WO2010081380A1 - Method and gateway device for local area network access control - Google Patents


Info

Publication number
WO2010081380A1
Authority
WO
WIPO (PCT)
Prior art keywords
gateway
packet
user
ipsec
local area
Prior art date
Application number
PCT/CN2009/076252
Other languages
French (fr)
Chinese (zh)
Inventor
张战兵
陈爱平
徐蒙
孙宏
Original Assignee
成都市华为赛门铁克科技有限公司
Priority date
Filing date
Publication date
Application filed by 成都市华为赛门铁克科技有限公司
Publication of WO2010081380A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/08 Access security
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/10 Protocols in which an application is distributed across nodes in the network
    • H04L 67/1095 Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/16 Implementing security features at a particular protocol layer
    • H04L 63/164 Implementing security features at a particular protocol layer at the network layer

Definitions

  • the present invention relates to the field of communications technologies, and in particular, to a method for access control of a local area network and a gateway device.
  • the existing gateway access modes are mainly the Secure Sockets Layer (SSL) mode and the Security Architecture for IP network (IPsec) mode. They are usually connected behind the firewall and in front of the LAN resources, providing secure access to external network users.
  • SSL Secure Sockets Layer
  • IPSec Security Architecture for IP network
  • the user enters a user name and password on the login interface, and the gateway verifies the user name and password entered by the user against the saved user information database. After the verification is passed, the gateway negotiates an SSL-encrypted key with the user, and the login is complete. Thereafter, the data packets transmitted between the gateway and the user are encrypted with that key, and the gateway and the user can use the key to decapsulate the transmitted data packets, achieving security control of the data transmission.
  • a significant disadvantage of the SSL access gateway is that if a user wants to access multiple physically separated LANs, the user needs to register separately on the multiple gateways of those LANs. The user operation is cumbersome and inconvenient.
  • the embodiment of the invention provides a method for local area network access control and a gateway device, so that a user can obtain the right to access the resources of a plurality of local area networks after registering with one gateway.
  • the embodiment of the invention provides a method for access control of a local area network, including:
  • the first gateway interacts with the second gateway to synchronize the registered user information;
  • the first gateway receives an access request of the user;
  • the first gateway performs access control on the user access to the local area network according to the registered user information synchronized with the second gateway.
  • the embodiment of the invention further provides a gateway device, including:
  • an information synchronization unit, configured to interact with another gateway to synchronize registered user information;
  • an access control unit, configured to receive an access request from the user and perform access control on the user's access to the local area network according to the registered user information synchronized with the other gateway.
  • the registered user information is synchronized through the interaction between the gateways; when a user registers with one gateway and then logs in to other gateways, the other gateways can perform access control on that user's access to the local area network according to the synchronized registered user information. It is not necessary to repeat the registration at the other gateways as in the prior art, which simplifies the registration process, so that once the user has obtained access rights at one gateway, the user can log in to multiple local area networks to obtain resources, which greatly facilitates the user.
  • FIG. 1 is a schematic diagram of networking in accordance with an embodiment of the present invention.
  • FIG. 2 is a flowchart of a method for access control of a local area network according to an embodiment of the present invention
  • FIG. 3 is a flowchart of a method for access control of a local area network according to an embodiment of the present invention
  • FIG. 4 is a structure of a gateway device according to an embodiment of the present invention
  • FIG. 5 is a schematic structural diagram of a gateway device according to an embodiment of the present invention.
  • FIG. 6 is a schematic structural diagram of a communication system according to an embodiment of the present invention.
  • Embodiments of the present invention provide a method for access control of a local area network, a gateway device and a communication system.
  • as shown in FIG. 1, a networking diagram of an embodiment of the present invention, an IPsec (Security Architecture for IP network) tunnel is established between the gateways (first gateway and second gateway) of different local area networks (LAN 1 and LAN 2); the first gateway and the second gateway interact through the IPsec tunnel to keep the registered user information synchronized.
  • when the user registers with one of the gateways, the other gateway can obtain that user's registered user information through data synchronization.
  • the first gateway is in local area network 1 and the second gateway is in local area network 2; in this example, carrying the data over the IPsec tunnel ensures the security of communication between local area network 1 and local area network 2.
  • for the user, LAN 1 and LAN 2 are both reachable securely: the user can directly access the resources of LAN 1 and LAN 2.
  • the data sent to local area network 2 is intercepted by the first gateway, encapsulated into an IPsec packet and sent to the second gateway, then decapsulated by the second gateway and forwarded into local area network 2, and vice versa. It can be understood that the user can also access local area network 2 directly without going through local area network 1: since the user has already registered at the first gateway, it is not necessary to repeat the registration at the second gateway, and the resources of local area network 2 can be accessed directly once the second gateway's verification is passed.
  • the method for local area network access control includes: A1, the first gateway interacts with the second gateway to synchronize the registered user information;
  • the synchronization process can be divided into an initial synchronization phase and an update synchronization phase:
  • in the initial synchronization phase, the gateways copy all of each other's registered user information to complete the initial synchronization; when the registered user information of the gateways is completely consistent, the update synchronization phase is entered;
  • in the update synchronization phase, after the initial synchronization, when the registered user information of a gateway changes, the changed data is notified to the other gateways that have a synchronization relationship with it, and those gateways update their data.
  • the changed information is sent to the other gateway as a configuration update, so that the first gateway and the second gateway hold the same registered user information.
  • the registered user information includes:
  • the user's login identity verification information and the corresponding user access security control policy. The login identity verification information may take various forms for identifying the user, generally a user name and a password; it can be understood that other information that identifies the user may also be used, such as the user's Internet Protocol (IP) address or media access control (MAC) address.
  • IP Internet Protocol
  • MAC media access control
  • the security control policy includes: a user's permission setting and a local area network resource corresponding to the permission.
  • User permissions can be divided into administrator level, user level, and visitor level;
  • Users with user-level privileges can access and tamper with resources in the shared area;
  • the registration user information changes include: registration of new users, destruction of user information, change of user privilege level, change of resource configuration corresponding to privilege level, and the like.
  • in the embodiment of the present invention, the communication between the first gateway and the second gateway is established using an IPsec tunnel.
  • the IPsec tunnel carries the data transmission between the first gateway and the second gateway, and the data is encapsulated into IPsec format before transmission.
  • communication in IPsec tunnel mode makes the data exchanged between the gateways more secure, because only a gateway holding the tunnel identifier can decapsulate the IPsec packets. The present invention is not limited to this manner of communication between gateways; existing conventional communication methods, such as a conventional session mode, can also be used, and the specific manner does not constitute a limitation of the present invention. It can be understood that if the IPsec tunnel is disconnected, the first gateway and the second gateway renegotiate to establish an IPsec tunnel, ensuring real-time connectivity.
  • the first gateway receives an access request of the user.
  • the first gateway performs access control on the user accessing the local area network according to the registered user information synchronized with the second gateway.
  • the first gateway determines whether the user is registered, which includes:
  • the process of determining whether the user is registered in the first gateway may be: acquiring the IP address or MAC address in the user's access request, and checking whether the registered user information synchronized with the second gateway includes that IP address or MAC address; if it does, the user is allowed access.
  • the method further includes: the first gateway receives the packet and performs packet forwarding processing.
  • the gateway can receive three types of packets and processes each type differently.
  • if the packet received by the first gateway is a Secure Sockets Layer (SSL) packet:
  • the packet is decapsulated and the security control policy of the user is checked. If the gateway's security policy is not met, the packet is discarded. If the security control policy is met, the destination address of the packet is further determined: if the destination address is in the local area network where the first gateway is located, the packet is forwarded directly; if the destination address is in the local area network of the second gateway, the packet is encapsulated into an IPsec packet and sent to the second gateway through the IPsec tunnel.
  • if the packet received by the first gateway is a packet from the local area network where the first gateway is located: if the destination address of the packet is the public network, the packet is encapsulated into an SSL packet and sent; if the destination address is in the local area network where the second gateway is located, the packet is encapsulated into an IPsec packet and sent to the second gateway through the IPsec tunnel with the second gateway.
  • if the packet received by the first gateway is an IPsec packet sent by the second gateway, it is determined whether the destination address of the packet is in the local area network of this gateway, and if so, IPsec decapsulation is performed and the packet is forwarded.
  • the registered user information is synchronized through the interaction between the gateways; when a user registers with one gateway and then logs in to other gateways, the other gateways can perform access control on that user's access to the local area network according to the synchronized registered user information.
  • registering with the other gateways, as the prior art requires, is no longer needed, which simplifies the registration process, so that once the user has obtained access rights at one gateway, the user can log in to multiple local area networks to obtain resources, which greatly facilitates the user.
  • an IPsec tunnel is established between the gateways, and the registered user information is synchronized and data transmitted through the established IPsec tunnel, so that the data transmission between the gateways is more secure and reliable.
  • an embodiment of the present invention describes a feasible processing manner of a gateway for different packets; the process, as shown in FIG. 3, includes:
  • step B1: the gateway receives a packet;
  • step B2: check the type of the packet; if the packet is an ordinary packet, that is, a packet from inside the local area network of the gateway, proceed to step B3; if it is an SSL packet, proceed to step B4; if it is an IPsec packet, proceed to step B5;
  • step B3: process the ordinary packet as follows: if the destination address of the ordinary packet is the public network, the packet is SSL-encapsulated and sent; if the destination address is in the local area network where the gateway is located, the packet is forwarded directly; if the destination address is in another local area network, the packet is encapsulated into an IPsec packet and sent to the opposite gateway through the IPsec tunnel with the gateway of that local area network.
  • step B4: decapsulate the SSL packet and proceed to step B6.
  • step B6: perform security policy matching against the data synchronized with the other gateways. If the match succeeds, proceed to step B8; if it fails, proceed to step B7.
  • step B8: determine whether the destination address of the packet is in the local area network of this gateway; if yes, proceed to step B9; if no, proceed to step B10.
  • step B9: forward the packet according to its destination address, and end the process.
  • step B10: search for an IPsec tunnel according to the destination address of the packet. If one is found, proceed to step B11; if not, proceed to step B12.
  • the gateway saves the IPsec tunnels established with other gateways in an Access Control List (ACL).
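The packet classification and forwarding decision of steps B1 to B12, together with the IP-address lookup against synchronized registered user information described above for access requests, as an added example written for this page (not code from the patent or its assignee). Everything in it is constructed: the LAN prefixes, the tunnel table standing in for the gateway's ACL, the registered user entries, and the privilege-to-resource mapping (the page names three levels but only says that user level may access the shared area). Two cases the page leaves unspecified, an IPsec packet whose destination is not the local LAN and step B12 (no tunnel found), are treated here as discard and marked as assumptions.

```python
"""Gateway packet classification and forwarding (flowchart steps B1-B12).

Added example for this page; not the patent's implementation. All addresses,
tables and the privilege-to-resource mapping are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LOCAL_LAN = ip_network("10.1.0.0/16")                      # LAN of this gateway (constructed)
TUNNEL_ACL = {ip_network("10.2.0.0/16"): "ipsec-to-gw2"}   # IPsec tunnels kept as an ACL (constructed)

# Registered user information synchronized from the peer gateway, keyed by the
# user's IP address (the page also allows a MAC address). Constructed entries.
REGISTERED_USERS = {
    "203.0.113.10": {"name": "alice", "level": "user"},
    "203.0.113.20": {"name": "bob", "level": "visitor"},
}
# Assumption: resources reachable per privilege level. The page only states that
# user level may access the shared area; administrator and visitor are guesses.
LEVEL_RESOURCES = {
    "administrator": {"shared", "restricted"},
    "user": {"shared"},
    "visitor": set(),
}


@dataclass
class Packet:
    kind: str                 # "ssl", "ordinary" (from the local LAN) or "ipsec"
    src: str                  # source IP address
    dst: str                  # destination IP address
    resource: str = "shared"  # LAN resource the packet targets (constructed field)


def is_registered(address: str) -> bool:
    """Access-request check: is the address in the synchronized user table?"""
    return address in REGISTERED_USERS


def security_policy_allows(pkt: Packet) -> bool:
    """Step B6: match the packet against the user's synchronized security policy."""
    if not is_registered(pkt.src):
        return False
    level = REGISTERED_USERS[pkt.src]["level"]
    return pkt.resource in LEVEL_RESOURCES[level]


def lookup_tunnel(dst: str):
    """Step B10: find the IPsec tunnel whose remote LAN contains dst, if any."""
    for lan, tunnel in TUNNEL_ACL.items():
        if ip_address(dst) in lan:
            return tunnel
    return None


def forward(pkt: Packet) -> str:
    """Return the action the gateway takes for pkt, as a short string."""
    dst = ip_address(pkt.dst)
    if pkt.kind == "ssl":                                 # B4: decapsulated SSL packet
        if not security_policy_allows(pkt):
            return "discard"                              # B7: policy match failed
        if dst in LOCAL_LAN:                              # B8 -> B9
            return f"forward to {pkt.dst}"
        tunnel = lookup_tunnel(pkt.dst)                   # B10
        if tunnel:
            return f"ipsec-encapsulate via {tunnel}"      # B11
        return "discard (no tunnel)"                      # B12: assumed, the page does not say
    if pkt.kind == "ordinary":                            # B3: packet from the local LAN
        if dst in LOCAL_LAN:
            return f"forward to {pkt.dst}"
        tunnel = lookup_tunnel(pkt.dst)
        if tunnel:
            return f"ipsec-encapsulate via {tunnel}"
        return "ssl-encapsulate and send"                 # destination is the public network
    if pkt.kind == "ipsec":                               # B5: packet from the peer gateway
        if dst in LOCAL_LAN:
            return f"ipsec-decapsulate and forward to {pkt.dst}"
        return "discard"                                  # assumed: page covers only the local case
    raise ValueError(f"unknown packet type {pkt.kind!r}")
```

The policy check is deliberately a lookup in the synchronized table rather than a per-gateway database: that is the property the method relies on, since a user registered only at the peer gateway must still pass step B6 here. Note that identifying users by IP or MAC address, as the page allows, binds the policy to an address rather than to a credential, so the decision is only as trustworthy as the path that address arrived on.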
  • ACL Access Control List
  • the gateway in the embodiment of the present invention can process IPsec and SSL packets. After the IPsec tunnel is configured, the gateway maintains the communication relationship between the two ends of the IPsec tunnel. Once the tunnel is broken, the gateway renegotiates to establish a tunnel. After each tunnel is established, the gateway can re-synchronize the registered user information at both ends.
  • only the changed data may be updated, to reduce the amount of data transmitted during synchronization; specifically, the changed data can be sent to the opposite gateway in the update information.
  • the changed data here can include: modified data, added data, and deleted data.
  • a flag bit, a serial number, and an aging bit are set for each registered user information.
  • the registered user information includes: a user's login identity verification information and a corresponding user access security control policy
  • the security control policy includes: a user's permission setting and a local area network resource whose permission corresponds to the access.
  • the registered user information of different gateways has different sequence numbers assigned. This serial number is used to uniquely identify each registered user information.
  • the flag bit is used to identify the status of each registered user information.
  • the meaning of the representation of the value of the flag bit is shown in Table 1.
  • Registered user information with flags 1 and 5 will not take effect and will only be saved in the gateway for synchronization. Registered user information with flags 2, 3, and 4 will take effect; the configuration information with flag 3 indicates that the synchronization between gateways is normal, and other values indicate synchronization exceptions.
  • when a registered user information entry is newly configured, its flag bit is set to 1. The current gateway then sends the registered user information to the peer gateway and sets the flag bit to 2. Once the confirmation of the peer gateway is received, the flag bit is set to 3. An error retransmission mechanism ensures that the information can be delivered to the other party.
  • after receiving the configured registered user information, the receiving gateway sets the flag bit of that registered user information to 2 and sends an acknowledgement message. Once the confirmation message of the other party is received, it sets the flag bit to 3.
  • a configured registered user information entry takes effect when its status is 2 or 3.
  • the gateway periodically queries the registered user information whose flag bit is not 3, sends it to the peer gateway, and increments the value of the aging bit by one.
  • the critical value of the aging bit is a preset number of transmissions.
  • when the aging bit reaches the critical value, the gateway sets the flag bit of the registered user information to 4, reports to the network management system that the configuration is abnormal, and no longer sends that registered user information.
  • for example, the first transmission sets the aging bit to 1, the second transmission sets it to 2, and the third transmission sets it to 3, at which point the critical value is reached and the flag bit of the registered user information is set to 4.
  • for modified registered user information, the local gateway marks its flag bit back to 2, sends the registered user information to the peer gateway, and sets the flag bit to 3 after receiving the correct response from the peer. If the local gateway receives modified registered user information, it modifies its registered user information accordingly: if the modification succeeds, the flag bit is unchanged; otherwise, the flag bit is set to 5 and the event is reported to the network management system.
  • for deleted registered user information, the flag bit is set to 5 and the serial number of the registered user information is sent to the peer gateway. After the correct response of the peer gateway is received, the information is deleted locally; otherwise, the flag bit is set to 4 and the event is reported to the NMS.
  • for registered user information with flag bit 4, the administrator can choose to initiate a resend or to delete the information locally.
  • the administrator can also choose to send all local configuration information to overwrite the remote gateway's information, or request the remote gateway to send all of its configuration information to this gateway.
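The flag-bit, serial-number and aging-bit synchronization described above, as an added example written for this page (not the patent's or its assignee's code). It models two gateways exchanging update and delete messages, the periodic retransmission task, the aging threshold that moves an entry to flag 4 and reports it, and the administrator resend. The message names (`update`, `delete`, `ack`, `confirm`), the serial-number format, the three-transmission threshold and the final `confirm` message (which is how the receiver's flag reaches 3 after it has acknowledged) are assumptions made for the example; the page's modification-failure path is not modelled.

```python
"""Registered-user-information synchronization between two gateways, using the
flag bit, serial number and aging bit scheme from the page. Added example, not
the patent's implementation. Flag values as the page gives them: 1 configured,
not yet sent; 2 sent or received, awaiting confirmation; 3 confirmed, in sync;
4 given up after the aging threshold, reported to the NMS; 5 marked for deletion.
"""
from dataclasses import dataclass

AGING_THRESHOLD = 3   # page: the third transmission reaches the critical value


@dataclass
class Record:
    seq: str          # serial number, unique across gateways ("<gateway>-<n>")
    user: str
    policy: str
    flag: int = 1
    aging: int = 0

    @property
    def effective(self) -> bool:
        return self.flag in (2, 3)   # page: takes effect at status 2 or 3


class Gateway:
    def __init__(self, name):
        self.name = name
        self.records = {}        # seq -> Record
        self.outbox = []         # (kind, seq, payload) queued for the peer
        self.nms_reports = []    # events reported to network management
        self._n = 0

    def configure(self, user, policy):
        rec = Record(f"{self.name}-{self._n}", user, policy)   # flag 1
        self._n += 1
        self.records[rec.seq] = rec
        return rec

    def modify(self, seq, policy):
        rec = self.records[seq]
        rec.policy, rec.flag, rec.aging = policy, 2, 0        # back to 2, then resend
        self.outbox.append(("update", seq, (rec.user, rec.policy)))

    def delete(self, seq):
        rec = self.records[seq]
        rec.flag, rec.aging = 5, 0
        self.outbox.append(("delete", seq, None))            # only the serial number travels

    def admin_resend(self, seq):
        """Administrator chooses to resend an entry that was given up (flag 4)."""
        rec = self.records[seq]
        rec.flag, rec.aging = 2, 0

    def send_pending(self):
        """Periodic task: send every entry whose flag is not 3 and age it."""
        for rec in self.records.values():
            if rec.flag in (3, 4):            # in sync, or waiting for the administrator
                continue
            if rec.flag == 1:
                rec.flag = 2
            kind = "delete" if rec.flag == 5 else "update"
            self.outbox.append((kind, rec.seq, (rec.user, rec.policy)))
            rec.aging += 1
            if rec.aging >= AGING_THRESHOLD:  # critical value reached: give up, report
                rec.flag = 4
                self.nms_reports.append(f"{rec.seq}: configuration abnormal")

    def receive(self, kind, seq, payload):
        """Handle one message from the peer; return the replies to send back."""
        rec = self.records.get(seq)
        if kind == "update":
            if rec is None:
                self.records[seq] = Record(seq, *payload, flag=2)   # received: 2, then ack
            else:
                rec.user, rec.policy = payload                     # modification, flag unchanged
            return [("ack", seq, None)]
        if kind == "delete":
            if rec is not None:
                rec.flag = 5                   # assumption: parked until the sender confirms
            return [("ack", seq, None)]
        if kind == "ack":
            if rec is None:
                return []
            if rec.flag == 5:
                del self.records[seq]          # peer confirmed: delete locally
            else:
                rec.flag, rec.aging = 3, 0
            return [("confirm", seq, None)]    # assumption: lets the receiver move to 3
        if kind == "confirm":
            if rec is not None:
                if rec.flag == 5:
                    del self.records[seq]
                else:
                    rec.flag = 3
            return []
        raise ValueError(kind)


def deliver(src, dst, lose=False):
    """Carry src's queued messages to dst and route replies back until quiet.
    With lose=True the messages are dropped, which exercises the aging path."""
    pending = [(src, dst, m) for m in src.outbox]
    src.outbox.clear()
    if lose:
        return
    while pending:
        sender, receiver, (kind, seq, payload) = pending.pop(0)
        for reply in receiver.receive(kind, seq, payload):
            pending.append((receiver, sender, reply))
```

The point to notice is that an entry becomes effective at flag 2, before the peer has confirmed it, so an entry sitting in the retransmission loop already grants access on the gateway that holds it; only the move to flag 4 (and the NMS report) makes a persistent synchronization failure visible, which is why that report deserves monitoring.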
  • the gateway device provided by an embodiment of the present invention includes: an information synchronization unit 410, configured to interact with another gateway to synchronize registered user information; and an access control unit 420, configured to receive an access request from a user and control the user's access to the local area network according to the registered user information synchronized with the other gateway.
  • the gateway device 500 provides an example of a specific feasible processing manner of the access control unit. This example should be understood as an implementation of the access control unit function applied to a specific scenario, not as a limitation of the invention.
  • as shown in FIG. 5, the gateway device 500 includes:
  • the information synchronization unit 510, configured to interact with another gateway to synchronize registered user information.
  • the access control unit 520, configured to: when the gateway receives a packet sent by a user, perform access control on the user's access to the local area network according to the registered user information synchronized with the other gateway.
  • the IPsec tunnel establishing unit 530, configured to establish an IPsec tunnel with another gateway, where the IPsec tunnel is used to transmit data between the gateways and the data is encapsulated into IPsec format before transmission.
  • the packet forwarding unit 540 is configured to receive the packet and perform forwarding processing.
  • the packet forwarding unit 540 includes:
  • the packet classification unit 541 is configured to detect the type of the received packet: if the received packet is an SSL packet, it is sent to the SSL packet processing unit; if it is an ordinary packet, it is sent to the ordinary packet processing unit; if it is an IPsec packet, it is sent to the IPsec packet processing unit;
  • the SSL packet processing unit 542 is configured to receive the SSL packet from the packet classification unit 541 and decapsulate it, then check the security control policy of the user: if the gateway's security policy is not met, the packet is discarded; if it is met, the destination address of the packet is further determined. If the destination address is in the local area network where this gateway is located, the packet is forwarded directly; if the destination address is in the local area network where the other gateway is located, the packet is encapsulated into an IPsec packet and sent to the other gateway through the IPsec tunnel;
  • the ordinary packet processing unit 543 is configured to receive the ordinary packet from the packet classification unit 541: if the destination address of the packet is the public network, the packet is encapsulated into an SSL packet and sent; if the destination address is in the local area network where the other gateway is located, the packet is encapsulated into an IPsec packet and sent to the other gateway through the IPsec tunnel;
  • the IPsec packet processing unit 544 is configured to receive the IPsec packet from the packet classification unit 541 and determine whether the destination address of the packet is in the local area network where this gateway is located; if so, it performs IPsec decapsulation and then forwards the packet.
  • the registered user information is synchronized through the interaction between the gateways.
  • when a user who has registered at one gateway logs in to another gateway, that gateway can perform access control on the user's access to the local area network according to the registered user information synchronized with the other gateways.
  • the process of user authentication and authorization is therefore more convenient and simpler: once the user has obtained access rights at one gateway, there is no need to log in repeatedly to other gateways as in the prior art, and the user can directly access other local area networks under unified security policy management, which greatly facilitates the user.
  • when data synchronization is performed between gateways, only the changed data may be updated, that is, the changed data is sent to the opposite gateway in the update information, which reduces the amount of synchronized data; less data is exchanged between the gateways, saving network bandwidth and improving synchronization efficiency.
  • the storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM), or a random access memory (RAM).
  • ROM read-only memory
  • RAM random access memory

Abstract

A method for local area network (LAN) access control includes: a first gateway interacts with a second gateway to synchronize registered user information; the first gateway receives an access request of a user; according to the registered user information synchronized with the second gateway, the first gateway performs access control for the user accessing a LAN. A gateway device includes: an information synchronization unit, used to interact with another gateway to synchronize registered user information; and an access control unit, used to receive the access request of the user and perform access control for the user accessing a LAN according to the registered user information synchronized with the other gateway. In this way the user can obtain the authority to access the resources of multiple LANs after registering at one gateway.

Description

局域网访问控制的方法以及网关设备  LAN access control method and gateway device
本申请要求于 2009 年 1 月 19 日提交中国专利局、 申请号为 200910005547.X, 发明名称为 "局域网访问控制的方法以及网关设备" 的中国 专利申请的优先权, 其全部内容通过引用结合在本申请中。  This application claims priority to Chinese Patent Application No. 200910005547.X, filed on Jan. 19, 2009, entitled "LAN Access Control Method and Gateway Device", the entire contents of which are incorporated by reference. In this application.
技术领域 Technical field
本发明涉及通信技术领域, 具体涉及局域网访问控制的方法以及网关设 备。  The present invention relates to the field of communications technologies, and in particular, to a method for access control of a local area network and a gateway device.
背景技术 Background technique
随着因特网(Internet )网络技术的不断发展, 信息安全和信息保护越来越 受到人们的重视。 现有的网关接入方式主要有安全套接字层( Security Socket Layer, SSL )方式和 IP层协议安全结构 ( Security Architecture for IP network, IPSec ) 方式两种, 一般连接在防火墙之后、 局域网资源之前, 为外网用户提 供安全接入。  With the continuous development of Internet (Internet) network technology, information security and information protection have received more and more attention. The existing gateway access modes are mainly Security Socket Layer (SSL) and Security Architecture for IP network (IPSec). They are usually connected behind the firewall and before the LAN resources. , providing secure access to external network users.
SSL方式接入方式中, 用户如果想访问网关所在局域网的资源, 则需要在 网关进行登陆, 登陆后, 根据网关赋予用户的权限获取资源。 用户登陆网关的 过程一般为:  In the SSL access mode, if you want to access the resources of the LAN where the gateway is located, you need to log in at the gateway. After logging in, you can obtain resources according to the permissions granted to the user by the gateway. The process of users logging in to the gateway is generally:
用户在登陆界面输入用户名和密码,网关根据保存的用户信息数据库对所 述用户输入的用户名和密码进行 3全证, 3全证通过后, 网关与所述用户协商一个 SSL方式加密的密钥后, 则完成登陆。 此后, 网关和所述用户之间传输的数据 包均使用所述密钥加密,网关和所述用户利用所述密钥可以对传输的数据包解 封。 以实现数据传输的安全控制。  The user enters a user name and password on the login interface, and the gateway performs a full certificate on the user name and password input by the user according to the saved user information database. After the full certificate is passed, the gateway negotiates an SSL-encrypted key with the user. , then complete the login. Thereafter, the data packets transmitted between the gateway and the user are encrypted using the key, and the gateway and the user can use the key to decapsulate the transmitted data packets. To achieve security control of data transmission.
SSL方式接入网关的一个显著的缺点是,一个用户如果想访问多个物理分 割的局域网, 就需要在所在所述多个局域网的多台网关上分别进行注册, 用户 操作繁瑣, 十分不便。  A significant disadvantage of the SSL access gateway is that if a user wants to access multiple physical LANs, it needs to register separately on multiple gateways of the multiple LANs. The user operation is cumbersome and inconvenient.
发明内容 Summary of the invention
本发明实施例提供局域网访问控制的方法以及网关设备,可以实现用户在 一个网关注册后, 即可获得访问多个局域网资源的权限。  The embodiment of the invention provides a method for accessing a local area network and a gateway device, which can obtain the right to access a plurality of local area network resources after the user registers with a gateway.
本发明实施例提供了一种局域网访问控制的方法, 包括:  The embodiment of the invention provides a method for access control of a local area network, including:
第一网关与第二网关交互进行注册用户信息的同步; 所述第一网关接收用户的接入请求; The first gateway interacts with the second gateway to synchronize the registered user information; The first gateway receives an access request of the user;
所述第一网关根据与第二网关同步的注册用户信息对所述用户访问局域 网进行接入控制。  The first gateway performs access control on the user access to the local area network according to the registered user information synchronized with the second gateway.
本发明实施例还提供了一种网关设备, 包括:  The embodiment of the invention further provides a gateway device, including:
信息同步单元, 用于与另一网关交互进行注册用户信息的同步; 接入控制单元, 用于接收用户的接入请求,根据与另一网关同步的注册用 户信息对所述用户访问局域网进行接入控制。  An information synchronization unit, configured to perform synchronization with another gateway to perform registration of user information; an access control unit, configured to receive an access request of the user, and connect the user to access the local area network according to the registered user information synchronized with another gateway Into control.
由上技术方案可以看出, 通过网关之间的交互进行注册用户信息的同步; 当用户在一个网关注册后,再登陆其他网关时, 其他网关则可以根据同步的注 册用户信息对该用户访问局域网进行接入控制。无需按照现有技术的方式重复 在其他网关注册, 简化了用户注册的过程,使得用户一旦用于在一个网关获得 访问权限, 则可以登陆多个局域网获得资源, 极大的方便了用户。  It can be seen from the above technical solution that the registration user information is synchronized through the interaction between the gateways; when the user registers with one gateway and then logs in to other gateways, other gateways can access the local area network according to the synchronized registered user information. Perform access control. It is not necessary to repeat the registration in other gateways according to the prior art, which simplifies the process of user registration, so that once the user is used to obtain access rights at a gateway, the user can log in to multiple local area networks to obtain resources, which greatly facilitates the user.
附图说明 DRAWINGS
为了更清楚地说明本发明实施例或现有技术中的技术方案,下面将对实施 例或现有技术描述中所需要使用的附图作简单地介绍,显而易见地, 下面描述 中的附图仅仅是本发明的一些实施例, 对于本领域普通技术人员来讲, 在不付 出创造性劳动性的前提下, 还可以根据这些附图获得其他的附图。  In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the embodiments or the description of the prior art will be briefly described below. Obviously, the drawings in the following description are only It is a certain embodiment of the present invention, and other drawings can be obtained from those skilled in the art without any inventive labor.
FIG. 1 is a schematic diagram of the networking according to an embodiment of the present invention;
FIG. 2 is a flowchart of a method for local area network access control according to an embodiment of the present invention;
FIG. 3 is a flowchart of a method for local area network access control according to an embodiment of the present invention;
FIG. 4 is a schematic structural diagram of a gateway device according to an embodiment of the present invention;
FIG. 5 is a schematic structural diagram of a gateway device according to an embodiment of the present invention;
FIG. 6 is a schematic structural diagram of a communication system according to an embodiment of the present invention.
DETAILED DESCRIPTION
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments that a person of ordinary skill in the art obtains from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Embodiments of the present invention provide a method for local area network access control, as well as a gateway device and a communication system.
As shown in FIG. 1, a networking diagram of an embodiment of the present invention, an IPsec (IP Security; the security architecture for the Internet Protocol) tunnel is set up between the gateways (a first gateway and a second gateway) of different local area networks (LAN 1 and LAN 2). The first gateway and the second gateway interact through the IPsec tunnel and keep their registered user information synchronized, so that once a user has registered with one of the gateways, the other gateway obtains that user's registered user information through data synchronization. The first gateway is in LAN 1 and the second gateway is in LAN 2. In this example, carrying the synchronization data over the IPsec tunnel protects the communication between LAN 1 and LAN 2 against eavesdropping and tampering on the path between them.
After the user has logged in at the first gateway, both LAN 1 and LAN 2 are open to the user, who can access the resources of LAN 1 and LAN 2 directly. Data destined for LAN 2 is intercepted by the first gateway, encapsulated in IPsec packets and sent to the second gateway, which decapsulates it and forwards it into LAN 2; the reverse direction works the same way. It is to be understood that the user may also access LAN 2 directly, without going through LAN 1: since the user has already registered at the first gateway, there is no need to register again at the second gateway, and the user can access the resources of LAN 2 after passing the second gateway's verification.
Preferred embodiments of the present invention are described in detail below.
A method for local area network access control provided by an embodiment of the present invention, whose flow is shown in FIG. 2, includes:
A1. The first gateway interacts with the second gateway to synchronize registered user information.
There are several possible ways to synchronize. For example, the synchronization can be divided into an initial synchronization phase and an update synchronization phase:
Initial synchronization phase: the gateways copy all of each other's registered user information to complete the initial synchronization; once the registered user information on the gateways is identical, the update synchronization phase begins.
Update synchronization phase: after the initial synchronization, when the registered user information on one gateway changes, the changed data is sent to the other gateways in the synchronization relationship, which update their data accordingly.
In the embodiment of the present invention, after the first gateway and the second gateway have synchronized their registered user information, if the registered user information configured on either the first gateway or the second gateway changes, the changed data is sent to the other gateway in an update message so that it can update its configuration. This keeps the first gateway and the second gateway holding the same registered user information.
In this embodiment, the registered user information includes:
the user's login identity verification information and the corresponding security control policy for the user's access.
The user's login identity verification information can take several forms that identify the user, commonly a user name and password; information that identifies the user, such as the user's Internet Protocol (IP) address or Media Access Control (MAC) address, can also be used. Note that an IP or MAC address is asserted by the sender rather than proven, so identification by address alone is only as strong as the network's control over who can use those addresses.
The security control policy includes the user's privilege settings and the local area network resources that each privilege level is allowed to access.
For example, user privileges may be divided into administrator level, user level and guest level:
A user with administrator-level privileges has the highest privileges and can access and modify all resources in the LAN and manage the LAN's resource configuration and data systems;
A user with user-level privileges can access and modify the resources of the shared area;
A user with guest-level privileges can only obtain the resources of the shared area in "read-only" mode.
In the update synchronization phase described above, changes to registered user information include: registration of a new user, destruction of a user's information, a change of a user's privilege level, a change of the resource configuration corresponding to a privilege level, and so on.
Specifically, in the embodiment of the present invention the communication between the first gateway and the second gateway is carried over an established IPsec tunnel: data transmitted between the first gateway and the second gateway goes through the IPsec tunnel, and before transmission the data is encapsulated in IPsec format. Communicating through an IPsec tunnel makes the data exchanged between the gateways more secure, because only the peer gateway that holds the tunnel's security association (and therefore its keys) can decapsulate the IPsec packets. The embodiment of the present invention is not limited to this way of communicating between gateways; existing conventional communication methods, such as a conventional session, can also be used, and the specific method does not limit the present invention. It is to be understood that if the IPsec tunnel is disconnected, the first gateway and the second gateway renegotiate the IPsec tunnel so as to keep a connection at all times.
A2. The first gateway receives a user's access request.
The first gateway performs access control on the user's access to the local area network on the basis of the registered user information synchronized with the second gateway.
On the basis of the registered user information synchronized with the second gateway, it is determined whether the user's access at the first gateway is legitimate; if so, the user's access is allowed, and if not, the user's access is refused.
Specifically, the process of determining whether the user has registered at the first gateway includes:
obtaining the user name and password from the user's access request;
checking whether the user name is present in the registration information synchronized with the second gateway; if it is, checking further whether the password is correct; if the password is correct, the access is confirmed as legitimate; if the user name is absent or the password is incorrect, the access is confirmed as illegitimate.
It is to be understood that the process of determining whether the user has registered at the first gateway may instead obtain the IP address or MAC address from the user's access request and check whether the registration information synchronized with the second gateway contains that IP address or MAC address; if it does, the user's access is allowed.
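The following Python is an added worked example, not code from the patent or from the applicant, of the registry lookup that step A2 and the paragraphs above describe: the synchronized registered user information is modeled as a table keyed by user name, an access request is checked by user name and password first and by IP or MAC address as the alternative the text allows, and the administrator, user and guest levels are encoded as the operations each may perform on all resources or on the shared area. The storage format (salted PBKDF2 digests), the constant-time comparison, the equal-cost handling of unknown user names and the sample users are assumptions added here; the patent only says that a user name and password are stored.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Privilege levels named in the text and the operations each may perform: "all" stands for
# every resource in the LAN, "shared" for the shared area (constructed encoding of the text).
POLICY = {
    "admin": {"all": {"read", "write"}},
    "user": {"shared": {"read", "write"}},
    "guest": {"shared": {"read"}},
}


def _digest(password: str, salt: bytes) -> bytes:
    # Assumption added here: passwords are stored salted and hashed, never in the clear.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class RegisteredUser:
    username: str
    salt: bytes
    password_digest: bytes
    level: str                   # "admin", "user" or "guest"
    ip: Optional[str] = None     # alternative identifiers the text allows
    mac: Optional[str] = None


class Registry:
    """Registered user information as held by one gateway and synchronized with its peers."""

    def __init__(self) -> None:
        self.users: Dict[str, RegisteredUser] = {}

    def register(self, username: str, password: str, level: str,
                 ip: Optional[str] = None, mac: Optional[str] = None) -> None:
        if level not in POLICY:
            raise ValueError(f"unknown privilege level {level!r}")
        salt = os.urandom(16)
        self.users[username] = RegisteredUser(username, salt, _digest(password, salt), level, ip, mac)

    def by_address(self, ip: Optional[str], mac: Optional[str]) -> Optional[RegisteredUser]:
        for u in self.users.values():
            if (ip is not None and u.ip == ip) or (mac is not None and u.mac == mac):
                return u
        return None


def check_access(registry: Registry, request: dict) -> Tuple[bool, Optional[str]]:
    """Step A2: admit the request only if it matches the synchronized registry.

    User name and password are checked first; an IP or MAC address in the request is the
    alternative identification the text allows. Returns (admitted, user name).
    """
    name = request.get("username")
    if name is not None:
        user = registry.users.get(name)
        if user is None:
            _digest(request.get("password", ""), b"\x00" * 16)   # same cost as a real check
            return False, None                                   # no such user name
        given = _digest(request.get("password", ""), user.salt)
        if not hmac.compare_digest(given, user.password_digest):
            return False, None                                   # wrong password
        return True, user.username
    user = registry.by_address(request.get("ip"), request.get("mac"))
    return (True, user.username) if user is not None else (False, None)


def operation_allowed(registry: Registry, username: str, resource: str, op: str) -> bool:
    """Security control policy check: may this user perform op on this resource class?"""
    user = registry.users.get(username)
    if user is None:
        return False
    rules = POLICY[user.level]
    return op in rules.get("all", set()) or op in rules.get(resource, set())


def build_sample_registry() -> Registry:
    """Constructed sample users, not taken from the page."""
    reg = Registry()
    reg.register("alice", "correct horse battery staple", "admin")
    reg.register("bob", "bob-pass", "user", ip="10.1.0.20")
    reg.register("carol", "carol-pass", "guest", mac="00:11:22:33:44:55")
    return reg
```

Because the decision is made against the synchronized copy, the same `check_access` runs unchanged on whichever gateway the user contacts; the unknown-user branch still performs a digest so that a probe cannot tell an absent user name from a wrong password by timing.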
This embodiment further includes: the first gateway receives packets and performs packet forwarding processing. In the embodiment of the present invention the gateway can receive three types of packet and handles each type differently.
If the packet received by the first gateway is a Secure Sockets Layer (SSL) packet, the packet is decapsulated and the user's security control policy is checked. If the packet does not conform to the gateway's security policy, it is discarded; if it does, the destination address of the packet is examined further: if the destination address is in the local area network where the first gateway is located, the packet is forwarded directly; if the destination address is in the local area network where the second gateway is located, the packet is encapsulated as an IPsec packet and sent to the second gateway through the IPsec tunnel.
If the packet received by the first gateway is a packet from the local area network where the first gateway is located, then if the destination address of the packet is in the public network, the packet is encapsulated as an SSL packet and sent; if the destination address of the packet is in the local area network where the second gateway is located, the packet is encapsulated as an IPsec packet and sent to the second gateway through the IPsec tunnel between the two gateways.
If the packet received by the first gateway is an IPsec packet sent by the second gateway, it is determined whether the destination address of the packet is in the local area network where this gateway is located; if so, the packet is IPsec-decapsulated and forwarded.
In the embodiment of the present invention, registered user information is synchronized through interaction between the gateways. Once a user has registered with one gateway and then logs in to another gateway, that gateway can perform access control for the user's access to its local area network on the basis of the synchronized registered user information. There is then no need to repeat the registration at each gateway as in the prior art, which simplifies user registration: once a user has obtained access rights at one gateway, the user can log in to several local area networks and obtain their resources, which is a considerable convenience for the user.
Further, in the embodiment of the present invention an IPsec tunnel is established between the gateways, and the synchronization of registered user information and the data transmission take place through that tunnel, which makes the data transmission between the gateways more secure and reliable.
An embodiment of the present invention describes one feasible way for a gateway to handle the different types of packet. The flow, shown in FIG. 3, includes:
B1. The gateway receives a packet.
B2. The type of the packet is checked. If the packet is an ordinary packet, that is, a packet from inside the local area network where the gateway is located, proceed to step B3; if the packet is an SSL packet, proceed to step B4; if the packet is an IPsec packet, proceed to step B5.
B3. Ordinary packet processing, specifically: if the destination address of the ordinary packet is in the public network, the packet is SSL-encapsulated and sent; if the destination address of the ordinary packet is in the local area network where the gateway is located, the packet is forwarded directly; if the destination address of the ordinary packet is in another local area network, the packet is encapsulated as an IPsec packet and sent to the peer gateway through the IPsec tunnel to the gateway of that other local area network.
B4. The SSL packet is parsed (decapsulated); proceed to step B6.
B5. It is determined whether the destination address of the IPsec packet is in the local area network where this gateway is located. If so, the packet is decapsulated and forwarded; if not, the IPsec tunnel is looked up by destination address and the packet is forwarded through that IPsec tunnel. The flow then ends.
B6. The packet is matched against the security policy, using the data synchronized with the other gateways. If the match succeeds, proceed to step B8; if it fails, proceed to step B7.
B7. The packet is discarded and the flow ends.
B8. It is determined whether the destination address of the packet is in the local area network where this gateway is located. If so, proceed to step B9; if not, proceed to step B10.
B9. The packet is forwarded according to its destination address and the flow ends.
B10. An IPsec tunnel is looked up according to the destination address of the packet. If one is found, proceed to step B11; if not, proceed to step B12.
It is to be understood that the gateway stores the IPsec tunnels it has established with other gateways as an access control list (ACL); when an IPsec packet is to be sent, this ACL is looked up to obtain the IPsec tunnel.
B11. The IPsec packet is sent to the other gateway through the IPsec tunnel found.
B12. The IPsec packet is discarded and the flow ends.
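As an added example (not the patent's or the applicant's code), the following Python implements the decision tree of steps B1 to B12 for a single gateway. The gateway's local LAN, the tunnel ACL that maps destination LANs to peer gateways, the policy callback that stands in for the match against synchronized registered user information, and the sample packets are all constructed for the example. Two points the flowchart leaves open are decided here and marked as assumptions in the code: an ordinary packet whose destination is neither the local LAN nor a LAN reachable through a tunnel is treated as bound for the public network, and an IPsec packet for which no tunnel exists is dropped.

```python
import ipaddress
from typing import Callable, Dict, List, Optional

# policy(user, destination) -> allowed; built from the synchronized registered user information
Policy = Callable[[Optional[str], ipaddress.IPv4Address], bool]


class Gateway:
    """Forwarding decision of one gateway, following steps B1 to B12 of the flow above."""

    def __init__(self, local_lan: str, tunnel_acl: Dict[str, str], policy: Policy) -> None:
        self.local_lan = ipaddress.ip_network(local_lan)
        # ACL of established IPsec tunnels: destination LAN -> peer gateway (constructed)
        self.tunnel_acl = {ipaddress.ip_network(lan): peer for lan, peer in tunnel_acl.items()}
        self.policy = policy

    def find_tunnel(self, dst: ipaddress.IPv4Address) -> Optional[str]:
        for lan, peer in self.tunnel_acl.items():
            if dst in lan:
                return peer
        return None

    def handle(self, pkt: dict) -> str:
        dst = ipaddress.ip_address(pkt["dst"])
        kind = pkt["type"]                                          # B2: classify the packet
        if kind == "ipsec":                                          # B5
            if dst in self.local_lan:
                return "ipsec-decapsulate, forward to local LAN"
            peer = self.find_tunnel(dst)
            # Assumption: an IPsec packet with no matching tunnel is dropped (the flow does not say).
            return f"forward via IPsec tunnel to {peer}" if peer else "drop: no IPsec tunnel"
        if kind == "plain":                                          # B3
            if dst in self.local_lan:
                return "forward to local LAN"
            peer = self.find_tunnel(dst)
            if peer is not None:
                return f"encapsulate IPsec, send via tunnel to {peer}"
            # Assumption: anything neither local nor tunnel-reachable is the public network.
            return "encapsulate SSL, send to public network"
        if kind != "ssl":
            return "drop: unknown packet type"                        # assumption: not in the flow
        # B4 decapsulate, then B6: match against the security policy from synchronized data
        if not self.policy(pkt.get("user"), dst):
            return "drop: security policy"                           # B7
        if dst in self.local_lan:                                    # B8, B9
            return "forward to local LAN"
        peer = self.find_tunnel(dst)                                 # B10
        return f"encapsulate IPsec, send via tunnel to {peer}" if peer else "drop: no IPsec tunnel"  # B11, B12


def make_policy(allowed: Dict[str, List[str]]) -> Policy:
    """Constructed policy: each user may reach the listed destination networks only."""
    nets = {u: [ipaddress.ip_network(n) for n in lans] for u, lans in allowed.items()}
    return lambda user, dst: user in nets and any(dst in n for n in nets[user])


def build_sample_gateway() -> Gateway:
    """Gateway of LAN 1 (10.1.0.0/16) with one tunnel to gw2, which serves LAN 2 (10.2.0.0/16)."""
    policy = make_policy({"alice": ["0.0.0.0/0"], "guest": ["10.1.0.0/16"]})
    return Gateway("10.1.0.0/16", {"10.2.0.0/16": "gw2"}, policy)
```

Note that the policy check sits only on the SSL path: an ordinary packet from inside the LAN and an IPsec packet from a peer gateway are forwarded by destination alone, so in this design the trust placed in the peer gateway's own admission decisions is total.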
With the above method, the gateway of the embodiment of the present invention can process both IPsec and SSL packets. Once the IPsec tunnel has been configured and established, the gateways maintain the communication relationship between the two ends of the tunnel. If the tunnel is disconnected, the gateways renegotiate to re-establish it, and after each tunnel establishment the gateways can resynchronize the registered user information at both ends.
If every synchronization of registered user information over the IPsec tunnel transmitted and compared all of the registered user information held by the gateways entry by entry, it would not only take a long time but could also congest the IPsec tunnel, to the detriment of the services running over it.
Therefore, the embodiment of the present invention can update only the data that has changed, reducing the amount of data transmitted during synchronization; specifically, the changed data is sent to the peer gateway in an update message. The changed data here can include modified data, added data and deleted data.
This is explained below with a concrete example. The following embodiment is only one feasible way of implementing the present invention and does not limit it.
A flag, a sequence number and an aging counter are kept for each item of registered user information.
The registered user information includes the user's login identity verification information and the corresponding security control policy for the user's access; the security control policy includes the user's privilege settings and the local area network resources that each privilege level is allowed to access.
The registered user information of different gateways is assigned sequence numbers from different, non-overlapping ranges. The sequence number uniquely identifies each item of registered user information.
The flag identifies the state of each item of registered user information. The meanings of the flag values are shown in Table 1.
Registered user information with flag 1 or 5 does not take effect; it is only held in the gateway awaiting synchronization. Registered user information with flag 2, 3 or 4 takes effect; flag 3 indicates that synchronization between the gateways is normal, and the other values indicate a synchronization anomaly.
Table 1 (the original table is an image; the flag values below are summarized from the description in the text)
Flag 1: configured locally, not yet sent to the peer gateway; not in effect.
Flag 2: sent to the peer gateway, awaiting its confirmation; in effect.
Flag 3: confirmed by the peer gateway, synchronization normal; in effect.
Flag 4: synchronization failed (retransmission limit reached, or the peer did not reply correctly), reported to network management; in effect.
Flag 5: awaiting deletion, or a modification or deletion received from the peer could not be applied, reported to network management; not in effect.
The use of Table 1 is explained below together with the information synchronization flow of this example.
When a gateway first configures registered user information, the flag of each item is set to 1. The gateway then sends the item to the peer gateway and sets its flag to 2. Once the peer gateway's confirmation is received, the flag is set to 3. An error-retransmission mechanism ensures that the information reaches the peer.
On the receiving gateway, when a configured item of registered user information is received, its flag is set to 2 and a confirmation message is sent. Once the other side's confirmation message is received, the flag is set to 3.
A configured item of registered user information is in effect while its state is 2 or 3. The gateway periodically looks up items whose flag is not 3, sends them to the peer gateway, and increments the aging counter by 1. The aging counter is the number of transmissions so far; when the number of transmissions reaches the preset threshold and the item still could not be synchronized, the gateway sets the item's flag to 4, reports to network management, records the configuration anomaly, and stops sending the item.
For example, with a preset aging threshold of 3, the first transmission sets the aging counter to 1, the second to 2 and the third to 3, at which point the threshold is reached; if no confirmation from the peer gateway has been received, the flag of the item is set to 4.
For a modified item of registered user information, the local gateway sets its flag back to 2 and sends the item to the peer gateway; after the correct reply from the peer is received, the flag is set to 3 again. When the local gateway receives a modification of registered user information, it applies the modification; if the modification succeeds the flag is unchanged, otherwise the flag is set to 5 and reported to network management.
For configuration to be deleted, the flag of the item is set to 5 and the sequence number of the item is sent to the peer gateway. After the correct reply from the peer gateway is received, the item is deleted locally; otherwise the flag is set to 4 and reported to network management.
When a sequence number to be deleted is received from the peer gateway, the item is deleted locally and a reply is sent. If the local deletion fails, the flag is set to 5 and reported to network management.
For items with flag 4 or 5, the administrator can choose to trigger retransmission or delete the item locally. The administrator can also choose to send all of the local configuration to overwrite the remote gateway's information, or request the remote gateway to send all of its configuration to this gateway.
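The flag, sequence number and aging counter scheme above, as an added Python example rather than the patent's own code. Two gateways allocate sequence numbers from disjoint ranges, push their entries to each other, retransmit anything not yet confirmed until the aging threshold, and handle an accepted modification, a rejected modification and a confirmed deletion as the text describes. The message format, the update/ack/confirm exchange (the text has both sides set flag 3 on receiving the other's confirmation, which is read here as a final confirm sent after the ack), the privilege-level validation used to make a modification fail, and the sample users are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Flag values as the text describes them: 1 configured locally, not yet sent; 2 sent, awaiting
# the peer's confirmation; 3 confirmed, in sync; 4 retransmission limit reached or rejected,
# reported to network management; 5 awaiting deletion or update failed. 2, 3, 4 take effect.
NEW, SENT, SYNCED, FAILED, PENDING = 1, 2, 3, 4, 5
EFFECTIVE = {SENT, SYNCED, FAILED}
LEVELS = ("admin", "user", "guest")        # privilege levels named in the text
Message = Tuple[str, int, Optional[dict]]  # (op, sequence number, payload); assumed format


@dataclass
class Entry:
    seq: int          # unique; each gateway allocates from its own disjoint range
    data: dict        # login credentials and security control policy (constructed)
    flag: int = NEW
    aging: int = 0    # number of transmissions so far


class SyncGateway:
    def __init__(self, name: str, seq_range: range, aging_limit: int = 3) -> None:
        self.name, self._seqs, self.aging_limit = name, iter(seq_range), aging_limit
        self.entries: Dict[int, Entry] = {}
        self.nms_reports: List[str] = []   # what would be reported to network management

    def _report(self, seq: int, what: str) -> None:
        self.nms_reports.append(f"{self.name}: seq {seq} {what}")

    def configure(self, data: dict) -> int:              # new local entry: flag 1 until sent
        seq = next(self._seqs)
        self.entries[seq] = Entry(seq, dict(data))
        return seq

    def modify(self, seq: int, data: dict) -> None:      # back to flag 2 until the peer confirms
        e = self.entries[seq]
        e.data, e.flag, e.aging = dict(data), SENT, 0

    def delete(self, seq: int) -> Message:               # flag 5; removed once the peer acks
        self.entries[seq].flag = PENDING
        return ("delete", seq, None)

    def effective(self) -> List[int]:
        return sorted(s for s, e in self.entries.items() if e.flag in EFFECTIVE)

    def outgoing(self) -> List[Message]:
        # Periodic pass: resend every entry not yet confirmed (flag 1 or 2), up to the aging limit.
        msgs: List[Message] = []
        for e in self.entries.values():
            if e.flag not in (NEW, SENT):
                continue
            if e.aging >= self.aging_limit:              # threshold reached and still unconfirmed
                e.flag = FAILED
                self._report(e.seq, f"not synced after {e.aging} transmissions")
                continue
            e.aging, e.flag = e.aging + 1, SENT
            msgs.append(("update", e.seq, dict(e.data)))
        return msgs

    def receive(self, msg: Message) -> Optional[Message]:
        # Handle one message from the peer gateway and return the reply, if any.
        op, seq, payload = msg
        e = self.entries.get(seq)
        if op == "update":
            if e is None:                                # new entry learned from the peer
                self.entries[seq] = Entry(seq, dict(payload), flag=SENT)
            elif payload.get("level") not in LEVELS:     # modification cannot be applied (assumed check)
                e.flag = PENDING
                self._report(seq, "update failed")
                return ("nack", seq, None)
            else:
                e.data = dict(payload)                   # applied; flag unchanged
            return ("ack", seq, None)
        if op == "delete":
            if e is None:
                self._report(seq, "delete failed: no such entry")
                return ("nack", seq, None)
            del self.entries[seq]
            return ("ack", seq, None)
        if e is None:
            return None
        if op == "ack" and e.flag == PENDING:            # our deletion was confirmed
            del self.entries[seq]
        elif op == "ack":
            e.flag = SYNCED
            return ("confirm", seq, None)                # lets the peer mark its copy 3 as well
        elif op == "nack":
            e.flag = FAILED
            self._report(seq, "rejected by peer")
        elif op == "confirm":
            e.flag = SYNCED
        return None


def deliver(src: SyncGateway, dst: SyncGateway, msg: Message) -> None:
    """Carry one message over the tunnel and route each reply back until the exchange ends."""
    reply = dst.receive(msg)
    if reply is not None:
        deliver(dst, src, reply)


def push(src: SyncGateway, dst: SyncGateway) -> None:
    for m in src.outgoing():
        deliver(src, dst, m)


def demo() -> dict:
    gw1, gw2 = SyncGateway("gw1", range(1, 1000)), SyncGateway("gw2", range(1000, 2000))
    alice = gw1.configure({"user": "alice", "level": "admin"})
    bob = gw2.configure({"user": "bob", "level": "guest"})
    push(gw1, gw2); push(gw2, gw1)                            # initial synchronization, both ways
    gw1.modify(alice, {"user": "alice", "level": "user"}); push(gw1, gw2)   # accepted modification
    gw1.modify(alice, {"user": "alice", "level": "root"}); push(gw1, gw2)   # rejected: 5 on gw2, 4 on gw1
    deliver(gw1, gw2, gw1.delete(bob))                        # deletion confirmed, removed on both
    gw1.configure({"user": "carol", "level": "user"})
    for _ in range(4):                                        # peer unreachable: 3 sends, then flag 4
        gw1.outgoing()
    return {"gw1": {s: e.flag for s, e in gw1.entries.items()},
            "gw2": {s: e.flag for s, e in gw2.entries.items()},
            "gw1_effective": gw1.effective(), "gw2_effective": gw2.effective(),
            "gw2_alice_level": gw2.entries[alice].data["level"],
            "reports": len(gw1.nms_reports) + len(gw2.nms_reports)}
```

`demo()` returns the flag of every entry still held on each side: after the run, gw1 holds alice and carol with flag 4, gw2 holds alice with flag 5 (its copy kept the last accepted level), bob has been removed on both sides, and three anomalies have been reported to network management.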
A gateway device provided by an embodiment of the present invention, whose structure is shown in FIG. 4, includes:
an information synchronization unit 410, configured to interact with another gateway to synchronize registered user information;
an access control unit 420, configured to receive a user's access request and perform access control on the user's access to the local area network on the basis of the registered user information synchronized with the other gateway.
A gateway device 500 provided by another embodiment of the present invention gives an example of one specific feasible way of processing in the access control unit; this example is to be understood as applying the function of the access control unit to a specific scenario and does not limit the present invention. Its structure, shown in FIG. 5, includes:
an information synchronization unit 510, configured to interact with another gateway to synchronize registered user information;
an access control unit 520, configured to perform access control on a user's access to the local area network, on the basis of the registered user information synchronized with the other gateway, when the gateway receives a packet sent by that user;
an IPsec tunnel establishment unit 530, configured to establish an IPsec tunnel with the other gateway, the IPsec tunnel being used to transmit data between the gateways, the data being encapsulated in IPsec format before transmission;
a packet forwarding unit 540, configured to receive packets and perform forwarding processing.
The packet forwarding unit 540 includes:
a packet classification unit 541, configured to detect the type of a received packet: if the received packet is an SSL packet, it is passed to the SSL packet processing unit; if it is an ordinary packet, it is passed to the ordinary packet processing unit; if it is an IPsec packet, it is passed to the IPsec packet processing unit;
an SSL packet processing unit 542, configured to decapsulate the SSL packets received from the packet classification unit 541 and check the user's security control policy: if the packet does not conform to the gateway's security policy it is discarded; if it does, the destination address of the packet is examined further, and if the destination address is in the local area network where this gateway is located the packet is forwarded directly, while if the destination address is in the local area network where the other gateway is located the packet is encapsulated as an IPsec packet and sent to the other gateway through the IPsec tunnel;
an ordinary packet processing unit 543, configured to receive ordinary packets from the packet classification unit 541: if the destination address of the packet is in the public network, the packet is encapsulated as an SSL packet and sent; if the destination address of the packet is in the local area network where the other gateway is located, the packet is encapsulated as an IPsec packet and sent to the other gateway through the IPsec tunnel;
an IPsec packet processing unit 544, configured to receive IPsec packets from the packet classification unit 541 and determine whether the destination address of the packet is in the local area network where this gateway is located; if so, the packet is IPsec-decapsulated and forwarded.
In this embodiment, registered user information is synchronized through interaction between the gateways. When a gateway receives a packet sent by a user, it can perform access control for the user's access to the local area network on the basis of the registered user information synchronized with the other gateways. The user's authentication and authorization process is more convenient and simpler: once the user has obtained access rights at one gateway, there is no need to log in again at other gateways as in the prior art, and the user can access other local area networks directly and freely under unified security policy management, which is a considerable convenience for the user.
Further, in the embodiment of the present invention, when data is synchronized between gateways only the changed data may be updated, that is, the changed data is sent to the peer gateway in an update message so as to reduce the amount of synchronized data. Synchronization is then achieved with less data exchanged between the gateways, which saves network bandwidth and improves synchronization efficiency.
A person of ordinary skill in the art can understand that all or part of the flow of the methods in the above embodiments can be implemented by a computer program instructing the relevant hardware. The program may be stored in a computer-readable storage medium and, when executed, may include the flow of the embodiments of the methods described above. The storage medium may be a magnetic disk, an optical disc, a read-only memory (ROM), a random access memory (RAM) or the like.
The description of the above embodiments is only intended to help understand the method of the present invention and its idea; at the same time, a person of ordinary skill in the art may, following the idea of the present invention, make changes to the specific embodiments and the scope of application. In summary, the contents of this specification should not be understood as limiting the present invention.

Claims

CLAIMS
1. A method for local area network access control, characterized in that it comprises:
a first gateway interacting with a second gateway to synchronize registered user information;
the first gateway receiving an access request of a user;
the first gateway performing access control on the user's access to the local area network on the basis of the registered user information synchronized with the second gateway.
2.如权利要求 1所述的方法, 其特征在于, 所述注册用户信息包括: 用户的登陆身份校验信息和对应的用户访问的安全控制策略。  The method according to claim 1, wherein the registered user information comprises: a login identity verification information of the user and a corresponding security control policy of the user access.
3.如权利要求 1所述的方法, 其特征在于, 所述第一网关与第二网关交互 进行注册用户信息的同步后,若所述第一网关和所述第二网关中一个网关配置 的注册用户信息发生改变,则通过更新信息将发生改变的数据发送给另一个网 关进行配置更新。  The method according to claim 1, wherein, after the first gateway and the second gateway exchange the registration user information, if one of the first gateway and the second gateway is configured When the registered user information changes, the changed data is sent to another gateway for update configuration by updating the information.
4.如权利要求 1所述的方法, 其特征在于, 所述第一网关和所述第二网关 之间通过 IP层协议安全结构 IPsec隧道进行数据传输,其中,所述第一网关或 所述第二网关在所述数据传输前, 将所述数据封装成 IPsec格式。  The method according to claim 1, wherein the first gateway and the second gateway perform data transmission through an IP layer protocol security structure IPsec tunnel, wherein the first gateway or the The second gateway encapsulates the data into an IPsec format before the data transmission.
5. The method according to claim 4, wherein, if the IPsec tunnel is disconnected, the first gateway and the second gateway renegotiate to re-establish the IPsec tunnel.
6. The method according to claim 1, wherein the process of the first gateway performing access control on the user's access to the local area network according to the registered user information synchronized with the second gateway comprises:
determining whether the user's access is legitimate according to the registered user information synchronized with the second gateway; if it is legitimate, allowing the user's access; if it is not legitimate, denying the user's access.
7. The method according to claim 6, wherein determining whether the user's access is legitimate comprises:
obtaining the user name and password from the user's access request;
checking whether the user name exists in the registration information synchronized with the second gateway; if the user name exists, further checking whether the password is correct, and if the password is correct, confirming the access as legitimate; if the user name does not exist or the password is incorrect, confirming the access as not legitimate.
8. The method according to claim 4, further comprising:
the first gateway receiving a packet and performing packet forwarding processing.
9. The method according to claim 8, wherein, if the packet received by the first gateway is a Secure Sockets Layer (SSL) packet, the packet is decapsulated;
the user's security control policy is checked;
if the packet does not conform to the security policy of the first gateway, the packet is discarded;
if the packet conforms to the security control policy of the first gateway, the destination address of the packet is further determined; if the destination address is the local area network where the first gateway is located, the packet is forwarded directly; if the destination address of the packet is the local area network where the second gateway is located, the packet is encapsulated into an IPsec packet and sent to the second gateway through the IPsec tunnel.
10. The method according to claim 8, wherein the packet received by the first gateway is a packet from the local area network where the first gateway is located;
if the destination address of the packet is the public network, the packet is encapsulated into an SSL packet and then sent; if the destination address of the packet is the local area network where the second gateway is located, the packet is encapsulated into an IPsec packet and sent to the second gateway through the IPsec tunnel between the first gateway and the second gateway.
11. The method according to claim 8, wherein the packet received by the first gateway is an IPsec packet sent by the second gateway; if the destination address of the IPsec packet sent by the second gateway is the local area network where the first gateway is located, the first gateway performs IPsec decapsulation and then forwards the packet.
12. A gateway device, characterized by comprising:
an information synchronization unit, configured to interact with another gateway to synchronize registered user information;
an access control unit, configured to receive a user's access request and to perform access control on the user's access to the local area network according to the registered user information synchronized with the other gateway.
13. The gateway device according to claim 12, wherein the gateway device further comprises: an IPsec tunnel establishing unit, configured to establish an IPsec tunnel with the other gateway, the IPsec tunnel being used for data transmission between the gateway device and the other gateway.
14. The gateway device according to claim 13, wherein the gateway device further comprises: a packet forwarding unit, configured to receive packets and perform forwarding processing.
15. The gateway device according to claim 14, wherein the packet forwarding unit further comprises:
a packet classification unit, configured to detect the type of a received packet; if the received packet is an SSL packet, it is handled by an SSL packet processing unit; if the received packet is an ordinary packet, it is handled by an ordinary packet processing unit; if the received packet is an IPsec packet, it is handled by an IPsec packet processing unit;
the SSL packet processing unit, configured to receive SSL packets from the packet classification unit and decapsulate them; to check the user's security control policy and, if the packet conforms to the security control policy of the gateway device, determine the destination address of the packet; if the destination address is the local area network where the gateway device is located, the packet is forwarded directly; if the destination address of the packet is the local area network where the other gateway is located, the packet is encapsulated into an IPsec packet and sent to the other gateway through the IPsec tunnel;
the ordinary packet processing unit, configured to receive ordinary packets from the packet classification unit; if the destination address of the ordinary packet is the public network, the packet is encapsulated into an SSL packet and then sent; if the destination address of the ordinary packet is the local area network where the other gateway is located, the packet is encapsulated into an IPsec packet and sent to the other gateway through the IPsec tunnel with the other gateway;
the IPsec packet processing unit, configured to receive IPsec packets from the packet classification unit, determine …, and forward them after IPsec decapsulation.
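The access check of claim 7 together with the per-packet forwarding decisions of claims 9 to 11 can be modelled as one gateway object. The code below is an added illustration and is not from the patent; the packet fields, the policy representation (a set of destination networks a user may reach) and the handling of cases the claims leave open (packets for an unlisted destination are dropped, local-to-local traffic is forwarded) are assumptions.

```python
import hmac
from dataclasses import dataclass, field

@dataclass
class Packet:
    kind: str       # "ssl", "plain" or "ipsec": the three classes of claim 15 (assumed field)
    dst: str        # destination network: a LAN name or "public" (assumed field)
    user: str = ""  # user behind an SSL session, known after decapsulation (assumed)

@dataclass
class Gateway:
    lan: str        # LAN this gateway fronts
    peer_lan: str   # LAN behind the peer gateway, reached over the IPsec tunnel
    users: dict = field(default_factory=dict)  # name -> (secret, allowed destinations)

    def set_user(self, name, secret, allowed):
        """Local change to registered user info; returns the update message of
        claim 3, carrying only the changed entry, for the peer to apply."""
        self.users[name] = (secret, frozenset(allowed))
        return {name: self.users[name]}

    def apply_update(self, update):
        """Receiving side of claim 3: merge the changed entries from the peer."""
        self.users.update(update)

    def authenticate(self, name, secret):
        """Claim 7: unknown name or wrong secret means the access is not legitimate.
        Constant-time compare; a real gateway stores a password hash, not the secret."""
        entry = self.users.get(name)
        return entry is not None and hmac.compare_digest(entry[0], secret)

    def forward(self, pkt):
        """Claims 9-11: the action taken for one received packet."""
        if pkt.kind == "ssl":                        # claim 9: from a remote user
            entry = self.users.get(pkt.user)
            if entry is None or pkt.dst not in entry[1]:
                return "drop"                        # fails the user's security control policy
            if pkt.dst == self.lan:
                return "forward"
            if pkt.dst == self.peer_lan:
                return "ipsec-to-peer"
            return "drop"                            # assumption: no other destination allowed
        if pkt.kind == "plain":                      # claim 10: from the local LAN
            if pkt.dst == "public":
                return "ssl-out"
            if pkt.dst == self.peer_lan:
                return "ipsec-to-peer"
            return "forward"                         # assumption: local traffic stays local
        if pkt.kind == "ipsec":                      # claim 11: from the peer gateway
            return "decap-forward" if pkt.dst == self.lan else "drop"
        return "drop"                                # assumption: unknown packet class
```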
PCT/CN2009/076252 2009-01-19 2009-12-30 Method and gateway device for local area network access control WO2010081380A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200910005547.X 2009-01-19
CN200910005547XA CN101478485B (en) 2009-01-19 2009-01-19 Method for local area network access control and network gateway equipment

Publications (1)

Publication Number Publication Date
WO2010081380A1 true WO2010081380A1 (en) 2010-07-22

Family

ID=40839120

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2009/076252 WO2010081380A1 (en) 2009-01-19 2009-12-30 Method and gateway device for local area network access control

Country Status (2)

Country Link
CN (1) CN101478485B (en)
WO (1) WO2010081380A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113625589A (en) * 2021-09-15 2021-11-09 云茂互联智能科技(厦门)有限公司 Equipment control method and device, electronic equipment and storage medium
CN113992440A (en) * 2021-12-28 2022-01-28 北京安博通科技股份有限公司 Gateway equipment and method for transmitting local data into IPsec tunnel

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101478485B (en) * 2009-01-19 2012-04-04 成都市华为赛门铁克科技有限公司 Method for local area network access control and network gateway equipment
CN101951380B (en) * 2010-09-28 2013-08-28 杭州华三通信技术有限公司 Access control method and device used therein in dual-stack lite network
CN106936779A (en) * 2015-12-29 2017-07-07 北京网御星云信息技术有限公司 A kind of data connecting method, system and device
CN106549864B (en) * 2016-12-06 2019-11-22 上海电器科学研究院 A kind of Realization Method of Communication of cloud gateway
CN110493319B (en) * 2019-07-23 2022-07-12 视联动力信息技术股份有限公司 Data synchronization method, system and device
CN110635979B (en) * 2019-10-21 2022-02-01 杭州鸿雁智能科技有限公司 Method for interconnecting communication devices in local area network
CN114040403A (en) * 2021-10-26 2022-02-11 青岛海尔科技有限公司 Equipment synchronization method, device and system

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060236382A1 (en) * 2005-04-01 2006-10-19 Hinton Heather M Method and system for a runtime user account creation operation within a single-sign-on process in a federated computing environment
CN101075875A (en) * 2007-06-14 2007-11-21 中国电信股份有限公司 Method and system for realizing monopoint login between gate and system
CN101166173A (en) * 2006-10-20 2008-04-23 北京直真节点技术开发有限公司 A single-node login system, device and method
CN101478485A (en) * 2009-01-19 2009-07-08 成都市华为赛门铁克科技有限公司 Method for local area network access control and network gateway equipment

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100367715C (en) * 2004-09-30 2008-02-06 迈普(四川)通信技术有限公司 Method for realizing communication load equilibrium and gateway, central gateway thereof
CN101262350B (en) * 2008-04-23 2012-02-08 杭州华三通信技术有限公司 A realization method, system and device for Portal dual host hot swap


Also Published As

Publication number Publication date
CN101478485A (en) 2009-07-08
CN101478485B (en) 2012-04-04


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 09838167

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC OF 031111

122 Ep: pct application non-entry in european phase

Ref document number: 09838167

Country of ref document: EP

Kind code of ref document: A1