IGMPv2 Membership Query has two subtypes: the General Query, used to learn which multicast groups have members on the attached network, and the Group-Specific Query, used to learn whether a particular group has members on the attached network. The two are distinguished by the Group Address field: a General Query carries a Group Address of 0, whereas a Group-Specific Query carries the address of the multicast group being queried.
(2) 0x12: IGMPv1 Membership Report. This message type was added to IGMPv2 for compatibility with IGMPv1.
(3) 0x16: IGMPv2 Membership Report.
(4) 0x17: Leave Group.
The IGMPv3 and IGMPv1 message formats are similar to the IGMPv2 format above.
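As an added illustration (not part of the patent), the following Python encodes and decodes an IGMPv2 message in the layout of Table 1 as defined in RFC 2236 (Type, Max Resp Time, Checksum, Group Address), verifies the RFC 1071 checksum, and classifies the four types above, telling General from Group-Specific Queries by the Group Address field; the function and field names are this example's own.

```python
import struct
import ipaddress

# The four IGMPv2 message types listed in the text above.
IGMP_TYPES = {
    0x11: "Membership Query",
    0x12: "IGMPv1 Membership Report",
    0x16: "IGMPv2 Membership Report",
    0x17: "Leave Group",
}


def igmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; over a valid message (checksum included) it yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_igmpv2(msg_type: int, max_resp_time: int, group: str) -> bytes:
    """Encode Type(1) | Max Resp Time(1) | Checksum(2) | Group Address(4) as in RFC 2236."""
    if msg_type not in IGMP_TYPES:
        raise ValueError("unknown IGMPv2 type 0x%02x" % msg_type)
    # Max Resp Time is meaningful only in Queries; Reports and Leaves send 0.
    if msg_type != 0x11 and max_resp_time != 0:
        raise ValueError("Max Resp Time must be 0 outside a Membership Query")
    body = struct.pack("!BBH4s", msg_type, max_resp_time, 0,
                       ipaddress.IPv4Address(group).packed)
    return body[:2] + struct.pack("!H", igmp_checksum(body)) + body[4:]


def parse_igmpv2(data: bytes) -> dict:
    """Decode and validate an IGMPv2 message; raise ValueError on anything malformed."""
    if len(data) < 8:
        raise ValueError("IGMPv2 message shorter than 8 octets")
    if igmp_checksum(data[:8]) != 0:
        raise ValueError("bad IGMP checksum")
    msg_type, max_resp_time, _csum, group_raw = struct.unpack("!BBH4s", data[:8])
    if msg_type not in IGMP_TYPES:
        raise ValueError("unknown IGMPv2 type 0x%02x" % msg_type)
    group = str(ipaddress.IPv4Address(group_raw))
    kind = IGMP_TYPES[msg_type]
    if msg_type == 0x11:
        # The two Query subtypes differ only in the Group Address field.
        kind += " (General)" if group == "0.0.0.0" else " (Group-Specific)"
    elif not ipaddress.IPv4Address(group).is_multicast:
        raise ValueError("Report/Leave must name a multicast group, got %s" % group)
    return {"type": msg_type, "kind": kind, "max_resp_time": max_resp_time, "group": group}


def is_valid_igmpv2(data: bytes) -> bool:
    """True only if the message parses cleanly (checksum, type and group all acceptable)."""
    try:
        parse_igmpv2(data)
        return True
    except ValueError:
        return False
```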
The EAP message format is described in detail in RFC 3748. The encapsulation format of an EAP message is shown in Table 2 below.
Table 2:
Field        Octet number
Code         1
Identifier   2
Length       3-4
Data         5-N
The Code field in Table 2 occupies 1 octet and specifies the type of EAP message. The EAP Code values are: 1 denotes a Request; 2 denotes a Response; 3 denotes Success; 4 denotes Failure.
The EAP Request and Response message format is shown in Table 3 below.
Table 3:
Field        Octet number
Code         1
Identifier   2
Length       3-4
Type         5
Type-Data    6-N
The Code, Identifier and Length fields in Table 3 have the meanings given for Table 2. The Type field in Table 3 occupies 1 octet and specifies the type of the Request or Response. Exactly one Type must be present in an EAP Request or Response. Normally the Type in the Response is the same as the Type in the Request. However, a Response may carry the Nak type: when the Supplicant sends a Nak in response to a Request, it indicates that the Type in the Request is not acceptable to the Supplicant, and it may indicate the authentication type it wishes to use and supports.
The Type values defined in RFC 2284 are: 1 Identity; 2 Notification; 3 Nak (Response only); 4 MD5-Challenge; 5 One-Time Password (OTP) (RFC 1938); 6 Generic Token Card.
The EAP Success and Failure message format is shown in Table 4 below.
Table 4:
Field        Octet number
Code         1
Identifier   2
Length       3-4
The Code, Identifier and Length fields in Table 4 have the meanings given for Table 2. Success and Failure messages are sent by the Authenticator to the Supplicant: when the user's credentials are authenticated successfully, the Authenticator sends an EAP packet with Code 3 (Success) to indicate success; when authentication fails, the Authenticator sends an EAP packet with Code 4 (Failure) to indicate failure.
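As an added illustration (not part of the patent), the following Python encodes and validates EAP packets in the layouts of Tables 2 to 4 per RFC 3748, enforcing that Request and Response carry exactly one Type, that Nak appears only in a Response, and that Success and Failure are fixed 4-octet messages with no Data; it also checks that a Response actually answers a given Request. Function names are this example's own.

```python
import struct
from typing import Optional

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# Type values as listed in the text (RFC 2284 numbering, retained by RFC 3748).
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             5: "OTP", 6: "Generic Token Card"}


def build_eap(code: int, identifier: int, eap_type: Optional[int] = None,
              type_data: bytes = b"") -> bytes:
    """Encode Code(1) | Identifier(1) | Length(2) | [Type(1) | Type-Data] per Tables 2-4."""
    if code in (3, 4):
        if eap_type is not None or type_data:
            raise ValueError("Success/Failure carry no Data field")
        return struct.pack("!BBH", code, identifier, 4)        # fixed 4-octet message
    if code not in (1, 2) or eap_type is None:
        raise ValueError("Request/Response must carry exactly one Type")
    payload = bytes([eap_type]) + type_data
    return struct.pack("!BBH", code, identifier, 4 + len(payload)) + payload


def parse_eap(data: bytes) -> dict:
    """Decode and validate an EAP packet; raise ValueError on anything malformed."""
    if len(data) < 4:
        raise ValueError("EAP header needs 4 octets")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if code not in EAP_CODES:
        raise ValueError("unknown EAP Code %d" % code)
    if length < 4 or length > len(data):
        raise ValueError("Length %d inconsistent with %d received octets" % (length, len(data)))
    pkt = {"code": EAP_CODES[code], "identifier": identifier, "length": length}
    if code in (3, 4):
        if length != 4:
            raise ValueError("Success/Failure must be exactly 4 octets")
        return pkt
    if length < 5:
        raise ValueError("Request/Response must carry a Type")
    eap_type = data[4]
    if code == 1 and eap_type == 3:
        raise ValueError("Nak is valid in a Response only")
    pkt["type"] = EAP_TYPES.get(eap_type, "Unknown(%d)" % eap_type)
    pkt["type_data"] = data[5:length]        # octets beyond Length are padding: ignore them
    if eap_type == 3:
        # A Nak's Type-Data lists the authentication Types the Supplicant is willing to use.
        pkt["desired_types"] = [EAP_TYPES.get(t, "Unknown(%d)" % t) for t in pkt["type_data"]]
    return pkt


def is_valid_eap(data: bytes) -> bool:
    """True only if the packet parses cleanly."""
    try:
        parse_eap(data)
        return True
    except ValueError:
        return False


def response_matches(request: bytes, response: bytes) -> bool:
    """A Response answers a Request if the Identifiers agree and the Type is the same or a Nak."""
    req, rsp = parse_eap(request), parse_eap(response)
    if req["code"] != "Request" or rsp["code"] != "Response":
        return False
    if req["identifier"] != rsp["identifier"]:
        return False
    return rsp["type"] == req["type"] or rsp["type"] == "Nak"
```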
EAP Success and Failure messages are fixed-length messages without a Data field; their length is 4 octets.
The processing flow of Embodiment 1 of the present invention is shown in FIG. 1. Embodiment 1 extends the IGMP/MLD protocol to implement the multicast message exchange between a host (user) and the multicast router. The specific processing includes:
11. When a user needs to join a multicast group, it sends an IGMP/MLD join message to the multicast router. The message carries the group address of the multicast group to be joined and the user authentication information needed to authenticate the user, such as a user name and a user authentication code; the user authentication information may also include the client's IP address, MAC address, VLAN and the like.
The IGMP/MLD join message may be an extension of the IGMP/MLD Report message as shown in FIG. 2, or a new message type defined in the IGMP/MLD protocol as shown in FIG. 3, the new message type being Type = 0x36.
In the extended IGMP Report message of FIG. 2, one bit of the Reserved field, for example the last bit, indicates whether this is the first Report message: "1" marks the first Join message and "0" an ordinary Report message. The user authentication information can be carried in a new field, Information; a new field, Protocol Type, indicates the authentication type, such as PAP or CHAP; and a new field, Length, gives the length of the user information.
12. After receiving the IGMP/MLD join message, the multicast router obtains the user authentication information and the group address information of the multicast group carried in the message.
Based on the construction of the IGMP/MLD join message described above, the multicast router also determines whether this join message is the first Report message the user has sent to it. When the multicast router determines that the received IGMP/MLD join message is the user's first Report message (that is, an IGMP join message), it sends the obtained user authentication information and group address information to the authentication server. On receiving the user authentication information and the group address information, the authentication server authenticates the user.
13. After authenticating the user successfully, the authentication server returns to the multicast router an authentication result carrying authentication success information.
14. After receiving the authentication result, the multicast router grants the user the corresponding rights, allowing the user to join the requested multicast group and to receive the corresponding multicast service. The multicast router transmits the authentication result, carrying the user's rights information, to the switching device; the rights information includes the multicast services the user may receive.
15. After receiving the authentication result, the switching device adds the user's rights information to the multicast forwarding table, which records the multicast services each user is authorized to receive. Thereafter, when the switching device receives a multicast stream that a user wants, it looks up the multicast forwarding table to determine whether the user is authorized to receive that stream; if so, it forwards the stream to the user, otherwise it does not.
16. The switching device notifies the user that authentication succeeded.
13'. If the authentication server fails to authenticate the user, it returns to the multicast router an authentication result carrying authentication failure information.
14'. After receiving the authentication result carrying the failure information, the multicast router sends it to the switching device.
15'. After receiving the authentication result carrying the failure information, the switching device does not add the user to the multicast forwarding table and notifies the user that authentication failed. When the switching device later receives a multicast stream that this user wants, it looks up the multicast forwarding table, finds that the user is not authorized to receive the stream, and does not forward it to the user.
In practice, a multicast forwarding table may be configured in the switching device. It may include the multicast group MAC address, the user MAC address and the Port/VC on which the user is located, and may further include the VLAN, the user IP address and other information. When the switching device receives a multicast stream, it looks up the corresponding entries in the multicast forwarding table and forwards a copy of the stream to each user, replacing the destination multicast MAC address with that user's unicast MAC address. FIG. 4 shows the switching device forwarding multicast streams to users according to the multicast forwarding table.
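As an added illustration (not part of the patent), the following Python models the per-user multicast forwarding table of steps 15 and 15' as kept by the switching device: a success result adds the user's right, a failure adds nothing, and a multicast frame is replicated as one unicast copy per authorized user with the destination MAC rewritten, so users without an entry receive nothing. The Subscriber and Frame types, the VLAN match and the group-IP-to-MAC mapping (the standard 01:00:5e prefix plus the low 23 bits) are this example's assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


def group_mac_for(group_ip: str) -> str:
    """Map an IPv4 multicast group to its MAC: 01:00:5e + low 23 bits of the address.
    32 groups share each MAC, so a MAC-keyed table alone can over-grant; the optional
    user-IP / VLAN columns the text mentions are what let the switch tell them apart."""
    addr = ipaddress.IPv4Address(group_ip)
    if not addr.is_multicast:
        raise ValueError("%s is not a multicast group" % group_ip)
    o = addr.packed
    return "01:00:5e:%02x:%02x:%02x" % (o[1] & 0x7F, o[2], o[3])


@dataclass(frozen=True)
class Subscriber:
    mac: str        # user MAC address
    port: str       # Port/VC the user is attached to
    vlan: int       # VLAN (listed as optional in the text; constructed here)


@dataclass
class Frame:
    dst_mac: str
    src_mac: str
    vlan: int
    payload: bytes


class MulticastForwardingTable:
    """Per-user table kept by the switching device: group MAC -> authorized subscribers."""

    def __init__(self) -> None:
        self._entries: Dict[str, Set[Subscriber]] = {}

    def apply_auth_result(self, user: Subscriber, group_mac: str, success: bool) -> bool:
        """Steps 15 / 15': success adds the user's right, failure adds nothing.
        Returns whether the user holds the right afterwards."""
        if success:
            self._entries.setdefault(group_mac.lower(), set()).add(user)
            return True
        return user in self._entries.get(group_mac.lower(), set())

    def revoke(self, user: Subscriber, group_mac: str) -> None:
        """Drop a user's right, for example when the user leaves the group."""
        self._entries.get(group_mac.lower(), set()).discard(user)

    def authorized(self, user: Subscriber, group_mac: str) -> bool:
        return user in self._entries.get(group_mac.lower(), set())

    def forward(self, frame: Frame) -> List[Tuple[str, Frame]]:
        """Replicate a multicast frame as one unicast copy per authorized subscriber,
        rewriting the destination MAC; a user with no entry gets no copy at all."""
        receivers = self._entries.get(frame.dst_mac.lower(), set())
        copies = []
        for sub in sorted(receivers, key=lambda s: (s.port, s.mac)):
            if sub.vlan != frame.vlan:      # an entry in another VLAN does not match
                continue
            copies.append((sub.port, Frame(sub.mac, frame.src_mac, frame.vlan, frame.payload)))
        return copies
```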
According to the processing flow of Embodiment 1, once users have undergone multicast authentication, a forwarding table of authorized multicast users is formed, so the network can control the forwarding of multicast streams to authorized multicast users, while unauthorized and illegitimate users cannot receive the streams. The switching device includes, but is not limited to, network switches such as Layer 2 switches, Layer 3 switches and digital subscriber line access multiplexers.
Embodiment 2 of the present invention provides a scheme for extending the EAP protocol to support multicast authentication. By extending EAP, Embodiment 2 allows EAP to authenticate a given user for a given multicast group. The processing flow of Embodiment 2 is shown in FIG. 5 and includes the following steps:
51. The user sends a multicast authentication request message to the multicast router.
52. After receiving the multicast authentication request, the multicast router sends the user an extended EAP Request message carrying multicast information. As described above, when the EAP Code is Request or Response, Type 1 denotes the user identity. In this embodiment that type is extended: the user identity is no longer limited to the user name but also carries the group information (group address) that the user wants to join.
53. After receiving the extended EAP Request, the user sends an extended EAP Response to the multicast router. The user identity in the extended EAP Response carries the user authentication information needed to authenticate the user, such as the user name and user authentication code, together with the group information that the user wants to join.
54. The authentication process is described below taking the MD5 EAP method as an example. After receiving the EAP Response, the multicast router sends a normal EAP challenge request message to the user; the challenge is carried in the user identity of the challenge request message.
The challenge is a random number. In the MD5 encryption algorithm, the multicast router and the user hold a shared key, that is, a key known to both. After receiving the challenge sent by the multicast router, the user encrypts the challenge with the shared key and sends the ciphertext to the multicast router; the multicast router decrypts the ciphertext with the shared key to recover the challenge it carries, compares it with the challenge previously sent to the user, and judges from the comparison whether the shared key is correct.
55. After receiving the EAP challenge request, the user encrypts the challenge with the shared key and replies to the multicast router with an EAP challenge response message carrying the ciphertext.
56. The multicast router decrypts the ciphertext with the shared key, recovers the challenge it carries and compares it with the challenge previously sent to the user; if they match, it transmits the user authentication information together with the group information the user wants to join to the authentication server.
57. After receiving this information, the authentication server determines whether the user is authorized to join the multicast group. If so, it sends the multicast router an authentication success message permitting the user to join the group; otherwise it sends the multicast router an authentication failure message refusing the user's joining the group.
58. After receiving the authentication success message, the multicast router adds the user to the corresponding multicast group and re-establishes the multicast tree and outgoing multicast interface of that group. It also saves the user's related information in a local database, including the group address of the multicast group, the user's IP address and MAC address, and the user's specific port number information. After receiving an authentication failure message, the multicast router refuses the user's joining the multicast group. The multicast router also forwards the authentication success or failure message to the user.
Embodiment 3 of the present invention provides a trigger mechanism for requiring a multicast user to authenticate. The processing flow of Embodiment 3 is shown in FIG. 6 and includes the following steps:
61. After the user has obtained ordinary access to the network and acquired an IP address through a protocol such as the Dynamic Host Configuration Protocol (DHCP), normal network access is possible. When the user needs to join a multicast group, the user sends an IGMP join message to the multicast router; the IGMP join message contains the group address of the multicast group to be joined and the user's related information, such as the IP address and MAC address.
62. The multicast router extracts the user's related information and the group address information of the multicast group from the received IGMP join message. In addition, the multicast router can obtain the user's specific port number information from the port on which the IGMP join message was received. Based on the construction of the IGMP join message, the multicast router also determines whether this join message is the first Report message the user has sent to it. When the multicast router determines that the received Report message is the user's first Report message (that is, an IGMP join message), it sends the obtained user information and group address information to the authentication server.
63. The authentication server authenticates the received client information and determines whether the multicast group the user wants to join is a specific group, or whether the user is a privileged user. The criteria for this judgment can be set according to specific requirements. For example, the server may check whether the user's source address is a privileged address, that is, an address with special rights that may view the content of all groups; if so, the user is judged to be a privileged user. It may check whether the group address the user requests is a specific group, that is, an open group such as a television advertising channel; if so, the multicast group the user wants to join is judged to be a specific group. If the authentication server determines that the multicast group is a specific group or that the user is a privileged user, it returns to the multicast router an authentication success message permitting the user to join the group; otherwise it returns to the multicast router an authentication failure message that triggers multicast authentication.
64. After receiving the authentication success message, the multicast router grants the user the corresponding rights: it allows the user to join the requested multicast group, to receive that group's data and to view its content. After receiving the authentication failure message, the multicast router sends a multicast authentication trigger message to the user. The multicast authentication trigger message can be implemented in several forms. For example, it can be an IGMP query message carrying an authentication request, sent in unicast form. The following takes IGMPv3 as an example to describe how the IGMP query message is extended to carry an authentication request, that is, how the multicast authentication trigger message is implemented. A normal IGMPv3 query message is shown in Table 5 below.
Table 5:
         8               16              24              32
  Type = 0x11   | Max Resp Code |           Checksum
                        Group Address
 Resv |S| QRV  |     QQIC      |     Number of Sources (N)
                      Source Address [1]
                      Source Address [2]
                            ...
                      Source Address [N]
(Rows that are not legible in the extracted figure are given according to the IGMPv3 Membership Query format of RFC 3376.)
One bit of the Resv field in Table 5 above, for example the last bit, can be used to indicate whether the query message carries an authentication request: the bit is set to 1 to indicate that an authentication request is carried, and to 0 to indicate that none is carried. The IGMPv3 query message with the last bit of the Resv field set to 1 is shown in Table 6 below.
Table 6: (figure not reproduced in this extraction; same layout as Table 5 with the last bit of the Resv field set to 1)
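The following encoder/decoder shows concretely what Tables 5 and 6 describe: an IGMPv3 Membership Query whose last Resv bit is used as the authentication-request flag. It is an added illustration, not code from the patent; the field names and layout follow RFC 3376, the flag position (bit 4 of the Resv/S/QRV byte) is the one the description proposes, and the addresses are constructed.

```python
"""IGMPv3 Membership Query encoder/decoder with the last Resv bit used as the
"authentication request" flag of Table 6.  Added illustration, not code from
the patent: field names and layout follow RFC 3376, the flag position is the
one the description proposes, and the addresses are constructed."""
import ipaddress
import struct

IGMP_QUERY_TYPE = 0x11
# Byte 8 of the query is Resv(4 bits) | S(1) | QRV(3).  The last bit of Resv is
# bit 4 of that byte, so the flag mask is 0x10.
AUTH_REQ_MASK = 0x10


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, as used by IGMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_query(group: str, sources=(), max_resp_code: int = 100,
                qrv: int = 2, qqic: int = 125, auth_request: bool = False) -> bytes:
    """Encode a Membership Query; auth_request=True sets the last Resv bit."""
    resv_s_qrv = qrv & 0x07                  # S flag left at 0
    if auth_request:
        resv_s_qrv |= AUTH_REQ_MASK
    header = struct.pack("!BBH4sBBH", IGMP_QUERY_TYPE, max_resp_code, 0,
                         ipaddress.IPv4Address(group).packed,
                         resv_s_qrv, qqic, len(sources))
    body = b"".join(ipaddress.IPv4Address(s).packed for s in sources)
    pkt = header + body
    return pkt[:2] + struct.pack("!H", inet_checksum(pkt)) + pkt[4:]


def parse_query(pkt: bytes) -> dict:
    """Decode a query, verify the checksum and report whether the flag is set."""
    if len(pkt) < 12:
        raise ValueError("too short for an IGMPv3 Membership Query")
    msg_type, max_resp, _csum, group, resv_s_qrv, qqic, n = struct.unpack("!BBH4sBBH", pkt[:12])
    if msg_type != IGMP_QUERY_TYPE:
        raise ValueError("not a Membership Query (type 0x11)")
    if inet_checksum(pkt) != 0:               # a valid packet sums to zero
        raise ValueError("bad checksum")
    if len(pkt) != 12 + 4 * n:
        raise ValueError("Number of Sources does not match packet length")
    sources = [str(ipaddress.IPv4Address(pkt[12 + 4 * i:16 + 4 * i])) for i in range(n)]
    return {
        "group": str(ipaddress.IPv4Address(group)),
        "max_resp_code": max_resp,
        "resv": resv_s_qrv >> 4,
        "s": (resv_s_qrv >> 3) & 1,
        "qrv": resv_s_qrv & 0x07,
        "qqic": qqic,
        "sources": sources,
        "auth_request": bool(resv_s_qrv & AUTH_REQ_MASK),
    }
```

Two practical caveats follow from the layout: an unmodified RFC 3376 receiver ignores the Resv bits, so the trigger only has an effect on clients that implement this extension, and the IGMP checksum gives no authenticity, so a client must treat the flag as a prompt to authenticate and not as proof of the router's identity.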
65. After receiving the multicast authentication trigger message, the user sends an IGMP join message carrying the user authentication information to the multicast router. The multicast router, the authentication server and the user then exchange information to complete the multicast authentication of the user.
Embodiment 4 of the present invention provides a process in which another out-of-band authentication protocol (such as DHCP, PPPoE, etc.) cooperates with the multicast protocol to authenticate the user. The processing flow of Embodiment 4 is shown in FIG. 7; the specific process is as follows: the user sends, through the other out-of-band authentication protocol, a multicast authentication request carrying the user authentication information and the group address of the multicast group the user wants to join to the authentication server. After the authentication server authenticates the user, it returns the authentication result to the multicast router through the multicast protocol (such as IGMP), and the multicast router returns the authentication result to the user through the multicast protocol (such as IGMP).
Another processing flow of Embodiment 4 is shown in FIG. 8. It differs from the flow of FIG. 7 in that the multicast router returns the authentication result to the switching device through the multicast protocol (such as IGMP); the switching device builds a multicast forwarding table from the received authentication result and controls the user according to that multicast forwarding table. The multicast router in each of the above embodiments may also be a NAS device.
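Steps 62 to 65 above describe one decision procedure split across the router and the authentication server. The simulation below carries it through end to end: the first report of a user is pre-checked, privileged users and open ("specific") groups are admitted at once, everybody else is sent a trigger and must re-join with credentials. This is an added illustration, not code from the patent; the first-report marker, the policy prefixes, the account table and the message strings are all constructed for the example.

```python
"""Router/authentication-server decision of steps 62 to 65.  Added
illustration, not code from the patent; the first-report marker, the policy
prefixes, the accounts and the message strings are constructed for it."""
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class JoinReport:
    """What the router extracts from an IGMP join (step 62)."""
    user_addr: str                       # source address of the report
    group: str                           # group address requested
    port: str                            # port the report arrived on
    first_report: bool = False           # marker of the user's first report (claim 6)
    credentials: Optional[dict] = None   # set on the second join (step 65)


class AuthServer:
    """Step 63 policy plus the credential check of step 65."""

    def __init__(self, privileged_prefixes, open_groups, accounts):
        self.privileged = [ipaddress.ip_network(p) for p in privileged_prefixes]
        self.open_groups = [ipaddress.ip_network(g) for g in open_groups]
        self.accounts = accounts  # user -> (password, set of groups the user may join)

    def pre_check(self, user_addr: str, group: str) -> tuple:
        """Success without per-user authentication only for privileged
        addresses or open groups; anything else triggers authentication."""
        ua, ga = ipaddress.ip_address(user_addr), ipaddress.ip_address(group)
        if any(ua in net for net in self.privileged):
            return True, "privileged user"
        if any(ga in net for net in self.open_groups):
            return True, "specific (open) group"
        return False, "multicast authentication required"

    def authenticate(self, creds: dict, group: str) -> bool:
        entry = self.accounts.get(creds.get("user", ""))
        if entry is None:
            return False
        password, allowed = entry
        # constant-time comparison so the check leaks nothing about the stored value
        if not hmac.compare_digest(creds.get("password", "").encode(), password.encode()):
            return False
        return group in allowed      # authenticated users are still limited to their groups


class MulticastRouter:
    def __init__(self, auth: AuthServer):
        self.auth = auth
        self.granted = set()   # (user_addr, group) pairs allowed to receive data (step 64)
        self.sent = []         # messages sent back to users, recorded for inspection

    def on_report(self, rep: JoinReport) -> str:
        if rep.credentials is not None:                       # step 65: join with auth info
            if self.auth.authenticate(rep.credentials, rep.group):
                self.granted.add((rep.user_addr, rep.group))
                return "granted"
            return "rejected"
        if not rep.first_report:                              # a refresh: nothing new to decide
            return "granted" if (rep.user_addr, rep.group) in self.granted else "ignored"
        ok, reason = self.auth.pre_check(rep.user_addr, rep.group)   # step 62 -> step 63
        if ok:
            self.granted.add((rep.user_addr, rep.group))
            return "granted"
        # step 64: unicast IGMP query with the authentication-request bit set
        self.sent.append((rep.user_addr, rep.port, "IGMP query, auth request bit = 1"))
        return "auth-trigger sent"
```

Note that a plain refresh report from a user who was never granted returns "ignored": nothing in the procedure lets a user skip the trigger by simply repeating joins, and the router keeps the grant keyed on the (user, group) pair rather than on the port alone.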
The structure of the switching device provided by the embodiment of the present invention is shown in FIG. 9 and includes the following modules:
Rights information obtaining module 91, configured to receive the authentication result that another network device sends after authenticating a user's request to join a multicast group, and to obtain from the authentication result the user's rights information for receiving the corresponding multicast service;
Rights information saving module 92, configured to save the correspondence between each user and the rights information, according to the rights information obtained by the rights information obtaining module;
Multicast service control module 93, configured to, after receiving a multicast service that needs to be sent to the user, look up the correspondence saved by the rights information saving module and determine whether the user has the right to receive the multicast service; if so, forward the multicast service to the user; otherwise, do not forward the multicast service to the user. The multicast service control module is optional; it can be embedded in the switching device or provided as a module independent of the switching device.
The rights information saving module 92 may also store a multicast forwarding table, which contains the correspondence between multicast addresses and user addresses. The multicast service control module 93 may further include a unicast stream forwarding submodule, configured to, after receiving a multicast stream that needs to be forwarded, query the multicast forwarding table, obtain the user addresses corresponding to the address of the multicast stream, replicate the multicast stream into the corresponding unicast stream for each user, and send them to the users.
The structure of the network-side device for multicast authentication provided by the embodiment of the present invention is shown in FIG. 10 and includes the following modules:
Multicast authentication judgment module 101, configured to, after receiving a request to join a multicast group sent by a user, determine from the multicast address and the user address contained in the request whether the user needs to undergo multicast authentication;
Multicast authentication trigger module 102, configured to send a multicast authentication trigger message to the user when the multicast authentication judgment module determines that the user needs to undergo multicast authentication.
The network-side device may be a NAS or a multicast router.
In summary, the embodiments of the present invention implement multicast user authentication, solving the significant problem that in earlier multicast protocols a user could join and leave a multicast group at will; users without rights are prevented from enjoying the multicast service, and multicast-based access control is achieved. At the same time, the solution applies the result of the multicast authentication to the switching device, which further avoids the flooding of multicast streams in the switching device.
The above are only preferred specific embodiments of the present invention, but the scope of protection of the present invention is not limited thereto. Any variation or replacement that a person skilled in the art can readily conceive within the technical scope disclosed by the present invention shall be covered by the scope of protection of the present invention. Therefore, the scope of protection of the present invention shall be determined by the scope of the claims.
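The modules of FIG. 9 are easiest to see as two tables and one packet operation: module 91 applies the authentication result to the tables of module 92 (user to rights, and the multicast forwarding table from group to user addresses), module 93 checks the right before anything is forwarded, and the unicast stream forwarding submodule rewrites the destination of each multicast packet to one entitled user at a time. The code below is an added illustration, not code from the patent; the IPv4 packets, addresses and group numbers are constructed for it, and it assumes the minimal 20-byte IPv4 header (IHL 5) that the constructed packets carry.

```python
"""Switching-device side of FIG. 9: module 91 consumes the authentication
result, module 92 keeps the user/rights table and the multicast forwarding
table, module 93 decides forward-or-drop, and the unicast submodule turns one
multicast packet into per-user unicast copies.  Added illustration, not code
from the patent; the IPv4 packets and addresses are constructed for it."""
import ipaddress
import struct
from collections import defaultdict


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over the IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def make_ipv4(src: str, dst: str, payload: bytes, proto: int = 17) -> bytes:
    """Constructed sample packet: minimal 20-byte IPv4 header (IHL 5) plus payload."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                                64, proto, 0, ipaddress.IPv4Address(src).packed,
                                ipaddress.IPv4Address(dst).packed))
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + payload


class SwitchingDevice:
    def __init__(self):
        self.rights = defaultdict(set)      # module 92: user address -> groups it may receive
        self.forwarding = defaultdict(set)  # module 92: group address -> user addresses

    def on_auth_result(self, user_addr: str, group: str, success: bool) -> None:
        """Module 91: apply the result the network device reports for (user, group).
        A failure also revokes an earlier grant, so the tables never outlive the decision."""
        if success:
            self.rights[user_addr].add(group)
            self.forwarding[group].add(user_addr)
        else:
            self.rights[user_addr].discard(group)
            self.forwarding[group].discard(user_addr)

    def may_receive(self, user_addr: str, group: str) -> bool:
        """Module 93 lookup: does this user hold the right for this group?"""
        return group in self.rights.get(user_addr, set())

    def replicate_unicast(self, packet: bytes) -> dict:
        """Unicast stream forwarding submodule: one copy per entitled user, with the
        destination rewritten from the group to the user address and the header
        checksum recomputed.  Assumes a 20-byte header as in make_ipv4."""
        group = str(ipaddress.IPv4Address(packet[16:20]))
        copies = {}
        for user in sorted(self.forwarding.get(group, set())):
            if not self.may_receive(user, group):   # module 93: no right, no copy
                continue
            hdr = bytearray(packet[:20])
            hdr[16:20] = ipaddress.IPv4Address(user).packed
            hdr[10:12] = b"\x00\x00"
            hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
            copies[user] = bytes(hdr) + packet[20:]
        return copies
```

Because the decision is taken on the last hop, a user whose authentication failed receives no copy even if the group is active for its neighbours, which is the flooding problem the description points at; a real device would also remove entries on IGMP leave and on membership timeout, which the page leaves to the implementation.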

Claims

1. A method for implementing multicast authentication, comprising: a switching device receives an authentication result of multicast authentication and obtains a user's rights information from the authentication result; the switching device saves the rights information and controls, according to the rights information, the multicast stream that needs to be sent to the user.
2. The method according to claim 1, wherein the process in which the switching device receives the authentication result of multicast authentication specifically comprises: a network device receives a multicast authentication request carrying user authentication information and multicast group identification information, and sends the user authentication information and multicast group identification information to an authentication server; the authentication server authenticates the user according to the user authentication information and multicast group identification information, and returns to the network device an authentication result carrying authentication success or failure; after receiving an authentication result carrying authentication success, the network device grants the user the right to receive the corresponding multicast service and sends the rights information and the authentication result to the switching device; after receiving an authentication result carrying authentication failure, the network device refuses to send the multicast stream to the user.
3. The method according to claim 2, wherein before the network device receives the multicast authentication request carrying user authentication information and multicast group identification information, the method further comprises: the network device receives user-related information and sends the user-related information to the authentication server, the user-related information comprising a multicast address and a user address; the authentication server determines, according to the user-related information, whether the user needs to undergo multicast authentication, and if so returns to the network device information indicating that multicast authentication is required; otherwise, it returns to the network device information indicating that multicast authentication is not required; after receiving the information indicating that multicast authentication is required, the network device sends the user a message requesting multicast authentication, and the user sends the request for multicast authentication carrying user authentication information and multicast group identification information.
4. The method according to claim 3, wherein the process in which the authentication server determines, according to the user-related information, whether the user needs to undergo multicast authentication specifically comprises: when the authentication server determines from the received multicast address information that the multicast group is a specific multicast group that all users are allowed to join, or when the authentication server determines from the received user address information that the user is a specific client able to join all multicast groups, the authentication server does not need to perform multicast authentication on the user; otherwise, multicast authentication of the user is required.
5. The method according to claim 1, wherein the process in which the switching device receives the authentication result of multicast authentication specifically comprises: an authentication server receives a request for multicast authentication sent by the user and carrying user authentication information and multicast group identification information; the authentication server authenticates the user according to the user authentication information and multicast group identification information, and returns to a network device an authentication result carrying authentication success or failure; after receiving an authentication result carrying authentication success, the network device allows the user to join the multicast group, grants the user the right to receive the corresponding multicast service, and sends the rights information and the authentication result to the switching device; after receiving an authentication result carrying authentication failure, the network device refuses to let the user join the multicast group.
6. The method according to claim 2, wherein the multicast authentication request is the first Internet Group Management Protocol (IGMP) report message that the user sends to the network device, and the first report message is identified by a specific byte of the IGMP report message.
7. The method according to claim 2, wherein the multicast authentication request uses the Extensible Authentication Protocol (EAP) authentication method to perform multicast authentication on the user.
8. The method according to any one of claims 1 to 7, wherein the process in which the switching device saves the rights information and controls, according to the rights information, the multicast service that needs to be sent to the user specifically comprises: the switching device saves the correspondence between users and user rights information; after receiving a multicast service that needs to be sent to a user, the switching device looks up the saved correspondence and determines whether the user has the right to receive the multicast service; if so, it forwards the multicast service to the user; otherwise, it does not forward the multicast service to the user.
9. The method according to claim 8, wherein the process in which the switching device forwards the multicast service to the user specifically comprises: the switching device converts the multicast stream into a unicast stream and sends the unicast stream to the user.
10. The method according to any one of claims 1 to 7, wherein the switching device comprises a Layer 2 switch, a Layer 3 switch or a Digital Subscriber Line Access Multiplexer (DSLAM).
11. A method for implementing multicast authentication, comprising: after a network device determines that a user terminal needs to undergo multicast authentication, the network device sends the user a message requesting multicast authentication; after receiving the message requesting multicast authentication, the user sends a multicast authentication request to the network device.
12. The method according to claim 11, wherein the process in which, after the network device determines that the user terminal needs to undergo multicast authentication, the network device sends the user a message requesting multicast authentication specifically comprises: the network device receives user-related information sent by the user, the user-related information comprising a multicast address and a user address; the network device sends the user-related information to an authentication server; the authentication server determines, according to the user-related information, whether the user needs to undergo multicast authentication, and if so returns to the network device information indicating that multicast authentication is required; otherwise, it returns to the network device information indicating that multicast authentication is not required, the user-related information comprising a multicast address and a user address; after receiving the information indicating that multicast authentication is required, the network device sends the user a message requesting multicast authentication.
13. The method according to claim 12, wherein the process in which the authentication server determines, according to the user-related information, whether the user needs to undergo multicast authentication specifically comprises: when the authentication server determines from the received multicast address information that the multicast group is a specific multicast group that all users are allowed to join, or when the authentication server determines from the received user address information that the user is a specific client able to join all multicast groups, the authentication server does not need to perform multicast authentication on the user; otherwise, multicast authentication of the user is required.
14. The method according to claim 11, 12 or 13, wherein the message requesting multicast authentication is an IGMP query message carrying an authentication request or an EAP START message.
15. A method for implementing multicast authentication, comprising: an authentication server receives a multicast authentication request sent by a user and carrying user authentication information and multicast group identification information; the authentication server authenticates the user according to the user authentication information and multicast group identification information, and returns to the network device corresponding to the user an authentication result carrying authentication success or failure.
16. The method for implementing multicast authentication according to claim 15, further comprising: after receiving an authentication result carrying authentication success, the network device grants the user the right to receive the corresponding multicast service and sends the rights information and the authentication result to the switching device through a second protocol, or the network device sends the rights information to the user; after receiving an authentication result carrying authentication failure, the network device refuses to send the multicast stream to the user equipment.
17. A switching device, comprising: a rights information obtaining module, configured to receive an authentication result of multicast authentication sent by another network device and to obtain the user's rights information from the authentication result; a rights information saving module, configured to save the correspondence between each user and the user rights information according to the obtained user rights information.
18. The switching device according to claim 17, further comprising: a multicast service control module, configured to, after receiving a multicast service that needs to be sent to the user, look up the correspondence saved by the rights information saving module and determine whether the user has the right to receive the multicast service; if so, forward the multicast service to the user; otherwise, do not forward the multicast service to the user.
19. The switching device according to claim 18, wherein the rights information saving module is further configured to save a multicast forwarding table, the multicast forwarding table containing the correspondence between multicast addresses and user addresses.
20. The switching device according to claim 19, wherein the multicast service control module comprises: a unicast stream forwarding submodule, configured to, after receiving a multicast stream that needs to be forwarded, query the multicast forwarding table, obtain the user addresses corresponding to the address of the multicast stream, replicate the multicast stream into the corresponding unicast stream for each user, and send them to the users.
21. A network-side device, comprising: a multicast authentication judgment module, configured to, after receiving a multicast authentication request sent by a user, determine, according to the multicast address and the user address contained in the multicast authentication request, whether the user needs to undergo multicast authentication; a multicast authentication trigger module, configured to send the user a message requesting multicast authentication after the multicast authentication judgment module determines that the user needs to undergo multicast authentication.
PCT/CN2008/072309 2007-09-17 2008-09-09 A method and apparatus for implementing multicast authentication WO2009036685A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200710121896.9 2007-09-17
CNA2007101218969A CN101394277A (en) 2007-09-17 2007-09-17 Method and apparatus for implementing multicast authentication

Publications (1)

Publication Number Publication Date
WO2009036685A1 true WO2009036685A1 (en) 2009-03-26

Family

ID=40467517

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2008/072309 WO2009036685A1 (en) 2007-09-17 2008-09-09 A method and apparatus for implementing multicast authentication

Country Status (2)

Country Link
CN (1) CN101394277A (en)
WO (1) WO2009036685A1 (en)


Also Published As

Publication number Publication date
CN101394277A (en) 2009-03-25


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 08800821

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 08800821

Country of ref document: EP

Kind code of ref document: A1