WO2009067871A1 - Method, system and device for user access security control - Google Patents

Info

Publication number
WO2009067871A1
Authority
WO
WIPO (PCT)
Prior art keywords
user
link identifier
access
module
control
Prior art date
Application number
PCT/CN2008/072243
Other languages
French (fr)
Chinese (zh)
Inventor
Qinfeng Gu
Jiaofeng Li
Original Assignee
Huawei Technologies Co., Ltd.
Priority date
Filing date
Publication date
Application filed by Huawei Technologies Co., Ltd.
Publication of WO2009067871A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/102 Entity profiles
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks

Definitions

  • the present invention relates to the field of communications, and in particular, to a method, system and device for user access security control.
  • Background technique
  • the network has also evolved from a traditional network that provides only Internet access services into a multi-service bearer network.
  • FIG. 1 is a schematic diagram of networking of a broadband access technology provided by the prior art, in which a TV set-top box, a VoIP (Voice over Internet Protocol) terminal, a PC connected to the Internet, a mobile phone terminal, a handheld multimedia terminal, etc.
  • the user completes unified access through the RG (Residential Gateway), and the RG is connected over the telephone twisted pair by ADSL (Asymmetric Digital Subscriber Line)/VDSL (very-high-data-rate Digital Subscriber Line).
  • ADSL Asymmetric Digital Subscriber Line
  • VDSL very-high-data-rate Digital Subscriber Line
  • DSLAM Digital Subscriber Line Access Multiplexer
  • BNG Broadband Network Gateway
  • BRAS Broadband Remote Access Server, broadband remote access equipment
  • PPPoE PPP over Ethernet, PPP protocol carried on Ethernet
  • DHCP Dynamic Host Configuration Protocol
  • the network also includes a policy server, a gateway server, and the like that implement user/service management by issuing control policies to various gateway devices in the network.
  • BNG is a core node in the network that handles functions such as user access management, service distribution, and service policy implementation.
  • FIG. 2 is a schematic diagram of user service access mapping provided by the prior art.
  • the user services are connected to the DSLAM through different VCs (Virtual Circuits).
  • the TV set-top box service is accessed through VC1, VoIP services through VC2, and PC services through VC3.
  • the DSLAM completes the VC to VLAN mapping.
  • the prior art provides two mapping models:
  • N:1 model: the same service type is mapped to the same S-VLAN, that is, the traffic of the same service type of all users on one DSLAM, when it arrives at the BNG, is recognized by the BNG through the same S-VLAN.
  • the other model: the DSLAM assigns a unique S-VLAN + C-VLAN combination for each service type of each user; generally the S-VLAN identifies the service and the C-VLAN identifies the user, so that on one DSLAM, a user's data packets for each type of service are uniquely determined by the S-VLAN + C-VLAN combination when they arrive at the BNG.
  • the BNG identifies the user link of the access through VLAN/QinQ (extended 802.1Q), and the security control is also at VLAN/QinQ granularity. In the multi-service mode, the BNG cannot uniquely identify the user link through VLAN/QinQ, and thus cannot implement security control on a single user link.
  • Summary of the invention
  • an embodiment of the present invention provides a method, system, and device for user access security control.
  • the technical solution is as follows:
  • An embodiment of the present invention provides a method for user access security control, where the method includes:
  • the embodiment of the invention further provides a system for user access security control, the system comprising:
  • a user node configured to send an access request message
  • an access device configured to receive the access request message sent by the user node, insert a user link identifier into the access request message, and send the access request message with the user link identifier inserted.
  • a control device configured to: after receiving the access request message sent by the access device with the user link identifier inserted, parse it to obtain the user link identifier; determine, according to the user link identifier, whether the access request message meets the preset access condition; and if yes, allow the user node corresponding to the user link identifier to access.
  • An embodiment of the present invention further provides an access device, where the device includes:
  • a receiving module configured to receive an access request message sent by the user node;
  • an identifier insertion module configured to insert a user link identifier into the access request message received by the receiving module; and a sending module configured to send the access request message into which the identifier insertion module has inserted the user link identifier.
  • An embodiment of the present invention further provides a control device, where the device includes: a receiving module, configured to receive an access request message sent by the access device, where the access request message carries a user link identifier;
  • a parsing module configured to parse the access request packet received by the receiving module to obtain the user link identifier
  • a processing module configured to determine, according to the user link identifier obtained by the parsing module, whether the access request packet meets the preset access condition, and if so, allow the user corresponding to the user link identifier to access.
  • the user link can be uniquely identified in the multi-service mode, thereby implementing security control on a single user link according to the user link identification information on the pre-configured logical interface.
  • FIG. 1 is a schematic diagram of networking of a broadband access technology provided by the prior art
  • FIG. 2 is a schematic diagram of user service access mapping provided by the prior art
  • FIG. 3 is a flowchart of a method for user access security control provided by Embodiment 1 of the present invention.
  • FIG. 4 is a flowchart of a method for user access security control provided by Embodiment 2 of the present invention.
  • FIG. 5 is a flowchart of a method for user access security control provided by Embodiment 3 of the present invention.
  • FIG. 6 is a schematic diagram of a system for user access security control provided by Embodiment 4 of the present invention.
  • FIG. 7 is a detailed schematic diagram of a system for user access security control provided by Embodiment 4 of the present invention.
  • FIG. 8 is a schematic diagram of an access device according to Embodiment 5 of the present invention.
  • FIG. 9 is a schematic diagram of a control device according to Embodiment 6 of the present invention.
  • FIG. 10 is a detailed schematic diagram of a control device according to Embodiment 6 of the present invention.
  • FIG. 11 is another schematic diagram of the control device provided in Embodiment 6 of the present invention.
  • Detailed description
  • the BNG can uniquely identify the user link identification information in the multi-service mode, and implement security control on a single user link.
  • the method for user access security control provided by the embodiment of the present invention includes:
  • Embodiment 1 Receiving an access request message carrying the user link identifier; parsing the access request message to obtain the user link identifier; determining, according to the user link identifier, whether the access request message satisfies the preset access condition; and if yes, allowing the user corresponding to the user link identifier to access.
  • an embodiment of the present invention provides a method for user access security control, and the steps are as follows:
  • Step 101 The BNG obtains a user link identifier.
  • the BNG can obtain the user link identifier information in the following two ways:
  • the DSLAM device information includes: the frame number, slot number, and port number of the device.
  • the DSLAM can uniquely identify a user link to the DSLAM by using frame number + slot number + port number.
  • the reference command line format is as follows:
  • access-loop-circuit-identifier dslaml-atm-frame-slot/port [vpi.vci]
  • access-loop-circuit-identifier is the command keyword, indicating that a user link identifier needs to be configured on the BNG, and it is followed by the string corresponding to each identifier:
  • dslaml indicates the DSLAM node name, and atm indicates that the link layer between the RG and the DSLAM is ATM
  • frame is the frame number of the DSLAM
  • slot is the slot number in the DSLAM
  • port is the port number of the DSLAM
  • vpi.vci is the optional PVC (Permanent Virtual Circuit) information.
  • the second way uses the link information reporting function provided by the Access Node Control Protocol (ANCP).
  • the ANCP protocol serves as the transport-layer protocol that carries control information between the BNG and the DSLAM.
  • the DSLAM reports the user link information of the user to the BNG through the ANCP protocol,
  • where the user link information includes the user link status, the user link identifier, and related user link parameters.
  • the ANCP protocol is defined as follows:
  • Step 102 The BNG creates a corresponding logical link identifier (ie, a logical interface) for the user link identifier according to the obtained user link identifier.
  • the logical link identifier may be the user link identifier itself or a logical interface created according to the user link identifier.
  • this embodiment takes the case in which the logical link identifier is a logical interface as an example.
  • the logical interface created by the BNG corresponds uniquely to the user link identifier.
  • after the BNG creates a logical interface, it can implement the security control policy on the created logical interface.
  • Step 103 User X initiates an access request through DHCP, that is, sends a DHCP access request message.
  • the user initiates an access request through the DHCP protocol or the PPPoE protocol according to the service type of the user. For example, if a PC user requests Internet access, the access request is initiated through the PPPoE protocol;
  • if a user requests access to an IPTV service, or a VoIP phone terminal user requests access to a VoIP service, the access request is initiated through the DHCP protocol.
  • this embodiment uses user X initiating an access request through DHCP as an example, but does not limit the type of the access request.
  • Step 104 The DSLAM receives the DHCP access request packet sent by user X, inserts the user link identifier into the received DHCP access request packet, and forwards the DHCP access request packet with the user link identifier inserted to the BNG.
  • the Agent-Circuit-ID option is used in the packet to indicate the identifier of the line through which the user accesses.
  • when receiving the DHCP access request message sent by user X, the DSLAM knows on which frame, slot, and port the access request message was received, and inserts the corresponding user link identifier accordingly.
  • the format of the user link identifier must be the same as the format of the user link identifier preset on the BNG.
  • Step 105 The BNG receives the DHCP access request packet that is sent by the DSLAM and carries the user link identifier, and determines whether the corresponding logical interface can be found according to the user link identifier carried in the DHCP access request packet. If yes, step 106 is performed; otherwise, step 107 is performed.
  • Step 106 The BNG creates a user access entry bound to the logical interface, saves the information of user X, and performs step 108.
  • the information of user X and the corresponding logical interface identifier may be stored in the user access table, and the information of user X includes information such as the MAC (Media Access Control) address, IP address, authentication, and charging information of user X.
  • MAC Media Access Control
  • Step 107 The BNG discards the received access request packet, prohibits the user X from accessing, and ends.
  • Step 108 The BNG returns a DHCP response message to the DSLAM, where the DHCP response message carries the user link identification information.
  • Step 109 The DSLAM receives the DHCP response packet returned by the BNG, deletes the user link identifier information carried in the DHCP response packet, and forwards the DHCP response packet, with the user link identifier information removed, to user X.
  • Step 110 After the DHCP negotiation is completed, user X successfully accesses the BNG, and the process ends.
  • after the user accesses the BNG device, security control can also be performed on the user, for example:
  • 1) The BNG can also configure a bandwidth parameter for the created logical interface, where the bandwidth parameter specifically includes an uplink bandwidth parameter and a downlink bandwidth parameter.
  • after user X successfully accesses the BNG, user X sends a data packet carrying the user's MAC address and IP address; the BNG searches the user access table according to the user's MAC address and IP address carried in the received data packet, finds the corresponding logical interface, and performs bandwidth control on the data packet according to the uplink bandwidth parameter configured on the logical interface. When a device providing a service in the network (such as an ASP) sends a data packet to user X through the BNG, the BNG searches the user access table according to the user MAC address carried in the data packet, finds the corresponding logical interface, and performs bandwidth control on the data packet sent to user X according to the downlink bandwidth parameter configured on the logical interface.
  • 2) When access control needs to be implemented on user X, the traffic-policy command can be used to configure an access control policy on the BNG logical interface.
  • after user X successfully accesses the BNG, user X sends a data packet carrying the user's MAC address and IP address; the BNG searches the user access table according to the user's MAC address and IP address carried in the received data packet, finds the logical interface corresponding to user X, and performs flow control on the data packet sent by user X according to the access control policy configured on the logical interface. When a device providing a service in the network (such as an ASP) sends a data packet to user X through the BNG, the BNG searches the user access table according to the MAC address of user X carried in the data packet, finds the logical interface corresponding to user X, the next hop of the data packet is the logical interface corresponding to user X on the BNG device, and the logical interface performs flow control on the data packet sent to user X through the BNG according to the access control policy configured on it.
  • 3) The BNG can also configure a multicast control policy on the logical interface, that is, configure a multicast control list.
  • IGMP Internet Group Management Protocol
  • after user X successfully accesses the BNG, user X sends an IGMP message request carrying the user MAC address. After receiving the IGMP message request sent by user X, the BNG searches the user access table according to the MAC address, finds the logical interface corresponding to user X, and determines, according to the multicast control list configured on the logical interface, whether user X is allowed to join the multicast group. If yes, the BNG allows user X to join the multicast group and sends multicast data traffic to user X; otherwise, the BNG discards the IGMP message request sent by user X.
  • the method provided by the embodiment of the present invention can configure the logical interface on the BNG device to uniquely identify the user link in the multi-service mode, thereby implementing, according to the user link identification information, the security control policy configured on the logical interface, so that security controls such as access control, bandwidth control, flow control, and multicast control are implemented on a single user link.
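As an added example (not the patent's own code), the following Python models the three post-access controls just listed: a user access table keyed by MAC and IP, and a per-logical-interface policy carrying uplink/downlink bandwidth parameters, a traffic-policy deny list, and a multicast control list. The packet fields, the addresses, and the one-window byte budget that stands in for real bandwidth control are constructed assumptions; the patent looks the downstream user up by MAC, whereas this example resolves the destination IP to the user access entry.

```python
"""Added example: per-logical-interface security control applied after a user
has accessed the BNG (bandwidth, traffic policy, multicast control list).
Data shapes and addresses are assumptions, not taken from the patent."""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class InterfacePolicy:
    """Security control configured on one BNG logical interface (assumed shape)."""
    uplink_bps: int
    downlink_bps: int
    deny_dst: list = field(default_factory=list)        # traffic-policy: networks the user may not reach
    multicast_allow: set = field(default_factory=set)   # multicast control list: permitted groups


@dataclass
class UserEntry:
    """One row of the user access table, created when the user is admitted."""
    mac: str
    ip: str
    link_id: str


@dataclass
class Packet:
    src_mac: str
    src_ip: str
    dst_ip: str
    size: int   # bytes


class BngPolicyEngine:
    def __init__(self, policies, users):
        self.policies = policies            # link_id -> InterfacePolicy
        self.users = users                  # user MAC -> UserEntry (the user access table)
        self.users_by_ip = {u.ip: u for u in users.values()}
        self.bytes_used = {}                # (link_id, direction) -> bytes sent in the current window

    def _budget_ok(self, link_id, direction, limit_bps, size):
        """Byte budget for a single one-second window (a real BNG uses a token bucket)."""
        key = (link_id, direction)
        used = self.bytes_used.get(key, 0) + size
        if used * 8 > limit_bps:
            return False
        self.bytes_used[key] = used
        return True

    def upstream(self, pkt):
        """User -> network: look up by MAC and IP, apply traffic policy, then uplink bandwidth."""
        entry = self.users.get(pkt.src_mac)
        if entry is None or entry.ip != pkt.src_ip:
            return "drop: no user access entry"
        pol = self.policies[entry.link_id]
        dst = ipaddress.ip_address(pkt.dst_ip)
        if any(dst in net for net in pol.deny_dst):
            return "drop: traffic policy"
        if not self._budget_ok(entry.link_id, "up", pol.uplink_bps, pkt.size):
            return "drop: uplink bandwidth"
        return "forward"

    def downstream(self, pkt):
        """Network -> user: resolve the user (here by destination IP), find the
        logical interface, and apply the downlink bandwidth parameter."""
        entry = self.users_by_ip.get(pkt.dst_ip)
        if entry is None:
            return "drop: no user access entry"
        pol = self.policies[entry.link_id]
        if not self._budget_ok(entry.link_id, "down", pol.downlink_bps, pkt.size):
            return "drop: downlink bandwidth"
        return f"forward via {entry.link_id}"

    def igmp_join(self, mac, group):
        """IGMP join: allow only groups on the interface's multicast control list."""
        entry = self.users.get(mac)
        if entry is None:
            return "discard: no user access entry"
        pol = self.policies[entry.link_id]
        return "join allowed" if group in pol.multicast_allow else "discard: group not permitted"


def run_demo():
    """Constructed scenario: one user on one logical interface, 8 kbit/s up, 16 kbit/s down."""
    policies = {"dslam1-atm-0-1/3": InterfacePolicy(
        uplink_bps=8000, downlink_bps=16000,
        deny_dst=[ipaddress.ip_network("10.0.0.0/8")],
        multicast_allow={"239.1.1.1"})}
    mac = "00:11:22:33:44:55"
    users = {mac: UserEntry(mac, "192.0.2.10", "dslam1-atm-0-1/3")}
    eng = BngPolicyEngine(policies, users)
    return [
        eng.upstream(Packet(mac, "192.0.2.10", "198.51.100.1", 600)),   # within budget
        eng.upstream(Packet(mac, "192.0.2.10", "10.1.1.1", 100)),       # denied destination
        eng.upstream(Packet(mac, "192.0.2.10", "198.51.100.1", 600)),   # exceeds 1000-byte budget
        eng.upstream(Packet("00:11:22:33:44:99", "192.0.2.10", "198.51.100.1", 60)),  # unknown MAC
        eng.downstream(Packet("aa:bb:cc:dd:ee:ff", "198.51.100.1", "192.0.2.10", 1500)),
        eng.igmp_join(mac, "239.1.1.1"),
        eng.igmp_join(mac, "239.9.9.9"),
    ]
```

Each control is keyed on the logical interface found through the user access table, which is the point of the patent: the policy follows the user link rather than a shared VLAN.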
  • Embodiment 2 An embodiment of the present invention provides a method for user access security control, and the steps are as follows:
  • Step 201 The BNG acquires a user link identifier.
  • Step 202 The BNG creates a corresponding logical link identifier (ie, a logical interface) for the user link identifier according to the obtained user link identifier.
  • the embodiment of the present invention uses a logical link identifier that is a logical interface as an example for description.
  • Step 203 The BNG limits the number of IP sessions of the user on the logical interface, that is, presets an upper limit on the number of IP sessions of the user.
  • Step 204 User X initiates an access request through DHCP, that is, sends a DHCP access request message.
  • Step 205 The DSLAM receives the DHCP access request packet sent by user X, inserts the user link identifier into the received DHCP access request packet, and forwards the DHCP access request packet with the user link identifier inserted to the BNG.
  • Step 206 The BNG receives the DHCP access request packet that is sent by the DSLAM and carries the user link identifier, and determines whether the corresponding logical interface can be found according to the user link identifier carried in the access request packet. If yes, step 207 is performed; otherwise, step 208 is performed.
  • Step 207 Determine whether the number of IP sessions of user X is smaller than the preset upper limit of IP sessions of the user on the logical interface. If yes, step 209 is performed; otherwise, step 208 is performed.
  • Step 208 The BNG discards the received access request packet, prohibits the user X from accessing, and ends.
  • Step 209 The BNG creates a user access entry bound to the logical interface, saves the information of user X, and returns a response packet to the DSLAM, where the response packet carries the user link identifier.
  • Step 210 The DSLAM receives the DHCP response packet returned by the BNG, deletes the user link identifier carried in the packet, and forwards the DHCP response packet, with the user link identifier removed, to user X.
  • Step 211 After the DHCP negotiation is complete, user X successfully accesses the BNG, and the BNG device adds 1 to the recorded number of IP sessions of the user.
  • after the user accesses the BNG device, security control can be performed on the user, for example:
  • 1) The BNG can also configure a bandwidth parameter for the created logical interface, where the bandwidth parameter specifically includes an uplink bandwidth parameter and a downlink bandwidth parameter.
  • after user X successfully accesses the BNG, user X sends a data packet carrying the user's MAC address and IP address; the BNG searches the user access table according to the user's MAC address and IP address carried in the received data packet, finds the corresponding logical interface, and performs bandwidth control on the data packet according to the uplink bandwidth parameter configured on the logical interface. When a device providing a service in the network (such as an ASP) sends a data packet to user X through the BNG, the BNG searches the user access table according to the user MAC address carried in the data packet, finds the corresponding logical interface, and performs bandwidth control on the data packet sent to user X according to the downlink bandwidth parameter configured on the logical interface.
  • 2) When traffic control needs to be performed, the access control policy can be configured on the BNG logical interface by using the traffic-policy command.
  • after user X successfully accesses the BNG, user X sends a data packet carrying information such as the user MAC address and IP address; the BNG searches the user access table according to the user MAC address and IP address carried in the received data packet, finds the logical interface corresponding to user X, and performs traffic control on the data packet sent by user X according to the access control policy configured on the logical interface. When a device such as an ASP sends a data packet to user X through the BNG, the user access table is searched according to the MAC address of user X carried in the data packet, the logical interface corresponding to user X is found, the next hop of the data packet is the logical interface corresponding to user X on the BNG device, and flow control is performed on the data packet sent to user X through the BNG according to the access control policy configured on the logical interface.
  • 3) The BNG can also configure the multicast control policy on the logical interface, that is, configure the multicast control list.
  • after user X successfully accesses the BNG, user X sends an IGMP message request carrying the user MAC address. After receiving the IGMP message request sent by user X, the BNG searches the user access table according to the MAC address, finds the logical interface corresponding to user X, and determines, according to the multicast control list configured on the logical interface, whether user X is allowed to join the multicast group. If yes, the BNG allows user X to join the multicast group and sends multicast data traffic to user X; otherwise, the BNG discards the IGMP message request sent by user X.
  • the method provided by the embodiment of the present invention can configure the logical interface on the BNG device to uniquely identify the user link in the multi-service mode, thereby implementing, according to the user link identification information, the security control policy configured on the logical interface, so that security controls such as access control, bandwidth control, flow control, and multicast control are implemented on a single user link.
  • Embodiment 3 An embodiment of the present invention provides a method for user access security control, and the steps are as follows:
  • Step 301 The BNG obtains the user link identifier.
  • Step 302 The BNG creates a corresponding logical link identifier (ie, a logical interface) for the user link identifier according to the obtained user link identifier.
  • the embodiment of the present invention uses a logical link identifier that is a logical interface as an example for description.
  • Step 303 The BNG configures different user types on the logical interface through different keywords.
  • the reference command line is as follows: [BNG] terminal-type voip dhcp-option-60 include VoIP
  • Step 304 User X initiates an access request through DHCP, that is, sends a DHCP access request message.
  • the DHCP access request carries the keyword VoIP-ISP-1, indicating that user X is a VoIP terminal of ISP-1.
  • the keywords for the different types of users are defined on both the user side and the BNG.
  • Step 305 The DSLAM receives the DHCP access request packet sent by user X, inserts the user link identifier into the DHCP access request packet, and forwards the DHCP access request packet with the user link identifier inserted to the BNG.
  • Step 306 The BNG receives the DHCP access request packet that is sent by the DSLAM and carries the user link identifier information, and determines whether the corresponding logical interface can be found according to the user link identifier carried in the DHCP access request packet. If yes, step 307 is performed; otherwise, step 308 is performed.
  • Step 307 The BNG determines whether the keyword carried in the DHCP access request packet of user X matches the keyword configured on the logical interface. If yes, step 309 is performed; otherwise, step 308 is performed.
  • Step 308 The BNG discards the received access request packet, prohibits user X from accessing, and ends.
  • Step 309 The BNG creates a user access entry bound to the logical interface, saves the information of user X, and returns a DHCP response packet to the DSLAM, where the DHCP response packet carries the user link identifier.
  • Step 310 The DSLAM receives the DHCP response packet returned by the BNG, deletes the user link identifier carried in the packet, and forwards the DHCP response packet, with the user link identifier removed, to user X.
  • Step 311 After the DHCP negotiation is completed, user X successfully accesses the BNG, and the process ends.
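As an added example (not the patent's or Huawei's code), the following Python simulates the DSLAM/BNG exchange of Embodiments 1 to 3 end to end: the DSLAM inserts the user link identifier as the DHCP relay agent Agent-Circuit-ID (Option 82, sub-option 1, RFC 3046) and strips it from the response, and the BNG parses it, looks up the logical interface and applies the preset access condition, whether the interface exists (Embodiment 1), the IP session limit has not been reached (Embodiment 2), and the terminal-type keyword is contained in the DHCP vendor class identifier, option 60 (Embodiment 3). The identifier string format, the data structures, the node name dslam1 and the MAC addresses are assumptions; the option numbers are the standard ones.

```python
"""Added example: DSLAM inserts a user link identifier into a DHCP request as
Option 82 Agent-Circuit-ID; the BNG admits or discards the request using the
three preset access conditions of Embodiments 1-3.  Formats are assumptions."""
from dataclasses import dataclass, field
from typing import Optional

OPT_VENDOR_CLASS = 60   # RFC 2132 vendor class identifier (the "keyword" of Embodiment 3)
OPT_RELAY_AGENT = 82    # RFC 3046 relay agent information
SUBOPT_CIRCUIT_ID = 1   # RFC 3046 Agent Circuit ID sub-option
OPT_END = 255


def encode_options(options: dict) -> bytes:
    """TLV-encode DHCP options (code, length, value) and append the end marker."""
    out = bytearray()
    for code, value in options.items():
        out += bytes([code, len(value)]) + value
    out.append(OPT_END)
    return bytes(out)


def decode_options(raw: bytes) -> dict:
    """Parse TLV options; stops at the end marker and skips pad bytes (0)."""
    opts, i = {}, 0
    while i < len(raw) and raw[i] != OPT_END:
        if raw[i] == 0:
            i += 1
            continue
        code, length = raw[i], raw[i + 1]
        opts[code] = raw[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def dslam_insert_link_id(request: bytes, frame: int, slot: int, port: int,
                         node: str = "dslam1") -> bytes:
    """Steps 104/205/305: the DSLAM knows the frame/slot/port the request arrived on and
    inserts the matching identifier (format assumed to equal the BNG's configured one)."""
    opts = decode_options(request)
    circuit_id = f"{node}-atm-{frame}-{slot}/{port}".encode()
    opts[OPT_RELAY_AGENT] = bytes([SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id
    return encode_options(opts)


def dslam_strip_link_id(response: bytes) -> bytes:
    """Steps 109/210/310: the DSLAM deletes Option 82 before forwarding to the user."""
    opts = decode_options(response)
    opts.pop(OPT_RELAY_AGENT, None)
    return encode_options(opts)


@dataclass
class LogicalInterface:
    link_id: str
    max_ip_sessions: Optional[int] = None     # Embodiment 2: None means no limit
    terminal_keyword: Optional[bytes] = None  # Embodiment 3: None means any user type
    sessions: int = 0


@dataclass
class BNG:
    interfaces: dict = field(default_factory=dict)         # link_id -> LogicalInterface
    user_access_table: dict = field(default_factory=dict)  # user MAC -> link_id

    @staticmethod
    def parse_link_id(opts: dict) -> Optional[str]:
        """Walk the Option 82 sub-options and return the Agent-Circuit-ID string."""
        agent, i = opts.get(OPT_RELAY_AGENT, b""), 0
        while i + 2 <= len(agent):
            sub, length = agent[i], agent[i + 1]
            if sub == SUBOPT_CIRCUIT_ID:
                return agent[i + 2:i + 2 + length].decode(errors="replace")
            i += 2 + length
        return None

    def handle_request(self, request: bytes, mac: bytes) -> str:
        """Steps 105-107 / 206-209 / 306-309: admit or discard one DHCP request."""
        opts = decode_options(request)
        link_id = self.parse_link_id(opts)
        iface = self.interfaces.get(link_id) if link_id else None
        if iface is None:
            return "discard: no logical interface"
        if iface.max_ip_sessions is not None and iface.sessions >= iface.max_ip_sessions:
            return "discard: session limit reached"
        if iface.terminal_keyword is not None and \
                iface.terminal_keyword not in opts.get(OPT_VENDOR_CLASS, b""):
            return "discard: terminal type mismatch"
        self.user_access_table[mac] = link_id   # user access entry bound to the interface
        iface.sessions += 1                     # the patent counts this once DHCP completes
        return "accept"


def run_demo():
    """Constructed scenario: a VoIP interface limited to one session and an unlimited one."""
    bng = BNG(interfaces={
        "dslam1-atm-0-1/3": LogicalInterface("dslam1-atm-0-1/3", 1, b"VoIP"),
        "dslam1-atm-0-1/5": LogicalInterface("dslam1-atm-0-1/5", None, b"VoIP"),
    })
    voip = encode_options({OPT_VENDOR_CLASS: b"VoIP-ISP-1"})  # keyword from the patent text
    iptv = encode_options({OPT_VENDOR_CLASS: b"IPTV"})
    return [
        bng.handle_request(dslam_insert_link_id(voip, 0, 1, 3), b"\x00\x11\x22\x33\x44\x55"),
        bng.handle_request(dslam_insert_link_id(voip, 0, 1, 3), b"\x00\x11\x22\x33\x44\x56"),
        bng.handle_request(dslam_insert_link_id(voip, 0, 1, 4), b"\x00\x11\x22\x33\x44\x57"),
        bng.handle_request(dslam_insert_link_id(iptv, 0, 1, 5), b"\x00\x11\x22\x33\x44\x58"),
    ], bng
```

The keyword test uses substring containment, matching the `dhcp-option-60 include VoIP` form of the configuration line quoted above; the second request on port 3 is refused only because the session limit of that interface is 1, and the request on port 4 is refused because no logical interface was configured for that link.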
  • after the user accesses the BNG device, security control can be performed on the user, for example:
  • 1) The BNG can also configure a bandwidth parameter for the created logical interface, where the bandwidth parameter specifically includes an uplink bandwidth parameter and a downlink bandwidth parameter.
  • after user X successfully accesses the BNG, user X sends a data packet carrying the user MAC address and IP address; the BNG searches the user access table according to the user MAC address and IP address carried in the received data packet, finds the corresponding logical interface, and performs bandwidth control on the data packet according to the uplink bandwidth parameter configured on the logical interface. When a device providing a service (such as an ASP) sends a data packet to user X through the BNG, the BNG searches the user access table according to the MAC address of user X carried in the data packet, finds the corresponding logical interface, and performs bandwidth control on the data packet sent to user X according to the downlink bandwidth parameter configured on the logical interface.
  • 2) When traffic control needs to be performed, the access control policy can be configured on the BNG logical interface by using the traffic-policy command.
  • after user X successfully accesses the BNG, user X sends a data packet carrying the user's MAC address and IP address; the BNG searches the user access table according to the user's MAC address and IP address carried in the received data packet, finds the logical interface corresponding to user X, and performs flow control on the data packet sent by user X according to the access control policy configured on the logical interface. When a device providing a service in the network (such as an ASP) sends a data packet to user X through the BNG, the user access table is searched according to the MAC address of user X carried in the data packet, the logical interface corresponding to user X is found, the next hop of the data packet is the logical interface corresponding to user X on the BNG device, and the logical interface performs flow control on the data packet sent to user X through the BNG according to the access control policy configured on it.
  • 3) The BNG can also configure the multicast control policy on the logical interface, that is, configure the multicast control list.
  • IGMP Internet Group Management Protocol
  • after user X successfully accesses the BNG, user X sends an IGMP message request carrying the user MAC address. After receiving the IGMP message request sent by user X, the BNG searches the user access table according to the MAC address, finds the logical interface corresponding to user X, and determines, according to the multicast control list configured on the logical interface, whether user X is allowed to join the multicast group. If yes, the BNG allows user X to join the multicast group and sends the multicast stream to user X; otherwise, the BNG discards the IGMP message request sent by user X.
  • the method provided by the embodiment of the present invention can uniquely identify the user link in the multi-service mode by configuring the logical interface on the BNG device, thereby implementing, according to the user link identification information, the security control policy configured on the logical interface, and implementing security control such as access control, bandwidth control, flow control, and multicast control for a single user link.
  • Embodiment 4 An embodiment of the present invention provides a system for user access security control, where the system includes:
  • a user node 601 configured to send an access request message
  • an access device 602 configured to receive the access request message sent by the user node 601, insert a user link identifier into the access request message sent by the user node 601, and send the access request message with the user link identifier inserted.
  • a control device 603 configured to: after receiving the access request message sent by the access device 602 with the user link identifier inserted, parse it to obtain the user link identifier; determine, according to the user link identifier, whether the access request message satisfies the preset access condition; and if yes, allow the user node 601 corresponding to the user link identifier to access.
  • the control device 603 includes:
  • a first receiving module 6031 configured to receive an access request message sent by the access device 602;
  • a first parsing module 6032 configured to parse the access request packet received by the first receiving module 6031 to obtain a user link identifier;
  • a first determining module 6033 configured to determine, according to the user link identifier parsed by the first parsing module 6032, whether the logical link identifier corresponding to the user link identifier can be found; and
  • a first processing module 6034 configured to allow the user node 601 corresponding to the user link identifier to access when the result of the determination by the first determining module 6033 is that the logical link identifier corresponding to the user link identifier can be found.
  • control device 603 includes:
  • the second receiving module 6035 is configured to receive an access request message sent by the access device 602.
  • the second parsing module 6036 is configured to parse the access request packet received by the second receiving module 6035 to obtain a user link identifier.
  • the searching module 6037 is configured to search, according to the user link identifier parsed by the second parsing module 6036, for the logical link identifier corresponding to the user link identifier.
  • the second determining module 6038 is configured to determine whether the number of user sessions already accessed on the logical link identifier found by the searching module 6037 has reached a preset threshold;
  • the second processing module 6039 is configured to allow the user node 601 corresponding to the user link identifier to access when the second determining module 6038 determines that the number of accessed user sessions has not reached the preset threshold, and to increase the number of accessed user sessions by one.
  • control device 603 includes:
  • the third receiving module 60310 is configured to receive an access request message sent by the access device 602.
  • the third parsing module 60311 is configured to parse the access request packet received by the third receiving module 60310 to obtain a user link identifier.
  • the second searching module 60312 is configured to search, according to the user link identifier parsed by the third parsing module 60311, for the logical link identifier corresponding to the user link identifier.
  • the third determining module 60313 is configured to determine whether the user type carried in the access request message is consistent with the preset user type on the logical link identifier found by the second searching module 60312;
  • the third processing module 60314 is configured to allow the user node 601 corresponding to the user link identifier to access when the third determining module 60313 determines that the user type carried in the access request message is consistent with the preset user type on the logical link identifier found by the second searching module 60312.
  • the system provided by the embodiment of the present invention configures the logical link identifier (which can be implemented in the form of creating a logical interface) on the control device and can uniquely identify the user link in the multi-service mode, thereby implementing, through the security control policy pre-configured for the logical link identifier, security control policies such as access control, bandwidth control, flow control and multicast control for a single user link according to the user link identification information.
  • an embodiment of the present invention provides an access device, where the device includes:
  • the receiving module 701 is configured to receive an access request message sent by the user node.
  • the identifier insertion module 702 is configured to insert a user link identifier in the access request message received by the receiving module 701.
  • the sending module 703 is configured to send an access request message after the identifier insertion module 702 inserts the user link identifier.
  • the access device provided by the embodiment of the present invention can receive the access request message sent by the user node, insert the user link identifier into the received access request message, and send the access request message after the user link identifier has been inserted.
  • the device may also insert other information, such as a user type, into the received access request message.
  • an embodiment of the present invention provides a control device, where the device includes:
  • the receiving module 801 is configured to receive an access request message sent by the access device, where the access request message carries the user link identifier.
  • the parsing module 802 is configured to parse the access request packet received by the receiving module 801 to obtain a user link identifier.
  • the processing module 803 is configured to determine, according to the user link identifier parsed by the parsing module 802, whether the access request message satisfies a preset access condition, and if so, to allow the user corresponding to the user link identifier to access.
  • the processing module 803 includes:
  • the first determining unit 8031 is configured to determine, according to the user link identifier that is parsed by the parsing module 802, whether the logical link identifier corresponding to the user link identifier can be found.
  • the first processing unit 8032 is configured to allow the user corresponding to the user link identifier to access when the first determining unit 8031 determines that the logical link identifier corresponding to the user link identifier can be found.
  • the processing module 803 includes:
  • the first searching unit 8033 is configured to search, according to the user link identifier parsed by the parsing module 802, for the logical link identifier corresponding to the user link identifier;
  • the second determining unit 8034 is configured to determine whether the number of user sessions already accessed on the logical link identifier found by the first searching unit 8033 has reached a preset threshold;
  • the second processing unit 8035 is configured to allow the user corresponding to the user link identifier to access when the second determining unit 8034 determines that the number of accessed user sessions has not reached the preset threshold, and to increase the number of accessed user sessions by 1.
  • the processing module 803 includes:
  • the second searching unit 8036 is configured to search, according to the user link identifier parsed by the parsing module 802, for the logical link identifier corresponding to the user link identifier.
  • the third determining unit 8037 is configured to determine whether the user type carried in the access request message is the same as the preset user type on the logical link identifier found by the second searching unit 8036;
  • the third processing unit 8038 is configured to allow the user corresponding to the user link identifier to access when the third determining unit 8037 determines that the user type carried in the access request message is the same as the preset user type on the logical link identifier found by the second searching unit 8036.
  • after the user has accessed the control device, the control device can also perform security control on the accessed user. In this case, see the figure.
  • control device also includes:
  • the first recording module 804 is configured to record, when the processing module 803 allows the user corresponding to the user link identifier to access, the user's media access control address, IP address, user link identifier and logical link identifier, taken from the access request message, in the user access table;
  • the first configuration module 805 is configured to configure a control policy for the logical link identifier according to the logical link identifier recorded by the first recording module 804 in the user access table.
  • the first control module 806 is configured to: when receiving a data packet sent by the user, search the user access table of the first recording module 804 for the corresponding logical link identifier according to the media access control address and IP address carried in the data packet, and control the data packet according to the control policy corresponding to the logical link identifier found;
  • the second control module 807 is configured to: when receiving a data packet sent to the user, search the user access table of the first recording module 804 for the corresponding logical link identifier according to the media access control address carried in the data packet sent to the user, and control the data packet sent to the user according to the control policy corresponding to that logical link identifier.
  • the control policy configured by the foregoing configuration module may be an access control policy and/or a bandwidth control policy, and correspondingly flow control or bandwidth control may be performed on data packets.
  • the embodiment of the present invention does not limit the type of control policy configured by the configuration module.
  • the control device further includes: a second recording module 808, configured to record, when the processing module 803 allows the user corresponding to the user link identifier to access, the user's media access control address, IP address, user link identifier and logical link identifier, taken from the access request message, in the user access table.
  • the second configuration module 809 is configured to configure a multicast control policy for the logical link identifier according to the logical link identifier recorded by the second recording module 808.
  • the multicast control module 8010 is configured to: when receiving an Internet Group Management Protocol message sent by the user to join a multicast group, search the user access table of the second recording module 808 for the corresponding logical link identifier according to the media access control address carried in the message, find the multicast control policy corresponding to that logical link identifier, and determine from it whether the user is allowed to join the multicast group; if so, the user is allowed to join the multicast group.
  • the control device provided by the embodiment of the present invention configures the logical link identifier (which can be implemented in the form of creating a logical interface) and can uniquely identify the user link in the multi-service mode, thereby implementing, through the security control policy pre-configured for the logical link identifier, security control policies such as access control, bandwidth control, flow control and multicast control for a single user link according to the user link identification information.
  • the technical solution provided by the foregoing embodiments of the present invention can identify a user link in the multi-service mode by configuring a logical link identifier on a control device such as a BNG, thereby implementing, through the security control policy pre-configured for the logical link identifier, security control policies such as access control, bandwidth control, traffic control and multicast control for a single user link according to the user link identification information.
  • Some steps in the embodiment of the present invention may be implemented by using software, and the corresponding software program may be stored in a readable storage medium, such as an optical disk or a hard disk.

Abstract

A method, a system and a device for user access security control are provided. The method comprises: receiving an access request message which contains a user link ID; parsing the access request message to obtain the user link ID; judging, according to the user link ID, whether the access request message satisfies a preset access condition; and if so, permitting the user corresponding to the user link ID to access. The system includes user nodes, an access device and a control device. The access device includes a receiving module, an identifier inserting module and a transmitting module. The control device includes a receiving module, a parsing module and a processing module. The user link can be identified uniquely in the multi-service mode by configuring a logical interface on the BNG device, so that security control policies such as access control, bandwidth control and multicast control for a single user link are enforced, according to the user link ID information, under the preset security control policy of the logical interface.

Description

Method, system and device for user access security control
Technical field
The present invention relates to the field of communications, and in particular to a method, system and device for user access security control.
Background
With the development of broadband access technology, the access methods and access technologies of networks have changed greatly. The network has also developed from a traditional network that provided only Internet access services into a multi-service bearer network. FIG. 1 is a schematic diagram of the networking of a broadband access technology in the prior art. Users such as TV set-top boxes, VoIP (Voice over Internet Protocol) terminals, PCs connected to the Internet, mobile phone terminals and handheld multimedia terminals obtain unified access through an RG (Residential Gateway). The RG connects over a telephone twisted pair, or by ADSL (Asymmetric Digital Subscriber Line)/VDSL (Very-high-data-rate Digital Subscriber Line) or similar technology, to a DSLAM (Digital Subscriber Line Access Multiplexer). The DSLAM is a Layer 2 device that aggregates user access links and converts between xDSL (ADSL/VDSL) and the uplink Ethernet link. The DSLAM then connects through the access network to a BNG (Broadband Network Gateway). The BNG may be a BRAS (Broadband Remote Access Server) or a router dedicated to providing services. In the network, the BNG implements PPPoE (PPP over Ethernet) access, typically the service by which a PC accesses the Internet, and DHCP (Dynamic Host Configuration Protocol) access, typically the access management of TV set-top boxes, VoIP terminals and the like. The BNG also distributes the different service data flows provided by an ASP (Application Service Provider)/ISP (Internet Service Provider) to the corresponding users; the services provided by the ASP/ISP include IPTV, Internet access, VoIP and so on. The network also includes a policy server, gateway server and the like, which manage users and services by delivering control policies to the various gateway devices in the network.
It can be seen that the BNG is the core node in the network that handles user access management, service distribution, service policy enforcement and similar functions.
FIG. 2 is a schematic diagram of user service access mapping in the prior art. After being accessed through the RG, the different user services reach the DSLAM over different VCs (Virtual Circuits): the TV set-top box service over VC1, the VoIP service over VC2, and the PC service over VC3. When the DSLAM maps VCs to VLANs, the prior art provides two mapping models:
1) N:1 model: the same service type is mapped to the same S-VLAN; that is, on one DSLAM, the traffic of the same service type from all users is identified by the BNG, on arrival, by the same S-VLAN.
2) 1:1 model: the DSLAM assigns a unique S-VLAN+C-VLAN combination to each service type, generally with the S-VLAN identifying the service and the C-VLAN identifying the user; that is, on one DSLAM, when the data packets of each service type of a user reach the BNG, the BNG uniquely identifies them by the S-VLAN+C-VLAN combination.
In the course of implementing the present invention, the inventors found that the prior art has at least the following disadvantages and deficiencies:
The BNG identifies the accessed user link through VLAN/QinQ (extended 802.1Q), and security control is performed at VLAN/QinQ granularity. In the multi-service mode the BNG cannot uniquely identify a user link through VLAN/QinQ, and therefore cannot implement security control on a single user link.
Summary of the invention
To enable the BNG to implement security control on a single user link, embodiments of the present invention provide a method, system and device for user access security control. The technical solution is as follows:
An embodiment of the present invention provides a method for user access security control, the method including:
receiving an access request message, where the access request message carries a user link identifier;
parsing the access request message to obtain the user link identifier;
determining, according to the user link identifier, whether the access request message satisfies a preset access condition;
and if so, allowing the user corresponding to the user link identifier to access.
An embodiment of the present invention further provides a system for user access security control, the system including:
a user node, configured to send an access request message;
an access device, configured to receive the access request message sent by the user node, insert a user link identifier into the access request message sent by the user node, and send the access request message with the user link identifier inserted;
a control device, configured to: after receiving the access request message with the user link identifier inserted, sent by the access device, parse it to obtain the user link identifier; determine, according to the user link identifier, whether the access request message satisfies a preset access condition; and if so, allow the user node corresponding to the user link identifier to access.
An embodiment of the present invention further provides an access device, the device including:
a receiving module, configured to receive an access request message sent by a user node;
an identifier insertion module, configured to insert a user link identifier into the access request message received by the receiving module; and a sending module, configured to send the access request message after the identifier insertion module has inserted the user link identifier.
An embodiment of the present invention further provides a control device, the device including: a receiving module, configured to receive an access request message sent by an access device, where the access request message carries a user link identifier;
a parsing module, configured to parse the access request message received by the receiving module to obtain the user link identifier; and a processing module, configured to determine, according to the user link identifier parsed by the parsing module, whether the access request message satisfies a preset access condition, and if so, to allow the user corresponding to the user link identifier to access.
The beneficial effects of the technical solutions provided by the embodiments of the present invention are:
By configuring a logical interface on the BNG device, the user link can be uniquely identified in the multi-service mode, so that security control can be implemented on a single user link, according to the user link identification information, on the pre-configured logical interface.
Brief description of the drawings
FIG. 1 is a schematic diagram of the networking of a broadband access technology in the prior art;
FIG. 2 is a schematic diagram of user service access mapping in the prior art;
FIG. 3 is a flowchart of the method for user access security control provided by Embodiment 1 of the present invention;
FIG. 4 is a flowchart of the method for user access security control provided by Embodiment 2 of the present invention;
FIG. 5 is a flowchart of the method for user access security control provided by Embodiment 3 of the present invention;
FIG. 6 is a schematic diagram of the system for user access security control provided by Embodiment 4 of the present invention;
FIG. 7 is a detailed schematic diagram of the system for user access security control provided by Embodiment 4 of the present invention;
FIG. 8 is a schematic diagram of the access device provided by Embodiment 5 of the present invention;
FIG. 9 is a schematic diagram of the control device provided by Embodiment 6 of the present invention;
FIG. 10 is a detailed schematic diagram of the control device provided by Embodiment 6 of the present invention;
FIG. 11 is another schematic diagram of the control device provided by Embodiment 6 of the present invention.
Detailed description
To make the objectives, technical solutions and advantages of the present invention clearer, the embodiments of the present invention are described in further detail below with reference to the accompanying drawings.
With the technical solution provided by the embodiments of the present invention, the BNG can uniquely identify the user link identification information in the multi-service mode and thereby implement security control on a single user link. The method for user access security control provided by the embodiments of the present invention includes:
receiving an access request message that carries a user link identifier; parsing the access request message to obtain the user link identifier; determining, according to the user link identifier, whether the access request message satisfies a preset access condition; and if so, allowing the user corresponding to the user link identifier to access. The technical solution provided by the embodiments of the present invention is described in detail below according to the specific security control policy configured:
Embodiment 1
Referring to FIG. 3, an embodiment of the present invention provides a method for user access security control, with the following steps:
Step 101: The BNG obtains the user link identifier.
The BNG can obtain the user link identification information in either of the following two ways:
1) The administrator manually configures the DSLAM device information on the BNG through the command line. The DSLAM device information specifically includes the frame number, slot number and port number of the device; the DSLAM can uniquely identify a user link accessing the DSLAM by frame number + slot number + port number. The reference command line format is as follows:
access-loop-circuit-identifier dslam1-atm-frame-slot/port:[vpi.vci]
Here access-loop-circuit-identifier is the command word, indicating that a user link identifier needs to be configured on the BNG, and it is followed by the strings corresponding to each identifier: dslam1 denotes the name of a DSLAM node, atm indicates that the link layer between the RG and the DSLAM is ATM, frame is the frame number of the DSLAM, slot is the slot number in the DSLAM, port is the port number of the DSLAM, and vpi.vci is optional PVC (Permanent Virtual Circuit) information.
2) The link information reporting function provided by the ANCP (Access Node Control Protocol) protocol. ANCP uses TCP as its transport-layer protocol and provides a channel for passing control information between the BNG and the DSLAM. When the user starts the RG and activates the user link, the DSLAM reports that user's user link information to the BNG through ANCP, where the user link information includes the user link status, the user link identifier and related user link parameters. The ANCP protocol defines it as follows:
Type (Access-Loop-Circuit-ID = 0x01), maximum length 64; the protocol's default format is: access-Node-Identifier atm slot/port[:vlan-id]
Step 102: According to the obtained user link identifier, the BNG creates a corresponding logical link identifier (that is, a logical interface) for the user link identifier.
The logical link identifier may specifically be the user link identifier itself, or a logical interface created according to the user link identifier; the embodiments of the present invention take a logical interface as the logical link identifier by way of example. The logical interface created by the BNG corresponds uniquely to the user link identifier. The reference command line for creating the interface is as follows:
interface user_line dslam1_atm_frame_slot/port:[vpi.vci]
Once the BNG has created the logical interface, the security control policy can be implemented on the created logical interface.
Step 103: User X initiates an access request through DHCP, that is, sends a DHCP access request message.
Depending on their service type, users usually initiate access requests through the DHCP protocol or the PPPoE protocol. For example, a PC user requesting access to the Internet service initiates the access request through PPPoE, whereas a TV set-top box user requesting access to the IPTV service, or a VoIP telephone terminal user requesting access to the VoIP service, initiates the access request through DHCP. This embodiment takes user X initiating an access request through DHCP as an example, but does not limit the type of access request.
Step 104: The DSLAM receives the DHCP access request message sent by user X, inserts the user link identifier into the received DHCP access request message, and forwards the DHCP access request message with the user link identifier inserted to the BNG.
Owing to the characteristics of the DHCP protocol itself, the message contains an Agent-Circuit-ID option used to indicate the identifier of the line through which the user accesses. When it receives the DHCP access request message sent by user X, the DSLAM knows through which of its own frames, slots and ports the access request message was received, and accordingly inserts the corresponding user link identifier; the format of this user link identifier must be the same as the format of the user link identifier preset on the BNG.
Step 105: The BNG receives the DHCP access request message carrying the user link identifier sent by the DSLAM and, according to the user link identifier carried in the DHCP access request message, determines whether the corresponding logical interface can be found. If so, step 106 is performed; otherwise, step 107 is performed.
Step 106: The BNG creates a user access entry bound to the logical interface, saves the information of user X, and performs step 108.
The information of user X and the corresponding logical interface identifier may be saved in the user access table; the information of user X includes user X's MAC (Media Access Control) address, IP address, authentication and accounting information, and so on.
歩骤 107 : BNG丢弃收到接入请求报文, 禁止用户 X接入, 结束。  Step 107: The BNG discards the received access request packet, prohibits the user X from accessing, and ends.
歩骤 108 : BNG向 DSLAM返回 DHCP响应报文, 该 DHCP响应报文中携带用户链路标识信 息。  Step 108: The BNG returns a DHCP response message to the DSLAM, where the DHCP response message carries the user link identification information.
歩骤 109: DSLAM收到 BNG返回的 DHCP响应报文, 删除 DHCP响应报文中携带的用户链 路标识信息, 将删除了用户链路标识信息的 DHCP响应报文转发到用户 X。  Step 109: The DSLAM receives the DHCP response packet returned by the BNG, deletes the user link identifier information carried in the DHCP response packet, and forwards the DHCP response packet with the user link identifier information to the user X.
歩骤 110 : DHCP I办商完成后, 用户 X成功接入 BNG, 结束。  Step 110: After the DHCP I is completed, User X successfully accesses the BNG and ends.
After the user has accessed the BNG device, further security control may be applied to the user. For example:
1) When bandwidth control needs to be applied to user X, the BNG may also configure bandwidth parameters for the created logical interface, where the bandwidth parameters specifically include an uplink bandwidth parameter and a downlink bandwidth parameter.
After user X has successfully accessed the BNG, user X sends a data packet carrying information such as the user MAC address and IP address. The BNG looks up the user access table according to the user MAC address and IP address carried in the received data packet, finds the corresponding logical interface, and performs bandwidth control on the data packet according to the uplink bandwidth parameter configured on that logical interface. When a device providing a service in the network (such as an ASP) sends a data packet to user X through the BNG, the BNG looks up the user access table according to the user MAC address carried in the data packet, finds the corresponding logical interface, and performs bandwidth control on the data packet sent to user X according to the downlink bandwidth parameter configured on that logical interface.
2) When access control needs to be applied to user X, that is, traffic control is performed, the traffic policy command traffic-policy may also be used to configure an access control policy on the BNG logical interface.
After user X has successfully accessed the BNG, user X sends a data packet carrying information such as the user MAC address and IP address. The BNG looks up the user access table according to the user MAC address and IP address carried in the received data packet, finds the logical interface corresponding to user X, and performs traffic control on the data packet sent by user X according to the access control policy configured on that logical interface. When a device providing a service in the network (such as an ASP) sends a data packet to user X through the BNG, the BNG looks up the user access table according to the MAC address of user X carried in the data packet and finds the logical interface corresponding to user X; the next-hop address of the data packet is the logical interface corresponding to user X on the BNG device, and traffic control is performed on the data packet sent to user X through the BNG according to the access control policy configured on that logical interface.
3) When user X requests IGMP (Internet Group Management Protocol) on-demand service and wishes to join a multicast group, the BNG may further configure a multicast control policy on the logical interface, that is, configure a multicast control list.
After user X has successfully accessed the BNG, user X sends an IGMP request packet carrying the user MAC address. After receiving the IGMP request packet sent by user X, the BNG looks up the user access table according to the MAC address, finds the logical interface corresponding to user X, and determines, according to the multicast control list configured on that logical interface, whether user X is allowed to join the multicast group. If so, the BNG allows user X to join the multicast group, processes the IGMP request packet sent by user X, and delivers the multicast data traffic; otherwise, it discards the IGMP request packet sent by user X.
The method provided by the embodiment of the present invention configures a logical interface on the BNG device so that a user link can be uniquely identified in the multi-service mode, and thereby implements security control such as access control, bandwidth control, traffic control and multicast control on a single user link according to the user link identifier information through the security control policy configured on the logical interface.
Embodiment 2
Referring to FIG. 4, an embodiment of the present invention provides a method for user access security control. The steps are as follows:
Step 201: The BNG obtains the user link identifier.
Step 202: According to the obtained user link identifier, the BNG creates a corresponding logical link identifier (that is, a logical interface) for the user link identifier information.
In the embodiment of the present invention, the logical link identifier is described by taking a logical interface as an example.
Step 203: The BNG limits the number of user sessions (IP Sessions) on the logical interface, that is, presets an upper limit on the user's IP Sessions.
Step 204: User X initiates an access request through DHCP, that is, sends a DHCP access request packet.
Step 205: The DSLAM receives the DHCP access request packet sent by user X, inserts the user link identifier into the received DHCP access request packet, and forwards the DHCP access request packet with the user link identifier inserted to the BNG.
Step 206: The BNG receives the DHCP access request packet sent by the DSLAM that carries the user link identifier and, according to the user link identifier carried in the access request packet, determines whether a corresponding logical interface can be found. If so, step 207 is performed; otherwise, step 208 is performed.
Step 207: Determine whether the number of IP Sessions of user X is less than the preset upper limit on user IP Sessions on the found logical interface. If so, step 209 is performed; otherwise, step 208 is performed.
Step 208: The BNG discards the received access request packet, prohibits user X from accessing, and ends.
Step 209: The BNG creates a user access entry bound to the logical interface and saves the information of user X; it then returns a response packet to the DSLAM, and the response packet carries the user link identifier.
Step 210: The DSLAM receives the DHCP response packet returned by the BNG, deletes the user link identifier carried in the packet, and forwards the DHCP response packet with the user link identifier removed to user X.
Step 211: After the DHCP negotiation is completed, user X successfully accesses the BNG; the BNG device increases the recorded number of IP Sessions of this user by 1, and the process ends.
After the user has accessed the BNG device, further security control may be applied to the accessed user. For example:
1) When bandwidth control needs to be applied to user X, the BNG may also configure bandwidth parameters for the created logical interface, where the bandwidth parameters specifically include an uplink bandwidth parameter and a downlink bandwidth parameter.
After user X has successfully accessed the BNG, user X sends a data packet carrying information such as the user MAC address and IP address. The BNG looks up the user access table according to the user MAC address and IP address carried in the received data packet, finds the corresponding logical interface, and performs bandwidth control on the data packet according to the uplink bandwidth parameter configured on that logical interface. When a device providing a service in the network (such as an ASP) sends a data packet to user X through the BNG, the BNG looks up the user access table according to the user MAC address carried in the data packet, finds the corresponding logical interface, and performs bandwidth control on the data packet sent to user X according to the downlink bandwidth parameter configured on that logical interface.
2) When access control needs to be applied to user X, that is, traffic control is performed, commands such as traffic-policy may also be used to configure an access control policy on the BNG logical interface.
After user X has successfully accessed the BNG, user X sends a data packet carrying information such as the user MAC address and IP address. The BNG looks up the user access table according to the user MAC address and IP address carried in the received data packet, finds the logical interface corresponding to user X, and performs traffic control on the data packet sent by user X according to the access control policy configured on that logical interface. When a device providing a service in the network (such as an ASP) sends a data packet to user X through the BNG, the BNG looks up the user access table according to the MAC address of user X carried in the data packet and finds the logical interface corresponding to user X; the next-hop address of the data packet is the logical interface corresponding to user X on the BNG device, and traffic control is performed on the data packet sent to user X through the BNG according to the access control policy configured on that logical interface.
3) When user X requests IGMP (Internet Group Management Protocol) on-demand service and wishes to join a multicast group, the BNG may further configure a multicast control policy on the logical interface, that is, configure a multicast control list.
After user X has successfully accessed the BNG, user X sends an IGMP request packet carrying the user MAC address. After receiving the IGMP request packet sent by user X, the BNG looks up the user access table according to the MAC address, finds the logical interface corresponding to user X, and determines, according to the multicast control list configured on that logical interface, whether user X is allowed to join the multicast group. If so, the BNG allows user X to join the multicast group, processes the IGMP request packet sent by user X, and delivers the multicast data traffic; otherwise, it discards the IGMP request packet sent by user X.
The method provided by the embodiment of the present invention configures a logical interface on the BNG device so that a user link can be uniquely identified in the multi-service mode, and thereby implements security control such as access control, bandwidth control, traffic control and multicast control on a single user link according to the user link identifier information through the security control policy configured on the logical interface.
Embodiment 3
Referring to FIG. 5, an embodiment of the present invention provides a method for user access security control. The steps are as follows:
Step 301: The BNG obtains the user link identifier.
Step 302: According to the obtained user link identifier, the BNG creates a corresponding logical link identifier (that is, a logical interface) for the user link identifier.
In the embodiment of the present invention, the logical link identifier is described by taking a logical interface as an example.
Step 303: The BNG configures different user types on the logical interface through different keywords. A reference command line is as follows:
[BNG] terminal-type voip dhcp-option-60 include VoIP
Step 304: User X initiates an access request through DHCP, that is, sends a DHCP access request packet.
Here user X initiates the access request through DHCP; for example, the DHCP access request carries the keyword VoIP-ISP-1, indicating that user X is a VoIP terminal of ISP-1.
Through step 302 and step 303, the user and the BNG each define keywords for the different types of users.
Step 305: The DSLAM receives the DHCP access request packet sent by user X, inserts the user link identifier into the received DHCP access request packet, and forwards the DHCP access request packet with the user link identifier inserted to the BNG.
Step 306: The BNG receives the DHCP access request packet sent by the DSLAM that carries the user link identifier information and, according to the user link identifier carried in the DHCP access request packet, determines whether a corresponding logical interface can be found. If so, step 307 is performed; otherwise, step 308 is performed.
Step 307: The BNG determines whether the keyword carried in the DHCP access request packet of user X matches the keyword configured on the logical interface. If so, step 309 is performed; otherwise, step 308 is performed.
Step 308: The BNG discards the received access request packet, prohibits user X from accessing, and ends.
Step 309: The BNG creates a user access entry bound to the logical interface and saves the information of user X; it then returns a DHCP response packet to the DSLAM, and the DHCP response packet carries the user link identifier.
Step 310: The DSLAM receives the DHCP response packet returned by the BNG, deletes the user link identifier carried in the packet, and forwards the response packet with the user link identifier removed to user X.
Step 311: After the DHCP negotiation is completed, user X successfully accesses the BNG, and the process ends.
After the user has accessed the BNG device, further security control may be applied to the accessed user. For example:
1) When bandwidth control needs to be applied to user X, the BNG may also configure bandwidth parameters for the created logical interface, where the bandwidth parameters specifically include an uplink bandwidth parameter and a downlink bandwidth parameter.
After user X has successfully accessed the BNG, user X sends a data packet carrying information such as the user MAC address and IP address. The BNG looks up the user access table according to the user MAC address and IP address carried in the received data packet, finds the corresponding logical interface, and performs bandwidth control on the data packet according to the uplink bandwidth parameter configured on that logical interface. When a device providing a service in the network (such as an ASP) sends a data packet to user X through the BNG, the BNG looks up the user access table according to the user MAC address carried in the data packet, finds the corresponding logical interface, and performs bandwidth control on the data packet sent to user X according to the downlink bandwidth parameter configured on that logical interface.
2) When access control needs to be applied to user X, that is, traffic control is performed, commands such as traffic-policy may also be used to configure an access control policy on the BNG logical interface.
After user X has successfully accessed the BNG, user X sends a data packet carrying information such as the user MAC address and IP address. The BNG looks up the user access table according to the user MAC address and IP address carried in the received data packet, finds the logical interface corresponding to user X, and performs traffic control on the data packet sent by user X according to the access control policy configured on that logical interface. When a device providing a service in the network (such as an ASP) sends a data packet to user X through the BNG, the BNG looks up the user access table according to the MAC address of user X carried in the data packet and finds the logical interface corresponding to user X; the next-hop address of the data packet is the logical interface corresponding to user X on the BNG device, and traffic control is performed on the data packet sent to user X through the BNG according to the access control policy configured on that logical interface.
3) When user X requests IGMP (Internet Group Management Protocol) on-demand service and wishes to join a multicast group, the BNG may further configure a multicast control policy on the logical interface, that is, configure a multicast control list.
After user X has successfully accessed the BNG, user X sends an IGMP request packet carrying the user MAC address. After receiving the IGMP request packet sent by user X, the BNG looks up the user access table according to the MAC address, finds the logical interface corresponding to user X, and determines, according to the multicast control list configured on that logical interface, whether user X is allowed to join the multicast group. If so, the BNG allows user X to join the multicast group, processes the IGMP request packet sent by user X, and delivers the multicast data traffic; otherwise, it discards the IGMP request packet sent by user X.
The method provided by the embodiment of the present invention configures a logical interface on the BNG device so that a user link can be uniquely identified in the multi-service mode, and thereby implements security control such as access control, bandwidth control, traffic control and multicast control on a single user link according to the user link identifier information through the security control policy configured on the logical interface.
In the above embodiments of the present invention, creating a logical interface is only one way of implementation; any security control such as access control, traffic control, bandwidth control or multicast control implemented on a BNG or similar device on the basis of a logical link identifier falls within the protection scope of the present invention.
Embodiment 4
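The BNG-side decisions of embodiments 1 to 3 (logical interface lookup by user link identifier, IP Session limit, user type keyword match) and the post-access multicast control list check, as an added Python simulation that is neither the patent's code nor any vendor's implementation. The link identifier format, the 10.0.0.x lease addresses, the MAC addresses and the substring "include" match for the option 60 keyword are constructed assumptions.

```python
from dataclasses import dataclass, field, replace
from typing import Dict, Optional, Set, Tuple


@dataclass
class LogicalInterface:
    """Logical interface the BNG creates for one user link identifier (steps 202/302)."""
    link_id: str
    session_limit: int = 1                    # preset IP Session upper limit (step 203)
    user_type_keyword: Optional[str] = None   # keyword expected in DHCP option 60 (step 303)
    multicast_allow: Set[str] = field(default_factory=set)  # multicast control list (item 3)
    sessions: int = 0                         # IP Sessions currently recorded (step 211)


@dataclass
class DhcpRequest:
    """DHCP access request as seen by the BNG; all field values are constructed samples."""
    client_mac: str
    option60: str = ""             # vendor class keyword sent by the user, e.g. VoIP-ISP-1
    link_id: Optional[str] = None  # user link identifier inserted by the DSLAM (step 205)


def dslam_insert_link_id(req: DhcpRequest, link_id: str) -> DhcpRequest:
    """Step 205/305: the DSLAM tags the upstream request with the user link identifier."""
    return replace(req, link_id=link_id)


def dslam_strip_link_id(response: Dict[str, str]) -> Dict[str, str]:
    """Step 109/210/310: the DSLAM removes the link identifier before forwarding to the user."""
    return {k: v for k, v in response.items() if k != "link_id"}


class Bng:
    def __init__(self) -> None:
        self.interfaces: Dict[str, LogicalInterface] = {}  # link identifier -> logical interface
        self.access_table: Dict[str, Dict[str, str]] = {}  # user MAC -> user access entry
        self._next_host = 1                                 # constructed address pool 10.0.0.x

    def create_logical_interface(self, link_id: str, session_limit: int = 1,
                                 keyword: Optional[str] = None,
                                 multicast_allow: Tuple[str, ...] = ()) -> None:
        """Steps 202/203/303: bind an interface to a link identifier and preset its policies."""
        self.interfaces[link_id] = LogicalInterface(link_id, session_limit, keyword,
                                                    set(multicast_allow))

    def handle_access_request(self, req: DhcpRequest
                              ) -> Tuple[bool, str, Optional[Dict[str, str]]]:
        """Steps 105-108 / 206-209 / 306-309: returns (accepted, reason, response)."""
        iface = self.interfaces.get(req.link_id) if req.link_id else None
        if iface is None:                           # no logical interface: step 107/208/308
            return False, "no logical interface for link identifier", None
        if iface.sessions >= iface.session_limit:   # step 207 fails -> step 208
            return False, "IP Session limit reached", None
        if iface.user_type_keyword is not None and iface.user_type_keyword not in req.option60:
            return False, "user type keyword mismatch", None   # step 307 fails -> step 308
        ip = f"10.0.0.{self._next_host}"            # constructed lease address
        self._next_host += 1
        # user access entry bound to the logical interface (step 106/209/309)
        self.access_table[req.client_mac] = {"ip": ip, "link_id": req.link_id}
        iface.sessions += 1                         # step 211
        # the response towards the DSLAM still carries the link identifier (step 108/209/309)
        return True, "accepted", {"yiaddr": ip, "link_id": req.link_id}

    def handle_igmp_join(self, client_mac: str, group: str) -> bool:
        """Item 3: find the interface by the user's MAC and consult its multicast control list."""
        entry = self.access_table.get(client_mac)
        if entry is None:
            return False                            # no access entry: the join is discarded
        iface = self.interfaces[entry["link_id"]]
        return group in iface.multicast_allow


if __name__ == "__main__":
    bng = Bng()
    bng.create_logical_interface("dslam1/0/3", session_limit=2, keyword="VoIP",
                                 multicast_allow=("239.1.1.1",))
    req = dslam_insert_link_id(DhcpRequest("00:11:22:33:44:55", option60="VoIP-ISP-1"),
                               "dslam1/0/3")
    ok, reason, resp = bng.handle_access_request(req)
    print(ok, reason, dslam_strip_link_id(resp) if resp else None)
```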
Referring to FIG. 6, an embodiment of the present invention provides a system for user access security control. The system includes:
a user node 601, configured to send an access request packet;
an access device 602, configured to receive the access request packet sent by the user node 601, insert a user link identifier into the access request packet sent by the user node 601, and send the access request packet with the user link identifier inserted;
a control device 603, configured to parse the access request packet with the inserted user link identifier after receiving it from the access device 602 to obtain the user link identifier, determine according to the user link identifier whether the access request packet satisfies a preset access condition and, if so, allow the user node 601 corresponding to the user link identifier to access.
Referring to FIG. 7, the control device 603 includes:
a first receiving module 6031, configured to receive the access request packet sent by the access device 602;
a first parsing module 6032, configured to parse the access request packet received by the first receiving module 6031 to obtain the user link identifier;
a first determining module 6033, configured to determine, according to the user link identifier obtained by the first parsing module 6032, whether a logical link identifier corresponding to the user link identifier can be found;
a first processing module 6034, configured to allow the user node 601 corresponding to the user link identifier to access when the result determined by the first determining module 6033 is that the logical link identifier corresponding to the user link identifier can be found.
Referring to FIG. 7, the control device 603 includes:
a second receiving module 6035, configured to receive the access request packet sent by the access device 602;
a second parsing module 6036, configured to parse the access request packet received by the second receiving module 6035 to obtain the user link identifier;
a first searching module 6037, configured to search for the logical link identifier corresponding to the user link identifier according to the user link identifier obtained by the second parsing module 6036;
a second determining module 6038, configured to determine whether the number of user sessions already accessed on the logical link identifier found by the first searching module 6037 has reached a preset threshold;
a second processing module 6039, configured to allow the user node 601 corresponding to the user link identifier to access and increase the number of accessed user sessions by 1 when the result determined by the second determining module 6038 is that the number of accessed user sessions has not reached the preset threshold.
Referring to FIG. 7, the control device 603 includes:
a third receiving module 60310, configured to receive the access request packet sent by the access device 602;
a third parsing module 60311, configured to parse the access request packet received by the third receiving module 60310 to obtain the user link identifier;
a second searching module 60312, configured to search for the logical link identifier corresponding to the user link identifier according to the user link identifier obtained by the third parsing module 60311;
a third determining module 60313, configured to determine whether the user type carried in the access request packet is consistent with the user type preset on the logical link identifier found by the second searching module 60312;
a third processing module 60314, configured to allow the user node 601 corresponding to the user link identifier to access when the result determined by the third determining module 60313 is that the user type carried in the access request packet is consistent with the user type preset on the logical link identifier found by the second searching module 60312.
The system provided by the embodiment of the present invention configures a logical link identifier on the control device (which may be implemented in the form of creating a logical interface) so that a user link can be uniquely identified in the multi-service mode, and thereby implements security control policies such as access control, bandwidth control, traffic control and multicast control on a single user link according to the user link identifier information through the security control policy preconfigured for the logical link identifier.
Embodiment 5
Referring to FIG. 8, an embodiment of the present invention provides an access device. The device includes:
a receiving module 701, configured to receive an access request packet sent by a user node;
an identifier insertion module 702, configured to insert a user link identifier into the access request packet received by the receiving module 701;
a sending module 703, configured to send the access request packet after the identifier insertion module 702 has inserted the user link identifier.
The access device provided by the embodiment of the present invention can receive the access request packet sent by the user node, insert the user link identifier into the received access request packet, and send the access request packet with the user link identifier inserted. The device may also insert other information, such as the user type, into the received access request packet.
Embodiment 6
Referring to FIG. 9, an embodiment of the present invention provides a control device. The device includes:
a receiving module 801, configured to receive an access request packet sent by an access device, where the access request packet carries a user link identifier;
a parsing module 802, configured to parse the access request packet received by the receiving module 801 to obtain the user link identifier;
a processing module 803, configured to determine, according to the user link identifier obtained by the parsing module 802, whether the access request packet satisfies a preset access condition and, if so, allow the user corresponding to the user link identifier to access.
Referring to FIG. 10, the processing module 803 includes:
a first determining unit 8031, configured to determine, according to the user link identifier obtained by the parsing module 802, whether a logical link identifier corresponding to the user link identifier can be found;
a first processing unit 8032, configured to allow the user corresponding to the user link identifier to access when the result determined by the first determining unit 8031 is that the logical link identifier corresponding to the user link identifier can be found.
Referring to FIG. 10, the processing module 803 includes:
a first searching unit 8033, configured to search for the logical link identifier corresponding to the user link identifier according to the user link identifier obtained by the parsing module 802;
a second determining unit 8034, configured to determine whether the number of user sessions already accessed on the logical link identifier found by the first searching unit 8033 has reached a preset threshold;
a second processing unit 8035, configured to allow the user corresponding to the user link identifier to access and increase the number of accessed user sessions by 1 when the result determined by the second determining unit 8034 is that the number of accessed user sessions has not reached the preset threshold.
Referring to FIG. 10, the processing module 803 includes:
a second searching unit 8036, configured to search for the logical link identifier corresponding to the user link identifier according to the user link identifier obtained by the parsing module 802;
a third determining unit 8037, configured to determine whether the user type carried in the access request packet is consistent with the user type preset on the logical link identifier found by the second searching unit 8036;
a third processing unit 8038, configured to allow the user corresponding to the user link identifier to access when the result determined by the third determining unit 8037 is that the user type carried in the access request packet is consistent with the user type preset on the logical link identifier found by the second searching unit 8036.
After the user has accessed the control device, security control may further be applied to the accessed user. In this case, referring to FIG. 11, the control device further includes:
a first recording module 804, configured to, when the processing module 803 allows the user corresponding to the user link identifier to access, record the user's media access control address, IP address, user link identifier and logical link identifier in a user access table according to the access request message;
a first configuration module 805, configured to configure a control policy for the logical link identifier according to the logical link identifier recorded by the recording module 803 in the user access table;
a first control module 806, configured to, when a data message sent by the user is received, look up the corresponding logical link identifier in the user access table of the recording module according to the media access control address and IP address carried in the data message, and control the data message according to the control policy corresponding to the found logical link identifier;
a second control module 807, configured to, when a data message destined for the user is received, look up the corresponding logical link identifier in the recording module according to the media access control address carried in the data message destined for the user, and control the data message destined for the user according to the control policy corresponding to the found logical link identifier.
The control policy configured by the above configuration module may be an access control policy and/or a bandwidth control policy; correspondingly, flow control and/or bandwidth control may be performed on the data messages. The embodiments of the present invention do not limit the type of control policy configured by the configuration module.
When user X requests an IGMP on-demand service and wishes to join a multicast group, referring to FIG. 11, the control device further includes:
a second recording module 808, configured to, when the processing module 803 allows the user corresponding to the user link identifier to access, record the user's media access control address, IP address, user link identifier and logical link identifier in a user access table according to the access request message;
a second configuration module 809, configured to configure a multicast control policy for the logical link identifier according to the logical link identifier recorded by the second recording module 808;
a multicast control module 8010, configured to, when an Internet Group Management Protocol (IGMP) message sent by the user requesting to join a multicast group is received, look up the corresponding logical link identifier in the user access table of the recording module according to the media access control address carried in the IGMP message, judge, according to the multicast control policy corresponding to the found logical link identifier, whether the user is allowed to join the multicast group, and if so, allow the user to join the multicast group.
In the embodiments of the present invention, by configuring logical link identifiers on the control device (which may be implemented by creating logical interfaces), a user link can be uniquely identified in multi-service mode, so that, through the security control policy corresponding to the preconfigured logical link identifier, security control policies such as access control, bandwidth control, flow control and multicast control are applied to a single user link according to the user link identifier information.
The technical solution provided by the above embodiments of the present invention, by configuring logical link identifiers on a BNG or similar control device, can uniquely identify a user link in multi-service mode, so that, through the security control policy corresponding to the preconfigured logical link identifier, security control policies such as access control, bandwidth control, flow control and multicast control are applied to a single user link according to the user link identifier information.
Some steps in the embodiments of the present invention may be implemented in software, and the corresponding software program may be stored in a readable storage medium, such as an optical disk or a hard disk.
The above description is merely of preferred embodiments of the present invention and is not intended to limit the present invention. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall fall within the protection scope of the present invention.

Claims

1. A control device, characterized in that the device comprises:
a receiving module (801), configured to receive an access request message sent by an access device, the access request message carrying a user link identifier;
a parsing module (802), configured to parse the access request message received by the receiving module (801) to obtain the user link identifier;
a processing module (803), configured to judge, according to the user link identifier obtained by the parsing module (802), whether the access request message satisfies a preset access condition, and if so, allow the user corresponding to the user link identifier to access.
2. The control device according to claim 1, characterized in that the processing module (803) comprises:
a first judging unit (8031), configured to judge, according to the user link identifier obtained by the parsing module (802), whether a logical link identifier corresponding to the user link identifier can be found;
a first processing unit (8032), configured to, when the first judging unit (8031) determines that the logical link identifier corresponding to the user link identifier can be found, allow the user corresponding to the user link identifier to access.
3. The control device according to claim 1, characterized in that the processing module (803) comprises:
a first searching unit (8033), configured to look up, according to the user link identifier obtained by the parsing module (802), the logical link identifier corresponding to the user link identifier;
a second judging unit (8034), configured to judge whether the number of user sessions already admitted on the logical link identifier found by the first searching unit (8033) has reached a preset threshold;
a second processing unit (8035), configured to, when the second judging unit (8034) determines that the number of admitted user sessions has not reached the preset threshold, allow the user corresponding to the user link identifier to access, and increase the number of admitted user sessions by 1.
4. The control device according to claim 1, characterized in that the processing module (803) comprises:
a second searching unit (8036), configured to look up, according to the user link identifier obtained by the parsing module (802), the logical link identifier corresponding to the user link identifier;
a third judging unit (8037), configured to judge whether the user type carried in the access request message is consistent with the user type preset on the logical link identifier found by the second searching unit (8036);
a third processing unit (8038), configured to, when the third judging unit (8037) determines that the user type carried in the access request message is consistent with the user type preset on the logical link identifier found by the searching unit, allow the user corresponding to the user link identifier to access.
5. The control device according to claim 1, characterized in that the device further comprises:
a first recording module (804), configured to, when the processing module (803) allows the user corresponding to the user link identifier to access, record the user's media access control address, IP address, user link identifier and logical link identifier in a user access table according to the access request message;
a first configuration module (805), configured to configure a control policy for the logical link identifier according to the logical link identifier recorded in the user access table by the first recording module (804);
a first control module (806), configured to, when a data message sent by the user is received, look up the corresponding logical link identifier in the user access table of the first recording module (804) according to the media access control address and IP address carried in the data message, and control the data message according to the control policy corresponding to the found logical link identifier;
a second control module (807), configured to, when a data message destined for the user is received, look up the corresponding logical link identifier in the first recording module (804) according to the media access control address carried in the data message destined for the user, and control the data message destined for the user according to the control policy corresponding to the found logical link identifier.
6. The control device according to claim 1, characterized in that the device further comprises:
a second recording module (808), configured to, when the processing module (803) allows the user corresponding to the user link identifier to access, record the user's media access control address, IP address, user link identifier and logical link identifier in a user access table according to the access request message;
a second configuration module (809), configured to configure a multicast control policy for the logical link identifier according to the logical link identifier recorded by the second recording module (808);
a multicast control module (8010), configured to, when an Internet Group Management Protocol message sent by the user requesting to join a multicast group is received, look up the corresponding logical link identifier in the user access table of the second recording module (808) according to the media access control address carried in the message, judge, according to the multicast control policy corresponding to the found logical link identifier, whether the user is allowed to join the multicast group, and if so, allow the user to join the multicast group.
7. A method for user access security control, characterized in that the method comprises:
receiving an access request message, the access request message carrying a user link identifier;
parsing the access request message to obtain the user link identifier;
judging, according to the user link identifier, whether the access request message satisfies a preset access condition;
if so, allowing the user corresponding to the user link identifier to access.
8. The method for user access security control according to claim 7, characterized in that the step of judging, according to the user link identifier, whether the access request message satisfies a preset access condition comprises:
judging whether a logical link identifier corresponding to the user link identifier can be found;
if so, the preset access condition is satisfied.
9. The method for user access security control according to claim 7, characterized in that the step of judging, according to the user link identifier, whether the access request message satisfies a preset access condition comprises:
looking up the logical link identifier corresponding to the user link identifier;
checking whether the number of user sessions already admitted on the logical link identifier has reached a preset threshold; if the preset threshold has not been reached, the preset access condition is satisfied;
correspondingly, after the step of allowing the user corresponding to the user link identifier to access, the method further comprises:
increasing the number of admitted user sessions by 1.
10. The method for user access security control according to claim 7, characterized in that the access request message further carries a user type;
correspondingly, the step of judging, according to the user link identifier, whether the access request message satisfies a preset access condition comprises:
looking up the logical link identifier corresponding to the user link identifier;
judging whether the user type carried in the access request message is consistent with the user type preset for the logical link identifier; if so, the preset access condition is satisfied.
11. The method for user access security control according to claim 7, characterized in that, after the step of allowing the user corresponding to the user link identifier to access, the method further comprises:
recording, according to the access request message, the user's media access control address, IP address, user link identifier and logical link identifier in a user access table, and configuring a control policy for the user corresponding to the logical link identifier;
when a data message sent by the user is received, looking up the corresponding logical link identifier in the user access table according to the media access control address and IP address carried in the data message, and controlling the data message according to the control policy corresponding to the found logical link identifier;
when a data message destined for the user is received, looking up the corresponding logical link identifier in the user access table according to the media access control address carried in the data message destined for the user, and controlling the data message destined for the user according to the control policy corresponding to the found logical link identifier.
12. The method for user access security control according to claim 11, characterized in that the control policy is specifically:
an access control policy and/or a bandwidth control policy.
13. The method for user access security control according to claim 7, characterized in that, after the step of allowing the user corresponding to the user link identifier to access, the method further comprises:
recording, according to the access request message, the user's media access control address, IP address, user link identifier and logical link identifier in a user access table, and configuring a multicast control policy for the user corresponding to the logical link identifier;
when an Internet Group Management Protocol message sent by the user requesting to join a multicast group is received, looking up the corresponding logical link identifier in the user access table according to the media access control address carried in the message, judging, according to the multicast control policy corresponding to the found logical link identifier, whether the user is allowed to join the multicast group, and if so, allowing the user to join the multicast group.
14. A system for user access security control, characterized in that the system comprises:
a user node (601), configured to send an access request message;
an access device (602), configured to receive the access request message sent by the user node (601), insert a user link identifier into the access request message sent by the user node (601), and send the access request message with the inserted user link identifier;
a control device (603), configured to, after receiving the access request message with the inserted user link identifier sent by the access device (602), parse it to obtain the user link identifier, judge, according to the user link identifier, whether the access request message satisfies a preset access condition, and if so, allow the user node (601) corresponding to the user link identifier to access.
15. The system for user access security control according to claim 14, characterized in that the control device (603) comprises:
a first receiving module (6031), configured to receive the access request message sent by the access device (602);
a first parsing module (6032), configured to parse the access request message received by the first receiving module (6031) to obtain the user link identifier;
a first judging module (6033), configured to judge, according to the user link identifier obtained by the first parsing module (6032), whether a logical link identifier corresponding to the user link identifier can be found;
a first processing module (6034), configured to, when the first judging module (6033) determines that the logical link identifier corresponding to the user link identifier can be found, allow the user node (601) corresponding to the user link identifier to access.
16. The system for user access security control according to claim 14, characterized in that the control device (603) comprises:
a second receiving module (6035), configured to receive the access request message sent by the access device (602);
a second parsing module (6036), configured to parse the access request message received by the second receiving module (6035) to obtain the user link identifier;
a first searching module (6037), configured to look up, according to the user link identifier obtained by the second parsing module (6036), the logical link identifier corresponding to the user link identifier;
a second judging module (6038), configured to judge whether the number of user sessions already admitted on the logical link identifier found by the first searching module (6037) has reached a preset threshold;
a second processing module (6039), configured to, when the second judging module (6038) determines that the number of admitted user sessions has not reached the preset threshold, allow the user node (601) corresponding to the user link identifier to access, and increase the number of admitted user sessions by 1.
17. The system for user access security control according to claim 14, characterized in that the control device (603) comprises:
a third receiving module (60310), configured to receive the access request message sent by the access device (602);
a third parsing module (60311), configured to parse the access request message received by the third receiving module (60310) to obtain the user link identifier;
a second searching module (60312), configured to look up, according to the user link identifier obtained by the third parsing module (60311), the logical link identifier corresponding to the user link identifier;
a third judging module (60313), configured to judge whether the user type carried in the access request message is consistent with the user type preset on the logical link identifier found by the second searching module (60312);
a third processing module (60314), configured to, when the third judging module (60313) determines that the user type carried in the access request message is consistent with the user type preset on the logical link identifier found by the second searching module (60312), allow the user node (601) corresponding to the user link identifier to access.
18. An access device, characterized in that the device comprises:
a receiving module (701), configured to receive an access request message sent by a user;
an identifier insertion module (702), configured to insert a user link identifier into the access request message received by the receiving module (701);
a sending module (703), configured to send the access request message into which the identifier insertion module (702) has inserted the user link identifier.
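The description (modules 803 to 8010) and method claims 7 to 13 describe one admission-and-policy pipeline: map the user link identifier the access device inserted to a preconfigured logical link, refuse the request if no such link exists, if the link's session threshold is reached, or if the user type does not match the link's preset type, then record MAC, IP, user link identifier and logical link identifier in the user access table and use that table to apply per-link access, bandwidth and multicast policies to later traffic. The following is an added Python model of that pipeline; it is illustration written for this page, not code from the patent or from Huawei, and every class name, field, policy layout and sample value (MAC addresses, IPs, group address, byte budget) is an assumption constructed here. Bandwidth control is simplified to a per-link byte budget so the policy check stays visible.

```python
# Added example (not code from the patent or from Huawei): a toy model of the
# control device in the description above and in claims 7-13.  All names, data
# layouts and sample values are assumptions constructed for this illustration.
from dataclasses import dataclass


@dataclass
class LogicalLink:
    """Preconfigured logical link (the patent: a logical interface on the BNG)."""
    link_id: str
    user_type: str          # user type preset on this logical link
    session_limit: int      # preset threshold of admitted user sessions
    allowed_dst: set        # access control policy: permitted destination IPs
    byte_budget: int        # bandwidth control policy, simplified to a byte budget
    multicast_groups: set   # multicast control policy: groups the link may join
    sessions: int = 0       # user sessions currently admitted on this link


@dataclass
class AccessEntry:
    """One row of the user access table (claim 11)."""
    mac: str
    ip: str
    user_link_id: str
    logical_link_id: str


class ControlDevice:
    def __init__(self, links, user_link_map):
        self.links = {l.link_id: l for l in links}
        self.user_link_map = dict(user_link_map)  # user link id -> logical link id
        self.access_table = []

    def admit(self, request):
        """Access request carrying mac, ip, user_type and the user_link_id that the
        access device inserted.  Returns (allowed, reason)."""
        user_link_id = request.get("user_link_id")            # parsing step
        logical_id = self.user_link_map.get(user_link_id)
        if logical_id is None:                                 # claim 8
            return False, "no logical link for %r" % user_link_id
        link = self.links[logical_id]
        if link.sessions >= link.session_limit:                # claim 9
            return False, "session threshold reached on %s" % logical_id
        if request.get("user_type") != link.user_type:         # claim 10
            return False, "user type %r not allowed on %s" % (request.get("user_type"), logical_id)
        link.sessions += 1
        self.access_table.append(
            AccessEntry(request["mac"], request["ip"], user_link_id, logical_id))
        return True, "admitted on %s" % logical_id

    def _lookup(self, mac, ip=None):
        """Find the logical link of an admitted user; ip=None matches on MAC only."""
        for e in self.access_table:
            if e.mac == mac and (ip is None or e.ip == ip):
                return self.links[e.logical_link_id]
        return None

    def _charge(self, link, length):
        if link.byte_budget < length:
            return False
        link.byte_budget -= length
        return True

    def upstream_allowed(self, packet):
        """Data message from the user: look up by source MAC and IP (claim 11)."""
        link = self._lookup(packet["src_mac"], packet["src_ip"])
        if link is None or packet["dst_ip"] not in link.allowed_dst:
            return False
        return self._charge(link, packet["length"])

    def downstream_allowed(self, packet):
        """Data message to the user: look up by destination MAC only (claim 11)."""
        link = self._lookup(packet["dst_mac"])
        return link is not None and self._charge(link, packet["length"])

    def igmp_join_allowed(self, mac, group):
        """IGMP join from the user: look up by MAC, consult multicast policy (claim 13)."""
        link = self._lookup(mac)
        return link is not None and group in link.multicast_groups


def demo():
    """Constructed scenario; returns every decision so it can be checked."""
    link = LogicalLink("lli-1", "hsi", 2, {"198.51.100.10"}, 3000, {"239.1.1.1"})
    dev = ControlDevice([link], {"uli-a": "lli-1"})
    m1, m2, m3 = "00:00:5e:00:53:01", "00:00:5e:00:53:02", "00:00:5e:00:53:03"
    return {
        "admit_ok": dev.admit({"mac": m1, "ip": "192.0.2.1", "user_type": "hsi", "user_link_id": "uli-a"})[0],
        "wrong_type": dev.admit({"mac": m2, "ip": "192.0.2.2", "user_type": "iptv", "user_link_id": "uli-a"})[0],
        "second_ok": dev.admit({"mac": m2, "ip": "192.0.2.2", "user_type": "hsi", "user_link_id": "uli-a"})[0],
        "over_limit": dev.admit({"mac": m3, "ip": "192.0.2.3", "user_type": "hsi", "user_link_id": "uli-a"})[0],
        "unknown_link": dev.admit({"mac": m3, "ip": "192.0.2.3", "user_type": "hsi", "user_link_id": "uli-z"})[0],
        "up_ok": dev.upstream_allowed({"src_mac": m1, "src_ip": "192.0.2.1", "dst_ip": "198.51.100.10", "length": 1000}),
        "up_bad_dst": dev.upstream_allowed({"src_mac": m1, "src_ip": "192.0.2.1", "dst_ip": "203.0.113.5", "length": 100}),
        "up_mismatched_ip": dev.upstream_allowed({"src_mac": m1, "src_ip": "192.0.2.9", "dst_ip": "198.51.100.10", "length": 100}),
        "down_over_budget": dev.downstream_allowed({"dst_mac": m1, "length": 2500}),
        "down_ok": dev.downstream_allowed({"dst_mac": m1, "length": 1500}),
        "join_ok": dev.igmp_join_allowed(m1, "239.1.1.1"),
        "join_denied": dev.igmp_join_allowed(m1, "239.2.2.2"),
        "join_unknown_mac": dev.igmp_join_allowed(m3, "239.1.1.1"),
        "sessions": link.sessions,
        "budget_left": link.byte_budget,
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(name, decision)
```

Two points the scenario makes visible: the access table is keyed on the MAC and IP pair for upstream traffic, so a data message whose source IP does not match the recorded entry for that MAC finds no logical link and is dropped, and the per-link session counter is incremented only after all three checks pass, so a rejected request never consumes a session slot.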
PCT/CN2008/072243 2007-11-28 2008-09-02 Method, system and device for user access security control WO2009067871A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN2007101951023A CN101188614B (en) 2007-11-28 2007-11-28 A method, system and device for secure control of the user access
CN200710195102.3 2007-11-28

Publications (1)

Publication Number Publication Date
WO2009067871A1 true WO2009067871A1 (en) 2009-06-04

Family

ID=39480803

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2008/072243 WO2009067871A1 (en) 2007-11-28 2008-09-02 Method, system and device for user access security control

Country Status (2)

Country Link
CN (1) CN101188614B (en)
WO (1) WO2009067871A1 (en)


Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1553674A (en) * 2003-05-26 2004-12-08 广东省电信有限公司科学技术研究院 Method for wideband connection server to obtain port numbers of its uers
CN1592220A (en) * 2003-09-04 2005-03-09 华为技术有限公司 Method for controlling wide band network user to access network
US20060136715A1 (en) * 2004-12-22 2006-06-22 Kyeong Soo Han MAC security entity for link security entity and transmitting and receiving method therefor
CN101188614A (en) * 2007-11-28 2008-05-28 华为技术有限公司 A method, system and device for secure control of the user access


Also Published As

Publication number Publication date
CN101188614A (en) 2008-05-28
CN101188614B (en) 2011-01-19


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 08800755

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 08800755

Country of ref document: EP

Kind code of ref document: A1