WO2013107055A1 - Method and apparatus for acquiring user information - Google Patents

Method and apparatus for acquiring user information

Info

Publication number
WO2013107055A1
Authority
WO
WIPO (PCT)
Prior art keywords
address
intranet
port
client device
query
Prior art date
Application number
PCT/CN2012/070696
Other languages
English (en)
Chinese (zh)
Inventor
傅瑜
刘冰
Original Assignee
华为技术有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 华为技术有限公司
Priority to CN201280000103.7A (patent CN103503423A)
Priority to PCT/CN2012/070696 (patent WO2013107055A1)
Publication of WO2013107055A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/25 Mapping addresses of the same type
    • H04L61/2503 Translation of Internet protocol [IP] addresses
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0892 Network architectures or network communication protocols for network security for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols

Definitions

  • The present invention relates to communication technologies, and in particular to a method and an apparatus for acquiring user information.
  • BACKGROUND: To let a client device located on an intranet access a network resource located in an external network, a carrier-grade network address translation (CGN) device converts the intranet Internet Protocol (IP) address of the client device into an external network IP address.
  • IP Internet Protocol
  • The multiple client devices described above use the same external IP address, which makes it impossible to distinguish intranet users from the external network side.
  • The embodiments of the invention provide a method and a device for acquiring user information, which can obtain the user information of an intranet client device from the external network side, so that intranet users can be distinguished.
  • A method for obtaining user information, including:
  • The carrier-grade network address translation (CGN) device queries the intranet IP address of the client device and the intranet port of the client device according to the external network Internet Protocol (IP) address of the client device and the external network port of the client device.
  • The CGN device sends a first query request to the authentication, authorization and accounting (AAA) server, where the first query request includes the intranet IP address and the intranet port, so that the AAA server queries the user information of the client device according to the intranet IP address and the intranet port.
  • The CGN device receives the first query response sent by the AAA server, where the first query response is a response corresponding to the first query request, and the first query response includes the user information.
  • The AAA server receives the first query request sent by the CGN device, where the first query request includes the intranet IP address and the intranet port, and the first query request is obtained as follows:
  • The CGN device queries the intranet IP address of the client device and the intranet port of the client device according to the external network IP address of the client device and the external network port of the client device.
  • The AAA server sends a first query response to the CGN device, where the first query response is a response corresponding to the first query request, and the first query response includes the user information.
  • The authentication, authorization and accounting (AAA) server sends a second query request to the carrier-grade network address translation (CGN) device, where the second query request includes an external network Internet Protocol (IP) address of the client device and an external network port of the client device, so that the CGN device looks up, on the CGN device, the intranet IP address of the client device and the intranet port of the client device according to the external network IP address and the external network port;
  • the AAA server queries the user information of the client device according to the intranet IP address and the intranet port.
  • The carrier-grade network address translation (CGN) device receives the second query request sent by the AAA server, where the second query request includes the external network Internet Protocol (IP) address of the client device and the external network port of the client device.
  • The CGN device looks up, on the CGN device, the intranet IP address of the client device and the intranet port of the client device according to the external network IP address and the external network port;
  • The CGN device sends a second query response to the AAA server, where the second query response is a response corresponding to the second query request, and the second query response includes the intranet IP address and the intranet port, so that the AAA server queries the user information of the client device according to the intranet IP address and the intranet port.
  • The network management server sends a third query request to the carrier-grade network address translation (CGN) device, where the third query request includes an external network Internet Protocol (IP) address of the client device and an external network port of the client device, so that the CGN device looks up, on the CGN device, the intranet IP address and the intranet port of the client device according to the external network IP address and the external network port;
  • The network management server sends a fourth query request to the authentication, authorization and accounting (AAA) server, where the fourth query request includes the intranet IP address and the intranet port, so that the AAA server queries the user information of the client device according to the intranet IP address and the intranet port;
  • the network management server receives the fourth query response sent by the AAA server, the fourth query response is a response corresponding to the fourth query request, and the fourth query response includes the user information.
  • an apparatus for obtaining user information including:
  • A querying unit configured to query an intranet IP address of the client device and an intranet port of the client device according to an external network Internet Protocol (IP) address of the client device and an external network port of the client device;
  • A sending unit configured to send a first query request to the authentication, authorization and accounting (AAA) server, where the first query request includes the intranet IP address and the intranet port, so that the AAA server queries the user information of the client device according to the intranet IP address and the intranet port;
  • the receiving unit is configured to receive the first query response sent by the AAA server, where the first query response is a response corresponding to the first query request, and the first query response includes the user information.
  • another apparatus for obtaining user information including:
  • A sending unit configured to send a second query request to the carrier-grade network address translation (CGN) device, where the second query request includes an external network Internet Protocol (IP) address of the client device and an external network port of the client device, so that the CGN device looks up, on the CGN device, the intranet IP address of the client device and the intranet port of the client device according to the external network IP address and the external network port;
  • A receiving unit configured to receive a second query response sent by the CGN device, where the second query response is a response corresponding to the second query request, and the second query response includes the intranet IP address and the intranet port;
  • a querying unit configured to query user information of the client device according to the intranet IP address and the intranet port.
  • another apparatus for obtaining user information including:
  • A first sending unit configured to send a third query request to the carrier-grade network address translation (CGN) device, where the third query request includes an external network Internet Protocol (IP) address of the client device and an external network port of the client device, so that the CGN device looks up, on the CGN device, the intranet IP address and the intranet port of the client device according to the external network IP address and the external network port;
  • A first receiving unit configured to receive a third query response sent by the CGN device, where the third query response is a response corresponding to the third query request, and the third query response includes the intranet IP address and the intranet port;
  • A second sending unit configured to send a fourth query request to the authentication, authorization and accounting (AAA) server, where the fourth query request includes the intranet IP address and the intranet port, so that the AAA server queries the user information of the client device according to the intranet IP address and the intranet port;
  • the second receiving unit is configured to receive a fourth query response sent by the AAA server, where the fourth query response is a response corresponding to the fourth query request, and the fourth query response includes the user information.
  • the foregoing technical solution queries the CGN device for the intranet IP address and the intranet port of the client device according to the external network IP address of the client device and the external network port.
  • the AAA server queries the user information of the client device.
  • FIG. 1 is a network structure diagram of an application scenario of a method and apparatus for acquiring user information according to an embodiment of the present invention
  • FIG. 2 is a flowchart of a method for acquiring user information according to an embodiment of the present invention
  • FIG. 3 is a flowchart of another method for obtaining user information according to an embodiment of the present invention
  • FIG. 5 is a flowchart of another method for obtaining user information according to an embodiment of the present invention
  • FIG. 6 is a flowchart of another method for acquiring user information according to an embodiment of the present invention
  • FIG. 7 is a schematic structural diagram of an apparatus for acquiring user information according to an embodiment of the present invention
  • FIG. 8 is a schematic structural diagram of another apparatus for acquiring user information according to an embodiment of the present invention
  • FIG. 10 is a schematic structural diagram of another apparatus for acquiring user information according to an embodiment of the present invention
  • FIG. 11 is a schematic structural diagram of another apparatus for acquiring user information according to an embodiment of the present invention.
  • Embodiments of the present invention relate to a client device located on an intranet, a CGN device located on an intranet and an extranet, and an Authentication Authorization Accounting server (AAA server) located at an external network.
  • The Internet may be an Internet Protocol version 4 (IPv4) network or an Internet Protocol version 6 (IPv6) network.
  • IPv4 Internet Protocol version 4
  • IPv6 Internet Protocol version 6
  • the internal network can be an IPv4 network or an IPv6 network.
  • the client device is a device located on the intranet.
  • the client device may be a Personal Computer (PC), a Set Top Box (STB), a Customer Premises Equipment (CPE), or a Home Gateway (HG).
  • PC Personal Computer
  • STB Set Top Box
  • CPE Customer Premises Equipment
  • HG Home Gateway
  • the CGN device can record the intranet IP address assigned by the Dynamic Host Configuration Protocol (DHCP) server to the client device.
  • DHCP Dynamic Host Configuration Protocol
  • The CGN device can generate a first correspondence based on a session initiated by the client device and the intranet IP address of the client device.
  • The first correspondence includes an external network IP address, an intranet IP address, an external network port, and an intranet port of the client device. The "first" in "first correspondence" is not used to limit the order.
  • the present invention does not limit the specific implementation manner in which the CGN device generates the first correspondence.
  • The following provides one implementation in which the CGN device generates the first correspondence:
  • the user of the client device requests the operator of the external network to open the permission of the client device to access the external network resource.
  • the operator of the external network stores the account and password corresponding to the rights of the client device to access the external network resources in the AAA server.
  • the operator of the external network records the user information of the user of the client device on the AAA server.
  • the user information may be the identity card number of the user of the client device, the passport number, or the military officer number.
  • the user of the client device sends an access request to the Broadband Remote Access Server (BRAS).
  • the BRAS sends an authentication request to the AAA server.
  • the BRAS device and the CGN device can be the same device.
  • the BRAS device and the CGN device may not be the same device.
  • the CGN device can log in and access the BRAS device.
  • the AAA server authenticates the client device based on pre-stored accounts and passwords. If the authentication is passed, the client device can access the external network resources.
  • the BRAS device acts as a DHCP server and dynamically allocates intranet IP addresses to client devices.
  • the client device sends a session establishment request to the application server of the external network.
  • the IP header of the session establishment request carries the intranet IP address of the client device and the intranet port.
  • the application server can be a web server, a video server, or an Internet Protocol television (IPTV) server.
  • After receiving the session establishment request, the CGN device determines the external network IP address and the external network port for the client device, and forwards the session establishment request through the external network port. The CGN device generates and saves a first correspondence according to the intranet IP address, the intranet port, the external network IP address, and the external network port.
  • Embodiments of the present invention relate to the Remote Authentication Dial In User Service (Radius) protocol. For details on the Radius protocol, see RFC2865.
  • Section 5 of the Radius protocol defines 29 attributes (Attributes). Among them, Section 5.1 of Chapter 5 of the Radius protocol defines the User-Name attribute. According to Section 5.1 of Chapter 5, the user information of the client device can be carried in the username attribute of a Radius protocol packet. Specifically, it can be carried in the String field of the username attribute.
  • the embodiment of the present invention defines a new attribute, namely a User-Identity attribute.
  • User information is carried in the user identity attribute.
  • Table 1 shows a specific implementation of the user identity attribute:
  • Table 1 Schematic diagram of a user identity attribute
  • the user identity attribute consists of three fields, a Type field, a Length field, and a String field.
  • a Type field refers to the description of the format of the username attribute in Section 5.1 of Chapter 5 of the Radius Protocol.
  • the value of the Type field in the User Identity attribute is a value other than the value of the Type field defined in Sections 5.1 through 5.29 of Chapter 5 of the Radius Protocol.
  • The value of the Length field in the user identity attribute is greater than or equal to 3; it identifies that the length of the user identity attribute is greater than or equal to 3 bytes.
  • a string field in the user identity attribute can be used to carry user information.
  • the user information can be an ID number, a passport number, a military officer number, or a mobile number.
  • Based on the Radius protocol, the embodiment of the present invention defines another new attribute, namely the address and port attribute.
  • Table 2 shows a specific implementation of the address and port attribute:
  • Table 2: Schematic diagram of the structure of the address and port attribute
  • Type field: a number used to identify the attribute. This field is 8 bits long.
  • Length field: used to identify the length of the address and port attribute. This field is 8 bits long.
  • I field: used to identify the type of the intranet IP address; 0 corresponds to IPv4, and 1 corresponds to IPv6. This field is 1 bit long.
  • E field: used to identify the type of the external network IP address; 0 corresponds to IPv4, and 1 corresponds to IPv6. This field is 1 bit long.
  • Reserved field: reserved. This field is 14 bits long.
  • Internal Port: the internal port. This field is 16 bits long.
  • External Port: the external port. This field is 16 bits long.
  • Internal IP Address: the internal network IP address. This field is 128 bits long.
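The address and port attribute laid out in Table 2 can be encoded and parsed as below, together with the lookup chain of the first query request (external address and port, then the first correspondence, then the AAA record). This is an added Python example, not code from the patent. Assumptions: the Type value 192, a trailing 128-bit external IP address field (the field list above stops at the internal address, although the text refers to an external network IP address field), IPv4 addresses stored in the low 32 bits, I and E as the two most significant flag bits, and all sample addresses, ports and user records.

```python
import ipaddress
import struct

ADDR_PORT_TYPE = 192  # constructed placeholder; the page assigns no Type number
ATTR_LEN = 40         # Type(1) + Length(1) + flags(2) + ports(2+2) + addresses(16+16)
_LAYOUT = "!BBHHH16s16s"  # network byte order, fields in the order Table 2 lists them


def _pack_ip(text):
    """Return (version flag, 128-bit field); 0 = IPv4, 1 = IPv6 as in the I/E fields."""
    ip = ipaddress.ip_address(text)
    # Assumption: an IPv4 address sits in the low 32 bits, zero-padded on the left.
    return (1 if ip.version == 6 else 0), ip.packed.rjust(16, b"\x00")


def _unpack_ip(raw, flag):
    if flag:
        return str(ipaddress.IPv6Address(raw))
    if any(raw[:12]):
        raise ValueError("flag says IPv4 but the upper 96 bits are not zero")
    return str(ipaddress.IPv4Address(raw[12:]))


def encode_addr_port(int_ip, int_port, ext_ip, ext_port):
    """Build the attribute: I and E are the two top bits, 14 reserved bits stay zero."""
    i_flag, int_raw = _pack_ip(int_ip)
    e_flag, ext_raw = _pack_ip(ext_ip)
    flags = (i_flag << 15) | (e_flag << 14)
    return struct.pack(_LAYOUT, ADDR_PORT_TYPE, ATTR_LEN, flags,
                       int_port, ext_port, int_raw, ext_raw)


def decode_addr_port(data):
    """Parse and validate one attribute; reject anything malformed instead of guessing."""
    if len(data) < ATTR_LEN:
        raise ValueError("truncated attribute")
    kind, length, flags, int_port, ext_port, int_raw, ext_raw = struct.unpack(
        _LAYOUT, data[:ATTR_LEN])
    if kind != ADDR_PORT_TYPE or length != ATTR_LEN:
        raise ValueError("not an address and port attribute")
    if flags & 0x3FFF:
        raise ValueError("reserved bits must be zero")
    return {
        "internal_ip": _unpack_ip(int_raw, flags >> 15 & 1),
        "internal_port": int_port,
        "external_ip": _unpack_ip(ext_raw, flags >> 14 & 1),
        "external_port": ext_port,
    }


# Constructed sample data: the CGN's "first correspondence" and the AAA user records.
FIRST_CORRESPONDENCE = {("203.0.113.7", 40001): ("100.64.0.10", 51515)}
AAA_USERS = {("100.64.0.10", 51515): "ID-PLACEHOLDER-0001"}


def cgn_first_query(ext_ip, ext_port):
    """CGN side: external address and port -> attribute for the first query request."""
    inner = FIRST_CORRESPONDENCE.get((ext_ip, ext_port))
    if inner is None:
        return None  # no session recorded for this external address and port
    return encode_addr_port(inner[0], inner[1], ext_ip, ext_port)


def aaa_first_response(attribute):
    """AAA side: parse the attribute and look the user up by intranet address and port."""
    fields = decode_addr_port(attribute)
    return AAA_USERS.get((fields["internal_ip"], fields["internal_port"]))


def resolve_user(ext_ip, ext_port):
    """Full chain of the first query request and response, None if nothing matches."""
    attribute = cgn_first_query(ext_ip, ext_port)
    return None if attribute is None else aaa_first_response(attribute)


if __name__ == "__main__":
    print(resolve_user("203.0.113.7", 40001))
```

Because the result ties a public address and port to a personal identifier, the two lookup functions are the natural places to enforce access control and audit logging in a real deployment.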
  • FIG. 1 is a structural diagram of networking of an application scenario according to an embodiment of the present invention.
  • the networking diagram of Figure 1 includes two networks and four network elements.
  • the two networks are the external network and the internal network.
  • the four network elements are the client device 1, the CGN device, the AAA server, and the network management server.
  • the client device 1 is located on the intranet.
  • the CGN device is located at the edge of the internal network and at the edge of the external network.
  • the AAA server and the network management server are located on the external network.
  • Embodiment 1:
  • FIG. 2 is a flowchart of a method for obtaining user information according to this embodiment, where the method includes:
  • the CGN device queries the internal network IP address of the client device and the internal network port of the client device according to the external network IP address of the client device and the external network port of the client device.
  • the CGN device can query the intranet IP address and the intranet port of the client device in the first correspondence according to the external network IP address of the client device and the external network port.
  • The CGN device sends a first query request to the AAA server, where the first query request includes the intranet IP address and the intranet port, so that the AAA server queries the user information of the client device according to the intranet IP address and the intranet port.
  • the first query request is used to query the AAA server for user information of the client device.
  • the first query request may be a Radius protocol message.
  • the address and port attributes may be included in the corresponding Radius protocol packet of the first query request.
  • the intranet IP address of the client device is carried in the intranet IP address field of the address and port attributes.
  • The intranet port of the client device is carried in the intranet port field of the address and port attributes.
  • The CGN device receives a first query response sent by the AAA server, where the first query response is a response corresponding to the first query request, and the first query response includes the user information.
  • the first query response is used to send user information of the client device to the CGN device.
  • the first query response may be a Radius protocol message.
  • the user name attribute may be included in the corresponding Radius protocol packet of the first query request.
  • User information is carried in the string field of the username attribute.
  • the Radius protocol message may include a user identity attribute.
  • User information is carried in the user identity attribute.
  • the user information is carried in the string field of the user identity attribute.
  • the user information can be an ID number, a passport number, a military officer number, or a mobile number.
  • the CGN device queries the intranet IP address and the intranet port of the client device according to the external network IP address of the client device and the external network port.
  • the user information of the client device is queried in the AAA server according to the intranet IP address of the client device and the intranet port.
  • the user information of the intranet client device can be obtained from the external network side, so that the intranet user can be distinguished.
  • the first query request message is a first Radius protocol message
  • the first query response message is a second Radius protocol message.
  • the first Radius protocol packet is a Radius protocol packet.
  • the second Radius protocol packet is a Radius protocol packet.
  • The "first" and "second" in the first Radius protocol packet and the second Radius protocol packet are used to distinguish the first Radius protocol packet from the second Radius protocol packet, and are not used to limit the sequence.
  • the intranet IP address and the intranet port are carried in the address and port attributes of the first Radius protocol packet, and the user information is carried on the username attribute or the user identity attribute of the second Radius protocol packet.
  • Embodiment 2:
  • FIG. 3 is a flowchart of a method for obtaining user information according to this embodiment, where the method includes:
  • The AAA server receives a first query request sent by the CGN device, where the first query request includes the intranet IP address and the intranet port, and the first query request is obtained as follows: the carrier-grade network address translation (CGN) device queries the intranet IP address of the client device and the intranet port of the client device according to the external network Internet Protocol (IP) address of the client device and the external network port of the client device.
  • the AAA server queries the user information of the client device according to the intranet IP address and the intranet port.
  • the AAA server sends a first query response to the CGN device, where the first query response is a response corresponding to the first query request, where the first query response includes the user information.
  • the CGN device queries the intranet IP address and the intranet port of the client device according to the external network IP address of the client device and the external network port.
  • the user information of the client device is queried in the AAA server according to the intranet IP address of the client device and the intranet port.
  • the user information of the intranet client device can be obtained from the external network side, so that the intranet user can be distinguished.
  • The first query request is a first Remote Authentication Dial In User Service (Radius) protocol packet
  • the first query response packet is a second Radius protocol packet.
  • the first Radius protocol packet is a Radius protocol packet.
  • The second Radius protocol packet is a Radius protocol packet. The "first" and "second" in the first Radius protocol packet and the second Radius protocol packet are used to distinguish the first Radius protocol packet from the second Radius protocol packet, and are not used to limit the sequence.
  • the intranet IP address and the intranet port are carried on the address and port attributes of the first Radius protocol packet, and the user information is carried on the username attribute or the user identity attribute of the second Radius protocol packet.
  • Embodiment 3:
  • FIG. 4 is a flowchart of a method for acquiring user information according to this embodiment, where the method includes:
  • The AAA server sends a second query request to the CGN device, where the second query request includes an external network IP address of the client device and an external network port of the client device, so that the CGN device looks up, on the CGN device, the intranet IP address of the client device and the intranet port of the client device according to the external network IP address and the external network port.
  • the CGN device can query the intranet IP address and the intranet port of the client device in the first correspondence according to the external network IP address of the client device and the external network port.
  • the second query request is used to query the CGN for the intranet IP address of the client device and the intranet port.
  • the "second" in the second query request is not used to limit the order.
  • the second query request may be a Radius protocol message.
  • the address and port attributes may be included in the corresponding Radius protocol packet of the second query request.
  • the external network IP address of the client device is carried in the external network IP address field of the address and port attributes.
  • The external network port of the client device is carried in the external network port field of the address and port attributes.
  • The AAA server receives a second query response sent by the CGN device, where the second query response is a response corresponding to the second query request, and the second query response includes the intranet IP address and the intranet port.
  • the second query response is used to send the intranet IP address of the client device and the intranet port to the AAA server.
  • the intranet IP address of the client device is carried in the intranet IP address field of the address and port attributes.
  • the intranet port of the client device is carried in the intranet port field of the address and port attributes.
  • the "second" in the second query response is not used to qualify the order.
  • the AAA server queries the user information of the client device according to the intranet IP address and the intranet port.
  • the user information of the client device may be an identity card number, a passport number, a military officer number, or a mobile phone number.
  • the CGN device queries the intranet IP address and the intranet port of the client device according to the external network IP address of the client device and the external network port.
  • the user information of the client device is queried in the AAA server according to the intranet IP address of the client device and the intranet port.
  • the user information of the intranet client device can be obtained from the external network side, so that the intranet user can be distinguished.
  • the second query request is a first Radius protocol message
  • the second query response is a second Radius protocol message
  • The "first" and "second" in the first Radius protocol packet and the second Radius protocol packet are used to distinguish the first Radius protocol packet from the second Radius protocol packet, and are not used to limit the sequence.
  • The external network IP address and the external network port are carried in the address and port attributes of the first Radius protocol packet, and the intranet IP address and the intranet port are carried in the address and port attributes of the second Radius protocol packet.
  • Embodiment 4:
  • FIG. 5 is a flowchart of a method for obtaining user information according to this embodiment, where the method includes:
  • the CGN device receives a second query request sent by the AAA server, where the second query request includes an external network IP address of the client device and an external network port of the client device.
  • The CGN device looks up, on the CGN device, the intranet IP address of the client device and the intranet port of the client device according to the external network IP address and the external network port.
  • The CGN device sends a second query response to the AAA server, where the second query response is a response corresponding to the second query request, and the second query response includes the intranet IP address and the intranet port, so that the AAA server queries the user information of the client device according to the intranet IP address and the intranet port.
  • the CGN device queries the intranet IP address and the intranet port of the client device according to the external network IP address of the client device and the external network port.
  • the user information of the client device is queried in the AAA server according to the intranet IP address of the client device and the intranet port.
  • the user information of the intranet client device can be obtained from the external network side, so that the intranet user can be distinguished.
  • the second query request is a first Radius protocol message
  • the second query response is a second Radius protocol message
  • The "first" and "second" in the first Radius protocol message and the second Radius protocol message are used to distinguish the first Radius protocol packet from the second Radius protocol packet, and are not used to limit the sequence.
  • The external network IP address and the external network port are carried in the address and port attributes of the first Radius protocol packet, and the intranet IP address and the intranet port are carried in the address and port attributes of the second Radius protocol packet.
  • Embodiment 5:
  • FIG. 6 is a flowchart of a method for acquiring user information according to this embodiment, where the method includes:
  • The network management server sends a third query request to the CGN device, where the third query request includes an external network IP address of the client device and an external network port of the client device, so that the CGN device looks up, on the CGN device, the intranet IP address and the intranet port of the client device according to the external network IP address and the external network port.
  • the CGN device can query the intranet IP address and the intranet port of the client device in the first correspondence according to the external network IP address of the client device and the external network port.
  • the third query request is used to query the CGN for the intranet IP address of the client device and the intranet port.
  • the "third" in the third query request is not used to limit the order.
  • the third query request may be an application layer protocol message.
  • the application layer protocol can be a simple object access protocol (SOAP).
  • the external network IP address of the client device and the external network port can be carried in the payload of the SOAP packet.
  • the network management server can identify that the third query request is sent by the CGN device for querying the intranet IP address of the client device and the intranet port according to the external network IP address of the client device and the external network port.
  • the CGN device can perform the query in the first correspondence.
  • 602. the network management server receives a third query response sent by the CGN device, where the third query response is a response corresponding to the third query request, where the third query response includes the intranet IP address and the intranet port.
  • the third query response is used to send the intranet IP address of the client device and the intranet port to the network management server.
  • the "third" in the third query response is not used to limit the order.
  • the third query response may be an application layer protocol message.
  • the application layer protocol can be SOAP.
  • the intranet IP address of the client device and the intranet port can be carried in the payload of the SOAP message.
  • the network management server sends a fourth query request to the AAA server, where the fourth query request includes the intranet IP address and the intranet port, so that the AAA server queries the user information of the client device according to the intranet IP address and the intranet port.
  • the fourth query request is used to query the AAA server for user information of the client device.
  • the "fourth" in the fourth query request is not used to limit the order.
  • the fourth query request may be a Radius protocol message.
  • the address and port attributes may be included in the corresponding Radius protocol packet of the fourth query request.
  • the intranet IP address of the client device is carried in the intranet IP address field of the address and port attributes.
  • the intranet port of the client device is carried in the intranet port field of the address and port attributes.
  • the network management server receives a fourth query response sent by the AAA server, where the fourth query response is a response corresponding to the fourth query request, where the fourth query response includes the user information.
  • the fourth query response is used to send the user information of the client device to the network management server.
  • the "fourth" in the fourth query response is not used to limit the order.
  • the fourth query response may be a Radius protocol message.
  • the Radius protocol packet corresponding to the fourth query request includes a username attribute.
  • User information can be carried in a string field of the username attribute.
  • the Radius protocol packet may include the user identity attribute.
  • User information can be carried in the user identity attribute.
  • the user information is carried in a string field of the user identity attribute.
  • the user information can be an ID number, a passport number, a military officer number, or a mobile number.
  • the CGN device queries the intranet IP address and the intranet port of the client device according to the external network IP address of the client device and the external network port.
  • the user information of the client device is queried in the AAA server according to the intranet IP address of the client device and the intranet port.
  • the user information of the intranet client device can be obtained from the external network side, so that the intranet user can be distinguished.
  • the fourth query request is a first Radius protocol message
  • the fourth query response is a second Radius protocol message.
  • the first Radius protocol packet is a Radius protocol packet.
  • the second Radius protocol packet is a Radius protocol packet.
  • the "first" and "second" in the first Radius protocol packet and the second Radius protocol packet are used to distinguish the first Radius protocol packet from the second Radius protocol packet, and are not used to limit the sequence.
  • the intranet IP address and the intranet port are carried on the address and port attributes of the first Radius protocol packet, and the user information is carried on the username attribute or the user identity attribute of the second Radius protocol packet.
  • the third query request is a first application layer protocol message
  • the fourth query response is a second application layer protocol message.
  • the first application layer protocol packet is an application layer protocol packet.
  • the second application layer protocol packet is an application layer protocol packet.
  • the "first" and "second" in the first application layer protocol packet and the second application layer protocol packet are used to distinguish the first application layer protocol packet from the second application layer protocol packet, and are not used to limit the order.
  • FIG. 7 is a schematic structural diagram of an apparatus for acquiring user information according to this embodiment, where the apparatus includes:
  • the query unit 701 is configured to query an intranet IP address of the client device and an intranet port of the client device according to the external network Internet Protocol IP address of the client device and the external network port of the client device.
  • For specific implementation of the query unit 701, refer to 201 in the first embodiment.
  • the sending unit 702 is configured to send a first query request to the authentication, authorization and accounting (AAA) server, where the first query request includes the intranet IP address and the intranet port, so that the AAA server queries the user information of the client device according to the intranet IP address and the intranet port.
  • the receiving unit 703 is configured to receive a first query response sent by the AAA server, where the first query response is a response corresponding to the first query request, where the first query response includes the user information.
  • the CGN device queries the intranet IP address and the intranet port of the client device according to the external network IP address of the client device and the external network port.
  • the user information of the client device is queried in the AAA server according to the intranet IP address of the client device and the intranet port.
  • the user information of the intranet client device can be obtained from the external network side, so that the intranet user can be distinguished.
  • Embodiment 7: This embodiment provides an apparatus for acquiring user information, which can obtain user information of an intranet user from an external network side.
  • the apparatus for acquiring user information provided in this embodiment may be applied to the networking structure shown in FIG. 1.
  • the device for obtaining user information provided in this embodiment may be the AAA server in FIG. 1 .
  • FIG. 8 is a schematic structural diagram of an apparatus for acquiring user information according to this embodiment, where the apparatus includes:
  • the receiving unit 801 is configured to receive a first query request sent by the CGN device, where the first query request includes the intranet IP address and the intranet port, which are obtained as follows: the carrier-level network address translation CGN device queries the intranet IP address of the client device and the intranet port of the client device according to the external network Internet Protocol IP address of the client device and the external network port of the client device.
  • the query unit 802 is configured to query user information of the client device according to the intranet IP address and the intranet port.
  • For the specific implementation of the query unit 802, refer to 302 in the second embodiment.
  • the sending unit 803 is configured to send a first query response to the CGN device, where the first query response is a response corresponding to the first query request, where the first query response includes the user information.
  • the CGN device queries the intranet IP address and the intranet port of the client device according to the external network IP address of the client device and the external network port.
  • the user information of the client device is queried in the AAA server according to the intranet IP address of the client device and the intranet port.
  • the user information of the intranet client device can be obtained from the external network side, so that the intranet user can be distinguished.
  • FIG. 9 is a schematic structural diagram of an apparatus for acquiring user information according to this embodiment, where the apparatus includes:
  • the sending unit 901 is configured to send a second query request to the CGN device, where the second query request includes an external network Internet Protocol IP address of the client device and an external network port of the client device, so that the CGN device queries, on the CGN device, the intranet IP address of the client device and the intranet port of the client device according to the external network IP address and the external network port.
  • the receiving unit 902 is configured to receive a second query response sent by the CGN device, where the second query response is a response corresponding to the second query request, where the second query response includes the intranet IP address and the intranet port.
  • the query unit 903 is configured to query the user information of the client device according to the intranet IP address and the intranet port.
  • the CGN device queries the intranet IP address and the intranet port of the client device according to the external network IP address of the client device and the external network port.
  • the user information of the client device is queried in the AAA server according to the intranet IP address of the client device and the intranet port.
  • the user information of the intranet client device can be obtained from the external network side, so that the intranet user can be distinguished.
  • This embodiment provides an apparatus for acquiring user information, which can obtain user information of an intranet user from an external network side.
  • the apparatus for acquiring user information provided in this embodiment may be applied to the networking structure shown in FIG. 1.
  • the device for obtaining user information provided by this embodiment may be the CGN device in FIG. 1 .
  • FIG. 10 is a schematic structural diagram of an apparatus for acquiring user information according to this embodiment, where the apparatus includes:
  • the receiving unit 1001 is configured to receive a second query request sent by the authentication, authorization and accounting (AAA) server, where the second query request includes an external network Internet Protocol IP address of the client device and an external network port of the client device.
  • the query unit 1002 is configured to query, on the CGN device, an intranet IP address of the client device and an intranet port of the client device according to the external network IP address and the external network port.
  • For specific implementation of the query unit 1002, refer to 502 in the fourth embodiment.
  • the sending unit 1003 is configured to send a second query response to the AAA server, where the second query response is a response corresponding to the second query request, where the second query response includes the intranet IP address and the intranet port.
  • the AAA server queries the user information of the client device according to the intranet IP address and the intranet port.
  • the CGN device queries the intranet IP address and the intranet port of the client device according to the external network IP address of the client device and the external network port.
  • the user information of the client device is queried in the AAA server according to the intranet IP address of the client device and the intranet port.
  • the user information of the intranet client device can be obtained from the external network side, so that the intranet user can be distinguished.
  • FIG. 11 is a schematic structural diagram of an apparatus for acquiring user information according to this embodiment, where the apparatus includes:
  • the first sending unit 1101 is configured to send a third query request to the CGN device, where the third query request includes the external network Internet Protocol IP address of the client device and the external network port of the client device, so that the CGN device queries, on the CGN device, the intranet IP address and the intranet port of the client device according to the external network IP address and the external network port.
  • the first receiving unit 1102 is configured to receive a third query response sent by the CGN device, where the third query response is a response corresponding to the third query request, where the third query response includes the intranet IP address and the intranet port.
  • For specific implementation of the first receiving unit 1102, refer to 602 in the fifth embodiment.
  • the second sending unit 1103 is configured to send a fourth query request to the AAA server, where the fourth query request includes the intranet IP address and the intranet port, so that the AAA server queries the user information of the client device according to the intranet IP address and the intranet port.
  • the second receiving unit 1104 is configured to receive a fourth query response sent by the AAA server, where the fourth query response is a response corresponding to the fourth query request, where the fourth query response includes the user information.
  • the CGN device queries the intranet IP address and the intranet port of the client device according to the external network IP address of the client device and the external network port.
  • the user information of the client device is queried in the AAA server according to the intranet IP address of the client device and the intranet port.
  • the user information of the intranet client device can be obtained from the external network side, so that the intranet user can be distinguished.
  • the disclosed systems, devices, and methods may be implemented in other ways.
  • the device embodiments described above are only schematic.
  • the division of the unit may be only a logical function division.
  • there may be another division manner; for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed.
  • the mutual coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interface, device or unit, and may be in an electrical, mechanical or other form.
  • the units described as separate components may or may not be physically separate, and the components displayed as units may or may not be physical units, i.e., may be located in one place, or may be distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
  • each functional unit in each embodiment of the present invention may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit.
  • the functions may be stored in a computer readable storage medium if implemented in the form of a software functional unit and sold or used as a standalone product.
  • the technical solution of the present invention, in essence, or the part that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product, which is stored in a storage medium, including instructions used to cause a computer device (which may be a personal computer, server, or network device, etc.) to perform all or part of the steps of the methods described in various embodiments of the present invention.
  • the foregoing storage medium includes media that can store program code, such as a USB flash drive, a mobile hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disc.
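
The two-step lookup of Embodiment 5 (external address and port to intranet address and port on the CGN device, then intranet address and port to user information on the AAA server), as an added Python example that is not part of the patent text. Only the Radius attribute encoding (type, length, value) is modelled and the SOAP exchange is a direct method call; the attribute type 224, the 6-byte value layout, the port-range records and all sample addresses and subscriber names are assumptions.

```python
import ipaddress
import struct

USER_NAME = 1    # RADIUS User-Name attribute type (RFC 2865)
ADDR_PORT = 224  # placeholder type for the "address and port" attribute (assumption)


def encode_attr(attr_type, value):
    """One RADIUS attribute: type (1 byte), length (1 byte, header included), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def decode_attrs(data):
    """Parse concatenated attributes into {type: value}; reject malformed lengths."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def pack_addr_port(ip, port):
    """Intranet IP address field (4 bytes) followed by intranet port field (2 bytes)."""
    return ipaddress.IPv4Address(ip).packed + struct.pack("!H", port)


def unpack_addr_port(value):
    if len(value) != 6:
        raise ValueError("address and port value must be 6 bytes")
    return str(ipaddress.IPv4Address(value[:4])), struct.unpack("!H", value[4:])[0]


class CgnDevice:
    """Holds the first correspondence: (external IP, port) -> (intranet IP, port)."""

    def __init__(self, first_correspondence):
        self.table = dict(first_correspondence)

    def query(self, ext_ip, ext_port):
        return self.table.get((ext_ip, ext_port))  # None when no mapping exists


class AaaServer:
    """Maps an intranet IP and port range to user information (assumed layout)."""

    def __init__(self, records):
        self.records = list(records)  # (intranet_ip, port_low, port_high, user)

    def handle(self, request):
        ip, port = unpack_addr_port(decode_attrs(request)[ADDR_PORT])
        for rec_ip, low, high, user in self.records:
            if rec_ip == ip and low <= port <= high:
                return encode_attr(USER_NAME, user.encode("utf-8"))
        return b""  # no matching subscriber: response carries no User-Name


def acquire_user_info(cgn, aaa, ext_ip, ext_port):
    """Network management server side of the third and fourth query exchanges."""
    intranet = cgn.query(ext_ip, ext_port)  # third query request and response
    if intranet is None:
        return None  # unmapped external endpoint: nothing to ask the AAA server
    request = encode_attr(ADDR_PORT, pack_addr_port(*intranet))  # fourth query request
    response = decode_attrs(aaa.handle(request))  # fourth query response
    name = response.get(USER_NAME)
    return name.decode("utf-8") if name is not None else None


# Constructed sample data (documentation address ranges, invented subscribers).
CGN = CgnDevice({("203.0.113.10", 40001): ("10.0.0.5", 1025),
                 ("203.0.113.10", 40002): ("10.0.0.5", 2100)})
AAA = AaaServer([("10.0.0.5", 1024, 2047, "subscriber-0001"),
                 ("10.0.0.5", 2048, 3071, "subscriber-0002")])

if __name__ == "__main__":
    for port in (40001, 40002, 40003):
        print(port, acquire_user_info(CGN, AAA, "203.0.113.10", port))
```

The external port alone separates the two subscribers behind the same external address, which is why both the first correspondence and the AAA lookup are keyed on address and port together.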

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Embodiments of the present invention relate to a method for acquiring user information, the method comprising the following steps: a CGN device queries, according to an external network IP address and an external network port of a client device, an intranet IP address and an intranet port of the client device; the CGN device sends to an AAA server a first request containing the intranet IP address and the intranet port, so that the AAA server queries, according to the intranet IP address and the intranet port, the user information of the client device; and the CGN device receives a first response sent by the AAA server, the first response being a response that corresponds to the first request and contains the user information. Embodiments of the present invention also relate to other methods and apparatuses. The technical solutions of the embodiments of the present invention make it possible to acquire the user information of an intranet client device from the external network side, so that intranet users can be distinguished.
PCT/CN2012/070696 2012-01-21 2012-01-21 Method and apparatus for acquiring user information WO2013107055A1 (fr)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201280000103.7A CN103503423A (zh) 2012-01-21 2012-01-21 Method and apparatus for acquiring user information
PCT/CN2012/070696 WO2013107055A1 (fr) 2012-01-21 2012-01-21 Method and apparatus for acquiring user information

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2012/070696 WO2013107055A1 (fr) 2012-01-21 2012-01-21 Method and apparatus for acquiring user information

Publications (1)

Publication Number Publication Date
WO2013107055A1 true WO2013107055A1 (fr) 2013-07-25

Family

ID=48798540

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2012/070696 WO2013107055A1 (fr) 2012-01-21 2012-01-21 Method and apparatus for acquiring user information

Country Status (2)

Country Link
CN (1) CN103503423A (fr)
WO (1) WO2013107055A1 (fr)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107819889A (zh) * 2016-09-14 2018-03-20 Huawei Technologies Co., Ltd. Network address translation (NAT) method, device and system
US9973399B2 (en) 2012-12-27 2018-05-15 Huawei Technologies Co., Ltd. IPV6 address tracing method, apparatus, and system

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
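CN1972225A (zh) * 2005-11-24 2007-05-30 Huawei Technologies Co., Ltd. Method for exchanging user information between different subsystems in a next-generation network
CN101056211A (zh) * 2007-06-22 2007-10-17 ZTE Corporation Method and system for auditing users' Internet access behavior
CN102036227A (zh) * 2009-09-27 2011-04-27 China Mobile Communications Corporation Method, system and apparatus for acquiring a user identifier for a data service
CN102136938A (zh) * 2010-12-29 2011-07-27 Huawei Technologies Co., Ltd. Method and apparatus for providing user information to a CGN device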

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
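CN101052009B (zh) * 2007-05-14 2010-08-18 ZTE Corporation Method for a private-network network element to achieve internal access using a public network address by means of a NAT device
CN101150519B (zh) * 2007-10-30 2010-06-23 Hangzhou H3C Technologies Co., Ltd. Network address translation service control method and apparatus
TWI441493B (zh) * 2007-11-27 2014-06-11 Ind Tech Res Inst System and method for network address translation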

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9973399B2 (en) 2012-12-27 2018-05-15 Huawei Technologies Co., Ltd. IPV6 address tracing method, apparatus, and system
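CN107819889A (zh) * 2016-09-14 2018-03-20 Huawei Technologies Co., Ltd. Network address translation (NAT) method, device and system
CN107819889B (zh) * 2016-09-14 2021-09-07 Huawei Technologies Co., Ltd. Network address translation (NAT) method, device and system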

Also Published As

Publication number Publication date
CN103503423A (zh) 2014-01-08

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 12866031

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 12866031

Country of ref document: EP

Kind code of ref document: A1