WO2016155005A1 - 通信方法、基站、接入点及系统 - Google Patents
通信方法、基站、接入点及系统 Download PDFInfo
- Publication number
- WO2016155005A1 WO2016155005A1 PCT/CN2015/075866 CN2015075866W WO2016155005A1 WO 2016155005 A1 WO2016155005 A1 WO 2016155005A1 CN 2015075866 W CN2015075866 W CN 2015075866W WO 2016155005 A1 WO2016155005 A1 WO 2016155005A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- wifi
- address
- transmission interface
- base station
- ipsec
- Prior art date
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W88/00—Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices
- H04W88/08—Access point devices
- H04W88/10—Access point devices adapted for operation in multiple networks, e.g. multi-mode access points
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0485—Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/50—Address allocation
- H04L61/5007—Internet protocol [IP] addresses
- H04L61/5014—Internet protocol [IP] addresses using dynamic host configuration protocol [DHCP] or bootstrap protocol [BOOTP]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/02—Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
Definitions
- Embodiments of the present invention relate to communication technologies, and in particular, to a secure communication method, a base station, an access point, and a system related to a wireless fidelity network.
- BTS Base Stations
- WiFi Wireless Fidelity
- AP WiFi access points
- IPSec Internet Protocol Security
- WiFi APs usually do not have IPSec processing capabilities.
- the AP controller AP Controller of the WiFi network is deployed in a non-secure domain (for example, the Internet) through the WiFi AP and the AC. Encryption technology is added to the tunnel to ensure security.
- the WiFi network adopts a different security scheme than the BTS network.
- the operator needs to deploy two sets of security mechanisms, the compatibility is low, the cost is too large, and the AC is deployed in the non-secure domain, which poses a great security risk.
- many base stations especially small base stations and WiFi APs, are similar to the user equipment.
- such base stations are required to support IPSec functions. Free planning and configuration-free requirements.
- the embodiments of the present invention provide a communication method, a base station, an access point, and a system, which are used to unify the security mechanism of the WiFi network and the BTS network, simplify the security networking solution of the communication system, and reduce the construction cost.
- an embodiment of the present invention provides a communication method, including:
- the data packet is encrypted according to the IPSec protocol, and the encrypted data packet is forwarded in the IPSec security tunnel according to the route on the IPSec security tunnel and the ACL rule.
- the method before the obtaining the IP address of the WiFi AP, the method further includes:
- the establishing, by the broadcast message, a DHCP relay agent relationship with the WiFi AP including:
- the DHCP address request message is sent to the WiFi AP controller AC by using the IPSec security tunnel, where the address request message includes An IP address of the security gateway, so that the AC allocates an IP address to the WiFi AP according to the IP address of the security gateway;
- the obtaining an IP address of the WiFi AP includes:
- the receiving, by the common transmission interface, the sending by the WiFi AP Before the DHCP broadcast message it also includes:
- the relay agent service is enabled, the parameters of the common transmission interface are configured, and the IPSec security tunnel is established, and the parameters of the common transmission interface include an IP address of the common transmission interface and a state of the common transmission interface.
- any one of the first to fourth possible implementation manners of the first aspect, in the fifth possible implementation manner of the first aspect, after the obtaining the IP address of the WiFi AP, include:
- the WiFi AP is monitored to obtain an updated IP address of the WiFi AP, and the updated IP address is used as an IP address of the WiFi AP.
- the method before the obtaining the IP address of the WiFi AP, the method further includes:
- Transmitting a co-transmission service with the WiFi AP acquiring an IP address of the AC, and configuring parameters of the co-transmission interface, where the parameters of the co-transmission interface include an IP address of the co-transmission interface and the co-transmission interface status;
- the obtaining the IP address of the WiFi AP includes:
- the method further includes:
- the address configuration response includes an IP address of the WiFi AP, an IP address of the co-transmission interface, and an IP address of the AC;
- the common transmission interface And transmitting, by the common transmission interface, a broadcast message to the WiFi AP, where the broadcast message includes an IP address of the WiFi AP, an IP address of the common transmission interface, and an IP address of the AC.
- the method further includes:
- the data packet is encrypted according to the IPSec protocol, and the encrypted data packet is forwarded in the IPSec security tunnel according to the route on the IPSec security tunnel and the ACL rule.
- an embodiment of the present invention provides a communication method, including:
- the method before the sending the data packet to the base station by using the co-transmission interface with the base station, the method further includes:
- the method before the sending the data packet to the base station by using the co-transmission interface with the base station, the method further includes:
- the address configuration response includes an IP address of the WiFi AP, an IP address of the common transmission interface, and an IP address of the AC;
- the common transmission interface Receiving, by the common transmission interface, a broadcast message sent by the base station, where the broadcast message includes an IP address of the WiFi AP, an IP address of the common transmission interface, and an IP address of the AC.
- an embodiment of the present invention provides a base station, including:
- An obtaining module configured to obtain an internet protocol IP address of the wireless fidelity WiFi access point AP;
- a route establishing module configured to establish a route on the Internet Protocol security IPSec secure tunnel for the WiFi AP according to the IP address of the WiFi AP, and generate a corresponding access control list ACL rule;
- a data packet processing module configured to receive, by using a co-transmission interface with the WiFi AP, a data packet sent by the WiFi AP; encrypt the data packet according to an IPSec protocol, and according to the route on the IPSec security tunnel And the ACL rule forwards the encrypted data packet in the IPSec secure tunnel.
- the method further includes:
- a relay agent module configured to receive, by using the common communication interface, a dynamic host configuration protocol DHCP broadcast message sent by the WiFi AP, where the broadcast message is used to request to acquire an IP address of the WiFi AP; according to the broadcast message
- the WiFi AP establishes a DHCP relay agent relationship.
- the relay proxy module is configured to determine, according to the broadcast message, that the relay proxy service is enabled. And the IPSec security tunnel is pre-established, and the DHCP address request message is sent to the WiFi AP controller AC by using the IPSec security tunnel, where the address request message includes an IP address of the security gateway, so that the AC according to the The IP address of the security gateway is the WiFi.
- the AP allocates an IP address, receives a DHCP assignment message of the AC reply, and sends the assignment message to the WiFi AP through the co-transmission interface to establish the relay agent relationship with the WiFi AP.
- the assignment message includes an IP address of the WiFi AP.
- the acquiring module is specifically configured to acquire an IP address of the WiFi AP according to the allocation message; or Obtaining an IP address of the WiFi AP by performing communication with the WiFi AP.
- the relay agent module is further configured to enable the relay agent service. And configuring the parameters of the co-transmission interface, and establishing the IPSec security tunnel, where the parameters of the co-transmission interface include an IP address of the co-transmission interface and a status of the co-transmission interface.
- the acquiring module is further configured to monitor the The WiFi AP obtains the updated IP address of the WiFi AP, and uses the updated IP address as the IP address of the WiFi AP.
- the acquiring module is specifically configured to enable a co-transmission service with the WiFi AP, acquire an IP address of the AC, and configure the co-transmission
- the parameter of the interface, the parameter of the common interface includes the IP address of the common interface and the state of the common interface; and obtaining the IP address of the common interface according to the network segment of the pre-configured internal IP address The IP address of the WiFi AP, and generates a corresponding ACL rule.
- the method further includes:
- a sending module configured to send an address configuration response to the WiFi AP, where the address configuration response includes an IP address of the WiFi AP, an IP address of the common transmission interface, and an IP address of the AC; or
- the common transmission interface sends a broadcast message to the WiFi AP, where the broadcast message includes an IP address of the WiFi AP, an IP address of the common transmission interface, and an IP address of the AC.
- the data packet processing module is specifically configured to communicate with the WiFi AP
- the common transmission interface receives the data packet sent by the WiFi AP, and converts the IP address of the WiFi AP carried by the data packet into a path on the IPSec security tunnel by using network address translation NAT.
- the data packet is encrypted according to the IPSec protocol, and the encrypted data packet is forwarded in the IPSec security tunnel according to the route on the IPSec secure tunnel and the ACL rule.
- the embodiment of the present invention provides a wireless fidelity WiFi access point AP, including:
- a transceiver module configured to send a data packet to the base station by using a co-transmission interface with the base station, so that the base station encrypts the data packet according to an Internet Protocol security IPSec protocol, and according to a pre-established IPSec security tunnel
- the routing and access control list ACL rules forward the encrypted data packets in the IPSec secure tunnel.
- the transceiver module is further configured to send a dynamic host configuration protocol DHCP broadcast message to the base station by using the common transmission interface, so that the The base station establishes a DHCP relay agent according to the broadcast message, and receives a DHCP assignment message sent by the WiFi AP controller AC forwarded by the base station, where the allocation message includes an Internet Protocol IP address of the WiFi AP allocated by the AC.
- the transceiver module is further configured to receive an address configuration response sent by the base station, where the address configuration response includes an IP address of the WiFi AP The IP address of the common interface and the IP address of the AC; or, the broadcast message sent by the base station is received by the common transmission interface, where the broadcast message includes an IP address of the WiFi AP, and the total The IP address of the interface and the IP address of the AC.
- an embodiment of the present invention provides a base station, including:
- a processor configured to obtain an Internet Protocol IP address of the wireless fidelity WiFi access point AP, establish a route on the Internet Protocol security IPSec secure tunnel according to the IP address of the WiFi AP, and generate corresponding access control List ACL rules;
- a receiver configured to receive, by using a co-transmission interface with the WiFi AP, a data packet sent by the WiFi AP;
- the sender is configured to encrypt the data packet according to the IPSec protocol, and forward the encrypted data packet in the IPSec security tunnel according to the route on the IPSec security tunnel and the ACL rule.
- the receiver is further configured to receive, by using the common transmission interface, a dynamic host configuration protocol (DHCP) broadcast message sent by the WiFi AP, The broadcast message is used to request to obtain an IP address of the WiFi AP;
- DHCP dynamic host configuration protocol
- the processor is further configured to establish a DHCP relay with the WiFi AP according to the broadcast message. Agency relationship.
- the transmitter is further configured to determine, according to the broadcast message, that the relay proxy service is in an on state, and The IPSec security tunnel is pre-established, and the DHCP address request message is sent to the WiFi AP controller AC through the IPSec security tunnel, where the address request message includes an IP address of the security gateway, so that the AC is according to the security.
- the IP address of the gateway allocates an IP address to the WiFi AP;
- the receiver is further configured to receive a DHCP assignment message of the AC reply, and send the assignment message to the WiFi AP by using the co-transmission interface to establish the relay with the WiFi AP.
- the proxy relationship the assignment message including an IP address of the WiFi AP.
- the processor is configured to acquire an IP address of the WiFi AP according to the allocation message; or Obtaining an IP address of the WiFi AP by performing communication with the WiFi AP.
- the processor is further configured to enable a relay proxy service, configured And the IPSec security tunnel is set up, and the parameters of the common transmission interface include an IP address of the common transmission interface and a state of the common transmission interface.
- the processor is further configured to monitor the The WiFi AP obtains the updated IP address of the WiFi AP, and uses the updated IP address as the IP address of the WiFi AP.
- the processor is further configured to enable a co-transmission service with the WiFi AP, acquire an IP address of the AC, and configure the co-transmission
- the parameter of the interface, the parameter of the common interface includes the IP address of the common interface and the state of the common interface; and obtaining the IP address of the common interface according to the network segment of the pre-configured internal IP address The IP address of the WiFi AP, and generates a corresponding ACL rule.
- the transmitter is further configured to send an address configuration response to the WiFi AP, where the address configuration response Including the IP address of the WiFi AP, the IP address of the co-transmission interface, and the IP address of the AC; or sending a broadcast message to the WiFi AP through the co-transmission interface.
- the broadcast message includes an IP address of the WiFi AP, an IP address of the co-transmission interface, and an IP address of the AC.
- the receiver is specifically configured to perform co-transmission with the WiFi AP Receiving, by the interface, a data packet sent by the WiFi AP;
- the processor is further configured to convert, by using a network address translation NAT, an IP address of the WiFi AP carried by the data packet into a route on the IPSec security tunnel;
- the transmitter is configured to encrypt the data packet according to the IPSec protocol, and forward the encrypted data packet in the IPSec security tunnel according to the route on the IPSec security tunnel and the ACL rule.
- the embodiment of the present invention provides a wireless fidelity WiFi access point AP, including:
- a transmitter configured to send a data packet to the base station by using a co-transmission interface with the base station, so that the base station encrypts the data packet according to an Internet Protocol Secure IPSec protocol, and according to a pre-established IPSec security tunnel
- the routing and access control list ACL rules forward the encrypted data packets in the IPSec secure tunnel.
- the method further includes: a receiver;
- the transmitter is further configured to send, by using the common transmission interface, a dynamic host configuration protocol DHCP broadcast message to the base station, so that the base station establishes a DHCP relay agent according to the broadcast message;
- the receiver is configured to receive a DHCP assignment message sent by the base station and forwarded by the WiFi AP controller AC, where the assignment message includes an Internet Protocol IP address of the WiFi AP allocated by the AC.
- the receiver is further configured to receive an address configuration response sent by the base station, where the address configuration response Including the IP address of the WiFi AP, the IP address of the co-transmission interface, and the IP address of the AC; or receiving, by the common transmission interface, a broadcast message sent by the base station, where the broadcast message includes the WiFi The IP address of the AP, the IP address of the co-transmission interface, and the IP address of the AC.
- an embodiment of the present invention provides a communication system, including: a base station and a wireless fidelity WiFi access point AP, where the base station adopts the third aspect, the first to the eighth aspects of the third aspect A base station according to a possible implementation manner, wherein the WiFi AP adopts the WiFi AP according to any one of the first aspect to the second aspect of the fourth aspect.
- an embodiment of the present invention provides a communication system, including: a base station and a wireless fidelity WiFi access point AP, where the base station adopts the fifth aspect, the first to the eighth aspect of the fifth aspect A base station according to a possible implementation manner, wherein the WiFi AP adopts the WiFi AP according to any one of the first aspect to the second aspect of the sixth aspect.
- the secure communication method, the base station, the access point, and the system related to the wireless fidelity network provided by the embodiments of the present invention, by transferring the service of the WiFi AP to the BTS, and implementing the secure communication of the WiFi network by using the processing capability of the BTS IPSec
- the security mechanism of the WiFi network and the BTS network are unified, the security networking scheme of the communication system is simplified, and the construction cost is reduced.
- FIG. 1 is a schematic structural diagram of an embodiment of a communication system according to the present invention.
- FIG. 2 is a flow chart of an embodiment of a communication method of the present invention.
- FIG. 3 is a flow chart of another embodiment of a communication method according to the present invention.
- FIG. 5 is a flowchart of a fourth embodiment of a communication method according to the present invention.
- FIG. 6 is a schematic structural diagram of an embodiment of a base station according to the present invention.
- FIG. 7 is a schematic structural diagram of another embodiment of a base station according to the present invention.
- FIG. 8 is a schematic structural diagram of still another embodiment of a base station according to the present invention.
- FIG. 9 is a schematic structural diagram of an embodiment of a WiFi AP according to the present invention.
- FIG. 10 is a schematic structural diagram of a fourth embodiment of a base station according to the present invention.
- FIG. 11 is a schematic structural diagram of another embodiment of a WiFi AP according to the present invention.
- FIG. 12 is a schematic structural diagram of still another embodiment of a WiFi AP according to the present invention.
- FIG. 13 is a schematic structural diagram of another embodiment of a communication system according to the present invention.
- FIG. 1 is a schematic structural diagram of an embodiment of a communication system according to the present invention.
- the system in this embodiment includes: a BTS, a WiFi AP, a Security Gateway (Sec GW), a BTS core network, and an AC.
- the BTS and the WiFi AP are deployed in the Internet of the non-secure domain
- the BTS core network and the AC are deployed in the security domain
- the Sec GW is connected to the non-secure domain and the security domain
- the BTS and the WiFi AP are connected through the common transmission interface
- the Sec GW is connected to the BTS core network and the AC in the security domain.
- the services of the WiFi AP are all transferred to the BTS, and the BTS can act as a proxy of the WiFi AP to implement data transmission and reception with the core network by using its own IPSec processing capability, so that even if the WiFi AP does not have the IPSec processing capability.
- the WiFi AP implements the secure communication of the WiFi network by means of the BTS. In this way, the security mechanism of the WiFi network and the BTS network are unified, the security networking scheme of the communication system is simplified, and the construction cost is reduced.
- deploying the AC in the security domain also improves the security of the core network device of the WiFi network.
- FIG. 2 is a flowchart of an embodiment of a communication method according to the present invention. As shown in FIG. 2, the method in this embodiment may include:
- Step 101 Obtain an IP address of a WiFi AP.
- the execution subject of this embodiment may be a BTS in the communication system shown in FIG. 1.
- the BTS obtains an Internet Protocol (IP) address of the WiFi AP, and uses the IPSec security processing capability of the WiFi AP to establish an IPSec security tunnel for the WiFi AP based on the IP address.
- IP Internet Protocol
- Step 102 Establish a route on the IPSec secure tunnel for the WiFi AP according to the IP address of the WiFi AP, and generate a corresponding ACL rule.
- the BTS carries the IP address of the WiFi AP to establish a route on the existing IPSec tunnel.
- the route is IPSec-compliant.
- the source address is the IP address of the WiFi AP.
- the destination address is the IP address of the Sec GW.
- the BTS can configure itself.
- the next hop route or gateway for the WiFi AP Since the BTS assists in processing the service of the WiFi AP, there is no Access Control List (ACL) rule for the service of the WiFi AP. For example, after the WiFi AP sends the data packet to the AC to the BTS, The BTS queries the ACL to obtain the destination address of the packet forwarding.
- ACL Access Control List
- Step 103 Receive, by using a co-transmission interface with the WiFi AP, a data packet sent by the WiFi AP.
- Step 104 Encrypt the data packet according to the IPSec protocol, and forward the encrypted data packet in the IPSec security tunnel according to the route on the IPSec security tunnel and the ACL rule.
- the BTS can process the data packets sent by the WiFi AP through the common transmission interface, encrypt and decrypt the data packet by using the unified IPSec protocol, and ensure the data packet according to the routing and ACL rules. Security forwarded in a non-secure domain.
- the BTS can also perform Quality of Service (QoS) control on the services of the WiFi AP, such as scheduling permission control, maximum rate control, and rate guarantee.
- QoS Quality of Service
- the secure communication of the WiFi network is realized by the processing capability of the IPSec of the BTS, and the security mechanism of the WiFi network and the BTS network are unified, thereby simplifying the security networking solution of the communication system. Reduce construction costs.
- the method further includes: receiving, by using the co-transmission interface, a Dynamic Host Configuration Protocol (DHCP) broadcast message sent by the WiFi AP, where The broadcast message is used to request to obtain an IP address of the WiFi AP; and establish a DHCP relay agent relationship with the WiFi AP according to the broadcast message.
- DHCP Dynamic Host Configuration Protocol
- the WiFi AP automatically sends a DHCP broadcast message, and the broadcast message is used to request the WiFi AP's own IP address.
- the BTS determines that the relay agent service is enabled according to the broadcast message, and the IPSec is pre-established.
- the security tunnel sends a DHCP address request message to the WiFi AP controller AC through the IPSec security tunnel, where the address request message includes an IP address of the security gateway, so that the AC is based on the IP address of the security gateway.
- the WiFi AP allocates an IP address; receives a DHCP assignment message replied by the AC, and sends the assignment message to the WiFi AP through the co-transmission interface to establish the relay agent with the WiFi AP. Relationship, the assignment message includes an IP address of the WiFi AP.
- the BTS Before establishing the proxy of the WiFi AP, the BTS needs to determine whether the relay proxy service has been enabled. If it is enabled, the BTS pre-configures the common communication interface with the WiFi AP. In addition, the BTS must first determine whether it has already An IPSec secure tunnel is established with the Sec GW. With these two points, the BTS can establish a DHCP relay agent for the WiFi AP to assist the WiFi AP in processing the service. The BTS converts the DHCP broadcast message sent by the WiFi AP into a unicast DHCP address request message, and sends the message to the AC through the IPSec tunnel.
- the address request message carries the IP address of the Sec GW, and the DHCP server (DHCP Server) on the AC will
- the IP address of the Sec GW carried in the received DHCP address request message is used as an address pool index for assigning an IP address to the WiFi AP, and the IP address of the assigned WiFi AP is encapsulated in the allocation message and returned to the BTS, and the BTS is locally saved.
- the IP address of the WiFi AP and forward it to the WiFi AP.
- the BTS may start the relay proxy service according to the configuration of the communication system, and configure parameters of the common transmission interface, where the parameters of the common transmission interface include the common transmission interface The IP address and the status of the co-transmission interface, and establish an IPSec secure tunnel for the service.
- the step 101 of the foregoing method embodiment obtains the IP address of the WiFi AP, and the specific implementation method may be: acquiring the IP address of the WiFi AP according to the allocation message; or acquiring the communication through the WiFi AP.
- the IP address of the WiFi AP may be: acquiring the IP address of the WiFi AP according to the allocation message; or acquiring the communication through the WiFi AP.
- the method for obtaining the IP address of the WiFi AP by the BTS can be obtained from the DHCP assignment message replied by the AC through the process of establishing the relay agent, and can also be obtained through the interaction communication with the WiFi AP.
- the BTS listens on the co-transmission interface.
- An Address Resolution Protocol (ARP) message is obtained through which the WiFi IP address is obtained.
- ARP Address Resolution Protocol
- the method further includes: monitoring the WiFi AP to obtain an updated IP address of the WiFi AP, and using the updated IP address as the WiFi AP. IP address.
- the BTS needs to monitor the update of the IP address of the WiFi AP all the time, so as to obtain the first time. Go to the new IP address, use it as the IP address of the WiFi AP, and establish an IPSec security tunnel for the WiFi AP based on the updated IP address of the WiFi AP. Routes, ACL rules, and so on.
- FIG. 3 is a flowchart of another embodiment of a communication method according to the present invention. As shown in FIG. 3, the method in this embodiment may include:
- Step 201 Enable a co-transmission service with the WiFi AP, obtain an IP address of the AC, and configure parameters of the co-transmission interface, where the parameters of the co-transmission interface include an IP address of the co-transmission interface and the co-transmission interface. status;
- the method embodiment shown in FIG. 2 is a mode in which the BTS and the WiFi AP are separated from each other, that is, the BTS is controlled by the BTS core network, and the WiFi AP is controlled by the AC.
- This embodiment is a mode in which the BTS and the WiFi AP are in the main control mode. That is, the BTS can assume the function of the AC and control the WiFi AP.
- the BTS initiates the co-transport service with the WiFi AP, the BTS obtains the IP address of the AC and configures parameters of the co-transmission interface.
- Step 202 Obtain an IP address of the common transmission interface and an IP address of the WiFi AP according to a network segment of the pre-configured internal IP address, and generate a corresponding ACL rule.
- the BTS automatically configures the network segment of the internal IP address in advance, for example, 192.168.200.x/24, and then allocates the IP address of the common interface (for example, 192.168.200.1/24) and the IP address of the WiFi AP according to the network segment of the internal IP address. (eg 192.168.200.2/24).
- Step 203 Send an IP address to the WiFi AP.
- the BTS can send the IP address assigned in step 202 to the WiFi AP in two ways: one is to send an address configuration response to the WiFi AP.
- the base station can serve as the DHCP server of the WiFi AP, and respond to the WiFi AP with an address configuration response (for example, DHCP-OFFER) according to the AC DHCP specification, where the IP address of the WiFi AP and the IP address of the common transmission interface are carried.
- an address configuration response for example, DHCP-OFFER
- the broadcast message may be periodically sent on the common transmission interface, where the IP address of the WiFi AP, the IP address of the common transmission interface, and the AC are carried. IP address these three parameters.
- Step 204 Receive, by using a co-transmission interface with the WiFi AP, a data packet sent by the WiFi AP, and convert the IP address of the WiFi AP carried by the data packet into a IPSec security tunnel by using NAT. routing;
- the base station converts the IP address of the WiFi AP in the data packet sent by the WiFi AP through the co-transmission interface into a network address translation (NAT) to IPSec.
- NAT network address translation
- the route on the entire tunnel for example 192.168.200.2, is converted to 10.1.1.2.
- the base station can perform matching on the downlink data packet received from the Sec GW according to the configured source IP address (ie, AC IP), and then convert the target IP address into an internal IP address assigned to the WiFi AP through NAT, and then from the co-transmission.
- the interface forwards to the WiFi AP, for example 10.1.1.2 is converted to 192.168.200.2.
- Step 205 Encrypt the data packet according to the IPSec protocol, and forward the encrypted data packet in the IPSec security tunnel according to the route on the IPSec security tunnel and the ACL rule.
- the BTS acts as a controller of the WiFi AP, and the secure communication of the WiFi network is realized by the processing capability of the IPSec of the BTS, and the security mechanism of the WiFi network and the BTS network are unified, thereby simplifying the security networking scheme of the communication system. Reduce construction costs.
- FIG. 4 is a flowchart of still another embodiment of a communication method according to the present invention. As shown in FIG. 4, the method in this embodiment may include:
- Step 301 Send a data packet to the base station by using a co-transmission interface with the base station, so that the base station encrypts the data packet according to the IPSec protocol, and according to a pre-established route and ACL rule of the IPSec security tunnel.
- the encrypted data packet is forwarded in the IPSec secure tunnel.
- the execution body of this embodiment may be a WiFi AP in the communication system shown in FIG. 1.
- the WiFi AP After the WiFi AP establishes a relay agent relationship with the BTS, it can send the data packet to be sent to the BTS.
- the BTS encrypts the data packet according to the IPSec protocol and forwards it in the established IPSec security tunnel. .
- the WiFi AP implements the secure communication of the WiFi network by means of the BTS.
- the secure communication of the WiFi network is realized by the processing capability of the IPSec of the BTS, and the security mechanism of the WiFi network and the BTS network are unified, thereby simplifying the security networking solution of the communication system. Reduce construction costs.
- the method further includes: sending, by the common transmission interface, a DHCP broadcast message to the base station, so that the base station establishes a DHCP relay agent relationship according to the broadcast message; Receiving, by the base station, a DHCP assignment message sent by the WiFi AP controller AC, where the assignment message includes an Internet Protocol IP address of the WiFi AP allocated by the AC.
- the establishment of a relay agent relationship between the WiFi AP and the BTS can be triggered by a broadcast message sent by the WiFi AP.
- the BTS becomes a proxy of the WiFi AP, according to its own
- the IPSec processing capability provides security for the services of the WiFi AP.
- the method further includes: receiving an address configuration response sent by the base station, where the address configuration response includes an IP address of the WiFi AP, and an IP address of the common transmission interface. And receiving, by the common communication interface, a broadcast message sent by the base station, where the broadcast message includes an IP address of the WiFi AP, an IP address of the common transmission interface, and the AC IP address.
- FIG. 5 is a flowchart of a fourth embodiment of a communication method according to the present invention. As shown in FIG. 5, the method in this embodiment may include:
- the s401 and the BTS communicate with the BTS core network, enable the relay agent service, configure the parameters of the common transmission interface, and establish an IPSec security tunnel;
- the BTS first communicates with the BTS core network to determine whether to enable the relay agent service and whether to establish an IPSec security tunnel.
- the BTS receives the DHCP broadcast message of the WiFi AP by using a common transmission interface with the WiFi AP.
- the BTS determines that the relay agent service is in an open state according to the broadcast message, and the IPSec security tunnel is pre-established, and the DHCP address request message is sent to the AC by using the IPSec security tunnel, where the address request message includes security.
- the BTS can provide proxy services for the WiFi AP after determining that the relay agent service has been enabled and an IPSec security tunnel has been established.
- the AC allocates an IP address to the WiFi AP according to the IP address of the security gateway.
- the BTS receives a DHCP assignment message of the AC reply.
- the BTS sends the allocation message to the WiFi AP by using the co-transmission interface to establish a DHCP relay agent relationship with the WiFi AP.
- the BTS obtains the IP address of the WiFi AP
- the BTS establishes a route for the IPSec secure tunnel of the WiFi AP according to the IP address of the WiFi AP, and generates a corresponding ACL rule.
- the BTS receives the data packet of the WiFi AP by using a common transmission interface.
- S410 The BTS encrypts the data packet according to the IPSec protocol, and forwards the encrypted data packet in the IPSec security tunnel according to the route and the ACL rule.
- This embodiment is an interaction example of the method embodiment shown in FIG. 2 or FIG. 4 above, and the method steps are The above steps are similar and will not be described here.
- FIG. 6 is a schematic structural diagram of an embodiment of a base station according to the present invention.
- the apparatus in this embodiment may include: an obtaining module 11, a route establishing module 12, and a data packet processing module 13, wherein the acquiring module 11 is used.
- the route establishing module 12 is configured to establish a route on the Internet Protocol security IPSec secure tunnel according to the IP address of the WiFi AP, and generate a corresponding Access control list ACL rule;
- the data packet processing module 13 is configured to receive the data packet sent by the WiFi AP by using a co-transmission interface with the WiFi AP; encrypt the data packet according to an IPSec protocol, and according to The route on the IPSec secure tunnel and the ACL rule forward the encrypted data packet in the IPSec secure tunnel.
- the device in this embodiment may be used to implement the technical solution of the method embodiment shown in FIG. 2, and the implementation principle and technical effects are similar, and details are not described herein again.
- FIG. 7 is a schematic structural diagram of another embodiment of a base station according to the present invention.
- the apparatus of this embodiment may further include: a relay agent module 14 on the basis of the apparatus structure shown in FIG. And a dynamic host configuration protocol DHCP broadcast message sent by the WiFi AP, where the broadcast message is used to request to obtain an IP address of the WiFi AP, and the broadcast message is established with the WiFi AP according to the broadcast message.
- DHCP relay agent relationship a dynamic host configuration protocol
- the device in this embodiment may be used to implement the technical solution of the method embodiment shown in FIG. 2 or FIG. 5, and the implementation principle and technical effects are similar, and details are not described herein again.
- the relay agent module 14 is specifically configured to determine that the relay agent service is in an open state according to the broadcast message, and the IPSec security tunnel is pre-established, and the IPSec security tunnel is controlled to the WiFi AP.
- the AC sends a DHCP address request message, where the address request message includes an IP address of the security gateway, so that the AC allocates an IP address to the WiFi AP according to the IP address of the security gateway; and receives the DHCP assignment of the AC reply. And sending, by the message, the allocation message to the WiFi AP by using the co-transmission interface to establish the relay agent relationship with the WiFi AP, where the allocation message includes an IP address of the WiFi AP.
- the obtaining module 11 is configured to acquire an IP address of the WiFi AP according to the allocation message, or obtain an IP address of the WiFi AP by using an interaction with the WiFi AP.
- the relay agent module 14 is further configured to enable a relay agent service, and configure the Cooperating the parameters of the interface, and establishing the IPSec security tunnel, the parameters of the common transmission interface include an IP address of the co-transmission interface and a state of the co-transmission interface.
- the obtaining module 11 is further configured to monitor the WiFi AP to obtain an updated IP address of the WiFi AP, and use the updated IP address as an IP address of the WiFi AP.
- FIG. 8 is a schematic structural diagram of still another embodiment of a base station according to the present invention.
- the apparatus in this embodiment may further include: a sending module 15 on the basis of the apparatus structure shown in FIG.
- the obtaining module 11 is specifically configured to enable a co-transmission service with the WiFi AP, obtain an IP address of the AC, and configure parameters of the co-transmission interface, where the parameters of the co-transmission interface include the co-transmission interface
- the IP address and the status of the co-transmission interface; the IP address of the co-transmission interface and the IP address of the WiFi AP are allocated according to the network segment of the pre-configured internal IP address, and a corresponding ACL rule is generated.
- the sending module 15 is configured to send an address configuration response to the WiFi AP, where the address configuration response includes an IP address of the WiFi AP, an IP address of the common transmission interface, and an IP address of the AC;
- the co-transmission interface sends a broadcast message to the WiFi AP, where the broadcast message includes an IP address of the WiFi AP, an IP address of the co-transmission interface, and an IP address of the AC.
- the device in this embodiment may be used to implement the technical solution of the method embodiment shown in FIG. 3, and the implementation principle and technical effects are similar, and details are not described herein again.
- the data packet processing module 13 is configured to receive, by using a co-transmission interface with the WiFi AP, a data packet sent by the WiFi AP, and an IP address of the WiFi AP that is carried by the data packet. Converting the route to the IPSec secure tunnel by using the network address translation NAT; encrypting the data packet according to the IPSec protocol, and forwarding the data packet according to the route and the ACL rule in the IPSec security tunnel Encrypted packets.
- FIG. 9 is a schematic structural diagram of an embodiment of a WiFi AP according to the present invention.
- the apparatus in this embodiment may include: a transceiver module 21, configured to send data to the base station by using a common transmission interface with a base station. a packet, so that the base station encrypts the data packet according to the Internet Protocol Security IPSec protocol, and forwards the encrypted data packet in the IPSec security tunnel according to a pre-established IPSec security tunnel routing and access control list ACL rule. .
- the device in this embodiment may be used to implement the technical solution of the method embodiment shown in FIG. 4, and the implementation principle and technical effects are similar, and details are not described herein again.
- the transceiver module 21 is further configured to send a dynamic host configuration protocol DHCP broadcast message to the base station by using the common transmission interface, so that the base station establishes a DHCP relay agent according to the broadcast message;
- the transceiver module 21 is further configured to receive an address configuration response sent by the base station, where the address configuration response includes an IP address of the WiFi AP, an IP address of the common transmission interface, and an IP of the AC. And receiving, by the common transmission interface, a broadcast message sent by the base station, where the broadcast message includes an IP address of the WiFi AP, an IP address of the common transmission interface, and an IP address of the AC.
- FIG. 10 is a schematic structural diagram of a fourth embodiment of a base station according to the present invention.
- the device in this embodiment may include: a processor 31, a receiver 32, and a transmitter 33.
- the device 32 is configured to receive, by using a co-transmission interface with the WiFi AP, a data packet sent by the WiFi AP, and a sender 33, configured to encrypt the data packet according to an IPSec protocol, and according to the IPSec security
- the route on the tunnel and the ACL rule forward the encrypted data packet in the IPSec secure tunnel.
- the device in this embodiment may be used to implement the technical solution of the method embodiment shown in FIG. 2, FIG. 3 or FIG. 5, and the implementation principle and the technical effect are similar, and details are not described herein again.
- the receiver 32 is further configured to receive, by using the common transmission interface, a dynamic host configuration protocol DHCP broadcast message sent by the WiFi AP, where the broadcast message is used to request to acquire an IP address of the WiFi AP;
- the processor 31 is further configured to establish a DHCP relay agent relationship with the WiFi AP according to the broadcast message.
- the transmitter 33 is further configured to determine, according to the broadcast message, that the relay agent service is in an open state, and the IPSec security tunnel is pre-established, and the IPSec security tunnel is used to connect to the WiFi AP controller.
- the processor 31 is configured to acquire an IP address of the WiFi AP according to the allocation message, or obtain an IP address of the WiFi AP by using an interaction with the WiFi AP.
- the processor 31 is further configured to enable a relay proxy service, configure parameters of the common transmission interface, and establish the IPSec security tunnel, where parameters of the common transmission interface include an IP of the common transmission interface The address and the status of the co-transmission interface.
- the processor 31 is further configured to monitor the WiFi AP to obtain an updated IP address of the WiFi AP, and use the updated IP address as an IP address of the WiFi AP.
- the processor 31 is further configured to enable the co-transmission service with the WiFi AP, obtain an IP address of the AC, and configure parameters of the co-transmission interface, where the parameters of the co-transmission interface include the total The IP address of the interface and the state of the common interface are obtained.
- the IP address of the common interface and the IP address of the WiFi AP are allocated according to the network segment of the pre-configured internal IP address, and corresponding ACL rules are generated.
- the sender 33 is further configured to send an address configuration response to the WiFi AP, where the address configuration response includes an IP address of the WiFi AP, an IP address of the common transmission interface, and an IP of the AC Or transmitting, by the common transmission interface, a broadcast message to the WiFi AP, where the broadcast message includes an IP address of the WiFi AP, an IP address of the common transmission interface, and an IP address of the AC.
- the receiver 32 is configured to receive, by using a co-transmission interface with the WiFi AP, a data packet sent by the WiFi AP, where the processor 31 is further configured to carry the data packet.
- the IP address of the WiFi AP is converted into a route on the IPSec secure tunnel by using a network address translation NAT.
- the sender 33 is specifically configured to encrypt the data packet according to the IPSec protocol, and according to the IPSec security tunnel.
- the upper route and the ACL rule forward the encrypted data packet in the IPSec secure tunnel.
- FIG. 11 is a schematic structural diagram of another embodiment of a WiFi AP according to the present invention.
- the device in this embodiment may include: a transmitter 41, configured to send to the base station by using a common transmission interface with a base station. a data packet, so that the base station encrypts the data packet according to the Internet Protocol Security IPSec protocol, and forwards the encrypted data in the IPSec security tunnel according to a pre-established IPSec security tunnel routing and access control list ACL rule. package.
- a transmitter 41 configured to send to the base station by using a common transmission interface with a base station.
- a data packet so that the base station encrypts the data packet according to the Internet Protocol Security IPSec protocol, and forwards the encrypted data in the IPSec security tunnel according to a pre-established IPSec security tunnel routing and access control list ACL rule. package.
- the device of this embodiment may be used to implement the technical solution of the method embodiment shown in FIG. 4 or FIG.
- the implementation principle and technical effect are similar, and will not be described here.
- FIG. 12 is a schematic structural diagram of still another embodiment of a WiFi AP according to the present invention.
- the device in this embodiment may further include: a receiver 42 on the basis of the device structure shown in FIG.
- the transmitter 41 is further configured to send, by using the common transmission interface, a dynamic host configuration protocol (DHCP) broadcast message to the base station, so that the base station establishes a DHCP relay agent according to the broadcast message; the receiver 42, And a method for receiving, by the base station, a DHCP assignment message sent by the WiFi AP controller AC, where the assignment message includes an Internet Protocol IP address of the WiFi AP allocated by the AC.
- DHCP dynamic host configuration protocol
- the device in this embodiment may be used to implement the technical solution of the method embodiment shown in FIG. 4 or FIG. 5, and the implementation principle and technical effects are similar, and details are not described herein again.
- the receiver 42 is further configured to receive an address configuration response sent by the base station, where the address configuration response includes an IP address of the WiFi AP, an IP address of the common transmission interface, and an IP of the AC. And receiving, by the common transmission interface, a broadcast message sent by the base station, where the broadcast message includes an IP address of the WiFi AP, an IP address of the common transmission interface, and an IP address of the AC.
- FIG. 13 is a schematic structural diagram of another embodiment of a communication system according to the present invention.
- the system in this embodiment includes: a base station 51 and a WiFi AP 52, wherein the base station 51 can adopt any of FIG. 6 to FIG.
- the technical solution of any one of the method embodiments of FIG. 2, FIG. 3 and FIG. 5 can be performed, and the implementation principle and technical effects are similar, and details are not described herein;
- the structure of the device embodiment shown in FIG. 9 can be used.
- the technical solution of the method embodiment shown in FIG. 4 or FIG. 5 can be performed.
- the implementation principle and technical effects are similar, and details are not described herein again.
- the base station 51 can adopt the structure of the device embodiment shown in FIG. 10, and correspondingly, the method of any one of FIG. 2, FIG. 3, and FIG. 5 can be implemented.
- the technical solution of the example is similar to the technical effect, and is not described here.
- the WiFi AP 52 can adopt the structure of the device embodiment shown in FIG. 11 or FIG. 12, and correspondingly, FIG. 4 or FIG. 5 can be performed.
- the technical solution of the method embodiment is similar, and the implementation principle and the technical effect are similar, and details are not described herein again.
- the disclosed apparatus and method may be implemented in other manners.
- the device embodiments described above are merely illustrative,
- the division of the unit is only a logical function division, and the actual implementation may have another division manner.
- multiple units or components may be combined or may be integrated into another system, or some features may be ignored, or carried out.
- the mutual coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interface, device or unit, and may be in an electrical, mechanical or other form.
- the units described as separate components may or may not be physically separated, and the components displayed as the unit may or may not be physical units, that is, may be located in one place, or may be distributed to multiple network units. . Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
- each functional unit in each embodiment of the present invention may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit.
- the above integrated unit can be implemented in the form of hardware or in the form of hardware plus software functional units.
- the base station and the WIFI AP can adopt a system on chip (System on Chips, SOC for short) or a SOC plus hardware circuit.
- SOC System on Chips
- the method is such that the base station and the WIFI AP implement the method flow/functional unit involved in the above various embodiments of the present invention.
- the above-described integrated unit implemented in the form of a software functional unit can be stored in a computer readable storage medium.
- the above software functional unit is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) or a processor to perform the methods of the various embodiments of the present invention. Part of the steps.
- the foregoing storage medium includes: a U disk, a mobile hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disk, and the like, which can store program codes. .
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computing Systems (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
本发明实施例提供一种通信方法、基站、接入点及系统。本发明通信方法,包括:获取无线保真WiFi接入点AP的网际协议IP地址;根据所述WiFi AP的IP地址为所述WiFi AP建立网际协议安全IPSec安全隧道上的路由,并生成相应的访问控制列表ACL规则;通过与所述WiFi AP之间的共传接口接收所述WiFi AP发送的数据包;根据IPSec协议对所述数据包进行加密,并根据所述IPSec安全隧道上的路由和所述ACL规则在所述IPSec安全隧道中转发加密后的数据包。本发明实施例将WiFi网络和BTS网络的安全机制统一起来,简化了通信系统的安全组网方案,降低建设成本。
Description
本发明实施例涉及通信技术,尤其涉及一种与无线保真网络有关的安全通信方法、基站、接入点及系统。
运营商部署基站(Basestation,简称:BTS)的时候,希望BTS也能提供无线保真(Wireless Fidelity,简称:WiFi)业务,因此越来越多的BTS产品普遍集成有WiFi接入点(Access Point,简称:AP),以提供无线业务和WiFi业务。而为了保证网络的安全,多数BTS支持网际协议安全(Internet Protocol Security,简称:IPSec),但是出于节省成本的考虑,通常WiFi AP不具备IPSec的处理能力。
目前,为了保证集成在BTS中的WiFi AP的网络安全,是将WiFi网络的AP控制器(AP Controller,简称:AC)部署在非安全域(例如互联网),通过在WiFi AP和AC之间的隧道中增加加密技术来保证安全性。
但是,这样WiFi网络采用与BTS网络不相同的安全方案,运营商需要部署两套安全机制,兼容性低,代价太大,而且AC部署在非安全域中,存在很大的安全风险。另外,针对集成WiFi的基站,由于很多基站特别是小基站和WiFi AP类似,均为用户端的设备,为了简化配置、简化基站业务的发放,要求这类基站在支持IPSec功能的同时,依然要满足免规划、免配置的要求。
发明内容
本发明实施例提供一种通信方法、基站、接入点及系统,以将WiFi网络和BTS网络的安全机制统一起来,简化了通信系统的安全组网方案,降低建设成本。
第一方面,本发明实施例提供一种通信方法,包括:
获取无线保真WiFi接入点AP的网际协议IP地址;
根据所述WiFi AP的IP地址为所述WiFi AP建立网际协议安全IPSec安全隧道上的路由,并生成相应的访问控制列表ACL规则;
通过与所述WiFi AP之间的共传接口接收所述WiFi AP发送的数据包;
根据IPSec协议对所述数据包进行加密,并根据所述IPSec安全隧道上的路由和所述ACL规则在所述IPSec安全隧道中转发加密后的数据包。
结合第一方面,在第一方面的第一种可能的实现方式中,所述获取WiFi AP的IP地址之前,还包括:
通过所述共传接口接收所述WiFi AP发送的动态主机配置协议DHCP广播消息,所述广播消息用于请求获取所述WiFi AP的IP地址;
根据所述广播消息与所述WiFi AP建立DHCP中继代理关系。
结合第一方面的第一种可能的实现方式,在第一方面的第二种可能的实现方式中,所述根据所述广播消息与所述WiFi AP建立DHCP中继代理关系,包括:
根据所述广播消息确定中继代理业务为开启状态,且已预先建立所述IPSec安全隧道,通过所述IPSec安全隧道所述向WiFi AP控制器AC发送DHCP地址请求消息,所述地址请求消息包括安全网关的IP地址,以使所述AC根据所述安全网关的IP地址为所述WiFi AP分配IP地址;
接收所述AC回复的DHCP分配消息,将所述分配消息通过所述共传接口发送给所述WiFi AP,以建立与所述WiFi AP之间的所述中继代理关系,所述分配消息包括所述WiFi AP的IP地址。
结合第一方面的第二种可能的实现方式,在第一方面的第三种可能的实现方式中,所述获取WiFi AP的IP地址,包括:
根据所述分配消息获取所述WiFi AP的IP地址;或者,
通过与所述WiFi AP的交互通信获取所述WiFi AP的IP地址。
结合第一方面的第一种至第三种中任一种可能的实现方式,在第一方面的第四种可能的实现方式中,所述通过所述共传接口接收所述WiFi AP发送的DHCP广播消息之前,还包括:
开启中继代理业务,配置所述共传接口的参数,并建立所述IPSec安全隧道,所述共传接口的参数包括所述共传接口的IP地址和所述共传接口的状态。
结合第一方面、第一方面的第一种至第四种中任一种可能的实现方式,在第一方面的第五种可能的实现方式中,所述获取WiFi AP的IP地址之后,还包括:
监测所述WiFi AP以获取所述WiFi AP更新后的IP地址,并将所述更新后的IP地址作为所述WiFi AP的IP地址。
结合第一方面,在第一方面的第六种可能的实现方式中,所述获取WiFi AP的IP地址之前,还包括:
开启与所述WiFi AP的共传输业务,获取AC的IP地址,并配置所述共传接口的参数,所述共传接口的参数包括所述共传接口的IP地址和所述共传接口的状态;
所述获取WiFi AP的IP地址,包括:
获取根据预先配置的内部IP地址的网段分配所述共传接口的IP地址和所述WiFi AP的IP地址,并生成相应的ACL规则。
结合第一方面的第六种可能的实现方式,在第一方面的第七种可能的实现方式中,所述获取WiFi AP的IP地址之后,还包括:
向所述WiFi AP发送地址配置响应,所述地址配置响应包括所述WiFi AP的IP地址、所述共传接口的IP地址以及所述AC的IP地址;或者,
通过所述共传接口向所述WiFi AP发送广播消息,所述广播消息包括所述WiFi AP的IP地址、所述共传接口的IP地址以及所述AC的IP地址。
结合第一方面的第六种或第七种可能的实现方式,在第一方面的第八种可能的实现方式中,所述获取WiFi AP的IP地址之后,还包括:
通过与所述WiFi AP之间的共传接口接收所述WiFi AP发送的数据包,将所述数据包携带的所述WiFi AP的IP地址通过网络地址转换NAT转换成所述IPSec安全隧道上的路由;
根据IPSec协议对所述数据包进行加密,并根据所述IPSec安全隧道上的路由和所述ACL规则在所述IPSec安全隧道中转发加密后的数据包。
第二方面,本发明实施例提供一种通信方法,包括:
通过与基站之间的共传接口向所述基站发送数据包,以使所述基站根据网际协议安全IPSec协议对所述数据包进行加密,并根据预先建立的IPSec安全隧道的路由和访问控制列表ACL规则在所述IPSec安全隧道中转发加密
后的数据包。
结合第二方面,在第二方面的第一种可能的实现方式中,所述通过与基站之间的共传接口向所述基站发送数据包之前,还包括:
通过所述共传接口向所述基站发送动态主机配置协议DHCP广播消息,以使所述基站根据所述广播消息建立DHCP中继代理;
接收所述基站转发的由WiFi AP控制器AC发出的DHCP分配消息,所述分配消息包括所述AC分配的所述WiFi AP的网际协议IP地址。
结合第二方面,在第二方面的第二种可能的实现方式中,所述通过与基站之间的共传接口向所述基站基站发送数据包之前,还包括:
接收所述基站发送的地址配置响应,所述地址配置响应包括所述WiFi AP的IP地址、所述共传接口的IP地址以及所述AC的IP地址;或者,
通过所述共传接口接收所述基站发送的广播消息,所述广播消息包括所述WiFi AP的IP地址、所述共传接口的IP地址以及所述AC的IP地址。
第三方面,本发明实施例提供一种基站,包括:
获取模块,用于获取无线保真WiFi接入点AP的网际协议IP地址;
路由建立模块,用于根据所述WiFi AP的IP地址为所述WiFi AP建立网际协议安全IPSec安全隧道上的路由,并生成相应的访问控制列表ACL规则;
数据包处理模块,用于通过与所述WiFi AP之间的共传接口接收所述WiFi AP发送的数据包;根据IPSec协议对所述数据包进行加密,并根据所述IPSec安全隧道上的路由和所述ACL规则在所述IPSec安全隧道中转发加密后的数据包。
结合第三方面,在第三方面的第一种可能的实现方式中,还包括:
中继代理模块,用于通过所述共传接口接收所述WiFi AP发送的动态主机配置协议DHCP广播消息,所述广播消息用于请求获取所述WiFi AP的IP地址;根据所述广播消息与所述WiFi AP建立DHCP中继代理关系。
结合第三方面的第一种可能的实现方式,在第三方面的第二种可能的实现方式中,所述中继代理模块,具体用于根据所述广播消息确定中继代理业务为开启状态,且已预先建立所述IPSec安全隧道,通过所述IPSec安全隧道所述向WiFi AP控制器AC发送DHCP地址请求消息,所述地址请求消息包括安全网关的IP地址,以使所述AC根据所述安全网关的IP地址为所述WiFi
AP分配IP地址;接收所述AC回复的DHCP分配消息,将所述分配消息通过所述共传接口发送给所述WiFi AP,以建立与所述WiFi AP之间的所述中继代理关系,所述分配消息包括所述WiFi AP的IP地址。
结合第三方面的第二种可能的实现方式,在第三方面的第三种可能的实现方式中,所述获取模块,具体用于根据所述分配消息获取所述WiFi AP的IP地址;或者,通过与所述WiFi AP的交互通信获取所述WiFi AP的IP地址。
结合第三方面的第一种至第三种中任一种可能的实现方式,在第三方面的第四种可能的实现方式中,所述中继代理模块,还用于开启中继代理业务,配置所述共传接口的参数,并建立所述IPSec安全隧道,所述共传接口的参数包括所述共传接口的IP地址和所述共传接口的状态。
结合第三方面、第三方面的第一种至第四种中任一种可能的实现方式,在第三方面的第五种可能的实现方式中,所述获取模块,还用于监测所述WiFi AP以获取所述WiFi AP更新后的IP地址,并将所述更新后的IP地址作为所述WiFi AP的IP地址。
结合第三方面,在第三方面的第六种可能的实现方式中,所述获取模块,具体用于开启与所述WiFi AP的共传输业务,获取AC的IP地址,并配置所述共传接口的参数,所述共传接口的参数包括所述共传接口的IP地址和所述共传接口的状态;获取根据预先配置的内部IP地址的网段分配所述共传接口的IP地址和所述WiFi AP的IP地址,并生成相应的ACL规则。
结合第三方面的第六种可能的实现方式,在第三方面的第七种可能的实现方式中,还包括:
发送模块,用于向所述WiFi AP发送地址配置响应,所述地址配置响应包括所述WiFi AP的IP地址、所述共传接口的IP地址以及所述AC的IP地址;或者,通过所述共传接口向所述WiFi AP发送广播消息,所述广播消息包括所述WiFi AP的IP地址、所述共传接口的IP地址以及所述AC的IP地址。
结合第三方面的第六种或第七种可能的实现方式,在第三方面的第八种可能的实现方式中,所述数据包处理模块,具体用于通过与所述WiFi AP之间的共传接口接收所述WiFi AP发送的数据包,将所述数据包携带的所述WiFi AP的IP地址通过网络地址转换NAT转换成所述IPSec安全隧道上的路
由;根据IPSec协议对所述数据包进行加密,并根据所述IPSec安全隧道上的路由和所述ACL规则在所述IPSec安全隧道中转发加密后的数据包。
第四方面,本发明实施例提供一种无线保真WiFi接入点AP,包括:
收发模块,用于通过与基站之间的共传接口向所述基站发送数据包,以使所述基站根据网际协议安全IPSec协议对所述数据包进行加密,并根据预先建立的IPSec安全隧道的路由和访问控制列表ACL规则在所述IPSec安全隧道中转发加密后的数据包。
结合第四方面,在第四方面的第一种可能的实现方式中,所述收发模块,还用于通过所述共传接口向所述基站发送动态主机配置协议DHCP广播消息,以使所述基站根据所述广播消息建立DHCP中继代理;接收所述基站转发的由WiFi AP控制器AC发出的DHCP分配消息,所述分配消息包括所述AC分配的所述WiFi AP的网际协议IP地址。
结合第四方面,在第四方面的第二种可能的实现方式中,所述收发模块,还用于接收所述基站发送的地址配置响应,所述地址配置响应包括所述WiFi AP的IP地址、所述共传接口的IP地址以及所述AC的IP地址;或者,通过所述共传接口接收所述基站发送的广播消息,所述广播消息包括所述WiFi AP的IP地址、所述共传接口的IP地址以及所述AC的IP地址。
第五方面,本发明实施例提供一种基站,包括:
处理器,用于获取无线保真WiFi接入点AP的网际协议IP地址;根据所述WiFi AP的IP地址为所述WiFi AP建立网际协议安全IPSec安全隧道上的路由,并生成相应的访问控制列表ACL规则;
接收器,用于通过与所述WiFi AP之间的共传接口接收所述WiFi AP发送的数据包;
发送器,用于根据IPSec协议对所述数据包进行加密,并根据所述IPSec安全隧道上的路由和所述ACL规则在所述IPSec安全隧道中转发加密后的数据包。
结合第五方面,在第五方面的第一种可能的实现方式中,所述接收器,还用于通过所述共传接口接收所述WiFi AP发送的动态主机配置协议DHCP广播消息,所述广播消息用于请求获取所述WiFi AP的IP地址;
所述处理器,还用于根据所述广播消息与所述WiFi AP建立DHCP中继
代理关系。
结合第五方面的第一种可能的实现方式,在第五方面的第二种可能的实现方式中,所述发送器,还用于根据所述广播消息确定中继代理业务为开启状态,且已预先建立所述IPSec安全隧道,通过所述IPSec安全隧道所述向WiFi AP控制器AC发送DHCP地址请求消息,所述地址请求消息包括安全网关的IP地址,以使所述AC根据所述安全网关的IP地址为所述WiFi AP分配IP地址;
所述接收器,还用于接收所述AC回复的DHCP分配消息,将所述分配消息通过所述共传接口发送给所述WiFi AP,以建立与所述WiFi AP之间的所述中继代理关系,所述分配消息包括所述WiFi AP的IP地址。
结合第五方面的第二种可能的实现方式,在第五方面的第三种可能的实现方式中,所述处理器,具体用于根据所述分配消息获取所述WiFi AP的IP地址;或者,通过与所述WiFi AP的交互通信获取所述WiFi AP的IP地址。
结合第五方面的第一种至第三种中任一种可能的实现方式,在第五方面的第四种可能的实现方式中,所述处理器,还用于开启中继代理业务,配置所述共传接口的参数,并建立所述IPSec安全隧道,所述共传接口的参数包括所述共传接口的IP地址和所述共传接口的状态。
结合第五方面、第五方面的第一种至第四种中任一种可能的实现方式,在第五方面的第五种可能的实现方式中,所述处理器,还用于监测所述WiFi AP以获取所述WiFi AP更新后的IP地址,并将所述更新后的IP地址作为所述WiFi AP的IP地址。
结合第五方面,在第五方面的第六种可能的实现方式中,所述处理器,还用于开启与所述WiFi AP的共传输业务,获取AC的IP地址,并配置所述共传接口的参数,所述共传接口的参数包括所述共传接口的IP地址和所述共传接口的状态;获取根据预先配置的内部IP地址的网段分配所述共传接口的IP地址和所述WiFi AP的IP地址,并生成相应的ACL规则。
结合第五方面的第六种可能的实现方式,在第五方面的第七种可能的实现方式中,所述发送器,还用于向所述WiFi AP发送地址配置响应,所述地址配置响应包括所述WiFi AP的IP地址、所述共传接口的IP地址以及所述AC的IP地址;或者,通过所述共传接口向所述WiFi AP发送广播消息,所
述广播消息包括所述WiFi AP的IP地址、所述共传接口的IP地址以及所述AC的IP地址。
结合第五方面的第六种或第七种可能的实现方式,在第五方面的第八种可能的实现方式中,所述接收器,具体用于通过与所述WiFi AP之间的共传接口接收所述WiFi AP发送的数据包;
所述处理器,还用于将所述数据包携带的所述WiFi AP的IP地址通过网络地址转换NAT转换成所述IPSec安全隧道上的路由;
所述发送器,具体用于根据IPSec协议对所述数据包进行加密,并根据所述IPSec安全隧道上的路由和所述ACL规则在所述IPSec安全隧道中转发加密后的数据包。
第六方面,本发明实施例提供一种无线保真WiFi接入点AP,包括:
发送器,用于通过与基站之间的共传接口向所述基站发送数据包,以使所述基站根据网际协议安全IPSec协议对所述数据包进行加密,并根据预先建立的IPSec安全隧道的路由和访问控制列表ACL规则在所述IPSec安全隧道中转发加密后的数据包。
结合第六方面,在第六方面的第一种可能的实现方式中,还包括:接收器;
所述发送器,还用于通过所述共传接口向所述基站发送动态主机配置协议DHCP广播消息,以使所述基站根据所述广播消息建立DHCP中继代理;
所述接收器,用于接收所述基站转发的由WiFi AP控制器AC发出的DHCP分配消息,所述分配消息包括所述AC分配的所述WiFi AP的网际协议IP地址。
结合第六方面的第一种可能的实现方式,在第六方面的第二种可能的实现方式中,所述接收器,还用于接收所述基站发送的地址配置响应,所述地址配置响应包括所述WiFi AP的IP地址、所述共传接口的IP地址以及所述AC的IP地址;或者,通过所述共传接口接收所述基站发送的广播消息,所述广播消息包括所述WiFi AP的IP地址、所述共传接口的IP地址以及所述AC的IP地址。
第七方面,本发明实施例提供一种通信系统,包括:基站和无线保真WiFi接入点AP,其中,所述基站采用第三方面、第三方面的第一种至第八种中任
一种可能的实现方式所述的基站;所述WiFi AP采用第四方面、第四方面的第一种至第二种中任一种可能的实现方式所述的WiFi AP。
第八方面,本发明实施例提供一种通信系统,包括:基站和无线保真WiFi接入点AP,其中,所述基站采用第五方面、第五方面的第一种至第八种中任一种可能的实现方式所述的基站;所述WiFi AP采用第六方面、第六方面的第一种至第二种中任一种可能的实现方式所述的WiFi AP。
本发明实施例所提供的与无线保真网络有关的安全通信方法、基站、接入点及系统,通过将WiFi AP的业务转到BTS上,借助BTS的IPSec的处理能力实现WiFi网络的安全通信,将WiFi网络和BTS网络的安全机制统一起来,简化了通信系统的安全组网方案,降低建设成本。
为了更清楚地说明本发明实施例或现有技术中的技术方案,下面将对实施例或现有技术描述中所需要使用的附图作一简单地介绍,显而易见地,下面描述中的附图是本发明的一些实施例,对于本领域普通技术人员来讲,在不付出创造性劳动性的前提下,还可以根据这些附图获得其他的附图。
图1为本发明通信系统的一个实施例的结构示意图;
图2为本发明通信方法的一个实施例的流程图;
图3为本发明通信方法的另一个实施例的流程图;
图4为本发明通信方法的又一个实施例的流程图;
图5为本发明通信方法的第四个实施例的流程图;
图6为本发明基站的一个实施例的结构示意图;
图7为本发明基站的另一个实施例的结构示意图;
图8为本发明基站的又一个实施例的结构示意图;
图9为本发明WiFi AP的一个实施例的结构示意图;
图10为本发明基站的第四个实施例的结构示意图;
图11为本发明WiFi AP的另一个实施例的结构示意图;
图12为本发明WiFi AP的又一个实施例的结构示意图;
图13为本发明通信系统的另一个实施例的结构示意图。
为使本发明实施例的目的、技术方案和优点更加清楚,下面将结合本发明实施例中的附图,对本发明实施例中的技术方案进行清楚、完整地描述,显然,所描述的实施例是本发明一部分实施例,而不是全部的实施例。基于本发明中的实施例,本领域普通技术人员在没有作出创造性劳动前提下所获得的所有其他实施例,都属于本发明保护的范围。
图1为本发明通信系统的一个实施例的结构示意图,如图1所示,本实施例的系统包括:BTS、WiFi AP、安全网关(Security Gateway,简称:Sec GW)、BTS核心网以及AC,其中,BTS和WiFi AP部署在非安全域的互联网中,BTS核心网和AC部署在安全域中,Sec GW连接非安全域和安全域;BTS和WiFi AP之间通过共传接口连接;BTS与Sec GW之间根据IPSec协议建立IPSec安全隧道,以保障非安全域中的通信安全;Sec GW在安全域中分别与BTS核心网、AC连接。
本实施例中,WiFi AP的业务均转到BTS上,BTS可以作为WiFi AP的代理利用自身的IPSec处理能力为其实现与核心网之间的数据收发,这样即便WiFi AP自身不具备IPSec处理能力,但经过业务转移,WiFi AP借助BTS实现了WiFi网络的安全通信。这样将WiFi网络和BTS网络的安全机制统一起来,简化了通信系统的安全组网方案,降低建设成本,另外,将AC部署在安全域中也提高了WiFi网络的核心网设备的安全性。
图2为本发明通信方法的一个实施例的流程图,如图2所示,本实施例的方法可以包括:
步骤101、获取WiFi AP的IP地址;
本实施例的执行主体可以是图1所示通信系统中的BTS。BTS获取WiFi AP的网际协议(Internet Protocol,简称:IP)地址,以基于此IP地址利用自身的IPSec安全处理能力为WiFi AP建立IPSec安全隧道。
步骤102、根据所述WiFi AP的IP地址为所述WiFi AP建立IPSec安全隧道上的路由,并生成相应的ACL规则;
BTS携带WiFi AP的IP地址在已有的IPSec安全隧道上建立路由,该路由符合IPSec协议,其源地址为WiFi AP的IP地址,目的地址为而Sec GW的IP地址,BTS可以将其自身配置为WiFi AP的下一跳路由或者网关,同时
由于BTS协助处理WiFi AP的业务,因此原本是没有关于WiFi AP的业务的访问控制列表(Access Control List,简称:ACL)规则的,例如,WiFi AP将要发送给AC的数据包发送给BTS后,BTS查询ACL获取到数据包转发的目的地址。
步骤103、通过与所述WiFi AP之间的共传接口接收所述WiFi AP发送的数据包;
步骤104、根据IPSec协议对所述数据包进行加密,并根据所述IPSec安全隧道上的路由和所述ACL规则在所述IPSec安全隧道中转发加密后的数据包。
BTS为WiFi AP建立IPSec安全隧道的路由后,就可以对WiFi AP通过共传接口发送的数据包进行处理,采用统一的IPSec协议对数据包进行加解密,并依据路由和ACL规则保障数据包在非安全域中转发的安全性。BTS还可以对WiFi AP的业务进行服务质量(Quality of Service,简称:QoS)控制,例如:调度权限控制、最大速率控制、速率保证等。
本实施例,通过将WiFi AP的业务转到BTS上,借助BTS的IPSec的处理能力实现WiFi网络的安全通信,将WiFi网络和BTS网络的安全机制统一起来,简化了通信系统的安全组网方案,降低建设成本。
进一步的,上述方法实施例的步骤101之前,所述方法还包括:通过所述共传接口接收所述WiFi AP发送的动态主机配置协议(Dynamic Host Configuration Protocol,简称:DHCP)广播消息,所述广播消息用于请求获取所述WiFi AP的IP地址;根据所述广播消息与所述WiFi AP建立DHCP中继代理关系。
具体来讲,WiFi AP启动后会自动发送DHCP广播消息,该广播消息用于请求WiFi AP自己的IP地址,BTS根据所述广播消息确定中继代理业务为开启状态,且已预先建立所述IPSec安全隧道,通过所述IPSec安全隧道所述向WiFi AP控制器AC发送DHCP地址请求消息,所述地址请求消息包括安全网关的IP地址,以使所述AC根据所述安全网关的IP地址为所述WiFi AP分配IP地址;接收所述AC回复的DHCP分配消息,将所述分配消息通过所述共传接口发送给所述WiFi AP,以建立与所述WiFi AP之间的所述中继代理关系,所述分配消息包括所述WiFi AP的IP地址。
BTS在建立WiFi AP的代理之前,需要先确定自身是否已经开启了中继代理业务,如果开启,则BTS会预先配置与WiFi AP之间的共传接口,另外,BTS也要先确定自身是否已经与Sec GW建立了IPSec安全隧道。具备这两点,BTS才能为WiFi AP建立DHCP中继代理,协助WiFi AP处理业务。BTS将WiFi AP发送的DHCP广播消息转化成单播的DHCP地址请求消息,并通过IPSec安全隧道发送给AC,该地址请求消息中携带Sec GW的IP地址,AC上的DHCP服务器(DHCP Server)将根据收到的DHCP地址请求消息中携带的Sec GW的IP地址,作为为WiFi AP分配IP地址的地址池索引,并将分配WiFi AP的IP地址封装在分配消息中回复给BTS,BTS在本地保存WiFi AP的IP地址,并将其再转发给WiFi AP。通过上述通信过程,BTS与WiFi AP之间便建立起了中继代理关系,BTS正式开始作为WiFi AP的代理,借助自身的IPSec的处理能力实现WiFi网络的安全通信。
可选的,在BTS接收到WiFi AP的广播消息之前,BTS可以根据通信系统的配置开启中继代理业务,配置所述共传接口的参数,所述共传接口的参数包括所述共传接口的IP地址和所述共传接口的状态,并建立业务需要的IPSec安全隧道。
进一步的,上述方法实施例的步骤101获取WiFi AP的IP地址,具体的实现方法可以是:根据所述分配消息获取所述WiFi AP的IP地址;或者,通过与所述WiFi AP的交互通信获取所述WiFi AP的IP地址。
BTS获取WiFi AP的IP地址的方法,可以通过上述建立中继代理的过程从AC回复的DHCP分配消息中获取;还可以通过与WiFi AP的交互通信中获取,例如,BTS在共传接口上监听地址解析协议(Address Resolution Protocol,简称:ARP)消息,通过该ARP消息获取到WiFi IP地址。
进一步的,上述方法实施例的步骤101之后,所述方法还包括:监测所述WiFi AP以获取所述WiFi AP更新后的IP地址,并将所述更新后的IP地址作为所述WiFi AP的IP地址。
具体来讲,BTS在获取到WiFi AP的IP地址之后,WiFi AP的IP地址的IP地址有可能会发生变化,因此BTS需要一直监测WiFi AP的IP地址的更新情况,以便于在第一时间获取到新的IP地址,将其作为WiFi AP的IP地址,并及时根据更新后的WiFi AP的IP地址为WiFi AP建立IPSec安全隧
道的路由、生成ACL规则等。
图3为本发明通信方法的另一个实施例的流程图,如图3所示,本实施例的方法可以包括:
步骤201、开启与WiFi AP的共传输业务,获取AC的IP地址,并配置所述共传接口的参数,所述共传接口的参数包括所述共传接口的IP地址和所述共传接口的状态;
图2所示的方法实施例是BTS与WiFi AP分离主控的模式,即BTS由BTS核心网进行控制,而WiFi AP由AC进行控制,本实施例是BTS与WiFi AP共主控模式的模式,即BTS可以承担AC的功能,对WiFi AP进行控制。BTS在开启与WiFi AP的共传输业务时,获取AC的IP地址,并配置所述共传接口的参数。
步骤202、获取根据预先配置的内部IP地址的网段分配所述共传接口的IP地址和所述WiFi AP的IP地址,并生成相应的ACL规则;
BTS预先自动配置内部IP地址的网段,例如192.168.200.x/24,然后根据该内部IP地址的网段分配共传接口的IP地址(例如192.168.200.1/24)和WiFi AP的IP地址(例如192.168.200.2/24)。
步骤203、将IP地址发送给所述WiFi AP;
BTS可以通过两种方式将步骤202中分配的IP地址发送给WiFi AP:一种是向所述WiFi AP发送地址配置响应。此时,基站可以作为WiFi AP的DHCP Server,按照AC DHCP规范,给WiFi AP回应一个地址配置响应(例如DHCP-OFFER),其中携带所述WiFi AP的IP地址、所述共传接口的IP地址以及所述AC的IP地址这三个参数;另一种是通过所述共传接口向所述WiFi AP发送广播消息。此时,由于基站仅连接一个WiFi AP,获取AC IP之后,可以在共传接口上定时发送广播消息,其中携带所述WiFi AP的IP地址、所述共传接口的IP地址以及所述AC的IP地址这三个参数。
步骤204、通过与所述WiFi AP之间的共传接口接收所述WiFi AP发送的数据包,将所述数据包携带的所述WiFi AP的IP地址通过NAT转换成所述IPSec安全隧道上的路由;
基站对WiFi AP通过共传接口发送的数据包中的WiFi AP的IP地址进行网络地址转换(Network Address Translation,简称:NAT)转换成IPSec安
全隧道上的路由,例如192.168.200.2转换成10.1.1.2。
另外,基站对于下行从Sec GW收到的数据包,可以根据配置的源IP地址(即AC IP)进行匹配,然后将目标IP地址经过NAT转换成分配给WiFi AP的内部IP地址,然后从共传接口转发给WiFi AP,例如10.1.1.2转换成192.168.200.2。
步骤205、根据IPSec协议对所述数据包进行加密,并根据所述IPSec安全隧道上的路由和所述ACL规则在所述IPSec安全隧道中转发加密后的数据包。
本实施例,通过由BTS充当WiFi AP的控制器,借助BTS的IPSec的处理能力实现WiFi网络的安全通信,将WiFi网络和BTS网络的安全机制统一起来,简化了通信系统的安全组网方案,降低建设成本。
图4为本发明通信方法的又一个实施例的流程图,如图4所示,本实施例的方法可以包括:
步骤301、通过与基站之间的共传接口向所述基站发送数据包,以使所述基站根据IPSec协议对所述数据包进行加密,并根据预先建立的IPSec安全隧道的路由和ACL规则在所述IPSec安全隧道中转发加密后的数据包。
本实施例的执行主体可以是图1所示通信系统中的WiFi AP。WiFi AP在与BTS之间建立了中继代理关系后,即可将要发送的数据包发送给BTS,由BTS根据IPSec协议对数据包进行加密处理,并在已建立好的IPSec安全隧道中进行转发。这样即使WiFi AP不具备IPSec的处理能力,但是经过业务转移,WiFi AP借助BTS实现了WiFi网络的安全通信。
本实施例,通过将WiFi AP的业务转到BTS上,借助BTS的IPSec的处理能力实现WiFi网络的安全通信,将WiFi网络和BTS网络的安全机制统一起来,简化了通信系统的安全组网方案,降低建设成本。
进一步的,上述方法实施例的步骤301之前,所述方法还包括:通过所述共传接口向所述基站发送DHCP广播消息,以使所述基站根据所述广播消息建立DHCP中继代理关系;接收所述基站转发的由WiFi AP控制器AC发出的DHCP分配消息,所述分配消息包括所述AC分配的所述WiFi AP的网际协议IP地址。
WiFi AP与BTS之间建立中继代理关系可以通过WiFi AP发送的广播消息触发,通过两者之间的通信交互,BTS成为WiFi AP的代理,根据自身的
IPSec处理能力为WiFi AP的业务提供安全保障。
进一步的,上述方法实施例的步骤301之前,所述方法还包括:接收所述基站发送的地址配置响应,所述地址配置响应包括所述WiFi AP的IP地址、所述共传接口的IP地址以及所述AC的IP地址;或者,通过所述共传接口接收所述基站发送的广播消息,所述广播消息包括所述WiFi AP的IP地址、所述共传接口的IP地址以及所述AC的IP地址。
图5为本发明通信方法的第四个实施例的流程图,如图5所示,本实施例的方法可以包括:
s401、BTS与BTS核心网通信,开启中继代理业务,配置共传接口的参数,并建立IPSec安全隧道;
BTS首先与BTS核心网通信,确定是否开启中继代理业务,是否建立IPSec安全隧道。
s402、BTS通过与WiFi AP之间的共传接口接收WiFi AP的DHCP广播消息;
s403、BTS根据所述广播消息确定中继代理业务为开启状态,且已预先建立所述IPSec安全隧道,通过所述IPSec安全隧道所述向AC发送DHCP地址请求消息,所述地址请求消息包括安全网关的IP地址;
BTS在确定已开启了中继代理业务,并已建立IPSec安全隧道,就可以为WiFi AP提供代理服务。
s404、AC根据所述安全网关的IP地址为所述WiFi AP分配IP地址;
s405、BTS接收所述AC回复的DHCP分配消息;
s406、BTS将所述分配消息通过所述共传接口发送给所述WiFi AP,以建立与所述WiFi AP之间的DHCP中继代理关系;
s407、BTS获取WiFi AP的IP地址;
s408、BTS根据所述WiFi AP的IP地址为所述WiFi AP建立IPSec安全隧道的路由,并生成相应的ACL规则;
s409、BTS通过共传接口接收所述WiFi AP的数据包;
s410、BTS根据IPSec协议对所述数据包进行加密,并根据所述路由和所述ACL规则在所述IPSec安全隧道中转发加密后的数据包。
本实施例为上述图2或图4所示方法实施例的交互示例,其方法步骤与
上述步骤类似,此处不再赘述。
图6为本发明基站的一个实施例的结构示意图,如图6所示,本实施例的装置可以包括:获取模块11、路由建立模块12以及数据包处理模块13,其中,获取模块11,用于获取无线保真WiFi接入点AP的网际协议IP地址;路由建立模块12,用于根据所述WiFi AP的IP地址为所述WiFi AP建立网际协议安全IPSec安全隧道上的路由,并生成相应的访问控制列表ACL规则;数据包处理模块13,用于通过与所述WiFi AP之间的共传接口接收所述WiFi AP发送的数据包;根据IPSec协议对所述数据包进行加密,并根据所述IPSec安全隧道上的路由和所述ACL规则在所述IPSec安全隧道中转发加密后的数据包。
本实施例的装置,可以用于执行图2所示方法实施例的技术方案,其实现原理和技术效果类似,此处不再赘述。
图7为本发明基站的另一个实施例的结构示意图,如图7所示,本实施例的装置在图6所示装置结构的基础上,进一步地,还可以包括:中继代理模块14,用于通过所述共传接口接收所述WiFi AP发送的动态主机配置协议DHCP广播消息,所述广播消息用于请求获取所述WiFi AP的IP地址;根据所述广播消息与所述WiFi AP建立DHCP中继代理关系。
本实施例的装置,可以用于执行图2或图5所示方法实施例的技术方案,其实现原理和技术效果类似,此处不再赘述。
进一步的,所述中继代理模块14,具体用于根据所述广播消息确定中继代理业务为开启状态,且已预先建立所述IPSec安全隧道,通过所述IPSec安全隧道所述向WiFi AP控制器AC发送DHCP地址请求消息,所述地址请求消息包括安全网关的IP地址,以使所述AC根据所述安全网关的IP地址为所述WiFi AP分配IP地址;接收所述AC回复的DHCP分配消息,将所述分配消息通过所述共传接口发送给所述WiFi AP,以建立与所述WiFi AP之间的所述中继代理关系,所述分配消息包括所述WiFi AP的IP地址。
进一步的,所述获取模块11,具体用于根据所述分配消息获取所述WiFi AP的IP地址;或者,通过与所述WiFi AP的交互通信获取所述WiFi AP的IP地址。
进一步的,所述中继代理模块14,还用于开启中继代理业务,配置所述
共传接口的参数,并建立所述IPSec安全隧道,所述共传接口的参数包括所述共传接口的IP地址和所述共传接口的状态。
进一步的,所述获取模块11,还用于监测所述WiFi AP以获取所述WiFi AP更新后的IP地址,并将所述更新后的IP地址作为所述WiFi AP的IP地址。
图8为本发明基站的又一个实施例的结构示意图,如图8所示,本实施例的装置在图6所示装置结构的基础上,进一步地,还可以包括:发送模块15。所述获取模块11,具体用于开启与所述WiFi AP的共传输业务,获取AC的IP地址,并配置所述共传接口的参数,所述共传接口的参数包括所述共传接口的IP地址和所述共传接口的状态;获取根据预先配置的内部IP地址的网段分配所述共传接口的IP地址和所述WiFi AP的IP地址,并生成相应的ACL规则。发送模块15,用于向所述WiFi AP发送地址配置响应,所述地址配置响应包括所述WiFi AP的IP地址、所述共传接口的IP地址以及所述AC的IP地址;或者,通过所述共传接口向所述WiFi AP发送广播消息,所述广播消息包括所述WiFi AP的IP地址、所述共传接口的IP地址以及所述AC的IP地址。
本实施例的装置,可以用于执行图3所示方法实施例的技术方案,其实现原理和技术效果类似,此处不再赘述。
进一步的,所述数据包处理模块13,具体用于通过与所述WiFi AP之间的共传接口接收所述WiFi AP发送的数据包,将所述数据包携带的所述WiFi AP的IP地址通过网络地址转换NAT转换成所述IPSec安全隧道上的路由;根据IPSec协议对所述数据包进行加密,并根据所述IPSec安全隧道上的路由和所述ACL规则在所述IPSec安全隧道中转发加密后的数据包。
图9为本发明WiFi AP的一个实施例的结构示意图,如图9所示,本实施例的装置可以包括:收发模块21,用于通过与基站之间的共传接口向所述基站发送数据包,以使所述基站根据网际协议安全IPSec协议对所述数据包进行加密,并根据预先建立的IPSec安全隧道的路由和访问控制列表ACL规则在所述IPSec安全隧道中转发加密后的数据包。
本实施例的装置,可以用于执行图4所示方法实施例的技术方案,其实现原理和技术效果类似,此处不再赘述。
进一步的,所述收发模块21,还用于通过所述共传接口向所述基站发送动态主机配置协议DHCP广播消息,以使所述基站根据所述广播消息建立DHCP中继代理;接收所述基站转发的由WiFi AP控制器AC发出的DHCP分配消息,所述分配消息包括所述AC分配的所述WiFi AP的网际协议IP地址。
进一步的,所述收发模块21,还用于接收所述基站发送的地址配置响应,所述地址配置响应包括所述WiFi AP的IP地址、所述共传接口的IP地址以及所述AC的IP地址;或者,通过所述共传接口接收所述基站发送的广播消息,所述广播消息包括所述WiFi AP的IP地址、所述共传接口的IP地址以及所述AC的IP地址。
图10为本发明基站的第四个实施例的结构示意图,如图10所示,本实施例的设备可以包括:处理器31、接收器32以及发送器33,其中,处理器31,用于获取无线保真WiFi接入点AP的网际协议IP地址;根据所述WiFi AP的IP地址为所述WiFi AP建立网际协议安全IPSec安全隧道上的路由,并生成相应的访问控制列表ACL规则;接收器32,用于通过与所述WiFi AP之间的共传接口接收所述WiFi AP发送的数据包;发送器33,用于根据IPSec协议对所述数据包进行加密,并根据所述IPSec安全隧道上的路由和所述ACL规则在所述IPSec安全隧道中转发加密后的数据包。
本实施例的装置,可以用于执行图2、图3或图5所示方法实施例的技术方案,其实现原理和技术效果类似,此处不再赘述。
进一步的,所述接收器32,还用于通过所述共传接口接收所述WiFi AP发送的动态主机配置协议DHCP广播消息,所述广播消息用于请求获取所述WiFi AP的IP地址;所述处理器31,还用于根据所述广播消息与所述WiFi AP建立DHCP中继代理关系。
进一步的,所述发送器33,还用于根据所述广播消息确定中继代理业务为开启状态,且已预先建立所述IPSec安全隧道,通过所述IPSec安全隧道所述向WiFi AP控制器AC发送DHCP地址请求消息,所述地址请求消息包括安全网关的IP地址,以使所述AC根据所述安全网关的IP地址为所述WiFi AP分配IP地址;所述接收器32,还用于接收所述AC回复的DHCP分配消息,将所述分配消息通过所述共传接口发送给所述WiFi AP,以建立与所述WiFi AP之间的所述中继代理关系,所述分配消息包括所述WiFi AP的IP地址。
进一步的,所述处理器31,具体用于根据所述分配消息获取所述WiFi AP的IP地址;或者,通过与所述WiFi AP的交互通信获取所述WiFi AP的IP地址。
进一步的,所述处理器31,还用于开启中继代理业务,配置所述共传接口的参数,并建立所述IPSec安全隧道,所述共传接口的参数包括所述共传接口的IP地址和所述共传接口的状态。
进一步的,所述处理器31,还用于监测所述WiFi AP以获取所述WiFi AP更新后的IP地址,并将所述更新后的IP地址作为所述WiFi AP的IP地址。
进一步的,所述处理器31,还用于开启与所述WiFi AP的共传输业务,获取AC的IP地址,并配置所述共传接口的参数,所述共传接口的参数包括所述共传接口的IP地址和所述共传接口的状态;获取根据预先配置的内部IP地址的网段分配所述共传接口的IP地址和所述WiFi AP的IP地址,并生成相应的ACL规则。
进一步的,所述发送器33,还用于向所述WiFi AP发送地址配置响应,所述地址配置响应包括所述WiFi AP的IP地址、所述共传接口的IP地址以及所述AC的IP地址;或者,通过所述共传接口向所述WiFi AP发送广播消息,所述广播消息包括所述WiFi AP的IP地址、所述共传接口的IP地址以及所述AC的IP地址。
进一步的,所述接收器32,具体用于通过与所述WiFi AP之间的共传接口接收所述WiFi AP发送的数据包;所述处理器31,还用于将所述数据包携带的所述WiFi AP的IP地址通过网络地址转换NAT转换成所述IPSec安全隧道上的路由;所述发送器33,具体用于根据IPSec协议对所述数据包进行加密,并根据所述IPSec安全隧道上的路由和所述ACL规则在所述IPSec安全隧道中转发加密后的数据包。
图11为本发明WiFi AP的另一个实施例的结构示意图,如图12所示,本实施例的设备可以包括:发送器41,用于通过与基站之间的共传接口向所述基站发送数据包,以使所述基站根据网际协议安全IPSec协议对所述数据包进行加密,并根据预先建立的IPSec安全隧道的路由和访问控制列表ACL规则在所述IPSec安全隧道中转发加密后的数据包。
本实施例的装置,可以用于执行图4或图5所示方法实施例的技术方案,
其实现原理和技术效果类似,此处不再赘述。
图12为本发明WiFi AP的又一个实施例的结构示意图,如图12所示,本实施例的设备在图11所示设备结构的基础上,进一步地,还可以包括:接收器42。所述发送器41,还用于通过所述共传接口向所述基站发送动态主机配置协议DHCP广播消息,以使所述基站根据所述广播消息建立DHCP中继代理;所述接收器42,用于接收所述基站转发的由WiFi AP控制器AC发出的DHCP分配消息,所述分配消息包括所述AC分配的所述WiFi AP的网际协议IP地址。
本实施例的装置,可以用于执行图4或图5所示方法实施例的技术方案,其实现原理和技术效果类似,此处不再赘述。
进一步的,所述接收器42,还用于接收所述基站发送的地址配置响应,所述地址配置响应包括所述WiFi AP的IP地址、所述共传接口的IP地址以及所述AC的IP地址;或者,通过所述共传接口接收所述基站发送的广播消息,所述广播消息包括所述WiFi AP的IP地址、所述共传接口的IP地址以及所述AC的IP地址。
图13为本发明通信系统的另一个实施例的结构示意图,如图13所示,本实施例的系统包括:基站51和WiFi AP 52,其中,所述基站51可以采用图6~图8任一装置实施例的结构,其对应地,可以执行图2、图3、图5中任一方法实施例的技术方案,其实现原理和技术效果类似,此处不再赘述;所述WiFi AP 52可以采用图9所示装置实施例的结构,其对应地,可以执行图4或图5所示方法实施例的技术方案,其实现原理和技术效果类似,此处不再赘述。
进一步的,图13所示的通信系统的结构示意图中,所述基站51可以采用图10所示设备实施例的结构,其对应地,可以执行图2、图3、图5中任一方法实施例的技术方案,其实现原理和技术效果类似,此处不再赘述;所述WiFi AP 52可以采用图11或图12所示设备实施例的结构,其对应地,可以执行图4或图5所示方法实施例的技术方案,其实现原理和技术效果类似,此处不再赘述。
在本发明所提供的几个实施例中,应该理解到,所揭露的装置和方法,可以通过其它的方式实现。例如,以上所描述的装置实施例仅仅是示意性的,
例如,所述单元的划分,仅仅为一种逻辑功能划分,实际实现时可以有另外的划分方式,例如多个单元或组件可以结合或者可以集成到另一个系统,或一些特征可以忽略,或不执行。另一点,所显示或讨论的相互之间的耦合或直接耦合或通信连接可以是通过一些接口,装置或单元的间接耦合或通信连接,可以是电性,机械或其它的形式。
所述该作为分离部件说明的单元可以是或者也可以不是物理上分开的,作为单元显示的部件可以是或者也可以不是物理单元,即可以位于一个地方,或者也可以分布到多个网络单元上。可以根据实际的需要选择其中的部分或者全部单元来实现本实施例方案的目的。
另外,在本发明各个实施例中的各功能单元可以集成在一个处理单元中,也可以是各个单元单独物理存在,也可以两个或两个以上单元集成在一个单元中。上述集成的单元既可以采用硬件的形式实现,也可以采用硬件加软件功能单元的形式实现,比如说基站和WIFI AP可以采用内置片上系统(System on Chips,简称:SOC),或者SOC加硬件电路的方式,以使得基站和WIFI AP实现本发明上述各个实施例涉及的方法流程/功能单元。
上述以软件功能单元的形式实现的集成的单元,可以存储在一个计算机可读取存储介质中。上述软件功能单元存储在一个存储介质中,包括若干指令用以使得一台计算机设备(可以是个人计算机,服务器,或者网络设备等)或处理器(processor)执行本发明各个实施例所述方法的部分步骤。而前述的存储介质包括:U盘、移动硬盘、只读存储器(Read-Only Memory,ROM)、随机存取存储器(Random Access Memory,RAM)、磁碟或者光盘等各种可以存储程序代码的介质。
本领域技术人员可以清楚地了解到,为描述的方便和简洁,仅以上述各功能模块的划分进行举例说明,实际应用中,可以根据需要而将上述功能分配由不同的功能模块完成,即将装置的内部结构划分成不同的功能模块,以完成以上描述的全部或者部分功能。上述描述的装置的具体工作过程,可以参考前述方法实施例中的对应过程,在此不再赘述。
最后应说明的是:以上各实施例仅用以说明本发明的技术方案,而非对其限制;尽管参照前述各实施例对本发明进行了详细的说明,本领域的普通技术人员应当理解:其依然可以对前述各实施例所记载的技术方案进行修改,
或者对其中部分或者全部技术特征进行等同替换;而这些修改或者替换,并不使相应技术方案的本质脱离本发明各实施例技术方案的范围。
Claims (25)
- 一种通信方法,其特征在于,包括:获取无线保真WiFi接入点AP的网际协议IP地址;根据所述WiFi AP的IP地址为所述WiFi AP建立网际协议安全IPSec安全隧道上的路由,并生成相应的访问控制列表ACL规则;通过与所述WiFi AP之间的共传接口接收所述WiFi AP发送的数据包;根据IPSec协议对所述数据包进行加密,并根据所述IPSec安全隧道上的路由和所述ACL规则在所述IPSec安全隧道中转发加密后的数据包。
- 根据权利要求1所述的方法,其特征在于,所述获取WiFi AP的IP地址之前,还包括:通过所述共传接口接收所述WiFi AP发送的动态主机配置协议DHCP广播消息,所述广播消息用于请求获取所述WiFi AP的IP地址;根据所述广播消息与所述WiFi AP建立DHCP中继代理关系。
- 根据权利要求2所述的方法,其特征在于,所述根据所述广播消息与所述WiFi AP建立DHCP中继代理关系,包括:根据所述广播消息确定中继代理业务为开启状态,且已预先建立所述IPSec安全隧道,通过所述IPSec安全隧道所述向WiFi AP控制器AC发送DHCP地址请求消息,所述地址请求消息包括安全网关的IP地址,以使所述AC根据所述安全网关的IP地址为所述WiFi AP分配IP地址;接收所述AC回复的DHCP分配消息,将所述分配消息通过所述共传接口发送给所述WiFi AP,以建立与所述WiFi AP之间的所述中继代理关系,所述分配消息包括所述WiFi AP的IP地址。
- 根据权利要求3所述的方法,其特征在于,所述获取WiFi AP的IP地址,包括:根据所述分配消息获取所述WiFi AP的IP地址;或者,通过与所述WiFi AP的交互通信获取所述WiFi AP的IP地址。
- 根据权利要求2~4中任一项所述的方法,其特征在于,所述通过所述共传接口接收所述WiFi AP发送的DHCP广播消息之前,还包括:开启中继代理业务,配置所述共传接口的参数,并建立所述IPSec安全隧道,所述共传接口的参数包括所述共传接口的IP地址和所述共传接口的状 态。
- 根据权利要求1~5中任一项所述的方法,其特征在于,所述获取WiFi AP的IP地址之后,还包括:监测所述WiFi AP以获取所述WiFi AP更新后的IP地址,并将所述更新后的IP地址作为所述WiFi AP的IP地址。
- 根据权利要求1所述的方法,其特征在于,所述获取WiFi AP的IP地址之前,还包括:开启与所述WiFi AP的共传输业务,获取AC的IP地址,并配置所述共传接口的参数,所述共传接口的参数包括所述共传接口的IP地址和所述共传接口的状态;所述获取WiFi AP的IP地址,包括:获取根据预先配置的内部IP地址的网段分配所述共传接口的IP地址和所述WiFi AP的IP地址,并生成相应的ACL规则。
- 根据权利要求7所述的方法,其特征在于,所述获取WiFi AP的IP地址之后,还包括:向所述WiFi AP发送地址配置响应,所述地址配置响应包括所述WiFi AP的IP地址、所述共传接口的IP地址以及所述AC的IP地址;或者,通过所述共传接口向所述WiFi AP发送广播消息,所述广播消息包括所述WiFi AP的IP地址、所述共传接口的IP地址以及所述AC的IP地址。
- 根据权利要求7或8所述的方法,其特征在于,所述获取WiFi AP的IP地址之后,还包括:通过与所述WiFi AP之间的共传接口接收所述WiFi AP发送的数据包,将所述数据包携带的所述WiFi AP的IP地址通过网络地址转换NAT转换成所述IPSec安全隧道上的路由;根据IPSec协议对所述数据包进行加密,并根据所述IPSec安全隧道上的路由和所述ACL规则在所述IPSec安全隧道中转发加密后的数据包。
- 一种通信方法,其特征在于,包括:通过与基站之间的共传接口向所述基站发送数据包,以使所述基站根据网际协议安全IPSec协议对所述数据包进行加密,并根据预先建立的IPSec安全隧道的路由和访问控制列表ACL规则在所述IPSec安全隧道中转发加密 后的数据包。
- 根据权利要求10所述的方法,其特征在于,所述通过与基站之间的共传接口向所述基站发送数据包之前,还包括:通过所述共传接口向所述基站发送动态主机配置协议DHCP广播消息,以使所述基站根据所述广播消息建立DHCP中继代理;接收所述基站转发的由WiFi AP控制器AC发出的DHCP分配消息,所述分配消息包括所述AC分配的所述WiFi AP的网际协议IP地址。
- 根据权利要求10所述的方法,其特征在于,所述通过与基站之间的共传接口向所述基站基站发送数据包之前,还包括:接收所述基站发送的地址配置响应,所述地址配置响应包括所述WiFi AP的IP地址、所述共传接口的IP地址以及所述AC的IP地址;或者,通过所述共传接口接收所述基站发送的广播消息,所述广播消息包括所述WiFi AP的IP地址、所述共传接口的IP地址以及所述AC的IP地址。
- 一种基站,其特征在于,包括:获取模块,用于获取无线保真WiFi接入点AP的网际协议IP地址;路由建立模块,用于根据所述WiFi AP的IP地址为所述WiFi AP建立网际协议安全IPSec安全隧道上的路由,并生成相应的访问控制列表ACL规则;数据包处理模块,用于通过与所述WiFi AP之间的共传接口接收所述WiFi AP发送的数据包;根据IPSec协议对所述数据包进行加密,并根据所述IPSec安全隧道上的路由和所述ACL规则在所述IPSec安全隧道中转发加密后的数据包。
- 根据权利要求13所述的基站,其特征在于,还包括:中继代理模块,用于通过所述共传接口接收所述WiFi AP发送的动态主机配置协议DHCP广播消息,所述广播消息用于请求获取所述WiFi AP的IP地址;根据所述广播消息与所述WiFi AP建立DHCP中继代理关系。
- 根据权利要求14所述的基站,其特征在于,所述中继代理模块,具体用于根据所述广播消息确定中继代理业务为开启状态,且已预先建立所述IPSec安全隧道,通过所述IPSec安全隧道所述向WiFi AP控制器AC发送DHCP地址请求消息,所述地址请求消息包括安全网关的IP地址,以使所述AC根据所述安全网关的IP地址为所述WiFi AP分配IP地址;接收所述AC 回复的DHCP分配消息,将所述分配消息通过所述共传接口发送给所述WiFi AP,以建立与所述WiFi AP之间的所述中继代理关系,所述分配消息包括所述WiFi AP的IP地址。
- 根据权利要求15所述的基站,其特征在于,所述获取模块,具体用于根据所述分配消息获取所述WiFi AP的IP地址;或者,通过与所述WiFi AP的交互通信获取所述WiFi AP的IP地址。
- 根据权利要求14~16中任一项所述的基站,其特征在于,所述中继代理模块,还用于开启中继代理业务,配置所述共传接口的参数,并建立所述IPSec安全隧道,所述共传接口的参数包括所述共传接口的IP地址和所述共传接口的状态。
- 根据权利要求13~17中任一项所述的基站,其特征在于,所述获取模块,还用于监测所述WiFi AP以获取所述WiFi AP更新后的IP地址,并将所述更新后的IP地址作为所述WiFi AP的IP地址。
- 根据权利要求13所述的基站,其特征在于,所述获取模块,具体用于开启与所述WiFi AP的共传输业务,获取AC的IP地址,并配置所述共传接口的参数,所述共传接口的参数包括所述共传接口的IP地址和所述共传接口的状态;获取根据预先配置的内部IP地址的网段分配所述共传接口的IP地址和所述WiFi AP的IP地址,并生成相应的ACL规则。
- 根据权利要求19所述的基站,其特征在于,还包括:发送模块,用于向所述WiFi AP发送地址配置响应,所述地址配置响应包括所述WiFi AP的IP地址、所述共传接口的IP地址以及所述AC的IP地址;或者,通过所述共传接口向所述WiFi AP发送广播消息,所述广播消息包括所述WiFi AP的IP地址、所述共传接口的IP地址以及所述AC的IP地址。
- 根据权利要求19或20所述的基站,其特征在于,所述数据包处理模块,具体用于通过与所述WiFi AP之间的共传接口接收所述WiFi AP发送的数据包,将所述数据包携带的所述WiFi AP的IP地址通过网络地址转换NAT转换成所述IPSec安全隧道上的路由;根据IPSec协议对所述数据包进行加密,并根据所述IPSec安全隧道上的路由和所述ACL规则在所述IPSec安全隧道中转发加密后的数据包。
- 一种无线保真WiFi接入点AP,其特征在于,包括:收发模块,用于通过与基站之间的共传接口向所述基站发送数据包,以使所述基站根据网际协议安全IPSec协议对所述数据包进行加密,并根据预先建立的IPSec安全隧道的路由和访问控制列表ACL规则在所述IPSec安全隧道中转发加密后的数据包。
- 根据权利要求22所述的WiFi AP,其特征在于,所述收发模块,还用于通过所述共传接口向所述基站发送动态主机配置协议DHCP广播消息,以使所述基站根据所述广播消息建立DHCP中继代理;接收所述基站转发的由WiFi AP控制器AC发出的DHCP分配消息,所述分配消息包括所述AC分配的所述WiFi AP的网际协议IP地址。
- 根据权利要求22所述的WiFi AP,其特征在于,所述收发模块,还用于接收所述基站发送的地址配置响应,所述地址配置响应包括所述WiFi AP的IP地址、所述共传接口的IP地址以及所述AC的IP地址;或者,通过所述共传接口接收所述基站发送的广播消息,所述广播消息包括所述WiFi AP的IP地址、所述共传接口的IP地址以及所述AC的IP地址。
- 一种通信系统,其特征在于,包括:基站和无线保真WiFi接入点AP,其中,所述基站采用权利要求13~21中任一项所述的基站;所述WiFi AP采用权利要求22~24中任一项所述的WiFi AP。
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201580000387.3A CN105637914A (zh) | 2015-04-03 | 2015-04-03 | 通信方法、基站、接入点及系统 |
PCT/CN2015/075866 WO2016155005A1 (zh) | 2015-04-03 | 2015-04-03 | 通信方法、基站、接入点及系统 |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/CN2015/075866 WO2016155005A1 (zh) | 2015-04-03 | 2015-04-03 | 通信方法、基站、接入点及系统 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2016155005A1 true WO2016155005A1 (zh) | 2016-10-06 |
Family
ID=56050775
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2015/075866 WO2016155005A1 (zh) | 2015-04-03 | 2015-04-03 | 通信方法、基站、接入点及系统 |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN105637914A (zh) |
WO (1) | WO2016155005A1 (zh) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101299665A (zh) * | 2008-05-19 | 2008-11-05 | 华为技术有限公司 | 报文处理方法、系统及装置 |
CN101431806A (zh) * | 2008-12-17 | 2009-05-13 | 华为技术有限公司 | 一种实现无线接入点安全通信的方法、网络设备及网络系统 |
CN102892156A (zh) * | 2012-09-19 | 2013-01-23 | 邦讯技术股份有限公司 | 一种实现融合家庭基站中数据转换的方法和系统 |
US20130216043A1 (en) * | 2012-02-17 | 2013-08-22 | Nokia Corporation | Security Solution For Integrating a WiFi Radio Interface in LTE Access Network |
CN103945379A (zh) * | 2013-01-23 | 2014-07-23 | 上海贝尔股份有限公司 | 一种在接入网中实现接入认证和数据通信的方法 |
Family Cites Families (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP1983771B1 (en) * | 2007-04-17 | 2011-04-06 | Alcatel Lucent | A method for interfacing a Femto-Cell equipment with a mobile core network |
JP5957826B2 (ja) * | 2011-08-12 | 2016-07-27 | 株式会社バッファロー | 無線端末及びプログラム |
US9462515B2 (en) * | 2013-01-17 | 2016-10-04 | Broadcom Corporation | Wireless communication system utilizing enhanced air-interface |
TWI545923B (zh) * | 2013-05-23 | 2016-08-11 | 中磊電子股份有限公司 | 網路裝置、使用其之網際網路協定安全性系統及建立網際網路協定安全性通道之方法 |
US9602470B2 (en) * | 2013-05-23 | 2017-03-21 | Sercomm Corporation | Network device, IPsec system and method for establishing IPsec tunnel using the same |
-
2015
- 2015-04-03 CN CN201580000387.3A patent/CN105637914A/zh active Pending
- 2015-04-03 WO PCT/CN2015/075866 patent/WO2016155005A1/zh active Application Filing
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101299665A (zh) * | 2008-05-19 | 2008-11-05 | 华为技术有限公司 | 报文处理方法、系统及装置 |
CN101431806A (zh) * | 2008-12-17 | 2009-05-13 | 华为技术有限公司 | 一种实现无线接入点安全通信的方法、网络设备及网络系统 |
US20130216043A1 (en) * | 2012-02-17 | 2013-08-22 | Nokia Corporation | Security Solution For Integrating a WiFi Radio Interface in LTE Access Network |
CN102892156A (zh) * | 2012-09-19 | 2013-01-23 | 邦讯技术股份有限公司 | 一种实现融合家庭基站中数据转换的方法和系统 |
CN103945379A (zh) * | 2013-01-23 | 2014-07-23 | 上海贝尔股份有限公司 | 一种在接入网中实现接入认证和数据通信的方法 |
Also Published As
Publication number | Publication date |
---|---|
CN105637914A (zh) | 2016-06-01 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
KR102139712B1 (ko) | 패킷 프로세싱 방법 및 디바이스 | |
US10237089B2 (en) | Packet tunneling method, switching device, and control device | |
US8539055B2 (en) | Device abstraction in autonomous wireless local area networks | |
WO2021057217A1 (zh) | 一种通信方法、装置、设备、系统及介质 | |
JP5050849B2 (ja) | リモートアクセスシステム及びそのipアドレス割当方法 | |
JP5602937B2 (ja) | リレーノードと構成エンティティの間の接続性の確立 | |
US8359644B2 (en) | Seamless data networking | |
US20130182651A1 (en) | Virtual Private Network Client Internet Protocol Conflict Detection | |
KR20160129896A (ko) | 커스터마이즈드 5세대 (5g) 네트워크를 위한 시스템 및 방법 | |
CN111541792B (zh) | 一种ip地址分配的方法和装置 | |
JP2021530892A (ja) | 通信方法及び通信装置 | |
WO2019157968A1 (zh) | 一种通信方法、装置及系统 | |
WO2015085788A1 (zh) | 一种动态主机配置协议报文处理方法及装置 | |
CN112398959B (zh) | Rlc信道确定方法和装置 | |
JP2019511154A (ja) | セキュリティパラメータ伝送方法及び関係するデバイス | |
WO2013053133A1 (zh) | 业务数据传输处理方法、设备以及通信系统 | |
CN114125995B (zh) | 数据传输方法及装置 | |
WO2018054272A1 (zh) | 数据的发送方法和装置、计算机存储介质 | |
US20160150577A1 (en) | Lte based wireless backhaul connection to cellular network base station | |
CN113518475A (zh) | 通信方法、装置及系统 | |
CN115499894B (zh) | 网络切片调整方法、装置及设备 | |
WO2018101452A1 (ja) | 通信方法および中継装置 | |
WO2016155005A1 (zh) | 通信方法、基站、接入点及系统 | |
WO2015168923A1 (en) | Method and network node for routing ip packets | |
WO2019000403A1 (zh) | 通信设备及通信方法 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 15886975 Country of ref document: EP Kind code of ref document: A1 |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 15886975 Country of ref document: EP Kind code of ref document: A1 |