WO2011082583A1 - Implementation method, network, terminal and interworking node for data packets classification processing - Google Patents


Publication number
WO2011082583A1
Authority
WO
WIPO (PCT)
Prior art keywords
data packet
network
source
packet
identifier
Application number
PCT/CN2010/075978
Other languages
French (fr)
Chinese (zh)
Inventor
张世伟
符涛
黄兵
Original Assignee
中兴通讯股份有限公司

Classifications (all under H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication)

    • H04L 43/00 Arrangements for monitoring or testing data switching networks > H04L 43/18 Protocol analysers
    • H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls > H04L 63/0227 Filtering policies
    • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass > H04L 69/22 Parsing or analysis of headers
    • H04L 47/00 Traffic control in data switching networks > H04L 47/10 Flow control; Congestion control > H04L 47/24 Traffic characterised by specific attributes, e.g. priority or QoS > H04L 47/2441 Traffic characterised by specific attributes, e.g. priority or QoS relying on flow classification, e.g. using integrated services [IntServ]

Definitions

  • the present invention relates to the field of mobile communications, and in particular, to a method for processing data packets sent by users of different trust levels at a network boundary and a user terminal.
  • IP Internet Protocol
  • the technical problem to be solved by the present invention is to provide a method for implementing data packet classification processing, a network, a terminal, and an interworking service node, so as to implement classification processing of data packets to improve network security.
  • the present invention provides a method for implementing data packet classification processing, which is implemented on a data packet classification processing network that classifies data packets, and the implementation method includes processing of the data packet by the terminal, the processing including:
  • the terminal receives the data packet, where the specific bit in the source end identifier of the data packet is the source end category identifier of the packet, and the source end identifier of the packet is used to indicate the source of the data packet.
  • the terminal performs different processing on the data packet according to the source end category of the packet.
  • the implementation method further includes processing of the data packet by the access device, the processing including:
  • the access device receives a data packet sent by the terminal;
  • the access device checks whether the source end category identifier in the source end identifier of the data packet is consistent with the category of the terminal; if they are consistent, the packet is forwarded normally; if not, the packet is discarded, or the source end identifier of the data packet is modified according to the category of the terminal and the packet is then forwarded;
  • the category of the terminal is sent by the authentication server to the access device during the access authentication process of the terminal.
  • the implementation method further includes processing of the data packet by the interworking service node (ISN), the processing including:
  • the ISN receives a data packet sent by another network to the data packet classification processing network, determines the source end category of the packet according to its source, and modifies the source end identifier of the data packet according to the determined source end category identifier;
  • the ISN routes the converted data packet in the data packet classification processing network.
  • the step of the terminal processing the received data packet includes: determining the processing manner of the data packet according to the source end category of the packet, the confidentiality of the service application, and the terminal's own attributes.
  • the method is implemented on an Internet network or an identity and location separation network (SILSN), where the source end identifier of the packet is the IP address of the source of the data packet in an Internet network or the access identifier (AID) in the SILSN.
  • SILSN: identity and location separation network
  • the source end categories include: trusted users in the domain, group users in the domain, Internet cafe users in the domain, users of a similar network that are trusted outside the domain, heterogeneous network users that are trusted outside the domain, or network users that are not trusted outside the domain.
  • the present invention further provides a terminal, where the terminal is implemented based on a communication network, and the terminal includes:
  • a receiving module configured to receive a data packet, where a specific bit in the source end identifier of the data packet is the source end category identifier, and the source end identifier is used to indicate the source of the data packet;
  • a packet source end category determining module, connected to the receiving module and configured to determine the source end category according to the source end category identifier in the source end identifier of the data packet; and a data packet processing module, connected to the packet source end category determining module and configured to process the data packet differently according to the source end category of the packet.
  • the data packet processing module is configured to: determine, according to the source type of the packet, the manner in which the data packet is processed according to the confidentiality of the service application.
  • the communication network is an Internet network or an identity and location separation network (SILSN), and the source end identifier of the packet is the IP address of the source of the data packet in an Internet network or the access identifier (AID) in the SILSN.
  • SILSN: identity and location separation network
  • the source end categories include: trusted users in the domain, group users in the domain, Internet cafe users in the domain, users of a similar network that are trusted outside the domain, heterogeneous network users that are trusted outside the domain, or network users that are not trusted outside the domain.
  • the present invention further provides a network for data packet classification processing, in which a specific bit in the source end identifier of a data packet is set as the source end category identifier of the packet, and the source end identifier is used to indicate the source of the data packet, the network including:
  • a terminal configured to send and receive data packets and to process received data packets differently according to the source end category identifier of the packet;
  • an access device connected to the terminal and configured to forward data packets to the terminal and receive data packets sent by the terminal, and further to verify whether the source end category identifier of the packet in a data packet sent by the terminal is consistent with the category of the terminal; if they are consistent, the packet is forwarded normally; if not, the packet is discarded, or the source end identifier of the packet is modified according to the category of the terminal and the packet is then forwarded;
  • an authentication server connected to the access device and configured to identify and authenticate the user of the terminal and, during the authentication process, to notify the access device where the terminal is located of the category of the terminal.
  • the ISN includes:
  • a receiving module configured to receive data packets sent by another network to the data packet classification processing network;
  • a packet source end category determining module, connected to the receiving module and configured to determine, according to the source of the data packet, the source end category identifier of the source of the data packet within the data packet classification processing network;
  • a data packet conversion module, connected to the packet source end category determining module and configured to convert the data packet from the format of the other network to the format of the data packet classification processing network, including modifying the source end identifier of the data packet according to the determined source end category identifier;
  • a data packet forwarding module, connected to the data packet conversion module and configured to route the converted data packet in the data packet classification processing network.
  • the data packet conversion module of the ISN is further configured to save the correspondence between the source end identifiers of the packet before and after the modification, and to perform format conversion on data packets sent to the other network according to that correspondence.
  • the processing method for the data packet is determined according to the source end category of the packet and the confidentiality of the service application, in combination with the attributes of the terminal itself.
  • the network is an Internet network or an identity and location separation network (SILSN), and the source end identifier of the packet is the IP address of the source of the data packet in the Internet network or the access identifier (AID) in the SILSN.
  • SILSN: identity and location separation network
  • AID: access identifier
  • the source end category includes at least one of the following: a trusted user in the domain, a group user in the domain, an Internet cafe user in the domain, a similar network user trusted outside the domain, a heterogeneous network user trusted outside the domain, and an untrusted network user outside the domain.
  • the present invention further provides an interworking service node (ISN) for implementing interworking between a first network and a second network, where the first network sets a specific bit in the source end identifier of a data packet as the source end category identifier of the packet, and the source end identifier of the packet is used to indicate the source of the data packet.
  • the ISN includes:
  • a receiving module configured to receive a data packet sent by the second network to the first network; a packet source end category determining module, connected to the receiving module and configured to determine, according to the source of the data packet, the source end category identifier of the source of the data packet within the first network; a data packet conversion module, connected to the packet source end category determining module and configured to convert the data packet from the second network format to the first network format, including modifying the source end identifier of the data packet according to the determined source end category identifier; and a data packet forwarding module, connected to the data packet conversion module and configured to forward the format-converted data packet to the first network.
  • the data packet conversion module is further configured to save the correspondence between the source end identifiers of the packet before and after the modification, and to perform format conversion on data packets sent to the second network according to that correspondence.
  • the network is an Internet network or an identity and location separation network (SILSN), and the source end identifier of the packet is the IP address of the source of the data packet in the Internet network or the access identifier (AID) in the SILSN.
  • the second network is a homogeneous or heterogeneous network relative to the first network.
  • the present invention uses a specific bit in the source end identifier of the data packet to carry the packet source end category identifier, so that the terminal receiving the data packet can determine the source of the data packet according to the source end category identifier in the source end identifier of the packet, identify the credibility of the data packet, and process the data packet differently according to different policies (trust levels); the end user can thus classify data packets sent by users with different trust levels, and the security of the network can be improved. For example, for a highly confidential service, only trusted users are allowed access, while for a service with a low security level, users with a lower trust level, such as external network users, may be granted access as appropriate.
  • FIG. 1 is a schematic diagram of the method for implementing data packet classification processing according to the present invention;
  • FIG. 2 is a system architecture diagram of the SILSN network;
  • FIG. 3 is a schematic diagram of the ASN obtaining an AID type from the authentication server and verifying it;
  • FIG. 4 is a schematic diagram of the ASN distinguishing and replacing data packets sent by intranet users;
  • FIG. 5 is a schematic diagram of the method for classifying the source end category identifier of the packet;
  • FIG. 6 is a schematic diagram of the ISN replacing the source end identifier of packets originating from the external network and of intranet data packets;
  • FIG. 7 is a detailed flowchart of the ISN replacing the source end category identifier of packets originating from the external network;
  • FIG. 8 is a schematic diagram of the method by which the ISN identifies trusted external network users;
  • FIG. 9 is an example of a SILSN user classifying received data packets according to different source end category identifiers.

Preferred embodiment of the invention

  • the main idea of the data packet classification processing method, network, terminal and interworking service node of the present invention is to use a specific bit in the source end identifier of the data packet to carry the packet source end category identifier, so that the terminal receiving the data packet can determine the source of the data packet according to the source end category identifier in the source end identifier of the packet, and thus process the data packet differently according to different policies (trust levels).
  • the source end identifier of the packet is used to indicate the source of the data packet, and may specifically be the source IP address in a data packet of the existing Internet network, or the source end identifier in a data packet of a specific private network.
  • the identifier is generally expressed as a number of bits, and the present invention sets one or several of those bits as the packet source end category identifier.
  • assuming the source end identifier is N bits, the first n bits (n < N) are used as the source end category identifier.
  • the method of the present invention is based on a data packet classification processing network for classifying a data packet.
  • the implementation method includes a method for processing the data packet by the terminal. As shown in FIG. 1, the processing of the data packet by the terminal includes:
  • Step 101 The terminal receives the data packet, where the specific bit in the source end identifier of the data packet is the source end category identifier of the packet, and the source end identifier of the packet is used to indicate the source of the data packet;
  • Step 102 The terminal determines the source end category of the packet source according to the source end category identifier in the source end identifier of the data packet;
  • Step 103 The terminal processes the data packet differently according to the source end category of the packet.
  • the source end category can be divided into trusted users, group users, Internet cafe users, and so on.
  • after the terminal has determined the source end category of the packet, it can process the packet separately according to the type of service being performed.
  • the IP address in the Transmission Control Protocol/Internet Protocol (TCP/IP) has a dual function: it serves both as the location identifier of the network-layer host interface in the network topology and as the identity identifier of the host interface at the transport layer.
  • host mobility was not considered when TCP/IP was first designed, but as host mobility has become more and more common, the defects of this semantic overload of the IP address have become increasingly apparent. In order to solve the problems of IP address semantic overload, heavy routing load and security, a network architecture that separates identity identifiers from location identifiers has been proposed.
  • the identity and location separation system includes an Access Service Node (ASN), a User Equipment (UE), an Identification & Location Register (ILR), an authentication server, an Interworking Service Node (ISN), and so on.
  • the access service node is used to access the user terminal: it is responsible for realizing the access of the user terminal and for charging and switching functions; the ILR assumes the user location registration function; the authentication server assumes the user identity identification and authentication function; and the ISN interconnects users with external network users.
  • Each user terminal has a unique identity identifier, which is an Access Identification (AID).
  • AID Access Identification
  • the access servers ASN1 and ASN2 are used to access the user terminal devices UE1 and UE3 respectively, which have the unique identity identifiers AID1 and AID3.
  • SILSN Subscriber Identifier & Locator Separation Network
  • the SILSN and the existing Internet need to communicate with each other.
  • data packets sent by users in the SILSN network are forwarded to the ISN via the ASN, and then forwarded by the ISN to an external network such as the Internet.
  • in the other direction, the IP address of the external network user is converted into a corresponding AID identifier of the SILSN network and the packet is sent to the user in the SILSN.
  • a user of the SILSN may therefore receive data packets from intranet users as well as data packets from untrusted users of the external network.
  • both kinds of data packets are identified by an AID in the SILSN network; without a specific AID type rule it is difficult for intranet users to distinguish between the two, and the user cannot process them separately, which greatly affects the traceability and security of the SILSN network.
  • in order to allow SILSN intranet users to distinguish packets of intranet users from those of external network users, the SILSN network nodes must be changed so as to help the user distinguish whether a received data packet comes from a trusted intranet user, a trusted external network user, an untrusted external network user, and so on, and to process them differently.
  • the present invention implements a method for distinguishing users of different trust types in the SILSN and processing them separately.
  • in the SILSN, the source end identifier of the packet is the unique access identifier (AID) of the source end of the data packet, referred to here as the source AID, and its category as the source AID class.
  • the SILSN network is regarded as a domain: users in the SILSN network are called intra-domain users, and users not in the SILSN network are called extra-domain users.
  • the data packets received by a SILSN user have the following sources:
  • the present invention divides the source AID space. Considering that some space should be reserved for other types of AID in the future, three binary bits are taken out of the AID addressing space and divided as follows:
  • the ASN needs to perform the following processing:
  • the ASN verifies the AID type sent by the users of the local network: for each type of user it checks that the corresponding type of AID is used. For example, if the user is a trusted individual user in the SILSN network, the corresponding identification bits in the AID must be 000; if the user is a group user in the SILSN network, the corresponding identification bits must be 001; if the user is an Internet cafe user in the SILSN network, the corresponding identification bits must be 010. If the type of the AID in the data packet sent by the user differs from the specified type, the ASN can discard the data packet.
  • the ASN obtains the AID type of the user from the authentication server.
  • when the ASN requests the authentication server to authenticate the user and the user passes the authentication, the AID type of the user is sent by the authentication server to the corresponding ASN. Then, when the user sends data packets, the ASN verifies that the AID type in the data packets sent by the user is the specified type.
  • FIG. 3 is a schematic diagram of the ASN obtaining an AID type from the authentication server and performing AID type verification on data packets sent by the user.
  • the ASN first authenticates the user with the authentication server, and after the authentication passes, the authentication server returns the type of the AID; the ASN saves the type of the user.
  • the ASN then verifies each packet; if the packet does not match the type of the user, the packet is discarded or the AID type in the packet is replaced with the correct type.
  • Step 301 The user terminal UE initiates an access request to the ASN.
  • Step 302 The ASN initiates an authentication process for the UE with the authentication server. Steps 301 and 302 may involve multiple message exchanges for mutual authentication.
  • Step 303 After the authentication passes, the authentication server returns the AID type of the user to the ASN.
  • Step 305 The ASN notifies the UE that the authentication has passed and allows access.
  • Step 306 The UE starts to send data packets.
  • Step 307 The ASN checks whether the AID type carried in a packet sent by the UE is the correct type. If yes, the packet is forwarded normally; if not, it is either discarded or its AID type is replaced with the correct type and then forwarded.
  • Figure 4 shows the steps of the ASN distinguishing and replacing data packets sent by intranet users.
  • the ASN checks and replaces the data packets sent by the user according to the saved AID type.
  • the ASN determines whether the user is an ordinary user, a group user or an Internet cafe user, and sets the AID type identifier in the data packets sent by these users to 000, 001 and 010 respectively. In practice, either only the 3 bits in the AID or the entire AID may be replaced.
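The ASN-side enforcement of Figs. 3 and 4 (learn the user's AID type from the authentication server, then check or replace the category bits on every packet the UE sends), written out as an added example; this is not code from the patent or from ZTE. The 32-bit AID width, the placement of the three category bits at the top of the AID, the UE identifiers and the packet structure are all assumptions made for the example; the category values 000/001/010 are the page's.

```python
# Added example (not part of the patent or any ZTE code): ASN-side
# verification of the AID type bits, following Fig. 3 (learn the type at
# authentication) and Fig. 4 (check/replace on every packet).
# Assumptions: the AID is a 32-bit integer and the source end category
# occupies its top three bits; both are hypothetical choices.
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

AID_WIDTH = 32            # hypothetical AID length in bits
TYPE_BITS = 3             # three bits carry the source end category
TYPE_SHIFT = AID_WIDTH - TYPE_BITS
TYPE_MASK = ((1 << TYPE_BITS) - 1) << TYPE_SHIFT

# Intra-domain categories as assigned on the page
TRUSTED_USER = 0b000
GROUP_USER = 0b001
INTERNET_CAFE_USER = 0b010


def aid_type(aid: int) -> int:
    """Return the three category bits of an AID."""
    return (aid & TYPE_MASK) >> TYPE_SHIFT


def set_aid_type(aid: int, category: int) -> int:
    """Replace only the category bits, keeping the rest of the AID (the
    page also allows replacing the entire AID; this shows the 3-bit case)."""
    return (aid & ~TYPE_MASK) | ((category & 0b111) << TYPE_SHIFT)


@dataclass
class Packet:
    src_aid: int
    dst_aid: int
    payload: bytes = b""


@dataclass
class ASN:
    """Access service node for one access domain."""
    on_mismatch: str = "discard"                    # "discard" or "rewrite"
    ue_category: Dict[str, int] = field(default_factory=dict)

    def on_auth_success(self, ue_id: str, category: int) -> None:
        """Step 303: the authentication server returns the user's AID type;
        the ASN saves it for the lifetime of the access session."""
        self.ue_category[ue_id] = category

    def check_packet(self, ue_id: str, pkt: Packet) -> Tuple[str, Optional[Packet]]:
        """Step 307: compare the category bits in the packet's source AID
        with the category the authentication server assigned to this UE.
        Returns (action, packet_to_forward_or_None)."""
        expected = self.ue_category.get(ue_id)
        if expected is None:
            # No completed authentication for this UE: never forward.
            return "discard", None
        if aid_type(pkt.src_aid) == expected:
            return "forward", pkt
        if self.on_mismatch == "rewrite":
            fixed = Packet(set_aid_type(pkt.src_aid, expected), pkt.dst_aid, pkt.payload)
            return "forward", fixed
        return "discard", None


def demo() -> Dict[str, str]:
    """Run a constructed scenario: an Internet cafe UE whose packet carries
    the trusted-user category 000 instead of its assigned 010."""
    low_bits = 0x1234                                    # constructed AID body
    cafe_aid = set_aid_type(low_bits, INTERNET_CAFE_USER)
    mislabelled = Packet(src_aid=set_aid_type(low_bits, TRUSTED_USER), dst_aid=0x42)
    correct = Packet(src_aid=cafe_aid, dst_aid=0x42)

    strict = ASN()                                       # discard on mismatch
    strict.on_auth_success("ue-cafe", INTERNET_CAFE_USER)
    fixing = ASN(on_mismatch="rewrite")
    fixing.on_auth_success("ue-cafe", INTERNET_CAFE_USER)

    return {
        "correct/strict": strict.check_packet("ue-cafe", correct)[0],
        "mislabelled/strict": strict.check_packet("ue-cafe", mislabelled)[0],
        "mislabelled/rewrite": fixing.check_packet("ue-cafe", mislabelled)[0],
        "unauthenticated": strict.check_packet("ue-unknown", correct)[0],
    }


if __name__ == "__main__":
    for case, action in demo().items():
        print(f"{case:22s} -> {action}")
```

The check is keyed on the access session (the UE the packet physically arrived from), not on anything the packet itself claims, which is what makes the category bits trustworthy downstream; a UE with no completed authentication gets its packets discarded regardless of the rewrite setting.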
  • FIG. 2 is a system architecture diagram of the SILSN network, where UE1 and UE3 are SILSN intranet users, UE2 is an extranet user, ASN1 and ASN2 are access devices, and ISN1 is used to process data packets from outside the network and to convert between the SILSN network data format and the external network data format.
  • the ILR is a register of identity and location identifiers, used to hold the location to which a user has roamed.
  • the authentication server is used to authenticate users for access.
  • UE3 can receive data packets from UE1 in the SILSN intranet as well as data packets from UE2 in the external network.
  • this application example enables the intranet user UE3 to distinguish these packets, which have different sources and different trust levels, and to process them separately.
  • the data packets received by a SILSN user have the following sources:
  • the present invention divides the source AID space. Considering that some space should be reserved for other types of AID in the future, three binary bits are taken out of the AID addressing space, giving 8 possible values; this method defines six types as AID type identifiers and reserves two for future expansion, as shown in Figure 5: 000 trusted users within the domain.
  • when the SILSN communicates with other networks and a user in the SILSN network receives a data packet sent by another user, the user can determine from the AID identifier whether, and to what degree, the source of the packet is trusted, and then process it differently.
  • the ASN processing method in this embodiment is no different from Embodiment 1, and is not described again here.
  • the ISN needs to assume a very important role, including the following functions:
  • for a data packet received from a trusted external SILSN network, the corresponding identifier is set to 100; if the ISN receives a data packet sent by an untrusted user of the external network, the corresponding flag is set to 110.
  • for data exchanged between a user outside the network and a user in the network, the destination address of the packet sent back to the external user is converted to the original address of the user outside the network.
  • because the source AID carried in the data packet received by the user in the SILSN network differs from the source AID in the original data packet, the destination AID type in the data sent back by the SILSN user is the type modified by the ISN; the destination AID is therefore not the original identifier of the external network user, and with a non-original identifier the intermediate routing devices of the external network cannot forward the packet to the original user. To this end, the ISN should maintain a source address modification table, and use it to restore the AID type of the corresponding destination address to the original AID type, or to the original address.
  • Figure 6 is a schematic diagram of the ISN replacing the AID type of data packets originating from the external network and from the internal network. After receiving a packet from the external network, the ISN replaces the type bits of the source AID identifier in the packet according to the trustworthiness of the external network; after receiving a packet from the intranet, the ISN also needs to replace the type identifier of the destination AID in the packet according to the trustworthiness of the external network.
  • Step 601 The external network user sends a data packet to the ISN.
  • Step 602 The ISN determines, according to the source of the data packet, whether the user comes from a trusted SILSN network, another trusted network or an untrusted network, and replaces the AID type with the corresponding AID type for each case.
  • the ISN may also need to convert the packet format, for example converting the IPv4 packet format of the external network into the packet format of the SILSN network.
  • Step 603 The ISN sends the converted data packet to the ASN, and the ASN forwards the packet to the actual intranet user.
  • Step 605 The ISN restores the AID type according to the trust status of the network in which the destination AID address is located; that is, the type of the destination AID sent by the intranet user is restored to the type recognized by the external network user.
  • the ISN may also need to convert the intranet data format to the external network data format.
  • Step 606 The ISN sends the converted data packet to the external network.
  • FIG. 7 is a detailed flowchart of the AID type replacement performed by the ISN on data packets originating from the external network.
  • the ISN determines whether the source network is a trusted SILSN network, another trusted network or an untrusted network, and sets the AID type in the data packets from these sources to 100, 101 and 111 respectively, and so on.
  • when receiving data packets carrying the above types of identifiers, the user terminal in the SILSN can perform classification processing according to the identifier; for example, a relatively confidential server-type terminal can deny access to users whose AID type is 111 (untrusted external network users) to avoid leakage of confidential information.
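The ISN boundary processing of Figs. 6 and 7, together with the source address modification table that Step 605 needs to restore replies, as an added example; it is not code from the patent or from ZTE. The trust decision is modelled as membership of the ingress network in a set of trusted peer SILSNs or trusted other networks (the page leaves the identification mechanism to Fig. 8); the network names, IPv4 addresses, 32-bit AID width and the sequential AID allocation are constructed for the example, while the category values 100/101/111 are those of the Fig. 7 flow.

```python
# Added example (not part of the patent or any ZTE code): ISN boundary
# handling per Figs. 6 and 7, including the source address modification
# table used to restore replies. The network names, IPv4 addresses, AID
# width and AID allocation scheme are all hypothetical/constructed.
from dataclasses import dataclass, field
from typing import Dict, Set

AID_WIDTH = 32
TYPE_SHIFT = AID_WIDTH - 3
TYPE_MASK = 0b111 << TYPE_SHIFT

# Extra-domain categories, with the values of the Fig. 7 flow
TRUSTED_SILSN = 0b100      # peer SILSN reached over a secure tunnel
TRUSTED_OTHER = 0b101      # other trusted (heterogeneous) network
UNTRUSTED = 0b111          # any other external source


def aid_type(aid: int) -> int:
    return (aid & TYPE_MASK) >> TYPE_SHIFT


@dataclass
class ExternalPacket:      # external (e.g. IPv4) format, inbound
    src_addr: str
    src_network: str       # the tunnel or interface the packet arrived on
    dst_aid: int


@dataclass
class SilsnPacket:         # SILSN format, used inside the domain
    src_aid: int
    dst_aid: int


@dataclass
class ReplyPacket:         # external format, outbound
    dst_addr: str
    src_aid: int


@dataclass
class ISN:
    trusted_silsn: Set[str]
    trusted_other: Set[str]
    next_body: int = 1                                   # hypothetical AID allocator
    modification_table: Dict[int, str] = field(default_factory=dict)  # AID -> original address
    by_address: Dict[str, int] = field(default_factory=dict)          # reverse index

    def classify(self, src_network: str) -> int:
        """Step 602 / Fig. 7: the trust of the source network decides the type bits."""
        if src_network in self.trusted_silsn:
            return TRUSTED_SILSN
        if src_network in self.trusted_other:
            return TRUSTED_OTHER
        return UNTRUSTED

    def inbound(self, pkt: ExternalPacket) -> SilsnPacket:
        """Steps 601-603: convert to SILSN format. The external address is
        mapped to an AID whose top bits carry the category, and the mapping
        is saved so that replies can be converted back."""
        category = self.classify(pkt.src_network)
        aid = self.by_address.get(pkt.src_addr)
        if aid is None:
            aid = (category << TYPE_SHIFT) | self.next_body
            self.next_body += 1
        elif aid_type(aid) != category:
            # Same address now arriving over a differently trusted path:
            # re-map instead of keeping the stale category bits.
            del self.modification_table[aid]
            aid = (category << TYPE_SHIFT) | (aid & ~TYPE_MASK)
        self.by_address[pkt.src_addr] = aid
        self.modification_table[aid] = pkt.src_addr
        return SilsnPacket(src_aid=aid, dst_aid=pkt.dst_aid)

    def outbound(self, pkt: SilsnPacket) -> ReplyPacket:
        """Steps 605-606: the destination AID an intranet user replies to is
        the ISN-modified one; look it up and restore the original address."""
        try:
            original = self.modification_table[pkt.dst_aid]
        except KeyError:
            raise KeyError(f"no modification-table entry for AID {pkt.dst_aid:#x}") from None
        return ReplyPacket(dst_addr=original, src_aid=pkt.src_aid)


if __name__ == "__main__":
    isn = ISN(trusted_silsn={"silsn-b"}, trusted_other={"partner-net"})
    for addr, net in [("198.51.100.7", "silsn-b"), ("192.0.2.5", "partner-net"),
                      ("203.0.113.9", "internet")]:            # constructed sources
        inner = isn.inbound(ExternalPacket(addr, net, dst_aid=0x2A))
        back = isn.outbound(SilsnPacket(src_aid=0x2A, dst_aid=inner.src_aid))
        print(f"{addr:14s} via {net:12s} -> type {aid_type(inner.src_aid):03b}, reply to {back.dst_addr}")
```

The table is what ties the two directions together: without it a reply addressed to the rewritten AID has no route back, which is exactly the failure the page describes for the intermediate routers of the external network.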
  • a technical means is thus provided for distinguishing intranet users from external network users, and trusted users from untrusted users, so that users and upper-layer services can be differentiated by security level according to the type of the user's AID.
  • the SILSN can realize interconnection and intercommunication with external networks and meet the common service requirements of users.
  • the SILSN user can also identify untrusted users and process them accordingly, thereby improving the flexibility of SILSN networking and deployment.
  • the security of the SILSN network is thus well guaranteed.
  • Figure 8 shows how the ISN analyzes whether external network data packets come from a trusted network. How the ISN identifies the source of external network data packets is not the focus of the invention, but it is described here to show that the solution is implementable.
  • a secure tunnel such as IPSec can be established between two SILSN networks that trust each other, such as SILSN A and SILSN B in Figure 8, for communication.
  • IPSec: a secure tunnel
  • the data packets sent by SILSN B to SILSN A are trusted.
  • after receiving these packets, the ISN in SILSN A sets the corresponding AID type to 100.
  • the SILSN of this network can also establish a mutual trust relationship with other types of networks and likewise exchange data packets through a secure tunnel. As shown in (b) of Figure 8, another trusted network sends data packets to SILSN A through a secure tunnel; after receiving the packets, the ISN in SILSN A sets the corresponding AID type to 101.
  • FIG. 9 is a specific application scenario of the present invention, which is an example of classifying processing when different types of AIDs are received by SILSN users. Since the SILSN network has classified the AIDs from different sources in detail, users in the SILSN network can clearly know which users are external network users, which users are internal network users, which are trusted, and which are untrustworthy. . Then, according to the type of business performed, separate processing is performed.
  • Step 901: The SILSN user receives a data packet and, according to the user's own attributes and the confidentiality of the service application, determines which categories of users are allowed for the current service type; according to the confidentiality of the service type, it queries the policy database for the corresponding processing method. Steps 902 to 904 are examples of corresponding policy implementations.
  • Step 902: When the local-network user is a private-network user, such as a user of a public security network, it may be barred from processing any packet from external-network users, so that only packets with AID type 000, 001 and the like are accepted. If the local user is a group user, it may accept only packets with AID type 001; packets from Internet cafe users (010) and from external-network users are blocked.
  • Step 903: When the local-network user is a server for group users, only packets with AID type 001 (group user) are accepted; packets from other sources are rejected.
  • Step 904: When the local-network user is a BBS server hosting politically sensitive content, Internet cafe users (010) and external-network users are only allowed to browse the BBS; they are not allowed to modify or publish content. This effectively prevents attacks from external-network users.
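As an added example, not code from the patent, the following Python sketch implements the terminal-side lookup of steps 901 to 904: it extracts the AID type from the top three bits of the source identifier, looks up a policy by the terminal's own attribute and the confidentiality of the service, and returns accept or drop (with browse-only access for the BBS case). The codes 001, 010, 100 and 101 are the ones given on this page; treating 000 as the trusted in-domain user, using 111 for untrusted external users, the 32-bit AID width, the terminal attribute names and the contents of the policy table are assumptions made for this example.

```python
# Added example: terminal-side policy lookup for the AID-type classification
# scheme of steps 901-904. Not the patent's own code.

AID_BITS = 32          # assumed AID width for this example
TYPE_BITS = 3          # the page uses 3-bit type codes (000 ... 101)
TYPE_SHIFT = AID_BITS - TYPE_BITS
TYPE_MASK = (1 << TYPE_BITS) - 1

TRUSTED_DOMAIN = 0b000  # assumed: trusted user within the domain
GROUP          = 0b001  # group user within the domain (from the page)
NETCAFE        = 0b010  # Internet cafe user within the domain (from the page)
TRUSTED_SAME   = 0b100  # trusted same-type network outside the domain (from the page)
TRUSTED_HETERO = 0b101  # trusted heterogeneous network outside the domain (from the page)
UNTRUSTED_EXT  = 0b111  # untrusted external network; code assumed, not on the page

EXTERNAL = {TRUSTED_SAME, TRUSTED_HETERO, UNTRUSTED_EXT}


def aid_type(aid: int) -> int:
    """Packet source end category = the top TYPE_BITS bits of the source AID."""
    return (aid >> TYPE_SHIFT) & TYPE_MASK


def make_aid(category: int, suffix: int) -> int:
    """Compose an AID from a 3-bit category and the remaining identifier bits."""
    if not 0 <= category <= TYPE_MASK or not 0 <= suffix < (1 << TYPE_SHIFT):
        raise ValueError("category or suffix out of range")
    return (category << TYPE_SHIFT) | suffix


# Policy database keyed by (terminal attribute, service confidentiality).
# Each entry maps a source category to an action; a category that is absent
# is dropped. "browse" grants read-only access: modify/publish is refused.
POLICY_DB = {
    # step 902: private-network user (e.g. public security), no external traffic
    ("private_network_user", "high"): {TRUSTED_DOMAIN: "accept", GROUP: "accept"},
    # step 902, second case: a group user accepts only group users (001)
    ("group_user", "high"): {GROUP: "accept"},
    # step 903: a server for group users accepts only group users (001)
    ("group_server", "high"): {GROUP: "accept"},
    # step 904: sensitive BBS server; cafe and external users may only browse
    ("bbs_server", "sensitive"): {
        TRUSTED_DOMAIN: "accept",
        GROUP: "accept",
        **{t: "browse" for t in {NETCAFE} | EXTERNAL},
    },
}


def decide(terminal_attr: str, confidentiality: str, src_aid: int, request: str) -> str:
    """Return 'accept' or 'drop' for a request (e.g. 'browse', 'modify',
    'publish') carried in a packet whose source AID is src_aid."""
    policy = POLICY_DB.get((terminal_attr, confidentiality), {})
    action = policy.get(aid_type(src_aid), "drop")
    if action == "browse":
        return "accept" if request == "browse" else "drop"
    return action


if __name__ == "__main__":
    cafe_user = make_aid(NETCAFE, 0x1234)          # constructed sample AID
    print(decide("bbs_server", "sensitive", cafe_user, "browse"))   # accept
    print(decide("bbs_server", "sensitive", cafe_user, "publish"))  # drop
    print(decide("group_server", "high", cafe_user, "browse"))      # drop
```

The check is deliberately keyed on the receiving terminal's own attribute as well as the category bits, which is what step 901 describes: the same source category can be accepted by one service and refused by another.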
  • The present invention is also applicable to the existing Internet. In that case the packet source end identifier is an IP address, and the base station of the Internet implements the processing capability of the ASN in the SILSN of the present invention; the ASN of the SILSN and the base station of the Internet can be referred to collectively as access devices that implement terminal access. The interworking service node (ISN) can likewise implement interworking between a first network (such as the Internet) and a second network (such as another network).
  • The present invention further provides a terminal implemented on a communication network. The terminal includes:
  • a receiving module, configured to receive data packets, where specific bits in the packet source end identifier of a data packet form the packet source end category identifier, and the packet source end identifier indicates the source of the data packet;
  • a packet source end category determining module, connected to the receiving module, configured to determine the packet source end category according to the packet source end category identifier in the source end identifier of the data packet;
  • a data packet processing module, connected to the packet source end category determining module, configured to perform differentiated processing on the data packet according to the packet source end category; when doing so, the module determines how to process the packet according to the packet source end category, combined with the terminal's own attributes and the confidentiality of the service application.
  • The communication network is the Internet or an identity and location separation network (SILSN), and the packet source end identifier is the IP address of the packet's source on the Internet or its access identifier (AID) in the SILSN.
  • The packet source end category includes at least one of: a trusted user within the domain, a group user within the domain, an Internet cafe user within the domain, a trusted same-type network user outside the domain, a trusted heterogeneous network user outside the domain, and an untrusted network user outside the domain.
  • The present invention further provides a network for classifying data packets. In this network, specific bits in the packet source end identifier of a data packet are set as the packet source end category identifier, and the packet source end identifier indicates the source of the data packet. The network includes:
  • a terminal, configured to send and receive data packets and to perform differentiated processing on received data packets according to the packet source end category identifier they carry; when doing so, the terminal determines how to process a packet according to the packet source end category, combined with the terminal's own attributes and the confidentiality of the service application;
  • an access device, connected to the terminal, configured to forward data packets to the terminal and to receive data packets sent by the terminal; it also verifies whether the packet source end category identifier in the source end identifier of each packet sent by the terminal is consistent with the category of the terminal: if consistent, the packet is forwarded normally; otherwise it is discarded, or its packet source end identifier is modified according to the category of the terminal and then forwarded;
  • an authentication server, connected to the access device, configured to identify and authenticate the user of the terminal and to notify the access device serving the terminal of the terminal's category during the authentication process.
  • The packet source end identifier is the IP address of the packet's source on the Internet or its access identifier (AID) in the SILSN.
  • The ISN includes:
  • a receiving module, configured to receive data packets sent by other networks to the data packet classification processing network;
  • a packet source end category determining module, connected to the receiving module, configured to determine, according to the origin of a data packet, the packet source end category identifier that the packet's source has in the data packet classification processing network;
  • a data packet conversion module, connected to the packet source end category determining module, configured to convert data packets from the format of the other network into the format of the data packet classification processing network, including modifying the packet source end identifier according to the determined packet source end category identifier; the conversion module also saves the correspondence between the packet source end identifiers before and after modification and converts the format of packets sent to other networks according to that correspondence;
  • a data packet forwarding module, connected to the data packet conversion module, configured to route the converted data packets within the data packet classification processing network.
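As an added example rather than code from the patent, the following Python sketch models the two network-side functions described above: the access device (ASN) checks that the category bits in the source AID of each uplink packet match the category the authentication server reported for that terminal at access time, and drops or rewrites mismatches; the ISN classifies packets arriving from other networks by their origin (a trusted tunnel or the open Internet), assigns an internal AID carrying the matching category bits, and keeps the before/after correspondence so that replies can be converted back. The 32-bit AID width, the dictionary packet representation, the tunnel names, the suffix allocator and the code 111 for untrusted external networks are assumptions of this example.

```python
# Added example: ASN category verification and ISN identifier rewriting for the
# classification network described above. Not the patent's own code.

AID_BITS = 32                      # assumed AID width
TYPE_BITS = 3                      # 3-bit category codes as on the page
TYPE_SHIFT = AID_BITS - TYPE_BITS
TYPE_MASK = (1 << TYPE_BITS) - 1

GROUP = 0b001                      # group user within the domain
NETCAFE = 0b010                    # Internet cafe user within the domain
TRUSTED_SAME = 0b100               # trusted SILSN outside the domain
TRUSTED_HETERO = 0b101             # trusted heterogeneous network outside the domain
UNTRUSTED_EXT = 0b111              # untrusted external network (code assumed)


def aid_type(aid: int) -> int:
    """Category bits carried in the top TYPE_BITS bits of an AID."""
    return (aid >> TYPE_SHIFT) & TYPE_MASK


def set_aid_type(aid: int, category: int) -> int:
    """Return aid with its category bits replaced by category."""
    return (aid & ~(TYPE_MASK << TYPE_SHIFT)) | (category << TYPE_SHIFT)


class AccessServiceNode:
    """ASN: learns each terminal's category from the authentication server
    during access authentication, then polices the category bits of every
    packet the terminal sends so a low-trust user cannot claim a trusted AID."""

    def __init__(self, on_mismatch: str = "drop"):
        self.terminal_type = {}        # terminal id -> authenticated category
        self.on_mismatch = on_mismatch  # "drop" or "rewrite"

    def on_authenticated(self, terminal: str, category: int) -> None:
        """Notification from the authentication server (step of the auth flow)."""
        self.terminal_type[terminal] = category

    def uplink(self, terminal: str, packet: dict):
        """Return the packet to forward, or None to discard it."""
        expected = self.terminal_type.get(terminal)
        if expected is None:
            return None                 # terminal never authenticated
        if aid_type(packet["src"]) == expected:
            return packet               # consistent: forward normally
        if self.on_mismatch == "rewrite":
            return {**packet, "src": set_aid_type(packet["src"], expected)}
        return None


class InterworkingServiceNode:
    """ISN: classifies packets from other networks by where they came in and
    maps the foreign source identifier to an internal AID with matching
    category bits, remembering the mapping for the reverse direction."""

    def __init__(self, trusted_origins: dict):
        self.trusted_origins = trusted_origins  # ingress name -> category
        self.ext_to_aid = {}   # (origin, external source id) -> internal AID
        self.aid_to_ext = {}   # internal AID -> (origin, external source id)
        self.next_suffix = 1   # assumed allocator for the non-category bits

    def classify(self, origin: str) -> int:
        """Anything not arriving over a known trusted tunnel is untrusted."""
        return self.trusted_origins.get(origin, UNTRUSTED_EXT)

    def ingress(self, origin: str, packet: dict) -> dict:
        """Convert a packet entering from another network to internal format."""
        key = (origin, packet["src"])
        aid = self.ext_to_aid.get(key)
        if aid is None:
            aid = (self.classify(origin) << TYPE_SHIFT) | self.next_suffix
            self.next_suffix += 1
            self.ext_to_aid[key] = aid
            self.aid_to_ext[aid] = key
        return {**packet, "src": aid}

    def egress(self, packet: dict):
        """Convert a reply addressed to a mapped AID back to (origin, packet)."""
        mapping = self.aid_to_ext.get(packet["dst"])
        if mapping is None:
            return None
        origin, ext = mapping
        return origin, {**packet, "dst": ext}


if __name__ == "__main__":
    asn = AccessServiceNode()
    asn.on_authenticated("ue1", NETCAFE)
    spoofed = {"src": set_aid_type(0x1234, GROUP), "dst": 0x42}  # constructed packet
    print(asn.uplink("ue1", spoofed))   # None: cafe user claimed group AID
    isn = InterworkingServiceNode({"ipsec-silsn-b": TRUSTED_SAME})
    print(hex(isn.ingress("internet", {"src": "203.0.113.7", "dst": 0x42})["src"]))
```

The ASN check is the piece that makes the scheme hold up: the category bits are only meaningful downstream because the access device refuses (or overwrites) any source identifier whose category does not match what the authentication server assigned, and the ISN does the equivalent at the network boundary by deriving the category from the ingress tunnel rather than from anything the external sender wrote in the packet.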
  • The present invention also provides an interworking service node (ISN) configured to implement interworking between a first network and a second network, where the first network sets specific bits in the packet source end identifier of a data packet as the packet source end category identifier, and the packet source end identifier indicates the source of the data packet. The ISN includes:
  • a receiving module, configured to receive data packets sent by the second network to the first network;
  • a packet source end category determining module, connected to the receiving module, configured to determine, according to the origin of a data packet, the packet source end category identifier that the packet's source has in the first network;
  • a data packet conversion module, connected to the packet source end category determining module, configured to convert data packets from the second network format to the first network format, including modifying the packet source end identifier according to the determined packet source end category identifier; the conversion module also saves the correspondence between the packet source end identifiers before and after modification and converts the format of packets sent to the second network according to that correspondence;
  • a data packet forwarding module, connected to the data packet conversion module, configured to route the format-converted data packets to the first network.
  • The first network is the Internet or an identity and location separation network (SILSN); the packet source end identifier is the IP address of the packet's source on the Internet or its access identifier (AID) in the SILSN. The second network is a same-type or heterogeneous network relative to the first network.
  • The present invention uses specific bits of the packet source end identifier to carry the packet source end category identifier, so that a terminal receiving a data packet can determine the packet's origin and judge its trustworthiness from the category identifier in the source end identifier, and can then process the packet differently according to policy (trust level). This lets end users classify and process packets from users of different trust levels, improving network security: a highly confidential service can be restricted to trusted users, while a service with a low security level can be opened appropriately to lower-trust users such as those on external networks.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

An implementation method, a network, a terminal and an interworking node for data packet classification processing are disclosed. The method is implemented on a data packet classification processing network that performs classification processing on data packets. It includes the processing of data packets by a terminal: the terminal receives a data packet, where specific bit positions in the packet source end identifier of the data packet form a packet source end category identifier, and the packet source end identifier indicates the source of the data packet; the terminal determines the category of the packet source end according to the packet source end category identifier in the packet source end identifier; and the terminal performs different processing on the data packet according to the category of the packet source end. With the present invention, the user of the terminal can conveniently classify and process data packets sent by users of different trust levels, thereby improving the security of the network.

Description

Implementation method, network, terminal and interworking service node for data packet classification processing
Technical field
The present invention relates to the field of mobile communications, and in particular to a method for processing, at the network boundary and at the user terminal, data packets sent by users of different trust levels.
Background
The existing Internet is built on Internet Protocol (IP) technology. The openness of IP networks has driven the prosperity of the Internet but has also brought a large number of security problems. Nodes on the Internet are managed by many organizations in many countries; some nodes are trustworthy and others are not. A user on the network may receive data packets from trusted nodes or from untrusted nodes, and in the prior art an IP user has no way of telling which packets come from trusted nodes and which from untrusted nodes, so no differentiated processing is possible. This leaves room for an untrusted node to impersonate a trusted node to access the network, which seriously reduces the security of the network.
Summary of the invention
The technical problem to be solved by the present invention is to provide an implementation method, network, terminal and interworking service node for data packet classification processing, so as to classify data packets and thereby improve network security.
To solve the above technical problem, the present invention provides an implementation method for data packet classification processing. The method is implemented on a data packet classification processing network that classifies data packets, and includes the processing of data packets by a terminal, which comprises:
the terminal receives a data packet, where specific bits in the packet source end identifier of the data packet form the packet source end category identifier, and the packet source end identifier indicates the source of the data packet;
the terminal determines the packet source end category according to the packet source end category identifier in the packet source end identifier of the data packet;
the terminal performs differentiated processing on the data packet according to the packet source end category.
The implementation method further includes the processing of data packets by an access device, which comprises:
the access device receives a data packet sent by a terminal; the access device checks whether the packet source end category identifier in the packet source end identifier of the data packet is consistent with the category of the terminal; if consistent, it forwards the packet normally; if not, it discards the packet, or modifies the packet source end identifier of the data packet according to the category of the terminal and then forwards it;
where the category of the terminal is sent to the access device by the authentication server during the terminal's access authentication.
When the data packet classification processing network interworks with an external network, the implementation method further includes the processing of data packets by an interworking service node (ISN), which comprises:
the ISN receives a data packet sent by the external network to the data packet classification processing network;
the ISN determines, according to the origin of the data packet, the packet source end category identifier that the packet's source has in the data packet classification processing network, and converts the data packet, including modifying its packet source end identifier according to the determined packet source end category identifier;
the ISN routes the converted data packet within the data packet classification processing network.
The step of the terminal performing differentiated processing on the received data packet includes: determining how to process the data packet according to the packet source end category, combined with the terminal's own attributes and the confidentiality of the service application.
The method is implemented on the Internet or on an identity and location separation network (SILSN); the packet source end identifier is the IP address of the packet's source on the Internet or its access identifier (AID) in the SILSN.
The packet source end categories include: trusted users within the domain, group users within the domain, Internet cafe users within the domain, trusted same-type network users outside the domain, trusted heterogeneous network users outside the domain, or untrusted network users outside the domain.
To solve the above technical problem, the present invention further provides a terminal implemented on a communication network. The terminal includes:
a receiving module, configured to receive data packets, where specific bits in the packet source end identifier of a data packet form the packet source end category identifier, and the packet source end identifier indicates the source of the data packet;
a packet source end category determining module, connected to the receiving module, configured to determine the packet source end category according to the packet source end category identifier in the source end identifier of the data packet; and a data packet processing module, connected to the packet source end category determining module, configured to perform differentiated processing on the data packet according to the packet source end category.
The data packet processing module is configured to determine how to process the data packet according to the packet source end category, combined with the terminal's own attributes and the confidentiality of the service application.
The communication network is the Internet or an identity and location separation network (SILSN), and the packet source end identifier is the IP address of the packet's source on the Internet or its access identifier (AID) in the SILSN.
The packet source end categories include: trusted users within the domain, group users within the domain, Internet cafe users within the domain, trusted same-type network users outside the domain, trusted heterogeneous network users outside the domain, or untrusted network users outside the domain.
To solve the above technical problem, the present invention further provides a network for data packet classification processing. The system sets specific bits in the packet source end identifier of a data packet as the packet source end category identifier, and the packet source end identifier indicates the source of the data packet. The network includes:
a terminal, configured to send and receive data packets and to perform differentiated processing on received data packets according to the packet source end category identifier they carry;
an access device, connected to the terminal, configured to forward data packets to the terminal and to receive data packets sent by the terminal, and further to verify whether the packet source end category identifier in a data packet sent by the terminal is consistent with the category of the terminal: if consistent, the packet is forwarded normally; if not, it is discarded, or its packet source end identifier is modified according to the category of the terminal and then forwarded;
an authentication server, connected to the access device, configured to identify and authenticate the user of the terminal and to notify the access device serving the terminal of the terminal's category during the authentication process.
The ISN includes:
a receiving module, configured to receive data packets sent by other networks to the data packet classification processing network;
a packet source end category determining module, connected to the receiving module, configured to determine, according to the origin of a data packet, the packet source end category identifier that the packet's source has in the data packet classification processing network;
a data packet conversion module, connected to the packet source end category determining module, configured to convert data packets from the format of the other network into the format of the data packet classification processing network, including modifying the packet source end identifier according to the determined packet source end category identifier;
a data packet forwarding module, connected to the data packet conversion module, configured to route the converted data packets within the data packet classification processing network.
The data packet conversion module of the ISN is further configured to save the correspondence between the packet source end identifiers before and after modification, and to convert the format of data packets sent to other networks according to that correspondence.
When the terminal performs differentiated processing on a received data packet, it determines how to process the packet according to the packet source end category, combined with the terminal's own attributes and the confidentiality of the service application.
The network is the Internet or an identity and location separation network (SILSN), and the packet source end identifier is the IP address of the packet's source on the Internet or its access identifier (AID) in the SILSN.
The packet source end category includes at least one of: a trusted user within the domain, a group user within the domain, an Internet cafe user within the domain, a trusted same-type network user outside the domain, a trusted heterogeneous network user outside the domain, and an untrusted network user outside the domain.
To solve the above technical problem, the present invention further provides an interworking service node (ISN) for implementing interworking between a first network and a second network, where the first network sets specific bits in the packet source end identifier of a data packet as the packet source end category identifier, and the packet source end identifier indicates the source of the data packet. The ISN includes:
a receiving module, configured to receive data packets sent by the second network to the first network; a packet source end category determining module, connected to the receiving module, configured to determine, according to the origin of a data packet, the packet source end category identifier that the packet's source has in the first network; a data packet conversion module, connected to the packet source end category determining module, configured to convert data packets from the second network format to the first network format, including modifying the packet source end identifier according to the determined packet source end category identifier; and a data packet forwarding module, connected to the data packet conversion module, configured to route the format-converted data packets to the first network.
The data packet conversion module is further configured to save the correspondence between the packet source end identifiers before and after modification, and to convert the format of data packets sent to the second network according to that correspondence.
The network is the Internet or an identity and location separation network (SILSN); the packet source end identifier is the IP address of the packet's source on the Internet or its access identifier (AID) in the SILSN; and the second network is a same-type or heterogeneous network relative to the first network.
The present invention uses specific bits of the packet source end identifier to carry the packet source end category identifier, so that a terminal receiving a data packet can determine the packet's origin and judge its trustworthiness from the category identifier in the source end identifier, and can then process the packet differently according to policy (trust level). This lets end users classify and process packets from users of different trust levels, improving network security: for example, a highly confidential service can be restricted to trusted users, while a service with a low security level can be opened appropriately to lower-trust users such as those on external networks.
Brief description of the drawings
Figure 1 is a schematic diagram of the implementation method for data packet classification processing of the present invention;
Figure 2 is a system architecture diagram of the SILSN;
Figure 3 is a schematic diagram of the ASN obtaining the AID type from the authentication server and verifying it;
Figure 4 is a schematic diagram of the ASN distinguishing and replacing data packets sent by intranet users;
Figure 5 is a schematic diagram of the method for classifying packet source end category identifiers;
Figure 6 is a schematic diagram of the ISN replacing the packet source end category identifiers of packets originating from the external network and from the intranet;
Figure 7 is a detailed flowchart of the ISN replacing the packet source end category identifiers of packets originating from the external network; Figure 8 is a schematic diagram of the method by which the ISN identifies trusted external-network users;
Figure 9 is an example of a SILSN user classifying and processing received data packets carrying different packet source end category identifiers.
Preferred embodiments of the invention
The main idea of the implementation method, network, terminal and interworking service node for data packet classification processing of the present invention is to use specific bits in the packet source end identifier of a data packet to carry a packet source end category identifier, so that the terminal receiving the packet can determine its origin from that identifier and process the packet differently according to policy (trust level).
The packet source end identifier of the present invention indicates the source of a data packet. Concretely, it can be the source IP address in a data packet of the existing Internet, or the access identifier of the source end in a data packet of a particular private network. The packet source end identifier is generally represented by a number of bits, and the present invention uses one or several of those bits as the packet source end category identifier. For example, if the packet source end identifier is N bits long, its first n bits (n < N) are used as the packet source end category identifier.
The method of the present invention is implemented on a data packet classification processing network that classifies data packets. It includes the terminal's processing of data packets, which, as shown in Figure 1, comprises:
步骤 101 : 终端接收数据报文, 所述数据报文的报文源端标识中的特定 比特位为报文源端类别标识, 所述报文源端标识用于表示数据报文的来源; 步骤 102: 所述终端根据所述数据报文的报文源端标识中的所述报文源 端类别标识确定 "^文源端类别;  Step 101: The terminal receives the data packet, where the specific bit in the source end identifier of the data packet is the source end category identifier of the packet, and the source end identifier of the packet is used to indicate the source of the data packet. 102: The terminal determines, according to the source end category identifier of the packet in the source identifier of the data packet, a source category of the ^^ text source;
步骤 103 : 所述终端根据所述报文源端类别对所述数据报文进行区别处 理。  Step 103: The terminal performs differential processing on the data packet according to the source type of the packet.
>¾文源端类别可以分为可信任的用户、 集团用户、 网吧用户等, 终端确 定 "^文源端类别后可根据进行的业务类型, 进行分别处理。  >3⁄4 The source source category can be divided into trusted users, group users, Internet cafe users, etc. The terminal determines that the "^ source source category can be processed separately according to the type of service performed.
In the Transmission Control Protocol/Internet Protocol (TCP/IP) suite used throughout the existing Internet, an IP address serves two purposes: at the network layer it identifies the position of a host's network interface in the network topology, and at the transport layer it identifies that interface. TCP/IP was not designed with host mobility in mind, and as mobility became common this semantic overloading of the IP address became an obvious defect. To address the overloading, the heavy routing load and the associated security problems, several network architectures that separate identity from location have been proposed.
One such identity/locator separation architecture is shown in Fig. 2. The system comprises Access Service Nodes (ASN), User Equipment (UE), an Identification & Location Register (ILR), an authentication server and Interworking Service Nodes (ISN). The ASN attaches user terminals, implements their access, and handles charging and handover; the ILR holds the user's location registration; the authentication server performs user identification and authentication; the ISN interconnects users with external networks. Every user terminal has a unique identity, its Access Identification (AID). In Fig. 2, access nodes ASN1 and ASN2 attach terminals UE1 and UE3, which hold the unique identifiers AID1 and AID3 respectively.
For brevity, this identity/locator separation network is referred to below as the SILSN (Subscriber Identifier & Locator Separation Network), and the invention is described with the SILSN as the basis.
While the SILSN is being built out it must interwork with the existing Internet. During interworking, a packet sent by a SILSN user is forwarded by its ASN to the ISN, which forwards it to the Internet or another external network. In the reverse direction, a packet from the external Internet is converted by the ISN, which maps the external IP address to a corresponding SILSN AID, and is then delivered to the SILSN user.
A SILSN user can therefore receive packets from intranet users as well as from untrusted external users, and inside the SILSN both kinds are identified by an AID. Without a defined AID type rule, intranet users cannot tell the two kinds of packet apart and cannot treat them differently, which seriously weakens traceability and security in the SILSN.
To let SILSN users distinguish packets from intranet users from packets from external users, the SILSN network nodes must be changed so that they help the user tell whether a received packet comes from a trusted intranet user, a trusted external user, an untrusted external user, and so on, and process it accordingly. The invention provides a method for distinguishing users of different trust types in the SILSN and processing them separately.
Embodiment 1
1.1 Partitioning of source identifiers within the domain
In the SILSN, the packet source identifier referred to above is the unique Access Identification (AID) of the packet's source within the SILSN, so the packet source category may also be called the source AID category.
Below, the SILSN is treated as one domain: users inside the SILSN are intra-domain users, and users outside it are extra-domain users.
Packets received by a SILSN user have the following origins:
1. Trusted users within the domain.
2. Enterprise (group) users within the domain.
3. Internet cafe users within the domain.
To distinguish packets from these origins, the invention partitions the source AID space. To leave room for other AID types in the future, three binary bits are taken from the AID addressing space and assigned as follows:
000  trusted user within the domain
001  group user within the domain
010  Internet cafe user within the domain
011  reserved
1.2 ASN processing
To implement and apply the AID types in the SILSN, the ASN proceeds as follows.
The ASN checks the AID type in packets sent by users of its own network: for each user type it verifies that the corresponding AID type is used. For example, a trusted individual user of this SILSN must carry 000 in the type bits of its AID, a group user of this SILSN must carry 001, and an Internet cafe user must carry 010. If the AID type in a packet differs from the type prescribed for that user, the ASN may discard the packet.
The ASN obtains a user's AID type from the authentication server: when the ASN requests authentication of the user and the user passes, the authentication server returns the user's type to that ASN. Thereafter, whenever the user sends a packet, the ASN verifies that the AID type in the packet is the prescribed one.
Fig. 3 shows the ASN obtaining the AID type from the authentication server and verifying the AID type of user packets. When a UE attaches to the network it first authenticates with the authentication server through the ASN; on success the authentication server returns the AID type. The ASN stores the user's type and checks subsequent packets against it; a packet that does not match the user's type is either discarded or has its AID type rewritten to the correct value.
Step 301: The UE sends an access request to the ASN.
Step 302: The ASN starts the authentication procedure for the UE with the authentication server. Steps 301 and 302 may involve several message exchanges for mutual authentication.
Step 303: After authentication succeeds, the authentication server returns the user's AID type to the ASN.
Step 304: The ASN stores the user's AID type for later checks.
Step 305: The ASN informs the UE that authentication has succeeded and access is permitted.
Step 306: The UE begins to send data packets.
Step 307: The ASN checks whether the AID type carried in a packet from the UE is the correct one. If so, the packet is forwarded normally; otherwise it is discarded, or the AID type is replaced with the correct one before forwarding.
Fig. 4 shows how the ASN distinguishes and rewrites packets sent by intranet users, that is, how the ASN checks and rewrites user packets against the stored AID type. The ASN determines whether the user is an ordinary user, a group user or an Internet cafe user and sets the AID type of packets from those users to 000, 001 and 010 respectively. In practice either only the three type bits or the whole AID may be replaced.
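The following is an added example, not code from the patent or from its assignee, showing how the three type bits of section 1.1 can be encoded and read back, and how an ASN can enforce them as in steps 303 to 307 (drop or rewrite on mismatch). The patent does not fix the AID width or the position of the type field; this example assumes a 32-bit AID with the type field in the three most significant bits, and assumes the ASN identifies an attached user by the remaining 29 bits. The `Packet` layout, the class and function names are likewise this example's own.

```python
# Added example (not the patent's code): AID type field and ASN enforcement.
# Assumptions: 32-bit AID, type field = top 3 bits, user keyed by host bits.
from dataclasses import dataclass, replace
from enum import IntEnum
from typing import Optional

AID_BITS = 32                                   # assumption: AID width
TYPE_SHIFT = AID_BITS - 3                       # assumption: type field is the top 3 bits
TYPE_MASK = 0b111 << TYPE_SHIFT                 # 0xE0000000
HOST_MASK = ((1 << AID_BITS) - 1) & ~TYPE_MASK  # 0x1FFFFFFF


class AidType(IntEnum):
    """Type codes of sections 1.1 (intra-domain) and 2.1 (extra-domain)."""
    TRUSTED_INTRA = 0b000
    GROUP_INTRA = 0b001
    CAFE_INTRA = 0b010
    RESERVED_011 = 0b011
    TRUSTED_SAME_EXT = 0b100
    TRUSTED_OTHER_EXT = 0b101
    RESERVED_110 = 0b110
    UNTRUSTED_EXT = 0b111


def aid_type(aid: int) -> AidType:
    """Read the type field out of an AID."""
    return AidType((aid & TYPE_MASK) >> TYPE_SHIFT)


def set_aid_type(aid: int, t: AidType) -> int:
    """Replace only the three type bits, keeping the host bits (Fig. 4 variant)."""
    return (aid & HOST_MASK) | (int(t) << TYPE_SHIFT)


@dataclass(frozen=True)
class Packet:                                   # hypothetical minimal SILSN packet
    src_aid: int
    dst_aid: int
    payload: bytes


class ASN:
    """Access service node. on_mismatch is the step-307 choice ('drop' or 'rewrite')
    for a packet whose type bits disagree with the type learned at authentication."""

    def __init__(self, on_mismatch: str = "drop") -> None:
        if on_mismatch not in ("drop", "rewrite"):
            raise ValueError(on_mismatch)
        self.on_mismatch = on_mismatch
        self._user_type: dict[int, AidType] = {}   # host bits -> AID type (step 304)

    def on_auth_success(self, aid: int, t: AidType) -> None:
        """Steps 303/304: the authentication server returned type t for this user."""
        self._user_type[aid & HOST_MASK] = t

    def forward(self, pkt: Packet) -> Optional[Packet]:
        """Step 307: return the packet to forward, or None if it is dropped."""
        expected = self._user_type.get(pkt.src_aid & HOST_MASK)
        if expected is None:
            return None                         # source never authenticated: do not forward
        if aid_type(pkt.src_aid) == expected:
            return pkt                          # type bits agree: forward unchanged
        if self.on_mismatch == "drop":
            return None
        return replace(pkt, src_aid=set_aid_type(pkt.src_aid, expected))


if __name__ == "__main__":
    asn = ASN("rewrite")
    user = 0x00123456                           # constructed host bits of one user
    asn.on_auth_success(user, AidType.GROUP_INTRA)
    # The user claims the "trusted individual" type 000 although it was authenticated as 001.
    spoofed = Packet(set_aid_type(user, AidType.TRUSTED_INTRA), dst_aid=3, payload=b"hi")
    fixed = asn.forward(spoofed)
    print(hex(fixed.src_aid), aid_type(fixed.src_aid).name)
```

Keying the stored type on the host bits rather than on the whole AID is what makes the check meaningful: a user cannot escape it by changing the very bits being verified. Whether an unauthenticated source is dropped or merely logged is a deployment choice; the example drops it.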
Embodiment 2
When the SILSN is built it will inevitably coexist with the existing Internet, and interworking between them is unavoidable. The architecture for interworking between the SILSN and the Internet is described below.
Fig. 2 is the system architecture of the SILSN. UE1 and UE3 are SILSN intranet users and UE2 is an external user; ASN1 and ASN2 are access devices; ISN1 handles packets from outside the network and converts between the SILSN internal packet format and the external format; the ILR is the register of identities and locations and holds the location to which a user has roamed; the authentication server authenticates user access. In Fig. 2, UE3 can receive packets both from UE1 on the SILSN intranet and from UE2 on the external network. This application example lets intranet user UE3 distinguish these packets of different origin and trust level and process them separately.
2.1 Partitioning of source identifiers across domains
When the SILSN interworks with external users, packets received by a SILSN user have the following origins:
1. Trusted users within the domain.
2. Group users within the domain.
3. Internet cafe users within the domain.
4. Trusted users of a network of the same kind outside the domain.
5. Trusted users of a network of a different kind outside the domain (for example, IPv6 users with source address authentication).
6. Untrusted network users outside the domain.
To distinguish packets from these origins, the invention partitions the source AID space. To leave room for other AID types in the future, three binary bits are taken from the AID addressing space, giving eight possible values for the AID type identifier. This method defines six of them and reserves two for later extension, as shown in Fig. 5:
000  trusted user within the domain
001  group user within the domain
010  Internet cafe user within the domain
011  reserved for future use
100  trusted user of a network of the same kind outside the domain
101  trusted user of a network of a different kind outside the domain
110  reserved for future use
111  untrusted network user outside the domain
With this partitioning, when the SILSN interworks with other networks, a SILSN user receiving a packet from any other user can tell from the AID whether the source can be trusted and to what degree, and then process it accordingly.
Note that the above is only one way of assigning AID values to user types. In a real network the AID trust types need not be laid out in exactly this order; permutations of the type codes also fall within the scope of the invention.
2.2 ASN processing
ASN processing in this embodiment is the same as in Embodiment 1 and is not repeated here.
2.3 ISN processing
In AID type differentiation the ISN plays an essential role, with the following functions.
1. It distinguishes the type of source user identifier in packets arriving from external networks and assigns different AID types to trusted SILSN users on the external side, trusted users of other external networks, and untrusted external users.
For example, when the ISN receives a packet from a user of a trusted external SILSN it sets the type bits to 100; when it receives a packet from an untrusted external user it sets them to 111, the code assigned to untrusted external users in section 2.1.
2. For packets sent by intranet users to external users, it converts the destination address back to the external user's original address.
Because the ISN has distinguished and rewritten the source AIDs of external users, the source AID that a SILSN user sees in a received packet differs from the one in the original packet. When the intranet user replies, the destination AID type in the reply is the type the ISN substituted, so the destination AID is no longer the external user's original identifier; unless it is restored, intermediate routers in the external network cannot deliver the packet to the original user. The ISN therefore keeps a mapping table of its source address rewrites and, on receiving a packet from an intranet user bound for the external network, restores the destination address to the original AID type or the original address.
Fig. 6 shows the ISN rewriting AID types in packets from the external network and from the intranet. On receiving a packet from the external network, the ISN rewrites the type bits of the source AID according to how far the external network is trusted. On receiving a packet from the intranet, it likewise rewrites the type bits of the destination AID according to the trust placed in the external network.
Step 601: An external user sends a packet to the ISN.
Step 602: From the packet's origin the ISN determines whether the user comes from a trusted SILSN, from another trusted network, or from an untrusted network, and replaces the AID with the corresponding AID type in each case. The ISN may also need to convert the packet format, for instance from the external network's IPv4 format to the SILSN format.
Step 603: The ISN sends the converted packet to the ASN, which forwards it to the actual intranet user.
Step 605: The ISN restores the AID type according to the trust placed in the network in which the destination AID lies, that is, it reverts the type bits of the destination AID sent by the intranet user to a form the external user can recognise. The ISN may also need to convert the intranet data format to the external format.
Step 606: The ISN sends the converted packet to the external network.
Fig. 7 is the detailed flow of the ISN rewriting AID types in packets from the external network: on receiving such a packet the ISN decides whether the originating network is a trusted SILSN, another trusted network or an untrusted network, and sets the AID type in the packet to 100, 101 or 111 respectively.
2.4 Terminal processing
Once the ASN and ISN have verified and differentiated AID types by the above method, a SILSN user terminal receiving packets carrying these type identifiers can classify them by the type bits. For example, a confidential server can refuse access to users whose AID type is 111 (untrusted external users) to prevent leakage of confidential information. Likewise a sensitive BBS forum server can restrict Internet cafe users, whose packets are hard to trace back to a person, to browsing only and disallow posting, preserving order on the forum and keeping malicious parties from publishing harmful content.
The classification of AIDs described above thus provides a technical means of separating external from internal users and trusted from untrusted users, so that the security of users and of upper-layer services can be differentiated by user AID type. This achieves interconnection between the SILSN and external networks for ordinary service needs while letting SILSN users identify untrusted users and handle them accordingly, which improves the flexibility of SILSN networking and deployment while preserving the security of the SILSN.
Fig. 8 shows how the ISN determines whether an external packet comes from a trusted network. How the ISN identifies the origin of external packets is not the focus of the invention, but it is described here so that the scheme can be implemented.
If this SILSN has a trust relationship with another SILSN, a secure tunnel such as IPsec can be set up between them, as in Fig. 8(a). Packets that SILSN B sends to SILSN A through this tunnel are all packets from trusted network users, and the ISN in SILSN A sets their AID type to 100 on receipt.
Similarly, as in Fig. 8(b), this SILSN can establish mutual trust with networks of other kinds, which likewise send packets to SILSN A through a secure tunnel; the ISN in SILSN A sets the AID type of those packets to 101.
Application example
Fig. 9 shows a specific application scenario: classification by a SILSN user of packets carrying different AID types. Because the SILSN has classified AIDs of different origin in detail, users inside the SILSN know clearly which users are external and which internal, which are trusted and which are not, and can then process packets according to the service being performed.
Step 901: A SILSN user receives a packet. Based on its own attributes and the confidentiality of the service application, it determines which users the current service admits and looks up the corresponding handling in a policy store according to the service's confidentiality and similar characteristics. Steps 902 to 904 are examples of such policies.
Step 902: If the local user belongs to a confidential private network such as the public security network, it can be restricted to processing no packets from external users at all, accepting only AID types 000 and 001; if it is treated as a group user, it accepts only AID type 001. Packets from Internet cafe users (010) and from external users are blocked.
Step 903: If the local user is a server belonging to a group user, it can accept only packets of AID type 001 (group users) and reject all other sources.
Step 904: If the local user is a politically sensitive BBS server, Internet cafe users (010) and external users are allowed only to browse BBS content, not to modify or post, which effectively defends against attacks from external users.
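The following added example, not code from the patent or from its assignee, serves both section 2.3 and the terminal-side policies of section 2.4 and Fig. 9. It models an ISN that tags the source of an external packet by the tunnel it arrived over (Fig. 8), keeps the rewrite table needed to restore the destination on the way out (steps 602 to 606), and a terminal that looks up a policy of the kind in steps 902 to 904. Everything beyond the patent is an assumption of this example: 32-bit AIDs with the type field in the top three bits, tunnels identified by a name, an AID allocated from a simple counter for IP-addressed sources, the `Packet` layout, and the policy store keyed by terminal role. Format conversion between IPv4 and the SILSN packet format is not modelled.

```python
# Added example (not the patent's code): ISN tagging and restoration plus terminal policy.
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional, Tuple, Union

TYPE_SHIFT = 29                                  # assumption: 32-bit AID, type in top 3 bits
TYPE_MASK = 0b111 << TYPE_SHIFT
HOST_MASK = ((1 << 32) - 1) & ~TYPE_MASK


class AidType(IntEnum):                          # codes of section 2.1 / Fig. 5
    TRUSTED_INTRA = 0b000
    GROUP_INTRA = 0b001
    CAFE_INTRA = 0b010
    RESERVED_011 = 0b011
    TRUSTED_SAME_EXT = 0b100
    TRUSTED_OTHER_EXT = 0b101
    RESERVED_110 = 0b110
    UNTRUSTED_EXT = 0b111


def aid_type(aid: int) -> AidType:
    return AidType((aid & TYPE_MASK) >> TYPE_SHIFT)


def set_aid_type(aid: int, t: AidType) -> int:
    return (aid & HOST_MASK) | (int(t) << TYPE_SHIFT)


@dataclass(frozen=True)
class Packet:                                    # SILSN-side packet (hypothetical layout)
    src_aid: int
    dst_aid: int
    payload: bytes


ExtSource = Union[int, str]                      # AID of a peer-SILSN user, or an IP address string
ExtKey = Tuple[Optional[str], ExtSource]         # (tunnel name or None for the open Internet, source)


class ISN:
    def __init__(self) -> None:
        self.tunnel_trust: dict = {}             # Fig. 8: tunnel name -> type given to its sources
        self._to_aid: dict = {}                  # ExtKey -> AID handed to intranet users
        self._to_ext: dict = {}                  # AID -> ExtKey: the patent's mapping table
        self._next_host = 1                      # hypothetical allocator for IP-addressed sources

    def add_trusted_tunnel(self, name: str, t: AidType) -> None:
        if t not in (AidType.TRUSTED_SAME_EXT, AidType.TRUSTED_OTHER_EXT):
            raise ValueError("a tunnel can only confer an extra-domain trusted type")
        self.tunnel_trust[name] = t

    def classify(self, tunnel: Optional[str]) -> AidType:
        """Step 602: anything not arriving over a trusted tunnel is untrusted (111)."""
        return self.tunnel_trust.get(tunnel, AidType.UNTRUSTED_EXT)

    def ingress(self, tunnel: Optional[str], ext_src: ExtSource, dst_aid: int, payload: bytes) -> Packet:
        """Steps 602/603: tag the source, remember the rewrite, hand the packet inward."""
        t = self.classify(tunnel)
        key: ExtKey = (tunnel, ext_src)
        if key not in self._to_aid:
            if t is AidType.TRUSTED_SAME_EXT and isinstance(ext_src, int):
                aid = set_aid_type(ext_src, t)   # peer SILSN: keep host bits, retag (Fig. 7)
            else:
                aid = set_aid_type(self._next_host, t)   # IP source: allocate, then tag
                self._next_host += 1
            self._to_aid[key] = aid
            self._to_ext[aid] = key
        return Packet(self._to_aid[key], dst_aid, payload)

    def egress(self, pkt: Packet) -> Tuple[Optional[str], ExtSource, int, bytes]:
        """Steps 605/606: restore the peer's real address and pick the tunnel to send on."""
        tunnel, ext = self._to_ext[pkt.dst_aid]  # KeyError: never mapped, cannot be routed out
        return tunnel, ext, pkt.src_aid, pkt.payload


@dataclass(frozen=True)
class Policy:
    accept: frozenset                            # AID types admitted at all
    read_only: frozenset = frozenset()           # admitted types limited to non-modifying operations


POLICIES = {                                     # hypothetical policy store of step 901
    "public_security_net": Policy(frozenset({AidType.TRUSTED_INTRA, AidType.GROUP_INTRA})),   # 902
    "group_server": Policy(frozenset({AidType.GROUP_INTRA})),                                  # 903
    "sensitive_bbs": Policy(                                                                   # 904
        frozenset(AidType) - {AidType.RESERVED_011, AidType.RESERVED_110},
        read_only=frozenset({AidType.CAFE_INTRA, AidType.TRUSTED_SAME_EXT,
                             AidType.TRUSTED_OTHER_EXT, AidType.UNTRUSTED_EXT})),
}


def decide(role: str, pkt: Packet, operation: str) -> str:
    """Steps 901-904: 'allow', 'limit' (browse only) or 'drop' by source AID type."""
    policy = POLICIES[role]
    t = aid_type(pkt.src_aid)
    if t not in policy.accept:
        return "drop"
    if t in policy.read_only and operation != "read":
        return "limit"
    return "allow"


if __name__ == "__main__":
    isn = ISN()
    isn.add_trusted_tunnel("ipsec-to-silsn-b", AidType.TRUSTED_SAME_EXT)
    bbs = 0x00000003                             # constructed AID of the BBS server (UE3)
    for pkt in (isn.ingress("ipsec-to-silsn-b", 0x00000ABC, bbs, b"post"),
                isn.ingress(None, "203.0.113.5", bbs, b"post")):
        print(hex(pkt.src_aid), aid_type(pkt.src_aid).name, decide("sensitive_bbs", pkt, "post"))
    print(isn.egress(Packet(bbs, 0xE0000001, b"reply")))
```

Two points the prose leaves implicit are visible here: the ISN must key its mapping table on the tunnel as well as the address, since an address seen over a trusted tunnel and the same address seen from the open Internet must not share one AID; and the terminal's decision depends only on the type bits, so it is only as good as the ASN and ISN enforcement that puts them there.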
以上虽然是以 SILSN为例进行说明的,但本发明同样适用于现有 Internet 网络,相应的, 报文源端标识即为 IP地址, Internet网络中的基站用于实现本 发明 SILSN网络中的 ASN的处理能力, SILSN网络中的 ASN和 Internet网络 中的基站可以统称为用于实现终端接入的接入设备; 而互通服务节点 ISN同 样可以实现第一网络(如 Internet网络)与第二网络(如其他网络) 的互通。 Although the above description is based on the SILSN, the present invention is also applicable to the existing Internet network. Correspondingly, the source end identifier of the packet is an IP address, and the base station in the Internet network is used to implement the ASN in the SILSN network of the present invention. Processing power, ASN and Internet network in SILSN network The base stations in the network can be collectively referred to as access devices for implementing terminal access; and the interworking service node ISN can also implement interworking between the first network (such as an Internet network) and the second network (such as other networks).
为实现以上方法, 本发明还提供了一种终端, 所述终端基于通讯网络实 现, 所述终端包括: In order to implement the above method, the present invention further provides a terminal, where the terminal is implemented based on a communication network, where the terminal includes:
接收模块, 用于接收数据报文, 所述数据报文的报文源端标识中的特定 比特位为报文源端类别标识, 所述报文源端标识用于表示数据报文的来源; 报文源端类别确定模块, 与所述接收模块连接, 用于根据数据报文的报 文源端标识中的所述 >¾文源端类别标识确定 ^文源端类别;  a receiving module, configured to receive a data packet, where a specific bit in the source end identifier of the data packet is a source end category identifier, and the source end identifier is used to indicate a source of the data packet; a packet source end category determining module, configured to be connected to the receiving module, configured to determine, according to the >3⁄4 source source category identifier in the source identifier of the data packet, the source end category;
数据报文处理模块, 与所述报文源端类别确定模块连接, 用于根据所述 报文源端类别对所述数据报文进行区别处理。  The data packet processing module is connected to the packet source class determining module, and configured to perform different processing on the data packet according to the source class of the packet.
所述数据报文处理模块对接收的所述数据报文进行区别处理时, 根据所 述报文源端类别, 并结合该终端自身属性以业务应用的机密性, 确定对所述 数据报文的处理方法。  When the data packet processing module performs the difference processing on the received data packet, determining the data packet according to the source type of the packet and the confidentiality of the service application according to the terminal's own attribute. Approach.
所述通讯网络是 Internet网络或身份标识和位置分离网络(SILSN ) , 所 述报文源端标识是所述数据报文源端在 Internet网络的 IP地址或所述 SILSN 中的接入标识(AID ) 。  The communication network is an Internet network or an identity and location separation network (SILSN), and the source identifier of the packet is an IP address of the data packet at an IP address of the Internet network or an access identifier (AID) in the SILSN. ).
所述 文源端类别包括以下至少一个: 域内可信任用户、域内集团用户、 域内网吧用户、 域外可信任的同类网络用户、 域外可信任的异类网络用户、 域外不可信任的网络用户。  The source end category includes at least one of the following: a trusted user in the domain, a group user in the domain, an Internet cafe user in the domain, a similar network user trusted outside the domain, a heterogeneous network user trusted outside the domain, and an untrusted network user outside the domain.
另外, 本发明还提供了一种数据报文分类处理的网络, 所述系统设置数 据报文的报文源端标识中的特定比特位为报文源端类别标识, 所述报文源端 标识用于表示数据报文的来源, 所述网络包括: In addition, the present invention further provides a network for classifying a data packet, wherein the system sets a specific bit in the source end identifier of the data packet as the source end class identifier of the packet, and the source end identifier of the packet Used to indicate the source of the data message, the network includes:
终端, 用于发送及接收数据报文, 以及根据数据报文中的报文源端类别 标识对接收的数据报文进行区别处理;  The terminal is configured to send and receive a data packet, and perform differential processing on the received data packet according to the source type identifier of the packet in the data packet;
所述终端对接收的所述数据报文进行区别处理时, 根据所述报文源端类 别, 并结合该终端自身属性以业务应用的机密性, 确定对所述数据报文的处 理方法。 When the terminal performs the difference processing on the received data packet, the terminal determines the location of the data packet according to the source type of the packet and the confidentiality of the service application in combination with the terminal's own attribute. Method.
接入设备, 与所述终端连接, 用于向所述终端转发数据报文, 以及接收 终端发送的数据报文, 还用于验证所述终端发送的数据报文中的报文源端类 别标识是否与所述终端的类别一致, 若一致, 则正常转发, 否则丟弃或根据 所述终端的类别修改所述数据报文中的报文源端标识后再转发;  The access device is connected to the terminal, and is configured to forward the data packet to the terminal, and receive the data packet sent by the terminal, and is also used to verify the source identifier of the packet in the data packet sent by the terminal. Whether it is consistent with the category of the terminal, if it is consistent, it is forwarded normally; otherwise, it is discarded or the source identifier of the packet in the data packet is modified according to the type of the terminal, and then forwarded;
认证服务器, 与所述接入服务器连接, 用于对终端进行用户身份识别及 认证, 以及在认证过程中将终端的类别通知所述终端所在的接入设备。  The authentication server is connected to the access server, and is configured to perform user identification and authentication on the terminal, and notify the access device where the terminal is located in the authentication process.
所述网络是 Internet网络或身份标识和位置分离网络(SILSN )时, 所述 报文源端标识是所述数据报文源端在 Internet网络的 IP地址或所述 SILSN中 的接入标识(AID ) 。  When the network is an Internet network or an identity and location separation network (SILSN), the source identifier of the packet is an IP address of the data packet at the source end of the Internet network or an access identifier (AID) in the SILSN. ).
( ISN ) , 所述 ISN包括: ( ISN ) , the ISN includes:
a receiving module, configured to receive data packets sent by other networks to the data packet classification processing network; a packet source category determining module, connected to the receiving module, configured to determine, according to the source of the data packet, the packet source category identifier of the data packet's source end in the data packet classification processing network;
a data packet conversion module, connected to the packet source category determining module, configured to convert the data packet from the other network's format into the format of the data packet classification processing network, which includes modifying the packet source identifier of the data packet according to the determined packet source category identifier; the module is further configured to store the correspondence between the packet source identifiers before and after modification, and to perform format conversion on data packets sent to the other networks according to that correspondence; and
a data packet forwarding module, connected to the data packet conversion module, configured to route and send the converted data packet within the data packet classification processing network.
The present invention further provides an interworking service node (ISN). The ISN is used to implement interworking between two networks, a first network and a second network, where the first network designates specific bits in the packet source identifier of a data packet as the packet source category identifier, and the packet source identifier indicates the source of the data packet. The ISN includes:
a receiving module, configured to receive data packets sent by the second network to the first network;
a packet source category determining module, connected to the receiving module, configured to determine, according to the source of the data packet, the packet source category identifier of the data packet's source end in the first network;
a data packet conversion module, connected to the packet source category determining module, configured to convert the data packet from the second network's format into the first network's format, which includes modifying the packet source identifier of the data packet according to the determined packet source category identifier; the module is further configured to store the correspondence between the packet source identifiers before and after modification, and to perform format conversion on data packets sent to the second network according to that correspondence; and a data packet forwarding module, connected to the data packet conversion module, configured to route and forward the format-converted data packet to the first network.
The first network is the Internet or an identity-and-location-separation network (SILSN); the packet source identifier is the IP address of the data packet's source end on the Internet or its access identifier (AID) in the SILSN; and the second network is a network of the same kind as, or of a different kind from, the first network.
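The ISN behaviour described above (determine a category from the packet's origin, overwrite the category bits of the source identifier, keep the before/after correspondence, and use it to convert return traffic), as an added example in Python that is not part of the patent. It assumes a 32-bit identifier whose top three bits carry the category, a trust table provisioned by the operator that maps an origin network to a category, and a constructed numbering for three of the categories the patent lists; the names InterworkingNode, to_internal and to_external and the collision-probing rule in _stamp are likewise the example's own choices.

```python
# Added example (not from the patent): an interworking service node (ISN) that
# stamps a source category into the source identifier of inbound packets, keeps
# the before/after correspondence, and reverses it for return traffic.
from dataclasses import dataclass

# Constructed layout: 32-bit identifier, top 3 bits carry the category.
ID_BITS = 32
CATEGORY_BITS = 3
SHIFT = ID_BITS - CATEGORY_BITS
CAT_MASK = ((1 << CATEGORY_BITS) - 1) << SHIFT
LOW_MASK = (1 << SHIFT) - 1

# Constructed numbering for three of the categories the patent lists (claim 6).
TRUSTED_SAME_KIND_EXTERNAL = 3
TRUSTED_OTHER_KIND_EXTERNAL = 4
UNTRUSTED_EXTERNAL = 5


def category_of(identifier):
    """Read the category bits back out of an identifier."""
    return (identifier & CAT_MASK) >> SHIFT


@dataclass(frozen=True)
class Packet:
    src: int
    dst: int
    payload: bytes


class InterworkingNode:
    def __init__(self, trust_table):
        # origin network name -> category; assumed to be provisioned by the operator.
        self.trust_table = dict(trust_table)
        self.inbound = {}   # internal identifier -> original external identifier
        self.outbound = {}  # original external identifier -> internal identifier

    def category_for(self, origin_network):
        # Anything not explicitly trusted is treated as untrusted (fail closed).
        return self.trust_table.get(origin_network, UNTRUSTED_EXTERNAL)

    def _stamp(self, ext_src, cat):
        """Overwrite the category bits of ext_src with cat.

        Whatever category bits the peer network set itself are discarded: only
        this network's view of the origin counts. The low bits are kept so the
        identifier stays recognisable. Two external sources that differ only in
        their top bits would collide after stamping, so on a collision the next
        free low value in the same category is used (constructed rule).
        """
        base = ext_src & LOW_MASK
        for i in range(1 << SHIFT):
            cand = (cat << SHIFT) | ((base + i) & LOW_MASK)
            if self.inbound.get(cand, ext_src) == ext_src:
                return cand
        raise RuntimeError("identifier space for this category is exhausted")

    def to_internal(self, pkt, origin_network):
        """Convert a packet arriving from origin_network into the internal format.

        A source seen before keeps its mapping, so the category assigned on first
        sight sticks for that external identifier.
        """
        new_src = self.outbound.get(pkt.src)
        if new_src is None:
            cat = self.category_for(origin_network)
            new_src = self._stamp(pkt.src, cat)
            self.inbound[new_src] = pkt.src
            self.outbound[pkt.src] = new_src
        return Packet(new_src, pkt.dst, pkt.payload)

    def to_external(self, pkt):
        """Reverse the translation for a packet leaving towards the external peer.

        Returns None when there is no recorded correspondence: the node does not
        guess an external address from a category-stamped identifier.
        """
        ext_dst = self.inbound.get(pkt.dst)
        if ext_dst is None:
            return None
        return Packet(pkt.src, ext_dst, pkt.payload)
```

The correspondence table is what makes the reverse direction safe: a return packet whose destination was never produced by to_internal is dropped rather than rewritten, and an origin network the operator has not listed lands in the untrusted category by default.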
Although preferred embodiments of the present invention have been disclosed for the purpose of illustration, those skilled in the art will recognize that various improvements, additions and substitutions are also possible; therefore, the scope of the present invention should not be limited to the embodiments described above.
Those of ordinary skill in the art will understand that all or part of the steps of the above method may be carried out by a program instructing the relevant hardware, and that the program may be stored in a computer-readable storage medium such as a read-only memory, a magnetic disk or an optical disc. Optionally, all or part of the steps of the above embodiments may also be implemented using one or more integrated circuits. Correspondingly, each module/unit in the above embodiments may be implemented in the form of hardware or in the form of a software functional module. The present invention is not limited to any particular combination of hardware and software.
Industrial applicability
The present invention uses specific bits in the packet source identifier of a data packet to carry a packet source category identifier, so that a terminal receiving the data packet can determine the source of the packet from the packet source category identifier in its packet source identifier, judge how trustworthy the packet is, and treat it differently according to different policies (trust levels). This allows end users to classify and process data packets sent by users of different trust levels, which improves network security: for example, highly confidential services can be made accessible only to trusted users, while services with a low security level can be opened, as appropriate, to users of low trust levels such as those on external networks.

Claims

1. A method for implementing data packet classification processing, characterized in that the method is implemented on the basis of a data packet classification processing network that performs classification processing on data packets, and the method includes processing of data packets by a terminal, which processing includes:
receiving, by the terminal, a data packet, where specific bits in the packet source identifier of the data packet are a packet source category identifier, and the packet source identifier indicates the source of the data packet;
determining, by the terminal, the packet source category according to the packet source category identifier in the packet source identifier of the data packet; and
performing, by the terminal, differentiated processing on the data packet according to the packet source category.
2. The method according to claim 1, further including processing of data packets by an access device, which processing includes:
receiving, by the access device, a data packet sent by the terminal; and
checking, by the access device, whether the packet source category identifier in the packet source identifier of the data packet is consistent with the category of the terminal; if consistent, forwarding the packet normally; if not consistent, discarding the packet, or modifying the packet source identifier of the data packet according to the category of the terminal and then forwarding it;
where the category of the terminal is sent to the access device by an authentication server during the access authentication procedure of the terminal.
3. The method according to claim 1, where, when the data packet classification processing network interworks with an external network, the method further includes processing of data packets by an interworking service node (ISN), which processing includes:
receiving, by the ISN, a data packet sent by the external network to the data packet classification processing network;
determining, by the ISN, according to the source of the data packet, the packet source category identifier of the data packet's source end in the data packet classification processing network, and converting the data packet, which includes modifying the packet source identifier of the data packet according to the determined packet source category identifier; and
routing and sending, by the ISN, the converted data packet within the data packet classification processing network.
4. The method according to any one of claims 1 to 3, where the step of the terminal performing differentiated processing on the received data packet includes: determining how the data packet is to be processed according to the packet source category, in combination with the terminal's own attributes and the confidentiality of the service application.
5. The method according to any one of claims 1 to 3, where the method is implemented on the basis of the Internet or an identity-and-location-separation network (SILSN), and the packet source identifier is the IP address of the data packet's source end on the Internet or its access identifier (AID) in the SILSN.
6. The method according to any one of claims 1 to 3, where the packet source category includes: trusted users within the domain, enterprise-group users within the domain, Internet-cafe users within the domain, trusted users of a same-kind network outside the domain, trusted users of a different-kind network outside the domain, or untrusted network users outside the domain.
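The terminal-side and access-device-side steps of claims 1, 2, 4 and 6, as an added example in Python that is not part of the patent. It assumes a 32-bit identifier whose top three bits carry the category, a constructed numbering of the six categories the patent lists, constructed trust levels for them, and a "required trust level" per service standing in for the confidentiality of the service application; the names AccessDevice, Terminal, on_authenticated, ingress and handle are the example's own, and so is the "accepts_external" flag used as the terminal's own attribute.

```python
# Added example (not from the patent): terminal-side classification of a packet by
# the category bits in its source identifier, and the access-device check that the
# bits a terminal sends match the category the authentication server assigned it.
from enum import IntEnum

# Constructed layout: 32-bit identifier, top 3 bits carry the category.
ID_BITS = 32
CATEGORY_BITS = 3
SHIFT = ID_BITS - CATEGORY_BITS
CAT_MASK = ((1 << CATEGORY_BITS) - 1) << SHIFT


class SourceCategory(IntEnum):
    """The six categories the patent lists; the numbering is an assumption."""
    TRUSTED_IN_DOMAIN = 0
    GROUP_IN_DOMAIN = 1
    CAFE_IN_DOMAIN = 2
    TRUSTED_SAME_KIND_EXTERNAL = 3
    TRUSTED_OTHER_KIND_EXTERNAL = 4
    UNTRUSTED_EXTERNAL = 5


# Constructed trust levels per category; higher is more trusted.
TRUST_LEVEL = {
    SourceCategory.TRUSTED_IN_DOMAIN: 5,
    SourceCategory.GROUP_IN_DOMAIN: 4,
    SourceCategory.CAFE_IN_DOMAIN: 3,
    SourceCategory.TRUSTED_SAME_KIND_EXTERNAL: 3,
    SourceCategory.TRUSTED_OTHER_KIND_EXTERNAL: 2,
    SourceCategory.UNTRUSTED_EXTERNAL: 0,
}


def category_of(src_id):
    """Decode the category bits; None for the two bit values no category is assigned to."""
    value = (src_id & CAT_MASK) >> SHIFT
    try:
        return SourceCategory(value)
    except ValueError:
        return None


def with_category(src_id, cat):
    """Rewrite the category bits of src_id to cat, keeping the remaining bits."""
    return (src_id & ~CAT_MASK) | (int(cat) << SHIFT)


class AccessDevice:
    """Checks the category bits on packets a terminal sends (claim 2 of the patent)."""

    def __init__(self, rewrite_on_mismatch=False):
        self.rewrite_on_mismatch = rewrite_on_mismatch
        self.port_category = {}  # access port -> category reported by the authentication server

    def on_authenticated(self, port, cat):
        """Record the category the authentication server assigned to the terminal on port."""
        self.port_category[port] = cat

    def ingress(self, port, src_id):
        """Return (action, src_id_to_forward); action is 'forward', 'rewrite' or 'drop'."""
        expected = self.port_category.get(port)
        if expected is None:
            return "drop", src_id          # port has not completed access authentication
        if category_of(src_id) == expected:
            return "forward", src_id
        if self.rewrite_on_mismatch:
            return "rewrite", with_category(src_id, expected)
        return "drop", src_id


class Terminal:
    """Differentiated processing by source category, service confidentiality and a
    terminal attribute (claims 1 and 4 of the patent)."""

    def __init__(self, services, accepts_external=True):
        self.services = dict(services)            # local port -> required trust level
        self.accepts_external = accepts_external  # terminal attribute, e.g. internal-only host

    def handle(self, src_id, dst_port):
        cat = category_of(src_id)
        if cat is None:
            return "drop"                         # undefined category bits
        required = self.services.get(dst_port)
        if required is None:
            return "drop"                         # no such service on this terminal
        if not self.accepts_external and cat >= SourceCategory.TRUSTED_SAME_KIND_EXTERNAL:
            return "reject"
        return "accept" if TRUST_LEVEL[cat] >= required else "reject"
```

The access device is the enforcement point that gives the category bits their value: it learns the terminal's category from the authentication server rather than from the packet, so a terminal that writes a higher category into its own source identifier is either dropped or silently corrected before the packet reaches anyone who would trust the bits.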
7. A terminal, characterized in that the terminal is implemented on the basis of a communication network and includes: a receiving module, configured to receive a data packet, where specific bits in the packet source identifier of the data packet are a packet source category identifier, and the packet source identifier indicates the source of the data packet;
a packet source category determining module, connected to the receiving module, configured to determine the packet source category according to the packet source category identifier in the packet source identifier of the data packet; and
a data packet processing module, connected to the packet source category determining module, configured to perform differentiated processing on the data packet according to the packet source category.
8. The terminal according to claim 7, where the data packet processing module is configured to determine how the data packet is to be processed according to the packet source category, in combination with the terminal's own attributes and the confidentiality of the service application.
9. The terminal according to claim 7 or 8, where the communication network is the Internet or an identity-and-location-separation network (SILSN), and the packet source identifier is the IP address of the data packet's source end on the Internet or its access identifier (AID) in the SILSN.
10. The terminal according to claim 7 or 8, where the packet source category includes: trusted users within the domain, enterprise-group users within the domain, Internet-cafe users within the domain, trusted users of a same-kind network outside the domain, trusted users of a different-kind network outside the domain, or untrusted network users outside the domain.
11. A data packet classification processing network, characterized in that: the system designates specific bits in the packet source identifier of a data packet as a packet source category identifier, the packet source identifier indicating the source of the data packet, and the network includes:
a terminal, configured to send and receive data packets, and to perform differentiated processing on received data packets according to the packet source category identifier in the data packet;
an access device, connected to the terminal, configured to forward data packets to the terminal and to receive data packets sent by the terminal, and further configured to verify whether the packet source category identifier in a data packet sent by the terminal is consistent with the category of the terminal; if consistent, to forward the packet normally; if not consistent, to discard the packet, or to modify the packet source identifier of the data packet according to the category of the terminal and then forward it; and
an authentication server, connected to the access server, configured to identify and authenticate the user of the terminal, and to notify the access device at which the terminal is located of the terminal's category during the authentication procedure.
12. The network according to claim 11, further including an interworking service node (ISN) for interworking with other networks, the ISN including:
a receiving module, configured to receive data packets sent by other networks to the data packet classification processing network;
a packet source category determining module, connected to the receiving module, configured to determine, according to the source of the data packet, the packet source category identifier of the data packet's source end in the data packet classification processing network;
a data packet conversion module, connected to the packet source category determining module, configured to convert the data packet from the other network's format into the format of the data packet classification processing network, which includes modifying the packet source identifier of the data packet according to the determined packet source category identifier; and
a data packet forwarding module, connected to the data packet conversion module, configured to route and send the converted data packet within the data packet classification processing network.
13. The network according to claim 12, where the data packet conversion module of the ISN is further configured to store the correspondence between the packet source identifiers before and after modification, and to perform format conversion on data packets sent to the other networks according to that correspondence.
14. The network according to claim 11 or 12, where the terminal is configured to perform differentiated processing on the received data packet in the following manner: determining how the data packet is to be processed according to the packet source category, in combination with the terminal's own attributes and the confidentiality of the service application.
15. The network according to claim 11 or 12, where the network is the Internet or an identity-and-location-separation network (SILSN), and the packet source identifier is the IP address of the data packet's source end on the Internet or its access identifier (AID) in the SILSN.
16. The network according to claim 11 or 12, where the packet source category includes: trusted users within the domain, enterprise-group users within the domain, Internet-cafe users within the domain, trusted users of a same-kind network outside the domain, trusted users of a different-kind network outside the domain, or untrusted network users outside the domain.
17. An interworking service node (ISN), characterized in that: the ISN is used to implement interworking between two networks, a first network and a second network, where the first network designates specific bits in the packet source identifier of a data packet as a packet source category identifier, and the packet source identifier indicates the source of the data packet; the ISN includes:
a receiving module, configured to receive data packets sent by the second network to the first network; a packet source category determining module, connected to the receiving module, configured to determine, according to the source of the data packet, the packet source category identifier of the data packet's source end in the first network; a data packet conversion module, connected to the packet source category determining module, configured to convert the data packet from the second network's format into the first network's format, which includes modifying the packet source identifier of the data packet according to the determined packet source category identifier; and
a data packet forwarding module, connected to the data packet conversion module, configured to route and forward the format-converted data packet to the first network.
18. The interworking service node according to claim 17, where the data packet conversion module is further configured to store the correspondence between the packet source identifiers before and after modification, and to perform format conversion on data packets sent to the second network according to that correspondence.
19. The interworking service node according to claim 17, where the network is the Internet or an identity-and-location-separation network (SILSN), the packet source identifier is the IP address of the data packet's source end on the Internet or its access identifier (AID) in the SILSN, and the second network is a network of the same kind as, or of a different kind from, the first network.
PCT/CN2010/075978 2010-01-11 2010-08-13 Implementation method, network, terminal and interworking node for data packets classification processing WO2011082583A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201010001625.1 2010-01-11
CN201010001625.1A CN102123071B (en) 2010-01-11 2010-01-11 The method that realizes, network, terminal and the intercommunication service node that Packet Classification processes

Publications (1)

Publication Number Publication Date
WO2011082583A1 true WO2011082583A1 (en) 2011-07-14

Family

ID=44251529

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2010/075978 WO2011082583A1 (en) 2010-01-11 2010-08-13 Implementation method, network, terminal and interworking node for data packets classification processing

Country Status (2)

Country Link
CN (1) CN102123071B (en)
WO (1) WO2011082583A1 (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103701837B (en) * 2012-09-27 2018-04-10 中兴通讯股份有限公司 A kind of point-to-point protocol dial on demand method and home gateway
CN104735101B (en) * 2013-12-19 2019-11-26 中兴通讯股份有限公司 Shared processing, sharing method and the device of Internet resources, system
CN105282149A (en) * 2015-09-16 2016-01-27 宇龙计算机通信科技(深圳)有限公司 Data processing method, device, and terminal, and data transmission method, device and terminal
CN109067764B (en) * 2018-08-29 2020-09-04 新华三技术有限公司 Method and device for establishing equipment table entry
CN109492023B (en) * 2018-10-12 2021-02-19 咪咕文化科技有限公司 Automobile information processing method and equipment and computer storage medium
CN112217819B (en) * 2020-10-12 2021-04-27 珠海市鸿瑞信息技术股份有限公司 Industrial control message semantic analysis auditing method based on double-factor authentication system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1801764A (en) * 2006-01-23 2006-07-12 北京交通大学 Internet access method based on identity and location separation
US20070250921A1 (en) * 2002-08-01 2007-10-25 International Business Machines Corporation Multi-Level Security Systems
CN101562558A (en) * 2008-04-15 2009-10-21 华为技术有限公司 Method, system and device for terminal grade classification

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1310467C (en) * 2003-06-24 2007-04-11 华为技术有限公司 Port based network access control method
CN101547127B (en) * 2008-03-27 2013-02-13 北京启明星辰信息技术股份有限公司 Identification method of inside and outside network messages

Also Published As

Publication number Publication date
CN102123071B (en) 2016-06-01
CN102123071A (en) 2011-07-13

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 10841926

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 10841926

Country of ref document: EP

Kind code of ref document: A1