WO2016082363A1 - User data management method and apparatus - Google Patents


Info

Publication number
WO2016082363A1
Authority
WO
WIPO (PCT)
Prior art keywords
user
access
global
ipsec
service card
Application number
PCT/CN2015/073522
Other languages
French (fr)
Chinese (zh)
Inventor
唐骁琨
Original Assignee
中兴通讯股份有限公司
Application filed by
中兴通讯股份有限公司
Publication of
WO2016082363A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks

Definitions

  • the present invention relates to the field of communications, and in particular to a user data management method and apparatus.
  • IPsec Internet Protocol Security
  • IETF Internet Engineering Task Force
  • IPsec remote access is a virtual private network (VPN) access technology based on IPsec tunnel encryption protection.
  • VPN virtual private network
  • remote access uses a client-server model.
  • IKE Internet Key Exchange
  • remote access requires extended authentication and mode configuration exchange between the first phase and the second phase.
  • the first phase provides device-level authentication by means of a pre-shared key or certificate; the extended authentication additionally provides user-level authentication by means of existing, widely used authentication mechanisms such as Remote Authentication Dial-In User Service (RADIUS), Secure ID (SecurID) and One Time Programmable (OTP).
  • RADIUS Remote Authentication Dial-In User Service
  • SecurID Secure ID
  • OTP One Time Programmable
  • after the extended authentication of the client succeeds, the client enters the mode configuration exchange phase.
  • the client obtains the configuration information required to access the internal network from the IPsec VPN gateway, including the internal IP address assigned by the gateway, the internal DNS server, and the IP address of the WINS server.
  • IKE then negotiates the second phase to generate a security association, which completes the negotiation. After that, the remote client can access the internal network resources protected by the IPsec VPN gateway by using the assigned internal IP address, under the protection of the previously established IPsec tunnel.
  • the IPsec VPN gateway is responsible for managing and maintaining remote access client information.
  • in a centralized system, all remote users are connected to the master, which makes maintenance of user information easy.
  • the access user capacity of a centralized system is limited.
  • the device usually needs to bear other services at the same time.
  • the user access speed and IPsec packet processing performance are weak.
  • Distributed systems have significant advantages over centralized systems in terms of performance and capacity.
  • the distributed system is generally composed of the main control, line card, and IPsec service card.
  • the main control is mainly responsible for various management tasks, such as gateway configuration management and routing table management;
  • the line card is mainly responsible for packet forwarding;
  • the service card is mainly responsible for processing application protocols.
  • for the IPsec protocol, the hardware encryption and decryption chip of the service card can provide powerful IPsec processing capability.
  • multiple IPsec service cards process users at the same time; the problem this introduces is that users are distributed over multiple service cards, which makes user management very complicated.
  • the present invention provides a user data management method and apparatus, so as to at least solve the problem that the related technology is reduced in management efficiency due to excessive access users.
  • a user data management method including:
  • the user information in the user information list includes at least one of the following: a user group, a service card address, and IPsec configuration information, where the IPsec configuration information is used to configure an intranet resource for the access user; the user information list further includes an access user index table, which is used to index access users.
  • the access user index table is composed of an IPsec interface and a user intranet IP.
  • the accessed user is managed by the global user table by at least one of the following methods:
  • the first method: determining, in the global user table, whether the number of access users in the user group is greater than a preset threshold; if the determination result is yes, the access interface is closed;
  • the second method: an abnormal service card is obtained by querying the global user table, and all users online on the abnormal service card are deleted;
  • the third method: the access user is searched for according to the access user index table, and a preset operation is performed on the access user.
  • the preset operation includes at least one of the following: query and delete.
  • the method further includes: generating an entry according to the user information in the global user table; and establishing communication with the user access device according to the entry.
  • establishing communication with the user access device according to the entry includes two modes. Mode 1: receiving an encrypted packet sent by the user access device; decapsulating the encrypted packet by using Internet Protocol Security (IPsec) to obtain the decapsulated inner packet; and sending the inner packet to the intranet device corresponding to the user access device.
  • mode 2: receiving the plaintext sent by the intranet device; encapsulating the plaintext by using IPsec to obtain the encapsulated packet; and sending the packet to the user access device.
  • a user data management apparatus including:
  • a receiving module configured to receive a user information list including Internet Protocol Security (IPsec) configuration information; a generating module configured to generate a global user node according to user information in the user information list; and a management module configured to add the global user node to the global user table and to manage the access user through the global user table.
  • the user information in the user information list includes at least one of the following: a user group, a service card address, and IPsec configuration information, where the IPsec configuration information is used to configure an intranet resource for the access user; the user information list further includes an access user index table, which is used to index access users.
  • the access user index table is composed of an IPsec interface and a user intranet IP.
  • the management module is configured to manage the access user through the global user table by using at least one of the following manners: a first management unit configured to determine, in the global user table, whether the number of access users of the user group is greater than a preset threshold and, if so, to close the access interface; a second management unit configured to obtain an abnormal service card by querying the global user table and to delete all users online on the abnormal service card; and a third management unit configured to search for an access user according to the access user index table and to perform a preset operation on the access user, where the preset operation includes at least one of the following: querying and deleting.
  • the device further includes: an entry generating module, configured to generate an entry according to user information in the global user table after the access user has been managed through the global user table; and a communication module, configured to establish communication with the user access device according to the entry generated by the entry generating module.
  • the communication module includes: a first receiving unit configured to receive an encrypted packet sent by the user access device; a decapsulation unit configured to perform IPsec decapsulation on the encrypted packet received by the first receiving unit and to obtain the decapsulated inner packet; and a first sending unit configured to send the decapsulated inner packet to the intranet device corresponding to the user access device; or a second receiving unit configured to receive the plaintext sent by the intranet device; an encapsulation unit configured to encapsulate the plaintext through IPsec to obtain the encapsulated packet; and a second sending unit configured to send the packet to the user access device.
  • a user information list containing Internet Protocol security IPsec configuration information is received; a global user node is generated according to user information in the user information list; and a global user node is added to the global user table.
  • the problem of reduced management efficiency due to excessive access users is solved, thereby improving the efficiency of managing access users.
  • FIG. 1 is a flowchart of a user data management method according to an embodiment of the present invention.
  • FIG. 2 is a structural diagram of a user information list according to an embodiment of the present invention.
  • FIG. 3 is a structural diagram of managing a user through a global user table according to an embodiment of the present invention.
  • FIG. 4 is a block diagram showing the structure of a user data management apparatus according to an embodiment of the present invention.
  • FIG. 5 is a structural block diagram of a user data management apparatus according to a preferred embodiment of the present invention.
  • FIG. 6 is a structural block diagram of a user data management apparatus according to a preferred embodiment of the present invention.
  • FIG. 7 is a structural block diagram of a user data management apparatus according to a preferred embodiment of the present invention.
  • FIG. 8 is a schematic illustration of an operating environment suitable for use in accordance with an embodiment of the present invention.
  • FIG. 9 is a schematic diagram of the process by which an IPsec VPN gateway handles a client access request according to an embodiment of the present invention.
  • FIG. 1 is a flowchart of a user data management method according to an embodiment of the present invention. As shown in FIG. 1, the process includes the following steps:
  • Step S102: receive a user information list including Internet Protocol Security (IPsec) configuration information.
  • Step S104: generate a global user node according to the user information in the user information list.
  • Step S106: add the global user node to the global user table, and manage the access user through the global user table.
  • the user data management method provided by the embodiment of the present invention is applicable to an Internet Protocol Security (IPsec) gateway device, where the gateway device includes at least one of the following: a main control, a service card, and a line card.
  • Steps S102 to S106 are applied to the main control.
  • the main control generates a global user node according to the user information in the user information list reported by the service card, adds the generated global user node to the global user table, and manages the access user through the global user table.
  • before step S102, the service card receives the negotiation packet of the access user forwarded by the line card, performs IPsec processing according to the negotiation packet, obtains the intranet address and user group configuration information corresponding to the access user, generates a user node on the service card according to that intranet address and user group configuration information, adds the user node to the user information list of the service card, and uploads the user information list to the main control; step S102 is then performed.
  • IPsec Internet Protocol Security
  • a user information list including Internet Protocol Security (IPsec) configuration information is received; a global user node is generated according to the user information in the user information list; the global user node is added to the global user table, and the access user is managed through the global user table.
  • this solves the problem that management efficiency is reduced when there are too many access users, thereby achieving the effect of improving the management efficiency of access users.
  • the user information in the user information list includes at least one of the following: a user group, a service card address, and IPsec configuration information, where the IPsec configuration information is used to configure an intranet resource for the access user;
  • the user information list further includes: an access user index table, which is used to index the access user, and the access user index table is composed of an IPsec interface and a user intranet IP.
  • FIG. 2 is a structural diagram of a user information list according to an embodiment of the present invention, including:
  • the user information list in the service card uses the IPsec interface and the user intranet IP as an index, and is used to index the corresponding user node;
  • the user information stored at the user node includes at least one of the following: an access user group, a service card address, an external network address of the access user, and IPsec configuration information.
  • the IPsec configuration information is the IPsec configuration produced when the negotiation packet is processed by the IKE protocol on the service card; that is, the access user uses the network resources and network devices available on the intranet according to the assigned intranet IP address.
  • FIG. 3 is a structural diagram of managing a user through a global user table according to an embodiment of the present invention, as follows:
  • the first method: determining, in the global user table, whether the number of access users in the user group is greater than a preset threshold; if the determination result is yes, the access interface is closed;
  • the IPsec VPN gateway stores the user node under the user group corresponding to the IPsec interface, according to the parameters carried in the negotiation of the access user. These users can come online from different service cards.
  • the master can know the distribution of each user group's access users in each service card in real time. When the number of users in the user group reaches the maximum allowed number, the master notifies the client to turn off the user access function.
  • the second method: an abnormal service card is obtained by querying the global user table, and all users online on the abnormal service card are deleted;
  • when the service card uploads user information, it carries its own service card address, so the master knows all users who are online on each service card. These users can belong to different user groups. When the service card becomes abnormal or is pulled out of the device, the master can detect this and delete all users who are online on that service card.
  • the third method: the access user is searched for according to the access user index table, and a preset operation is performed on the access user.
  • the preset operation includes at least one of the following: query and delete.
  • the master uses the access user's IPsec interface and intranet IP as the key for indexing.
  • the purpose of this index table is to quickly find users.
  • when the gateway administrator needs to kick a user offline, the master takes the entered IPsec interface and user intranet IP, finds the user, deletes the user and notifies the service card to delete it.
  • the master can also quickly find the user and display the user information through the obtained query request.
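The three management modes of FIG. 3 all hang off one data structure on the master: a global user table keyed by (IPsec interface, user intranet IP), plus per-group and per-service-card views of the same nodes. The following Python sketch is an added example written for this page, not code from the patent or from its assignee; the class, field and method names (UserNode, GlobalUserTable, add_node, check_group, purge_card, kick) are all assumptions, as are the sample users and card names. It shows the threshold check on the group count, the bulk delete when a card goes abnormal, and the indexed query/delete that the patent describes.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class UserNode:
    """One access user as the master stores it (field names constructed for this example)."""
    ipsec_interface: str   # logical IPsec interface the client negotiated on
    intranet_ip: str       # internal IP assigned to the client by mode configuration
    user_group: str        # user group bound to the IPsec interface
    service_card: str      # address of the service card the user came online on
    public_ip: str         # client's public network address


class GlobalUserTable:
    """Master-side global user table offering the three management modes of FIG. 3."""

    def __init__(self, group_limits):
        self.group_limits = dict(group_limits)  # user group -> maximum allowed access users
        self.index = {}       # (ipsec_interface, intranet_ip) -> UserNode: the access user index table
        self.by_group = {}    # user group -> set of index keys
        self.by_card = {}     # service card -> set of index keys
        self.closed_groups = set()  # groups whose access interface the master has closed

    def add_node(self, node):
        """Add a node reported by a service card and return the mode-1 decision for its group."""
        key = (node.ipsec_interface, node.intranet_ip)
        if key in self.index:
            raise ValueError(f"duplicate access user {key}")
        self.index[key] = node
        self.by_group.setdefault(node.user_group, set()).add(key)
        self.by_card.setdefault(node.service_card, set()).add(key)
        return self.check_group(node.user_group)

    def check_group(self, group):
        """Mode 1: compare the group's online count across all cards with its preset threshold."""
        limit = self.group_limits.get(group)
        if limit is not None and len(self.by_group.get(group, ())) >= limit:
            self.closed_groups.add(group)
            return "close_access"
        return "open"

    def purge_card(self, card):
        """Mode 2: a service card is abnormal or was pulled; delete every user online on it."""
        keys = sorted(self.by_card.pop(card, set()))
        for key in keys:
            self._remove(key)
        return keys

    def find(self, ipsec_interface, intranet_ip):
        """Mode 3, query: constant-time lookup through the access user index table."""
        return self.index.get((ipsec_interface, intranet_ip))

    def kick(self, ipsec_interface, intranet_ip):
        """Mode 3, delete: remove the user and report which service card must delete it as well."""
        key = (ipsec_interface, intranet_ip)
        node = self.index.get(key)
        if node is None:
            return None
        self._remove(key)
        return {"delete_on_card": node.service_card, "user": key}

    def _remove(self, key):
        node = self.index.pop(key)
        self.by_group.get(node.user_group, set()).discard(key)
        self.by_card.get(node.service_card, set()).discard(key)


def demo():
    """Constructed scenario: two service cards, one user group limited to two users."""
    table = GlobalUserTable({"grp-sales": 2})
    nodes = [
        UserNode("ipsec0", "1.1.1.10", "grp-sales", "card-1", "2.1.1.10"),
        UserNode("ipsec0", "1.1.1.11", "grp-sales", "card-2", "2.1.1.11"),
    ]
    decisions = [table.add_node(n) for n in nodes]   # second add reaches the limit
    kicked = table.kick("ipsec0", "1.1.1.10")        # administrator kicks one user
    purged = table.purge_card("card-2")              # card-2 goes abnormal
    return decisions, kicked, purged, len(table.index)


if __name__ == "__main__":
    print(demo())
```

The point a practitioner should take from the structure is that only the master sees the whole group, because one group's users are spread over several cards; the per-card view exists so that a failed card can be cleaned up in one pass, and the index exists so that an administrator's query or kick does not have to scan the table.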
  • the method further includes: generating an entry according to the user information in the global user table; and establishing communication with the user access device according to the entry.
  • establishing communication with the user access device according to the entry includes two modes. Mode 1: receiving an encrypted packet sent by the user access device; decapsulating the encrypted packet by using Internet Protocol Security (IPsec) to obtain the decapsulated inner packet; and sending the inner packet to the intranet device corresponding to the user access device.
  • mode 2: receiving the plaintext sent by the intranet device; encapsulating the plaintext by using IPsec to obtain the encapsulated packet; and sending the packet to the user access device.
  • a user data management device is provided, which is used to implement the above-mentioned embodiments and preferred embodiments; what has already been described is not repeated.
  • the term "module" can be implemented as a combination of software and/or hardware that performs the intended function.
  • the apparatus described in the following embodiments is preferably implemented in software, although implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
  • FIG. 4 is a structural block diagram of a user data management apparatus according to an embodiment of the present invention. As shown in FIG. 4, the apparatus includes: a receiving module 22, a generating module 24, and a management module 26, where
  • the receiving module 22 is configured to receive a user information list including Internet Protocol Security (IPsec) configuration information;
  • the generating module 24 is connected to the receiving module 22 and configured to generate a global user node according to the user information in the user information list;
  • the management module 26 is connected to the generating module 24, and is configured to add the global user node to the global user table, and manage the accessed user through the global user table.
  • the user information in the user information list includes at least one of the following: a user group, a service card address, and IPsec configuration information, where the IPsec configuration information is used to configure an intranet resource for the access user; the user information list further includes: The user index table is used to index access users.
  • the access user index table is composed of an IPsec interface and a user intranet IP.
  • FIG. 5 is a structural block diagram of a user data management apparatus according to a preferred embodiment of the present invention.
  • the management module 26 further includes: a first management unit 261, a second management unit 262, and a third management unit 263.
  • the management module 26 is configured to manage the accessed user by using a global user table by using at least one of the following manners:
  • the first management unit 261 is configured to determine, in the global user table, whether the number of access users of the user group is greater than a preset threshold; if the determination result is yes, the access interface is closed;
  • the second management unit 262 is configured to obtain an abnormal service card by querying the global user table, and to delete all users online on the abnormal service card;
  • the third management unit 263 is configured to search for an access user according to the access user index table, and perform a preset operation on the access user, where the preset operation includes at least one of the following: query, delete.
  • FIG. 6 is a structural block diagram of a user data management apparatus according to a preferred embodiment of the present invention.
  • the apparatus includes, in addition to all the modules shown in FIG. 4, an entry generation module 42 and a communication module 44, wherein
  • the entry generation module 42 is configured to generate an entry according to user information in the global user table after managing the accessed user through the global user table;
  • the communication module 44 is connected to the entry generation module 42 and configured to establish communication with the user access device according to the entry generated by the entry generation module 42.
  • FIG. 7 is a structural block diagram of a user data management apparatus according to a preferred embodiment of the present invention.
  • the communication module 44 includes: a first receiving unit 441, a decapsulation unit 442, a first sending unit 443, a second receiving unit 444, an encapsulation unit 445 and a second sending unit 446, wherein
  • the first receiving unit 441 is configured to receive an encrypted message sent by the user access device.
  • the decapsulation unit 442 is connected to the first receiving unit 441, and configured to perform Internet Protocol security IPsec decapsulation on the encrypted packet received by the first receiving unit 441 to obtain a decapsulated inner layer packet.
  • the first sending unit 443 is connected to the decapsulation unit 442, and is configured to send the inner packet decapsulated by the decapsulation unit 442 to the intranet device corresponding to the user access device;
  • the second receiving unit 444 is configured to receive the plaintext sent by the intranet device;
  • the encapsulating unit 445 is connected to the second receiving unit 444, and is configured to encapsulate the plaintext through the Internet Protocol security IPsec to obtain the encapsulated packet.
  • the second sending unit 446 is connected to the encapsulating unit 445 and configured to send the packet to the user access device.
  • the technical problem to be solved by the present invention is to overcome the problem of complicated management of IPsec remote access users in a distributed system existing in the prior art, and to provide a distributed user management method for cooperation between a master control and a service card.
  • the IPsec service card is responsible for remote access user negotiation, each IPsec service card maintains a user information list, and the user information is sent to the main control at the same time; the main control maintains the global user table according to the sent information.
  • the user information list maintains the information of all users online on that service card; the global user table maintains the information of all users on all service cards of the gateway.
  • the user information includes a private network address assigned to the access user, mode configuration information, a service card address, and the like.
  • the remote access client initiates negotiation, and the line card selects an IPsec service card to process the negotiation packet.
  • if the negotiation succeeds, the service card generates a local user node and synchronizes the user information to the master.
  • the master receives the user information sent by the service card, generates a user node, and joins the global user table.
  • the master generates entries from the user information and delivers them to the line card; the line card looks up the delivered entries to ensure that the IPsec data packets subsequently exchanged between the access user and intranet devices are sent for processing to the service card on which that user went online.
  • the IPsec service card deletes the user node and notifies the master to delete it.
  • the remote access client accesses the public network and obtains the public network IP address (2.1.1.X). Now the client wants to access the intranet resources protected by the IPsec VPN gateway. The client initiates remote access negotiation to the gateway, and requests the gateway to allocate the internal network IP address (1.1.1.X) and other configuration information. After successful, the intranet resource can be accessed by using the intranet address. Data packets sent between the intranet host and the client are protected by IPsec tunnel encryption.
  • the IPsec VPN gateway processes the client access request as follows:
  • the gateway administrator configures the parameters of the negotiation to ensure that the client access negotiation succeeds.
  • the main configuration includes:
  • Step 1. Negotiation parameters. Negotiate the relevant parameters of the first phase and the second phase; usually the negotiation parameters are selected under a configuration template.
  • Step 2. IPsec interface. An IPsec interface is a logical interface that carries the IPsec protocol. The previously generated configuration template must be bound to the IPsec interface. When a client negotiates, the gateway first finds the IPsec interface and then obtains the configuration bound to it.
  • Step 3. User group. Configure the parameters related to extended authentication and mode configuration in the user group, together with the maximum number of access users allowed for the user group.
  • the line card packet sending and receiving module receives the negotiation packet sent by the client, selects a service card according to a specific algorithm, and delivers the packet to that service card for processing. Subsequent negotiation packets sent by the client are delivered to the same service card for processing.
  • after receiving the negotiation packet, the service card sends the packet to its IPsec processing module.
  • the IPsec processing module is responsible for the IKE protocol related functions, including the first phase negotiation, the extended authentication/mode configuration negotiation, and the second phase negotiation.
  • after the negotiation succeeds, the IPsec processing module generates a local user node according to the intranet address and user group configuration information allocated to the client, and adds it to the user information list.
  • the data structure of the service card user information list is shown in Figure 2:
  • the service card user information list maintains all remote user nodes accessed by the service card.
  • the user information list is indexed using the IPsec interface + user private network IP as the key value.
  • the user information stored by the user node includes: an access user group, a service card address, a client public network address, mode configuration information, and the like.
  • after the service card IPsec processing module generates the local user node, the user information is sent to the master IPsec processing module, which generates a global user node and adds it to the global user table. As shown in Figure 3, the master global user table provides three ways to manage access users:
  • the IPsec VPN gateway stores the user node under the user group corresponding to the IPsec interface, according to the parameters carried in the negotiation of the access user. These users can come online from different service cards.
  • the master can know the distribution of each user group's access users across the service cards in real time. When the number of users in a user group reaches the maximum allowed number, the master notifies the service cards to turn off the user access function.
  • when the service card sends user information, it carries its own service card address, so the master knows all users online on each service card. These users can belong to different user groups. When the service card becomes abnormal or is pulled out of the device, the master can detect this and delete all users online on that service card.
  • the IPsec interface + user private network IP is used as the key for indexing.
  • the purpose of this index table is to quickly find users.
  • when the gateway administrator needs to kick a user offline, the IPsec interface + user private network IP through which that user accesses is entered; after the master finds the user, it deletes the user and notifies the service card to delete it.
  • when an administrator views the specific information of a user, the master can likewise quickly find the user and display the user information.
  • the master IPsec processing module generates various entries according to the user information in the global user table and delivers them to the line card. These entries are used by the gateway to process the client's IPsec encrypted and decrypted data packets after the client has accessed successfully.
  • the line card packet sending and receiving module performs the following processing according to the delivered entry:
  • ciphertext sent by the client to an intranet device is delivered to the service card on which the client is online for IPsec decapsulation; the service card then sends the inner packet back to the line card, and the line card forwards it to the intranet device that the client is accessing.
  • plaintext sent by an intranet device to the client is delivered to the service card on which the client is online for IPsec encapsulation; the service card then sends the encapsulated packet back to the line card, which forwards it to the client.
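The data path above depends on two entries per user that the master derives from the global user table and delivers to the line card: one recognising the client's ciphertext on the public side, one recognising the client's assigned intranet IP on the inside, both pointing at the service card that holds that user's IPsec state. The Python below is an added example written for this page, not code from the patent or its assignee; the names UserEntry, build_linecard_entries, dispatch and forward_inner, the packet dictionary shape, and the sample addresses are constructed assumptions. The source check in forward_inner is an added safeguard of the kind a gateway implementer would want, not a step the patent text states.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class UserEntry:
    """The fields of one global user node that the line card needs (constructed names)."""
    ipsec_interface: str
    intranet_ip: str      # address the gateway assigned to the client
    public_ip: str        # address the client sends ciphertext from
    service_card: str     # card on which the client came online


def build_linecard_entries(nodes):
    """Master side: derive the steering entries delivered to the line card.

    Ciphertext from the public side is recognised by (IPsec interface, client public IP);
    plaintext from the intranet is recognised by the client's assigned intranet IP.
    Both directions must land on the service card that holds the user's IPsec state.
    """
    inbound = {}    # (ipsec_interface, public_ip) -> (service_card, intranet_ip)
    outbound = {}   # intranet_ip -> service_card
    for n in nodes:
        inbound[(n.ipsec_interface, n.public_ip)] = (n.service_card, n.intranet_ip)
        outbound[n.intranet_ip] = n.service_card
    return inbound, outbound


def dispatch(packet, inbound, outbound):
    """Line card side: choose the service card and operation for one packet.

    packet is a constructed dict {"iface", "src", "dst", "esp"}; esp=True marks an
    IPsec-protected packet arriving from the public network.
    """
    if packet["esp"]:
        hit = inbound.get((packet["iface"], packet["src"]))
        if hit is None:
            return ("drop", "no entry for this sender: not an access user")
        card, intranet_ip = hit
        return ("to_card", card, "decapsulate", intranet_ip)
    card = outbound.get(packet["dst"])
    if card is None:
        return ("drop", "destination is not an access user's intranet IP")
    return ("to_card", card, "encapsulate", packet["dst"])


def forward_inner(inner, expected_src):
    """Line card side, after the card returns the decapsulated inner packet.

    Added safeguard (not in the patent text): the inner packet must carry the
    intranet IP the gateway assigned to that user as its source.
    """
    if inner["src"] != expected_src:
        return ("drop", "inner source does not match the assigned intranet IP")
    return ("forward_intranet", inner["dst"])


def demo():
    """Constructed traffic against two access users on two cards."""
    nodes = [
        UserEntry("ipsec0", "1.1.1.10", "2.1.1.10", "card-1"),
        UserEntry("ipsec0", "1.1.1.11", "2.1.1.11", "card-2"),
    ]
    inbound, outbound = build_linecard_entries(nodes)
    packets = [
        {"iface": "ipsec0", "src": "2.1.1.10", "dst": "3.3.3.1", "esp": True},    # client ciphertext
        {"iface": "ipsec0", "src": "10.0.0.5", "dst": "1.1.1.11", "esp": False},  # intranet host reply
        {"iface": "ipsec0", "src": "2.1.1.99", "dst": "3.3.3.1", "esp": True},    # unknown sender
    ]
    return [dispatch(p, inbound, outbound) for p in packets]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Because the steering key differs per direction, the master must regenerate both entries whenever a user is added, kicked, or purged with its card; a stale outbound entry would keep sending intranet plaintext for a departed user to a card that no longer holds its security association.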
  • all requirements for managing the gateway's access users can be met, including viewing user information, kicking users offline, and linkage between the user table and associated modules, with the advantages of fast user location and diversified management modes:
  • the maximum number of allowed access users is set under the user group. When the maximum number is reached, subsequent requests to access the user group are rejected.
  • users of one user group can be online on multiple service cards, so only the master's global user table can obtain the current number of access users in the user group. After the master finds that the number of users has reached the upper limit, it notifies the service cards to disable the access function of the user group, and the service cards reject all IKE negotiations that access that user group. Because of timing, after the master has closed the user group's access function it may still receive a local user node sent by a service card; in that case the node must not be added to the global user table, and the service card should be notified to delete the redundant user. When users go offline and the number of users falls below the maximum, the master informs the service cards to enable the access function of the user group again.
  • the administrator can view the user access status of each user group or each service card, and the specific configuration information of each user.
  • the user table and the associated module can be linked. For example, after configuring the management module, after the administrator modifies the gateway configuration, the master can notify the service card to perform corresponding processing. For example, the user group bound to the IPsec interface is deleted, and the master control notifies each service card to delete all access users belonging to the user group, and notifies the client.
  • the administrator can kick the user down the line by accessing the user index table. You can also use the IPsec interface, user group, or service card as the unit to kick the user offline.
  • the master deletes the user from the global user list and notifies the service card to delete.
  • modules or steps of the present invention described above can be implemented by a general-purpose computing device that can be centralized on a single computing device or distributed across a network of multiple computing devices. Alternatively, they may be implemented by program code executable by the computing device such that they may be stored in the storage device by the computing device and, in some cases, may be different from the order herein.
  • the steps shown or described are performed, or they are separately fabricated into individual integrated circuit modules, or a plurality of modules or steps thereof are fabricated as a single integrated circuit module.
  • the invention is not limited to any specific combination of hardware and software.
  • a user information list including Internet Protocol security IPsec configuration information is received; a global user node is generated according to user information in the user information list; and a global user node is added to the global user table.
  • the user accessing the user through the global user table solves the problem that the management efficiency is reduced due to excessive access users, thereby improving the efficiency of managing the access user.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Provided are a user data management method and apparatus. The method comprises: receiving a user information list containing internet protocol security (IPsec) configuration information; according to user information in the user information list, generating a global user node; and adding the global user node into a global user table, and managing access users via the global user table. By means of the present invention, the problem in the related art of reduced management efficiency due to excessive access users is solved.

Description

User data management method and apparatus
Technical field
The present invention relates to the field of communications, and in particular to a user data management method and apparatus.
Background
Internet Protocol Security (IPsec) is a set of IP security protocols established by the IPsec working group of the Internet Engineering Task Force (IETF). IPsec defines the security services used at the Internet layer; its functions include data encryption, access control to network elements, data origin authentication, data integrity checking and protection against replay attacks.
IPsec remote access is a virtual private network (VPN) access technology based on the encryption protection of an IPsec tunnel. Unlike the peer network model, remote access uses a client-server model. Unlike peer Internet Key Exchange (IKE) negotiation, remote access requires an extended authentication and a mode configuration exchange between the first phase and the second phase. After the first phase of IKE negotiation completes, the server initiates extended authentication of the client. The first phase provides device-level authentication by means of a pre-shared key or a certificate; beyond that, extended authentication provides user-level authentication using existing, widely deployed authentication mechanisms such as Remote Authentication Dial-In User Service (RADIUS), SecurID and one-time passwords (OTP). After the client passes extended authentication, it enters the mode configuration exchange phase. The client obtains from the IPsec VPN gateway the configuration information needed to access the internal network, including the internal IP address the gateway assigns to it and the IP addresses of the internal DNS server and WINS server. After mode configuration ends, the second phase of IKE negotiation generates the security association, and the negotiation is complete.
After that, the remote client can use the assigned internal IP address to access the internal network resources protected by the IPsec VPN gateway, under the protection of the previously established IPsec tunnel.
The IPsec VPN gateway is responsible for managing and maintaining remote access client information. In a centralized system, all remote users access through the master control, which makes maintaining user information easy. However, the access user capacity of a centralized system is limited; in addition, the device usually has to carry other services at the same time, so user access speed and IPsec packet processing performance are weak. A distributed system has clear advantages over a centralized system in performance and capacity. A distributed system generally consists of a master control, line cards and IPsec service cards. The master control is mainly responsible for management tasks such as gateway configuration management and routing table management; the line cards are mainly responsible for packet forwarding; the service cards are mainly responsible for processing application protocols such as IPsec, and the hardware encryption and decryption chips of a service card provide strong IPsec processing capability. When a large number of users access, multiple IPsec service cards can process them simultaneously; the problem this introduces is that users are distributed across multiple service cards, which makes user management very complicated.
For the problem in the related art that management efficiency decreases because of too many access users, no effective solution has yet been proposed.
Summary of the invention
The present invention provides a user data management method and apparatus, so as to at least solve the problem in the related art that management efficiency decreases because of too many access users.
According to an embodiment of the present invention, a user data management method is provided, comprising:
receiving a user information list containing Internet Protocol Security (IPsec) configuration information; generating a global user node according to the user information in the user information list; adding the global user node to a global user table, and managing access users through the global user table.
Preferably, the user information in the user information list includes at least one of: a user group, a service card address and IPsec configuration information, where the IPsec configuration information is used to configure intranet resources for the access user; the user information list further includes an access user index table for indexing access users, the access user index table being composed of the IPsec interface and the user's intranet IP.
Preferably, access users are managed through the global user table in at least one of the following ways:
Scheme one: judging, according to a preset threshold, whether the number of access users of a user group in the global user table is greater than the preset threshold; if so, closing the access interface;
Scheme two: obtaining an abnormal service card by querying the global user table, and deleting all users online on the abnormal service card;
Scheme three: looking up an access user according to the access user index table and performing a preset operation on the access user, the preset operation including at least one of: query and delete.
Preferably, after access users are managed through the global user table, the method further includes: generating entries according to the user information in the global user table; and establishing communication with the user access device according to the entries.
Preferably, establishing communication with the user access device according to the entries includes: mode one: receiving an encrypted packet sent by the user access device; performing Internet Protocol Security (IPsec) decapsulation on the encrypted packet to obtain the decapsulated inner packet; and sending the inner packet to the intranet device corresponding to the user access device;
or,
mode two: receiving plaintext sent by the intranet device; encapsulating the plaintext with IPsec to obtain the encapsulated packet; and sending the packet to the user access device.
According to another embodiment of the present invention, a user data management apparatus is provided, comprising:
a receiving module configured to receive a user information list containing Internet Protocol Security (IPsec) configuration information; a generating module configured to generate a global user node according to the user information in the user information list; and a management module configured to add the global user node to a global user table and manage access users through the global user table.
Preferably, the user information in the user information list includes at least one of: a user group, a service card address and IPsec configuration information, where the IPsec configuration information is used to configure intranet resources for the access user; the user information list further includes an access user index table for indexing access users, the access user index table being composed of the IPsec interface and the user's intranet IP.
Preferably, the management module is configured to manage access users through the global user table in at least one of the following ways: a first management unit configured to judge, according to a preset threshold, whether the number of access users of a user group in the global user table is greater than the preset threshold, and if so, to close the access interface; a second management unit configured to obtain an abnormal service card by querying the global user table and delete all users online on the abnormal service card; and a third management unit configured to look up an access user according to the access user index table and perform a preset operation on the access user, the preset operation including at least one of: query and delete.
Preferably, the apparatus further includes: an entry generating module configured to generate entries according to the user information in the global user table after access users are managed through the global user table; and a communication module configured to establish communication with the user access device according to the entries generated by the entry generating module.
Preferably, the communication module includes: a first receiving unit configured to receive an encrypted packet sent by the user access device; a decapsulation unit configured to perform Internet Protocol Security (IPsec) decapsulation on the encrypted packet received by the first receiving unit to obtain the decapsulated inner packet; and a first sending unit configured to send the decapsulated inner packet to the intranet device corresponding to the user access device; or a second receiving unit configured to receive plaintext sent by the intranet device; an encapsulation unit configured to encapsulate the plaintext with IPsec to obtain the encapsulated packet; and a second sending unit configured to send the packet to the user access device.
Through the present invention, a user information list containing Internet Protocol Security (IPsec) configuration information is received; a global user node is generated according to the user information in the user information list; the global user node is added to a global user table, and access users are managed through the global user table. This solves the problem that management efficiency decreases because of too many access users, and thereby achieves the effect of improving the efficiency of managing access users.
Brief description of the drawings
The drawings described herein are intended to provide a further understanding of the invention and constitute a part of this application; the illustrative embodiments of the invention and their description serve to explain the invention and do not constitute an undue limitation of the invention. In the drawings:
FIG. 1 is a flowchart of a user data management method according to an embodiment of the present invention;
FIG. 2 is a structural diagram of a user information list according to an embodiment of the present invention;
FIG. 3 is an architecture diagram of managing users through a global user table according to an embodiment of the present invention;
FIG. 4 is a structural block diagram of a user data management apparatus according to an embodiment of the present invention;
FIG. 5 is a structural block diagram of a user data management apparatus according to a preferred embodiment of the present invention;
FIG. 6 is a structural block diagram of a user data management apparatus according to a preferred embodiment of the present invention;
FIG. 7 is a structural block diagram of a user data management apparatus according to a preferred embodiment of the present invention;
FIG. 8 is a schematic diagram of an operating environment applicable to an embodiment of the present invention;
FIG. 9 is a schematic diagram of the flow in which an IPsec VPN gateway processes a client access request according to an embodiment of the present invention.
Detailed description
The invention will be described in detail below with reference to the drawings and in conjunction with embodiments. It should be noted that, where there is no conflict, the embodiments in this application and the features in the embodiments may be combined with each other.
This embodiment provides a user data management method. FIG. 1 is a flowchart of a user data management method according to an embodiment of the present invention. As shown in FIG. 1, the flow includes the following steps:
Step S102: receive a user information list containing Internet Protocol Security (IPsec) configuration information.
Step S104: generate a global user node according to the user information in the user information list.
Step S106: add the global user node to a global user table, and manage access users through the global user table.
The user data management method provided by this embodiment applies to an Internet Protocol Security (IPsec) gateway device, where the gateway device includes at least one of: a master control, service cards and line cards. Steps S102 to S106 apply to the master control: the master control generates a global user node according to the user information in the user information list reported by a service card, adds the generated global user node to the global user table, and manages access users through the global user table. Before step S102, the service card receives the negotiation packet of an access user forwarded by the line card, performs IPsec processing according to the negotiation packet, obtains the intranet address and user group configuration information corresponding to the access user, generates the user node on the service card according to that intranet address and user group configuration information, adds the user node to the user information list of the service board, and uploads the user information list to the master control, after which step S102 is performed.
Through the above steps, a user information list containing Internet Protocol Security (IPsec) configuration information is received; a global user node is generated according to the user information in the user information list; the global user node is added to a global user table, and access users are managed through the global user table. This solves the problem that management efficiency decreases because of too many access users, and thereby achieves the effect of improving the efficiency of managing access users.
Preferably, the user information in the user information list includes at least one of: a user group, a service card address and IPsec configuration information, where the IPsec configuration information is used to configure intranet resources for the access user;
the user information list further includes an access user index table for indexing access users, the access user index table being composed of the IPsec interface and the user's intranet IP.
The user information list is shown in FIG. 2. FIG. 2 is a structural diagram of a user information list according to an embodiment of the present invention, which includes:
(1) all remote user nodes on the service card, that is, the user nodes generated on the service card for the access users;
(2) the user information list on the service card uses the IPsec interface and the user's intranet IP as its index, which is used to index the corresponding user node;
(3) the user information stored in a user node includes at least one of: the access user group, the service card address, the external network address of the access user and IPsec configuration information. The IPsec configuration information is the IPsec configuration obtained after the negotiation packet has been processed by the IKE protocol on the service card, that is, the network resources and network devices available on the intranet that the access user may use according to its assigned intranet IP address.
Preferably, access users are managed through the global user table in at least one of the following ways, as shown in FIG. 3. FIG. 3 is an architecture diagram of managing users through a global user table according to an embodiment of the present invention; specifically:
Scheme one: judging, according to a preset threshold, whether the number of access users of a user group in the global user table is greater than the preset threshold; if so, closing the access interface;
The IPsec VPN gateway stores the user node under the user group of the corresponding IPsec interface according to the parameters carried when the access user negotiates. These users may come online from different service cards. Through the IPsec interface and user group management mode, the master control can learn in real time how the access users of each user group are distributed across the service cards. When the number of users in a user group reaches the maximum allowed, the master control notifies the client to close the user access function.
Scheme two: obtaining an abnormal service card by querying the global user table, and deleting all users online on the abnormal service card;
When a service card uploads user information, it carries the service card's address information, and the master control maintains all users online on that service card. These users may belong to different user groups. When a service card fails or is pulled out of the device, the master control can detect this and deletes all users online on that service card.
Scheme three: looking up an access user according to the access user index table and performing a preset operation on the access user, the preset operation including at least one of: query and delete.
The access user's IPsec interface and intranet IP are used as the key for indexing. The purpose of this index table is to find users quickly. When the gateway administrator needs to kick a user offline, the master control takes the entered IPsec interface and intranet IP of the user, and after finding the user, deletes it and notifies the service card to delete it. Similarly, when the administrator views the details of a particular user, the master control can quickly find the user from the received query request and display the user information.
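The following is an added example, not code from the patent or its applicant, that models the master's global user table with the three management schemes above: a per-group limit that closes and reopens the group's access function (including the timing window, also described in the definitions above, where a late local node arrives after the group is full), removal of every user on a failed service card, and query and kick-offline through the (IPsec interface, intranet IP) index. Card names, group limits and addresses are constructed; the notification messages to service cards are a hypothetical stand-in for whatever inter-card messaging the gateway uses.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Access-user index key: (IPsec interface, user intranet IP), as in the patent.
UserKey = Tuple[str, str]


@dataclass(frozen=True)
class UserNode:
    """Global user node built from a service card's user information list."""
    interface: str   # IPsec interface the client negotiated on
    inner_ip: str    # intranet IP assigned during mode configuration
    group: str       # user group the user was placed in
    card: str        # address (slot) of the service card the user is online on
    outer_ip: str    # client's external address

    @property
    def key(self) -> UserKey:
        return (self.interface, self.inner_ip)


class GlobalUserTable:
    """Master-side global user table with per-group and per-card views."""

    def __init__(self, cards: List[str], group_limits: Dict[str, int]):
        self.cards = list(cards)                # service cards known to the master
        self.group_limits = dict(group_limits)  # max access users per user group
        self.index: Dict[UserKey, UserNode] = {}
        self.by_group: Dict[str, Set[UserKey]] = {}
        self.by_card: Dict[str, Set[UserKey]] = {}
        self.closed_groups: Set[str] = set()
        # Messages the master would send to service cards: (card, action, payload).
        self.notifications: List[Tuple[str, str, object]] = []

    def _notify(self, card: str, action: str, payload: object) -> None:
        self.notifications.append((card, action, payload))

    def count(self, group: str) -> int:
        return len(self.by_group.get(group, ()))

    # Scheme one: per-group limit; close and reopen the group's access function.
    def add_user(self, node: UserNode) -> bool:
        """Add a node reported by a service card; False if it must be rejected."""
        if node.key in self.index:
            return False  # duplicate report, keep the existing node
        limit = self.group_limits.get(node.group)
        if limit is not None and self.count(node.group) >= limit:
            # Timing window: the group is already full on the master, but a
            # local node from a card still arrived. Do not add it; tell the
            # card to delete the surplus user.
            self._notify(node.card, "delete_user", node.key)
            return False
        self.index[node.key] = node
        self.by_group.setdefault(node.group, set()).add(node.key)
        self.by_card.setdefault(node.card, set()).add(node.key)
        if limit is not None and self.count(node.group) >= limit:
            self.closed_groups.add(node.group)
            for card in self.cards:  # cards then reject IKE negotiations for the group
                self._notify(card, "disable_group", node.group)
        return True

    def _remove(self, key: UserKey, notify_card: bool) -> Optional[UserNode]:
        node = self.index.pop(key, None)
        if node is None:
            return None
        self.by_group[node.group].discard(key)
        self.by_card[node.card].discard(key)
        if notify_card:
            self._notify(node.card, "delete_user", key)
        limit = self.group_limits.get(node.group)
        if node.group in self.closed_groups and (limit is None or self.count(node.group) < limit):
            self.closed_groups.discard(node.group)
            for card in self.cards:
                self._notify(card, "enable_group", node.group)
        return node

    # Scheme two: a card failed or was pulled; drop every user online on it.
    def card_failed(self, card: str) -> List[UserKey]:
        keys = sorted(self.by_card.get(card, set()))
        for key in keys:
            self._remove(key, notify_card=False)  # the card is gone, nothing to notify
        self.by_card.pop(card, None)
        return keys

    # Scheme three: index lookup for query and for kicking a user offline.
    def lookup(self, interface: str, inner_ip: str) -> Optional[UserNode]:
        return self.index.get((interface, inner_ip))

    def kick(self, interface: str, inner_ip: str) -> bool:
        return self._remove((interface, inner_ip), notify_card=True) is not None

    def kick_group(self, group: str) -> int:
        """Kick every user of a group, e.g. after its IPsec interface binding is deleted."""
        keys = sorted(self.by_group.get(group, set()))
        for key in keys:
            self._remove(key, notify_card=True)
        return len(keys)


if __name__ == "__main__":  # constructed sample data
    t = GlobalUserTable(cards=["card1", "card2"], group_limits={"sales": 2})
    t.add_user(UserNode("ipsec1", "10.1.0.1", "sales", "card1", "203.0.113.10"))
    t.add_user(UserNode("ipsec1", "10.1.0.2", "sales", "card2", "203.0.113.11"))
    print("sales closed:", "sales" in t.closed_groups)
    for msg in t.notifications:
        print(msg)
```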
Preferably, after access users are managed through the global user table, the method further includes: generating entries according to the user information in the global user table; and establishing communication with the user access device according to the entries.
Preferably, establishing communication with the user access device according to the entries includes: mode one: receiving an encrypted packet sent by the user access device; performing Internet Protocol Security (IPsec) decapsulation on the encrypted packet to obtain the decapsulated inner packet; and sending the inner packet to the intranet device corresponding to the user access device;
or,
mode two: receiving plaintext sent by the intranet device; encapsulating the plaintext with IPsec to obtain the encapsulated packet; and sending the packet to the user access device.
This embodiment also provides a user data management apparatus, which is used to implement the above embodiments and preferred implementations; what has already been described is not repeated. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. Although the apparatus described in the following embodiments is preferably implemented in software, an implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
FIG. 4 is a structural block diagram of a user data management apparatus according to an embodiment of the present invention. As shown in FIG. 4, the apparatus includes a receiving module 22, a generating module 24 and a management module 26, where
the receiving module 22 is configured to receive a user information list containing Internet Protocol Security (IPsec) configuration information;
the generating module 24, connected to the receiving module 22, is configured to generate a global user node according to the user information in the user information list;
the management module 26, connected to the generating module 24, is configured to add the global user node to a global user table and manage access users through the global user table.
Preferably, the user information in the user information list includes at least one of: a user group, a service card address and IPsec configuration information, where the IPsec configuration information is used to configure intranet resources for the access user; the user information list further includes an access user index table for indexing access users, the access user index table being composed of the IPsec interface and the user's intranet IP.
Preferably, FIG. 5 is a structural block diagram of a user data management apparatus according to a preferred embodiment of the present invention. As shown in FIG. 5, the management module 26 further includes a first management unit 261, a second management unit 262 and a third management unit 263, where the management module 26 is configured to manage access users through the global user table in at least one of the following ways:
the first management unit 261 is configured to judge, according to a preset threshold, whether the number of access users of a user group in the global user table is greater than the preset threshold, and if so, to close the access interface;
the second management unit 262 is configured to obtain an abnormal service card by querying the global user table and delete all users online on the abnormal service card;
the third management unit 263 is configured to look up an access user according to the access user index table and perform a preset operation on the access user, the preset operation including at least one of: query and delete.
Preferably, FIG. 6 is a structural block diagram of a user data management apparatus according to a preferred embodiment of the present invention. As shown in FIG. 6, in addition to all the modules shown in FIG. 4, the apparatus further includes an entry generating module 42 and a communication module 44, where
the entry generating module 42 is configured to generate entries according to the user information in the global user table after access users are managed through the global user table;
the communication module 44, connected to the entry generating module 42, is configured to establish communication with the user access device according to the entries generated by the entry generating module 42.
Preferably, FIG. 7 is a structural block diagram of a user data management apparatus according to a preferred embodiment of the present invention. The communication module 44 includes a first receiving unit 441, a decapsulation unit 442, a first sending unit 443, a second receiving unit 444, an encapsulation unit 445 and a second sending unit 446, where
the first receiving unit 441 is configured to receive an encrypted packet sent by the user access device;
the decapsulation unit 442, connected to the first receiving unit 441, is configured to perform Internet Protocol Security (IPsec) decapsulation on the encrypted packet received by the first receiving unit 441 to obtain the decapsulated inner packet;
the first sending unit 443, connected to the decapsulation unit 442, is configured to send the inner packet decapsulated by the decapsulation unit 442 to the intranet device corresponding to the user access device;
or,
the second receiving unit 444 is configured to receive plaintext sent by the intranet device;
the encapsulation unit 445, connected to the second receiving unit 444, is configured to encapsulate the plaintext with IPsec to obtain the encapsulated packet;
the second sending unit 446, connected to the encapsulation unit 445, is configured to send the packet to the user access device.
The technical problem to be solved by the present invention is to overcome the complexity of managing IPsec remote-access users in a distributed system in the prior art, and to provide a distributed user management method in which the master control board (the "master") and the service cards cooperate.
The present invention adopts the following technical solution: the IPsec service cards are responsible for remote-access user negotiation; each IPsec service card maintains a user information list and at the same time reports the user information to the master; the master maintains a global user table from the reported information. The user information list holds the information of all users that came online on that service card; the global user table holds the information of all users that came online on any service card of the gateway. The user information includes the private network address assigned to the access user, the mode configuration information, the service card address, and so on. Specifically:
(1) The remote access client initiates negotiation, and the line card selects one IPsec service card to process the negotiation packets.
(2) If negotiation succeeds, the service card creates a local user node and synchronizes the user information to the master.
(3) The master receives the user information reported by the service card, creates a user node, and adds it to the global user table.
(4) The master generates entries from the user information and delivers them to the line cards; by looking up the delivered entries, the line cards ensure that subsequent IPsec data packets exchanged between the access user and the intranet devices are delivered to the service card on which that user came online.
(5) When the user goes offline, the IPsec service card deletes the user node and notifies the master to delete it as well.
Specifically, as shown in FIG. 8, the remote access client connects to the public network and obtains a public IP address (2.1.1.X). The client now wants to access intranet resources protected by the IPsec VPN gateway. The client initiates remote-access negotiation with the gateway, requesting that the gateway assign it an intranet IP address (1.1.1.X) and other configuration information; once this succeeds, the client can use that intranet address to access intranet resources. Data packets exchanged between the intranet host and the client are protected by IPsec tunnel encryption.
As shown in FIG. 9, the IPsec VPN gateway processes a client access request as follows:
(1) The gateway administrator configures the negotiation parameters so that client access negotiation can succeed. The main configuration includes:
Step 1. Parameters for the first-phase and second-phase negotiation. These are usually selected in a configuration template.
Step 2. The IPsec interface. An IPsec interface is a logical interface that carries the IPsec protocol. The configuration template generated above must be bound to the IPsec interface; when a client negotiates, the gateway first locates the IPsec interface and then retrieves the configuration bound to it.
Step 3. The user group. Under the user group, the parameters for extended authentication and mode configuration are set, as well as the maximum number of users the group is allowed to admit.
(2) The line card's packet transceiver module receives the negotiation packet sent by the client, selects a service card according to a particular algorithm, and delivers the packet to that service card for processing. Subsequent negotiation packets sent by the same client are delivered to the same service card for processing.
(3) After receiving the negotiation packet, the service card passes it to its IPsec processing module. The IPsec processing module is responsible for the IKE-related functions, including first-phase negotiation, extended authentication/mode configuration negotiation, and second-phase negotiation.
(4) After negotiation succeeds, the IPsec processing module creates a local user node from the intranet address assigned to the client and the user group configuration, and adds it to the user information list. The data structure of the service card's user information list is shown in FIG. 2:
The service card's user information list holds all remote user nodes that accessed through that service card.
The user information list is indexed by the key (IPsec interface, user private network IP).
The user information stored in a user node includes the access user group, the service card address, the client's public network address, the mode configuration information, and so on.
(5) After the service card's IPsec processing module creates the local user node, it reports the user information to the master's IPsec processing module, which creates a global user node and adds it to the global user table. As shown in FIG. 3, the master's global user table provides three ways of managing access users:
a. Management by IPsec interface and user group.
The IPsec VPN gateway stores the user node under the user group of the corresponding IPsec interface according to the parameters carried during the user's access negotiation. These users may have come online on different service cards. Through the IPsec interface/user group view, the master knows in real time how the access users of each user group are distributed across the service cards. When the number of users in a user group reaches the allowed maximum, the master notifies the service cards to close access for that user group.
b. Management by the service card on which the access user negotiated.
When a service card reports user information, it includes its own service card address, and the master keeps track of all users that came online on that card. These users may belong to different user groups. When a service card fails or is pulled out of the device, the master detects this and deletes all users that came online on that card.
c. The access user index table.
It is indexed by the key (IPsec interface of the access user, user private network IP). The purpose of this index table is to find a user quickly. When the gateway administrator needs to force a user offline, the administrator enters the IPsec interface the user accessed through together with the user's private network IP; once the master finds the user, it deletes that user and notifies the service card to delete it as well. Likewise, when an administrator views a particular user's details, the user can be found quickly and the user information displayed.
(6) The master's IPsec processing module generates the various entries from the user information in the global user table and delivers them to the line cards' packet transceiver modules. These entries are used by the gateway to process the client's IPsec encryption and decryption data packets after the client has accessed successfully. The line card's packet transceiver module processes packets according to the delivered entries as follows:
a. Ciphertext sent by the client to an intranet device is delivered to the service card on which the client came online for IPsec decapsulation; the service card then sends the inner packet back to the line card, and the line card forwards the packet on to the intranet device the client wants to reach.
b. Plaintext sent by an intranet device to the client is delivered to the service card on which the client came online for IPsec encapsulation; the service card then sends the encapsulated packet back to the line card, which forwards it on to the client.
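The tables described in (5) and (6), as an added Python illustration that is not code from the patent: a master-side global user table with the three views (IPsec interface/user group, service card, and the (IPsec interface, private IP) index), plus the steering entries a line card would derive from it. The steering keys are an assumption, since the text only says the entries are generated from the user information: ciphertext from a client is matched on its public (outer source) IP, plaintext from the intranet on the client's private (inner destination) IP. All addresses and card names are constructed sample data.

```python
"""Global user table on the master and the steering entries pushed to line cards.
Added illustration, not the patent's code; steering keys are an assumption."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Key of the user information list and of the access user index table:
# (IPsec interface, private IP assigned to the user by mode configuration).
UserKey = Tuple[str, str]


@dataclass(frozen=True)
class UserNode:
    ipsec_interface: str
    private_ip: str        # e.g. 1.1.1.X
    user_group: str
    card_addr: str         # service card that ran the IKE negotiation
    client_public_ip: str  # e.g. 2.1.1.X

    @property
    def key(self) -> UserKey:
        return (self.ipsec_interface, self.private_ip)


class GlobalUserTable:
    """Master-side table with the three views a., b. and c. from the text."""

    def __init__(self) -> None:
        self.index: Dict[UserKey, UserNode] = {}                               # c.
        self.by_group: Dict[Tuple[str, str], Set[UserKey]] = defaultdict(set)  # a.
        self.by_card: Dict[str, Set[UserKey]] = defaultdict(set)               # b.

    def add(self, node: UserNode) -> None:
        self.index[node.key] = node
        self.by_group[(node.ipsec_interface, node.user_group)].add(node.key)
        self.by_card[node.card_addr].add(node.key)

    def remove(self, key: UserKey) -> Optional[UserNode]:
        node = self.index.pop(key, None)
        if node is not None:
            self.by_group[(node.ipsec_interface, node.user_group)].discard(key)
            self.by_card[node.card_addr].discard(key)
        return node

    def group_count(self, ipsec_interface: str, user_group: str) -> int:
        return len(self.by_group[(ipsec_interface, user_group)])

    def drop_card(self, card_addr: str) -> List[UserNode]:
        """Card failed or was pulled: delete every user that came online on it."""
        return [self.remove(k) for k in list(self.by_card[card_addr])]


class LineCardSteering:
    """Entries delivered by the master; the line card only looks them up."""

    def __init__(self) -> None:
        self.cipher_to_card: Dict[str, str] = {}  # client public IP -> card (assumed key)
        self.plain_to_card: Dict[str, str] = {}   # private IP -> card (assumed key)

    def install(self, node: UserNode) -> None:
        self.cipher_to_card[node.client_public_ip] = node.card_addr
        self.plain_to_card[node.private_ip] = node.card_addr

    def withdraw(self, node: UserNode) -> None:
        self.cipher_to_card.pop(node.client_public_ip, None)
        self.plain_to_card.pop(node.private_ip, None)

    def steer_ciphertext(self, outer_src_ip: str) -> Optional[str]:
        """Client -> intranet: the ESP packet goes to the card holding the SA."""
        return self.cipher_to_card.get(outer_src_ip)

    def steer_plaintext(self, inner_dst_ip: str) -> Optional[str]:
        """Intranet -> client: plaintext goes to the same card for encapsulation."""
        return self.plain_to_card.get(inner_dst_ip)


def demo_steering() -> dict:
    """Users come online, packets are steered, a card is lost, a user is kicked."""
    table, linecard = GlobalUserTable(), LineCardSteering()
    users = [  # constructed sample data
        UserNode("ipsec1", "1.1.1.10", "sales", "card-A", "2.1.1.10"),
        UserNode("ipsec1", "1.1.1.11", "sales", "card-B", "2.1.1.11"),
        UserNode("ipsec1", "1.1.1.12", "eng", "card-B", "2.1.1.12"),
    ]
    for u in users:
        table.add(u)          # step (3): master creates the global user node
        linecard.install(u)   # step (4): entries delivered to the line card
    out = {
        "sales_count": table.group_count("ipsec1", "sales"),
        "cipher_from_2.1.1.11": linecard.steer_ciphertext("2.1.1.11"),
        "plain_to_1.1.1.10": linecard.steer_plaintext("1.1.1.10"),
        "unknown_src": linecard.steer_ciphertext("2.1.1.99"),  # no entry: drop
    }
    for gone in table.drop_card("card-B"):   # b. card-B pulled from the chassis
        linecard.withdraw(gone)
    out["after_cardB_loss"] = sorted(table.index)
    out["cipher_after_loss"] = linecard.steer_ciphertext("2.1.1.11")
    kicked = table.remove(("ipsec1", "1.1.1.10"))  # c. kick by (interface, private IP)
    if kicked is not None:
        linecard.withdraw(kicked)
    out["after_kick"] = sorted(table.index)
    return out
```

The point a practitioner should take from the card-loss path is that the line card entries must be withdrawn together with the global nodes; otherwise traffic for a dead card keeps being steered into it, and a packet for an unknown client (no entry) must be dropped rather than sent to an arbitrary card.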
In this way, all access users of the gateway can be managed as required, including viewing user information, forcing users offline, and linkage between the user table and associated modules, with the advantages of fast user lookup and diverse management modes:
a. A maximum number of allowed access users is set under each user group. When the maximum is reached, subsequent requests to access that user group are rejected. Because the users of a user group may come online on several service cards, only the master's global user table can obtain the current number of access users in a user group. When the master finds that the number of users has reached the upper limit, it notifies the service cards to close access for that user group, and the service cards reject all IKE negotiations that try to access that group. Because of timing, after the master has closed access for the user group it may still receive local user nodes reported by the service cards; such nodes must not be added to the global user table, and the service card must instead be notified to delete the redundant user. When users go offline and the number of users falls below the maximum, the master notifies the service cards to reopen access for that user group.
b. The administrator can view the users accessed under each user group or on each service card, as well as each user's specific configuration information.
c. Linkage between the user table and associated modules. For example, with the configuration management module: after the administrator modifies the gateway configuration, the master can notify the service cards to take the corresponding action. When a user group bound to an IPsec interface is deleted, for instance, the master notifies each service card to delete all access users belonging to that user group and notifies the clients.
d. The administrator can force a single user offline through the access user index table, or force users offline per IPsec interface, per user group, or per service card. When a user is forced offline, the master deletes the user from the global user table and notifies the service card to delete it.
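The admission limit in (a), including the timing race, as an added Python illustration that is not the patent's code. It models the master and two service cards as objects exchanging messages through in-memory queues; the queueing delay is what lets a card admit a third user before the master's close notification arrives, after which the master refuses the late node and tells the card to delete it, and reopens the group once a user leaves. Group names, card names and addresses are constructed.

```python
"""Per-group admission limit enforced by the master across several service cards.
Added illustration, not the patent's code; message transport is an in-memory queue."""
from collections import deque
from typing import Deque, Dict, List, Set, Tuple

GroupId = Tuple[str, str]   # (IPsec interface, user group)
Msg = tuple                 # (kind, payload...)


class ServiceCard:
    def __init__(self, addr: str, to_master: Deque[Msg]) -> None:
        self.addr = addr
        self.to_master = to_master          # one-way queue towards the master
        self.inbox: Deque[Msg] = deque()    # notifications from the master
        self.local_users: Dict[Tuple[str, str], GroupId] = {}  # user information list
        self.closed: Set[GroupId] = set()   # groups whose access the master closed
        self.rejected: List[str] = []

    def ike_negotiate(self, iface: str, group: str, private_ip: str) -> bool:
        """Step (2): admit locally if the group is open, then report to the master."""
        if (iface, group) in self.closed:
            self.rejected.append(private_ip)        # IKE negotiation refused
            return False
        key = (iface, private_ip)
        self.local_users[key] = (iface, group)
        self.to_master.append(("add", self.addr, key, (iface, group)))
        return True

    def user_offline(self, iface: str, private_ip: str) -> None:
        """Step (5): delete the local node and tell the master."""
        group = self.local_users.pop((iface, private_ip))
        self.to_master.append(("remove", self.addr, (iface, private_ip), group))

    def process(self) -> None:
        while self.inbox:
            kind, *args = self.inbox.popleft()
            if kind == "close":
                self.closed.add(args[0])
            elif kind == "open":
                self.closed.discard(args[0])
            elif kind == "delete":                  # redundant user: drop local node
                self.local_users.pop(args[0], None)


class Master:
    def __init__(self, limits: Dict[GroupId, int]) -> None:
        self.limits = limits
        self.inbox: Deque[Msg] = deque()
        self.cards: Dict[str, ServiceCard] = {}
        self.members: Dict[GroupId, Set[Tuple[str, str]]] = {g: set() for g in limits}
        self.closed: Set[GroupId] = set()

    def attach(self, addr: str) -> ServiceCard:
        card = ServiceCard(addr, self.inbox)
        self.cards[addr] = card
        return card

    def broadcast(self, msg: Msg) -> None:
        for card in self.cards.values():
            card.inbox.append(msg)

    def process(self) -> None:
        while self.inbox:
            kind, card_addr, key, group = self.inbox.popleft()
            members = self.members[group]
            if kind == "add":
                if len(members) >= self.limits[group]:
                    # report that arrived after the group was closed: do not add
                    # it to the global table, tell the card to delete it instead
                    self.cards[card_addr].inbox.append(("delete", key))
                    continue
                members.add(key)
                if len(members) == self.limits[group] and group not in self.closed:
                    self.closed.add(group)
                    self.broadcast(("close", group))
            elif kind == "remove":
                members.discard(key)
                if group in self.closed and len(members) < self.limits[group]:
                    self.closed.discard(group)
                    self.broadcast(("open", group))


def demo_admission() -> dict:
    group = ("ipsec1", "sales")            # constructed: limit of 2 users
    master = Master({group: 2})
    a, b = master.attach("card-A"), master.attach("card-B")
    # three clients negotiate on two cards before the master has processed anything
    a.ike_negotiate("ipsec1", "sales", "1.1.1.10")
    b.ike_negotiate("ipsec1", "sales", "1.1.1.11")
    b.ike_negotiate("ipsec1", "sales", "1.1.1.12")   # admitted during the race
    master.process(); a.process(); b.process()
    out = {"global": sorted(master.members[group]),
           "cardB_local": sorted(b.local_users),
           "closed_on_A": group in a.closed}
    # group closed: a new IKE negotiation is now refused on the card itself
    out["fourth_admitted"] = a.ike_negotiate("ipsec1", "sales", "1.1.1.13")
    a.user_offline("ipsec1", "1.1.1.10")             # a user leaves
    master.process(); a.process(); b.process()
    out["closed_after_leave"] = group in a.closed
    out["fifth_admitted"] = a.ike_negotiate("ipsec1", "sales", "1.1.1.14")
    return out
```

The check worth keeping from this model is the second branch in `Master.process`: the limit is enforced at the master, where the count is authoritative, so a card that admitted a user during the race is corrected instead of the global table silently overflowing the configured maximum.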
Obviously, those skilled in the art should understand that the modules or steps of the present invention described above may be implemented with a general-purpose computing device; they may be concentrated on a single computing device or distributed over a network formed by multiple computing devices; optionally, they may be implemented as program code executable by a computing device, so that they may be stored in a storage device and executed by the computing device, and in some cases the steps shown or described may be executed in an order different from that given here; or they may be made into individual integrated circuit modules, or several of the modules or steps may be made into a single integrated circuit module. Thus, the present invention is not limited to any specific combination of hardware and software.
The above is only a preferred embodiment of the present invention and is not intended to limit it; those skilled in the art may make various modifications and variations to the present invention. Any modification, equivalent substitution, improvement, etc. made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.
Industrial applicability
Based on the technical solution provided by the embodiments of the present invention, a user information list containing Internet Protocol Security (IPsec) configuration information is received; global user nodes are generated from the user information in the user information list; the global user nodes are added to a global user table; and the accessed users are managed through the global user table. This solves the problem of reduced management efficiency caused by an excessive number of access users and thereby improves the efficiency of managing access users.

Claims (10)

  1. A user data management method, comprising:
    receiving a user information list containing Internet Protocol Security (IPsec) configuration information;
    generating a global user node according to the user information in the user information list; and
    adding the global user node to a global user table, and managing accessed users through the global user table.
  2. The method according to claim 1, wherein the user information in the user information list comprises at least one of: a user group, a service card address, and the IPsec configuration information, wherein the IPsec configuration information is used to configure intranet resources for the access user;
    and the user information list comprises an access user index table for indexing access users, the access user index table being composed of the IPsec interface and the user's intranet IP.
  3. The method according to claim 2, wherein the accessed users are managed through the global user table in at least one of the following ways:
    scheme one: judging, according to a preset threshold, whether the number of access users of the user group in the global user table is greater than the preset threshold, and if the judgment result is yes, closing the access interface;
    scheme two: obtaining an abnormal service card by querying the global user table, and deleting all users that came online on the abnormal service card;
    scheme three: finding an access user according to the access user index table and performing a preset operation on the access user, the preset operation comprising at least one of: query, delete.
  4. The method according to claim 2, further comprising, after managing the accessed users through the global user table:
    generating entries according to the user information in the global user table; and
    establishing communication with the user access device according to the entries.
  5. The method according to claim 4, wherein establishing communication with the user access device according to the entries comprises:
    manner one: receiving an encrypted packet sent by the user access device; performing IPsec decapsulation on the encrypted packet to obtain the decapsulated inner packet; and sending the inner packet to the intranet device corresponding to the user access device;
    or
    manner two: receiving plaintext sent by the intranet device; encapsulating the plaintext with IPsec to obtain the encapsulated packet; and sending the packet to the user access device.
  6. A user data management apparatus, comprising:
    a receiving module, configured to receive a user information list containing Internet Protocol Security (IPsec) configuration information;
    a generation module, configured to generate a global user node according to the user information in the user information list; and
    a management module, configured to add the global user node to a global user table and manage accessed users through the global user table.
  7. The apparatus according to claim 6, wherein the user information in the user information list comprises at least one of: a user group, a service card address, and the IPsec configuration information, wherein the IPsec configuration information is used to configure intranet resources for the access user;
    and the user information list comprises an access user index table for indexing access users, the access user index table being composed of the IPsec interface and the user's intranet IP.
  8. The apparatus according to claim 7, wherein the management module manages the accessed users through the global user table by means of at least one of:
    a first management unit, configured to judge, according to a preset threshold, whether the number of access users of the user group in the global user table is greater than the preset threshold, and if the judgment result is yes, to close the access interface;
    a second management unit, configured to obtain an abnormal service card by querying the global user table and to delete all users that came online on the abnormal service card;
    a third management unit, configured to find an access user according to the access user index table and to perform a preset operation on the access user, the preset operation comprising at least one of: query, delete.
  9. The apparatus according to claim 7, further comprising:
    an entry generation module, configured to generate entries according to the user information in the global user table after the accessed users are managed through the global user table; and
    a communication module, configured to establish communication with the user access device according to the entries generated by the entry generation module.
  10. The apparatus according to claim 9, wherein the communication module comprises:
    a first receiving unit, configured to receive an encrypted packet sent by the user access device;
    a decapsulation unit, configured to perform IPsec decapsulation on the encrypted packet received by the first receiving unit to obtain the decapsulated inner packet;
    a first sending unit, configured to send the decapsulated inner packet to the intranet device corresponding to the user access device;
    or
    a second receiving unit, configured to receive plaintext sent by the intranet device;
    an encapsulation unit, configured to encapsulate the plaintext with IPsec to obtain the encapsulated packet; and
    a second sending unit, configured to send the packet to the user access device.
PCT/CN2015/073522 2014-11-25 2015-03-02 User data management method and apparatus WO2016082363A1 (en)

Applications Claiming Priority (2)

Application Number | Priority Date | Filing Date | Title
CN201410690360.9 | 2014-11-25 | |
CN201410690360.9A (CN105610599B, en) | 2014-11-25 | 2014-11-25 | User data management method and apparatus

Publications (1)

Publication Number | Publication Date
WO2016082363A1 | 2016-06-02

Family ID: 55990145

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
PCT/CN2015/073522 (WO2016082363A1, en) | User data management method and apparatus | 2014-11-25 | 2015-03-02

Country Status (2)

Country | Link
CN | CN105610599B (en)
WO | WO2016082363A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN107896233B * | 2017-12-28 | 2021-09-10 | 广州汇智通信技术有限公司 | SCTP stream data management method, system and equipment
CN111147382B * | 2019-12-31 | 2021-09-21 | 杭州迪普科技股份有限公司 | Message forwarding method and device

Citations (3)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN102014007A * | 2010-12-29 | 2011-04-13 | 武汉日电光通信工业有限公司 | Distributed system service management system and method
US20120226804A1 * | 2010-12-29 | 2012-09-06 | Murali Raja | Systems and methods for scalable n-core stats aggregation
CN103686725A * | 2012-09-26 | 2014-03-26 | 成都鼎桥通信技术有限公司 | User data management method, user data management equipment and user data management system


Also Published As

Publication number Publication date
CN105610599B (en) 2019-03-01
CN105610599A (en) 2016-05-25


Legal Events

Date | Code | Title | Description
 | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 15862193; Country of ref document: EP; Kind code of ref document: A1
 | NENP | Non-entry into the national phase | Ref country code: DE
 | 122 | Ep: pct application non-entry in european phase | Ref document number: 15862193; Country of ref document: EP; Kind code of ref document: A1