WO2018050007A1 - Method and apparatus for accessing local network by user terminal and computer storage medium - Google Patents
- Publication number: WO2018050007A1 (PCT/CN2017/100636)
- Authority: WO, WIPO (PCT)
- Prior art keywords: user, local network, packet, access, subnet
Classifications
- H04L9/40: Network security protocols (under H04L9/00, Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols)
- H04L63/08: Network architectures or network communication protocols for network security, for authentication of entities (under H04L63/00)
- H04L63/10: Network architectures or network communication protocols for network security, for controlling access to devices or network resources (under H04L63/00)
Definitions
- the present disclosure relates to the field of communications technologies, and in particular, to a method and apparatus for accessing a local network by a user terminal and a computer storage medium.
- a private network (non-Internet) deployed near the carrier's mobile network base station is collectively referred to as a local network.
- the uplink packet sent by the user equipment (UE) to the mobile network passes over LTE (Long Term Evolution) to the mobile network base station eNB, then through the backhaul network (Backhaul) and the core network EPC, enters the Internet (the backbone network and the metropolitan area network), and from the Internet reaches the enterprise firewall.
- after the VPN gateway authenticates the user, the packet accesses the server of the intranet; the downlink packet that the mobile network sends to the user terminal follows the reverse path.
- in this way, the user terminal reaches the local network by entering the enterprise network from the public network, that is, the Internet, so the access path has many nodes and a large network delay.
- a method for a user terminal to access a local network comprising:
- the S1-U uplink packet is disassembled, the source IP address and the source port number in the user IP packet are converted into the device IP address and the mapped port number, the local network packet is re-encapsulated, and the local network packet is forwarded to the next hop address of the subnet where the destination address is located.
- a device for a user terminal to access a local network comprising:
- the local network packet identification module is configured to receive the user plane S1-U uplink packet, and identify and intercept the local network access packet in the S1-U uplink packet;
- a local network access processing module configured to determine a user type of the user terminal corresponding to the local network access message, and to verify the local network access privilege of the user terminal according to the user type and the destination address in the local network access message; if the verification is passed, the S1-U uplink packet is disassembled, the source IP address and the source port number in the user IP packet are converted into the device IP address and the mapped port number, the local network packet is re-encapsulated, and the local network packet is forwarded to the next hop address of the subnet where the destination address is located.
- An apparatus for a user terminal to access a local network, comprising a processor and a memory storing processor-executable instructions, where the instructions, when executed by the processor, cause the processor to perform the following operations:
- the S1-U uplink packet is disassembled, the source IP address and the source port number in the user IP packet are converted into the device IP address and the mapped port number, the local network packet is re-encapsulated, and the local network packet is forwarded to the next hop address of the subnet where the destination address is located.
- a computer storage medium having stored therein one or more programs executable by a computer, the one or more programs being executed by the computer to cause the computer to perform the method.
- in the method and apparatus for a user terminal to access a local network, the S1-U uplink packet is received, the local network access packet in the S1-U uplink packet is identified and intercepted, and the intercepted local network access packet is not sent to the core network, so the number of access path nodes is reduced.
- the user type of the user terminal corresponding to the local network access message is determined, and the local network access authority of the user terminal is verified according to the user type and the destination address in the local network access message.
- if the verification is passed, the S1-U uplink packet is disassembled, the source IP address and source port number in the user IP packet are translated into the device IP address and the mapped port number, the local network packet is re-encapsulated, and the local network packet is forwarded to the next hop address of the subnet where the destination address is located.
- only local network access packets that pass the verification are forwarded, which ensures the security of the local network information, so the user terminal can access the local network quickly and securely.
- FIG. 1 is an application environment diagram of a method for a user terminal to access a local network in an embodiment
- FIG. 2 is a diagram showing the internal structure of the server of FIG. 1 in an embodiment
- FIG. 3 is a flow chart of a method for a user terminal to access a local network in an embodiment
- FIG. 5 is a flow chart of local network access authority verification in an embodiment
- FIG. 6 is a flow chart of determining, in an embodiment, whether a user access right meets the access right corresponding to a destination subnet type
- FIG. 7 is a flow chart of initiating a user type modification request in an embodiment
- FIG. 8 is a flow chart of modifying a user type according to a decision algorithm in an embodiment
- FIG. 9 is a timing diagram of a user terminal querying a local network domain name in a specific embodiment
- FIG. 10 is a sequence diagram of an uplink packet of a user terminal accessing a local network DMZ subnet in a specific embodiment
- FIG. 11 is a sequence diagram of a downlink message of a user terminal accessing a local network DMZ subnet in a specific embodiment
- FIG. 12 is a timing diagram of a local network DMZ visitor authorization in a specific embodiment
- FIG. 13 is a timing diagram of an uplink message of a user terminal accessing a local network intranet in a specific embodiment
- FIG. 14 is a timing diagram of a downlink message received by a user terminal in an intranet of a local network in a specific embodiment
- FIG. 15 is a timing diagram of a local network intranet authorization in a specific embodiment
- FIG. 16 is a structural block diagram of an apparatus for a user terminal to access a local network in an embodiment
- FIG. 17 is a structural block diagram of an apparatus for a user terminal to access a local network in another embodiment
- FIG. 18 is a structural block diagram of a local network access processing module in an embodiment
- FIG. 19 is a structural block diagram of an apparatus for a user terminal to access a local network in still another embodiment
- FIG. 20 is a structural block diagram of an apparatus for a user terminal to access a local network in still another embodiment
- FIG. 21 is a structural block diagram of a first verification unit in an embodiment
- FIG. 22 is a structural block diagram of a local network access processing module in an embodiment
- FIG. 23 is a structural block diagram of a local network access authorization module in an embodiment
- FIG. 24 is a structural block diagram of an apparatus for a user terminal to access a local network in still another embodiment
- FIG. 25 is a schematic diagram of the internal structure of a mobile network base station after a user equipment accesses a local network device in an embodiment
- FIG. 26 is a structural block diagram of a system for a user terminal to access a local network in an embodiment
- FIG. 27 is a schematic diagram showing the internal structure of a system in which a user terminal accesses a local network in an embodiment
- FIG. 28 is a schematic diagram showing the internal structure of a system in which a user terminal accesses a local network in another embodiment.
- the application environment includes a terminal 110, an eNodeB eNB 120, a server 130, an enterprise DMZ zone 140, and an enterprise intranet 150, where the enterprise DMZ zone 140 includes a VPN gateway 141, a reverse proxy server 142, and a firewall 143.
- the enterprise intranet 150 includes a choke router (blocking router) 151, a public server 152, and an APP application server 153.
- the devices in the application environment may be increased or decreased according to the actual deployment.
- the terminal 110 is a device that can communicate using a mobile communication network, including but not limited to an intelligent terminal, a mobile communication industrial device, an Internet of Things (IoT) device, and the like.
- when the user terminal accesses the local network, it directly accesses the enterprise network from the mobile network base station side after the user terminal authority has been verified.
- the uplink packet and the downlink packet do not need to pass through the backhaul network (Backhaul), the core network EPC, or the Internet, so the local network can be accessed quickly and securely.
- the application environment can be applied to various scenarios, such as intranet access for mobile office, or wireless interconnection between industrial devices, where the industrial device data is enterprise private data, large in volume and with high real-time requirements, and is transmitted wirelessly to the enterprise network.
- another scenario is wireless transmission in commercial premises to the network server of a mall, for example in large shopping malls or in VR (Virtual Reality) and AR (Augmented Reality) promotion activities launched by merchants, where large volumes of data with high real-time requirements must be transmitted wirelessly to the mall network server.
- a further scenario is large-scale events or exhibitions, where a large amount of video is transmitted wirelessly to the server in the venue.
- the internal structure of server 130 in FIG. 1 is as shown in FIG. 2, which includes a processor, storage medium, memory, and network interface connected by a system bus.
- the storage medium of the server 130 stores an operating system, a database, and an apparatus for the user terminal to access the local network; the database is used to store data such as a user record table, and the apparatus is used to implement, on the server 130, the method for the user terminal to access the local network.
- the processor of the server 130 is used to provide computing and control capabilities to support the operation of the entire server 130.
- the memory of the server 130 provides the running environment for the apparatus, stored in the storage medium, by which the user terminal accesses the local network.
- the network interface of the server 130 is used to communicate with the base station eNB 120, the enterprise network, and the operator Backhaul through a network connection, such as receiving an uplink message sent by the base station eNB 120.
- Server 130 typically employs a high performance web server.
- a method for a user terminal to access a local network is provided, which is applied to the application environment, and includes the following steps:
- Step S110: Receive an uplink packet of the user plane S1-U, and identify and intercept the local network access packet in the S1-U uplink packet.
- when the terminal needs to access the local network, it sends an air interface packet encapsulating the user packet to the base station; the source IP address of the user packet, that is, of the IP packet, is the UE PDN IP, which is the IP address assigned to the user terminal UE by the mobile network after registration in the mobile network is completed.
- after receiving the air interface packet, the base station extracts the user packet and encapsulates it in an S1-U tunnel packet for transmission.
- the solution needs to obtain the source IP address as the user identifier, and identify different user terminals by using the source IP address.
- the mobile network base station and the core network use a tunnel to transmit user packets.
- the mobile network base station and the core network each assign a unique S1-U tunnel identifier TEID (Tunnel Endpoint Identifier) to each user terminal.
- the tunnel identifier assigned by the base station is called the mobile network base station tunnel identifier, and the tunnel identifier assigned by the core network may be referred to as the core network tunnel identifier.
- the downlink packets sent to the mobile network base station are packaged into S1-U (S1 User Plane) user plane packets carrying the mobile network base station TEID.
- the mobile network base station distinguishes different users by the base station tunnel identifier TEID, packages the user packet into an air interface message, and sends it to the corresponding user terminal.
- the uplink packet sent by the mobile network base station eNB to the core network needs to be packaged into an S1-U packet carrying the core network tunnel identifier; the core network identifies the user according to the core network tunnel identifier and sends the packet to the Internet after processing.
- the local network access packet in the uplink packet of the user plane S1-U can be identified and intercepted by a local network packet identification module deployed on the base station or on the server. If the module is deployed in the base station, the local network access packet can be identified and intercepted before the base station sends the S1-U uplink packet, so that only the identified local network access packets are sent to the subsequent processing module, which reduces the load on the subsequent processing modules. If the module is deployed in the server, the server does not send the local network access packet to the core network while forwarding the remaining S1-U uplink packets to the core network.
- the local network access packet is a packet matching the local network access packet feature rule.
- the local network access packet feature list is configured to compare and analyze the user packets in the S1-U uplink packet one by one.
- in the configured local network access packet feature list, each record contains a subnet segment and the associated protocol number, port number, etc.; the protocol number and port number fields are optional.
- for example, a local network access message feature list record is: address 10.1.0.0, subnet mask 255.255.0.0, protocol number 6, port number 443; in the description, the subnet 10.1.0.0/16 is often written instead of address 10.1.0.0 with subnet mask 255.255.0.0.
- the destination address, protocol number, and destination port number are extracted from the user packet in the S1-U uplink packet and compared with the local network access feature list; only a packet whose features match is a local network access message. For example, if the user accesses the HTTPS service of hr.ttt.com.cn (IP address 10.1.2.1), the destination address 10.1.2.1 matches the 10.1.0.0/16 record.
- the intercepted local network access messages are not sent to the core network; only non-local network access messages are sent to the core network.
- Step S120: Determine a user type of the user terminal corresponding to the local network access message, and verify the local network access right of the user terminal according to the user type and the destination address in the local network access message.
- different user types have different access rights.
- the types of specific user types and corresponding rights can be customized according to requirements.
- different types of user types can be set according to the division of the local network area.
- the user type of the user terminal can also be determined according to the network segment where the user terminal is located; for example, a high-privilege user can be given a fixed IP address, so that different fixed rights are assigned to different user terminals.
- the local network access authorization module may, according to the user type application request and an authorization decision algorithm, and in real time based on the current network communication status parameters, the area of the local network being visited, and the like, authorize the user terminal with a corresponding dynamic user type having different rights; it updates the user type in real time according to the current network communication status and can thereby control in real time the number of user terminals accessing the local network.
- the user type of a user terminal can also be obtained by looking up the user record table; if the user record table contains no record for the user terminal, the authorized user type has to be applied for from the local network access authorization module.
- the verification is passed only if the local network access right of the user terminal matches the permission required by the destination address in the local network access message accessed.
- the local network can be divided into different areas, such as the DMZ area (Demilitarized Zone, also known as the quarantine area) and the internal network. Access to different areas requires different access rights.
- the local network access authorization module may, according to the user type application request, adopt different authorization decision algorithms, so that accesses to different areas are given different access rules according to the privacy of the content, which is flexible and convenient.
- before the authorization is decided, the user can be authenticated by the VPN gateway; only when the user is authenticated as an internal user can the user apply for a specific user type, which further ensures the security of the user type authorization.
- Step S130: If the verification succeeds, the S1-U uplink packet is disassembled, the source IP address and the source port number in the user IP packet are converted into the device IP address and the mapped port number, the local network packet is re-encapsulated, and the local network packet is forwarded to the next hop address of the subnet where the destination address is located.
- the source IP address and the source port number carried in the user packet are extracted and converted into the device IP address and the mapped port number.
- the IP address of the device is the IP address of the device in the local network.
- the number of device IP addresses can be set according to the number of network cards of the device. Each network card can also be configured with multiple device IP addresses.
- the source IP address assigned by the mobile network to the user terminal is uniformly converted into the device IP address to ensure the correct IP address transmitted in the local network.
- the source port number carried in the user packet needs to be converted to the mapped port number. Since user packets from different user terminals may carry the same source port number, the port number needs to be reassigned under a local network address, so that each combination of device IP address + mapped port number is unique during transmission, which ensures the correctness of data transmission.
- the access path of the user terminal 110 to the APP application server 153 is shown by the route 160 in FIG. 1: the packet passes the access path nodes base station eNB 120, server 130, VPN gateway 141, firewall 143, and choke router 151 and then reaches the APP application server 153. The backhaul network, the core network EPC, and the Internet need not be passed in the middle, so the number of access path nodes is greatly reduced, the network delay is reduced, and the transmission rate is increased.
- the local network access packet in the S1-U uplink packet is identified and intercepted upon receiving the S1-U uplink packet, and the intercepted local network access packet is not sent to the core network, so the number of access path nodes is reduced.
- the user type of the user terminal corresponding to the local network access packet is determined, and the local network access authority of the user terminal is verified according to the user type and the destination address in the local network access message; if the verification is passed, the S1-U uplink packet is disassembled.
- the solution translates the source IP address and the source port number of the user IP packet into the device IP address and the mapped port number, re-encapsulates the local network packet, and forwards it to the next hop address of the subnet where the destination address is located. Only local network access packets that pass the verification are forwarded, which ensures the security of the local network information, so the user terminal can access the local network quickly and securely.
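The packet classification of step S110 and the address translation of step S130, as an added Python example that is not the patent's own code: user packets are modelled as 5-tuples (the S1-U tunnel encapsulation is assumed to be already stripped), the feature list holds the 10.1.0.0/16 TCP/443 record from the description plus a constructed 10.3.0.0/16 record with the optional fields left empty, and the device IP 10.0.0.5 and the mapped port range are assumptions. Permission verification (step S120) is left out of this block.

```python
import ipaddress
import itertools
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class UserPacket:
    """5-tuple of the user IP packet carried in an S1-U uplink packet (tunnel header removed)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: int  # IP protocol number: 6 = TCP, 17 = UDP


@dataclass(frozen=True)
class FeatureRecord:
    """One record of the local network access packet feature list; protocol and port are optional."""
    subnet: ipaddress.IPv4Network
    protocol: Optional[int] = None  # None matches any protocol
    port: Optional[int] = None      # None matches any destination port

    def matches(self, pkt):
        if ipaddress.ip_address(pkt.dst_ip) not in self.subnet:
            return False
        if self.protocol is not None and pkt.protocol != self.protocol:
            return False
        if self.port is not None and pkt.dst_port != self.port:
            return False
        return True


# Constructed feature list: the 10.1.0.0/16 TCP/443 record from the description and an
# assumed 10.3.0.0/16 record that matches any protocol and port in that subnet.
FEATURE_LIST = [
    FeatureRecord(ipaddress.ip_network("10.1.0.0/16"), protocol=6, port=443),
    FeatureRecord(ipaddress.ip_network("10.3.0.0/16")),
]


def is_local_access(pkt, feature_list=FEATURE_LIST):
    """Step S110: a user packet is a local network access packet when any feature record matches."""
    return any(record.matches(pkt) for record in feature_list)


class SourceNat:
    """Step S130 translation: UE PDN IP + source port -> device IP + mapped port.

    Each (device IP, mapped port) pair is handed out at most once, so flows from different
    terminals that happen to use the same source port remain distinguishable on the way back.
    """

    def __init__(self, device_ips, first_port=10000, last_port=60000):
        # Free (device IP, port) pairs are consumed in order; exhaustion raises RuntimeError.
        self._free = itertools.product(list(device_ips), range(first_port, last_port + 1))
        self._forward = {}  # (protocol, UE IP, UE port) -> (device IP, mapped port)
        self._reverse = {}  # (protocol, device IP, mapped port) -> (UE IP, UE port)

    def translate_uplink(self, pkt):
        key = (pkt.protocol, pkt.src_ip, pkt.src_port)
        if key not in self._forward:
            try:
                mapping = next(self._free)
            except StopIteration:
                raise RuntimeError("device IP / mapped port space exhausted") from None
            self._forward[key] = mapping
            self._reverse[(pkt.protocol,) + mapping] = (pkt.src_ip, pkt.src_port)
        dev_ip, mapped_port = self._forward[key]
        return UserPacket(dev_ip, mapped_port, pkt.dst_ip, pkt.dst_port, pkt.protocol)

    def translate_downlink(self, pkt):
        """Reverse mapping for the local network's reply; None when no flow owns that port."""
        owner = self._reverse.get((pkt.protocol, pkt.dst_ip, pkt.dst_port))
        if owner is None:
            return None
        ue_ip, ue_port = owner
        return UserPacket(pkt.src_ip, pkt.src_port, ue_ip, ue_port, pkt.protocol)


def process_uplink(pkt, nat, feature_list=FEATURE_LIST):
    """("core", pkt) for traffic that continues to the core network, ("local", translated) otherwise."""
    if not is_local_access(pkt, feature_list):
        return "core", pkt
    return "local", nat.translate_uplink(pkt)
```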
- the method further includes:
- Step S210: The S1-U uplink packet is received, and the domain name system (DNS) query message for the local network domain name in the S1-U uplink packet is identified and intercepted.
- the local network IP address corresponding to the local network server domain name (such as hr.ttt.com.cn) needs to be obtained first. If the IP address of the local network server to be accessed has been obtained in advance, for example for frequent access to a fixed local network, the local network IP address can be pre-stored and carried directly in the local network access message that is sent. In general, however, the IP address corresponding to the domain name has to be obtained through a DNS query packet.
- the local network packet identification module deployed in the base station or the server can identify and intercept the DNS query message of the local network domain name in the S1-U uplink packet.
- the local network domain name query message is a standard DNS query message sent by the user terminal to the public network DNS server.
- the local network packet identification module analyzes the domain name in the DNS query packet and matches each domain name record in the configured local network domain name list to check whether the matching succeeds.
- the local network domain name query message is identified.
- each record complies with the FQDN (Fully Qualified Domain Name) rule. If ttt.com.cn is a record in the local network domain name list and the domain name in the DNS query message is hr.ttt.com.cn or ims.ttt.com.cn, the matching succeeds.
- Step S220: A DNS response packet carrying the local network IP address is constructed according to the DNS query message for the local network domain name and returned to the terminal, and the local network IP address is then carried as the destination address in the local network access packet.
- the local network IP address corresponding to the domain name may be obtained from the local network domain name configuration information and a DNS query response message constructed from it, or the query may be forwarded to an external dedicated local network domain name DNS server to obtain the local network IP address corresponding to the domain name, from which the DNS query response message is then constructed.
- the local network IP address corresponding to each local network domain name is configured in the local network domain name configuration information, such as hr.ttt.com.cn with address 10.1.2.1 and ims.ttt.com.cn with address 10.1.3.2.
- the lifetime of the domain name record, that is, the TTL (Time To Live), also needs to be configured.
- the DNS response packet is returned to the terminal; it carries the local network domain name and the corresponding local network IP address, and the terminal subsequently uses the local network IP address as the destination address when sending the local network access message corresponding to the local network domain name.
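The local domain name handling of steps S210 and S220, as an added Python example that is not the patent's code: a query for a name under a listed local domain (FQDN suffix rule) is answered from constructed domain configuration using the hr.ttt.com.cn and ims.ttt.com.cn addresses of the description with an assumed TTL of 300 s, a local name without configured address is flagged for forwarding to the dedicated local network DNS server, and every other query continues to the core network untouched.

```python
import struct

# Local network domain name list: a listed domain matches every FQDN under it.
LOCAL_DOMAIN_LIST = ["ttt.com.cn"]

# Local network domain name configuration: name -> (local network IP, TTL seconds).
# Names and addresses follow the description; the TTL values are assumed.
LOCAL_DOMAIN_CONFIG = {
    "hr.ttt.com.cn": ("10.1.2.1", 300),
    "ims.ttt.com.cn": ("10.1.3.2", 300),
}

QTYPE_A, QCLASS_IN = 1, 1


def is_local_domain(name, domain_list=LOCAL_DOMAIN_LIST):
    """True when name equals a listed domain or lies beneath it (hr.ttt.com.cn under ttt.com.cn)."""
    name = name.rstrip(".").lower()
    for record in domain_list:
        record = record.rstrip(".").lower()
        if name == record or name.endswith("." + record):
            return True
    return False


def _encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def _decode_name(data, offset):
    """Decode an uncompressed label sequence; returns (name, offset just past the final zero)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def build_query(txid, name, qtype=QTYPE_A):
    """Constructed standard DNS query, as the terminal would send it to the public DNS server."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    return header + _encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def handle_dns_query(query):
    """Classify one intercepted DNS query taken from the S1-U uplink.

    Returns ("forward_core", None)      for names outside the local domain list,
            ("forward_local_dns", None) for a local name with no configured A record,
            ("answer", response_bytes)  for a configured local name queried for type A.
    """
    txid, _flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", query[:12])
    if qdcount != 1:
        return "forward_core", None
    qname, offset = _decode_name(query, 12)
    qtype, qclass = struct.unpack("!HH", query[offset:offset + 4])
    question = query[12:offset + 4]
    if not is_local_domain(qname):
        return "forward_core", None
    entry = LOCAL_DOMAIN_CONFIG.get(qname.lower())
    if entry is None or qtype != QTYPE_A or qclass != QCLASS_IN:
        return "forward_local_dns", None
    ip, ttl = entry
    # Response: same transaction id, flags QR/RD/RA (0x8180), the question echoed,
    # one A record whose owner name is a pointer (0xC00C) back to the question name.
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, len(rdata)) + rdata
    return "answer", header + question + answer


def parse_a_answer(response):
    """Read (txid, ip, ttl) back out of a single-answer A response built above."""
    txid, _flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if ancount != 1:
        return None
    _, offset = _decode_name(response, 12)
    offset += 4 + 2  # skip QTYPE/QCLASS and the two-byte name pointer of the answer
    rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", response[offset:offset + 10])
    offset += 10
    if rtype != QTYPE_A or rdlen != 4:
        return None
    ip = ".".join(str(b) for b in response[offset:offset + rdlen])
    return txid, ip, ttl
```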
- step S120 includes:
- Step S121 Extract the user identifier carried in the local network access packet, determine the user type corresponding to the user identifier, and determine the subnet and subnet type where the destination address is located.
- the user identifier is the source IP address, and the user type can be obtained from the correspondence between the source IP address and the user type.
- the correspondence between the source IP address and the user type may be pre-stored in the form of a table, a text, or the like, thereby obtaining a corresponding user type by looking up a table or checking a string.
- the corresponding subnet is determined according to the IP address segment where the destination address is located, and different subnets correspond to their respective subnet types.
- the subnet type can be classified according to the information security importance of the local network. For example, it is divided into a DMZ subnet and an intranet subnet.
- the intranet subnet needs higher access rights to access. Different subnet types have corresponding user types with access rights, and can customize the correspondence between subnet types and user types with access rights. By assigning different user types with different access rights for different subnet types, the flexible control of access rights is improved.
- Step S122: It is determined whether the user access right corresponding to the user type meets the access authority corresponding to the subnet type of the destination address. If yes, the process proceeds to step S123.
- if the user access right corresponding to the user type matches the access right corresponding to the subnet type of the destination address, the next step is entered; otherwise, the local network access packet is discarded.
- Step S123: Determine whether the subnet where the destination address is located is a subnet that is allowed to be accessed; if yes, the local network access authority passes the verification, otherwise it fails the verification.
- to determine whether the subnet where the destination address is located is a subnet that is allowed to be accessed, a different subnet list may be assigned to each user type in advance, and a table lookup determines whether the subnet where the destination address in the local network access packet is located is on the list of subnets allowed to be accessed. If yes, the local network access permission passes the verification; otherwise, it does not.
- the user-type authority and the subnet authority are thus double-verified, and the access rights of different user types are flexibly and conveniently controlled to ensure the security of local network access.
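Steps S121 to S123 as an added Python example (not the patent's code): the user record table lookup with the non-privileged default, the subnet type of the destination, the first check against the rights of the subnet type (the DMZ rule of step S122a) and the second check against the per-user-type allowed subnet list. The subnet table with intranet subnets 10.2.0.0/16 and 10.3.0.0/16, the rights table and the allowed lists are constructed assumptions.

```python
import ipaddress
from enum import Enum


class UserType(Enum):
    NON_PRIVILEGED = "non-privileged user"        # assigned when no user record exists
    DMZ_GUEST = "DMZ authorized guest user"
    INTRANET_AUTHORIZED = "authorized intranet user"


class SubnetType(Enum):
    DMZ = "DMZ subnet"
    INTRANET = "intranet subnet"


# Constructed subnet table: 10.1.0.0/16 is the DMZ subnet of the description,
# the two intranet subnets are assumed.
SUBNET_TABLE = {
    ipaddress.ip_network("10.1.0.0/16"): SubnetType.DMZ,
    ipaddress.ip_network("10.2.0.0/16"): SubnetType.INTRANET,
    ipaddress.ip_network("10.3.0.0/16"): SubnetType.INTRANET,
}

# First check (S122): user types whose rights satisfy each subnet type.
# The DMZ row is step S122a of the description; admitting intranet users to the DMZ is assumed.
SUBNET_TYPE_RIGHTS = {
    SubnetType.DMZ: {UserType.DMZ_GUEST, UserType.INTRANET_AUTHORIZED},
    SubnetType.INTRANET: {UserType.INTRANET_AUTHORIZED},
}

# Second check (S123): subnet list assigned in advance to each user type (constructed).
# 10.3.0.0/16 is an intranet subnet but is deliberately not on the intranet user's list.
ALLOWED_SUBNETS = {
    UserType.DMZ_GUEST: [ipaddress.ip_network("10.1.0.0/16")],
    UserType.INTRANET_AUTHORIZED: [
        ipaddress.ip_network("10.1.0.0/16"),
        ipaddress.ip_network("10.2.0.0/16"),
    ],
}


def lookup_user_type(user_record_table, user_id):
    """S121: the user identifier is the source IP; a terminal without a record is non-privileged."""
    return user_record_table.get(user_id, UserType.NON_PRIVILEGED)


def locate_subnet(dst_ip, subnet_table=SUBNET_TABLE):
    """S121: the subnet and subnet type containing the destination address, or None."""
    addr = ipaddress.ip_address(dst_ip)
    for subnet, subnet_type in subnet_table.items():
        if addr in subnet:
            return subnet, subnet_type
    return None


def verify_access(user_record_table, src_ip, dst_ip):
    """Steps S121 to S123; returns (passed, reason). A packet that fails is to be discarded."""
    user_type = lookup_user_type(user_record_table, src_ip)
    located = locate_subnet(dst_ip)
    if located is None:
        return False, "destination address is not in any local network subnet"
    subnet, subnet_type = located
    # S122: does the user type carry the right required by the destination subnet type?
    if user_type not in SUBNET_TYPE_RIGHTS.get(subnet_type, set()):
        return False, f"{user_type.value} lacks the right for {subnet_type.value}"
    # S123: is the destination subnet itself on this user type's allowed list?
    if subnet not in ALLOWED_SUBNETS.get(user_type, []):
        return False, f"subnet {subnet} is not on the allowed list for {user_type.value}"
    return True, f"{user_type.value} may access {subnet} ({subnet_type.value})"
```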
- the method further includes: if the user access right corresponding to the user type does not meet the access right corresponding to the subnet type of the destination address, updating the user type of the user terminal according to the authorization decision algorithm.
- the local network access authorization module may apply for the change of the user type, and the local network access authorization module receives the user type change request.
- the user type of the user terminal is updated according to the user type change request and the authorization decision algorithm.
- different user type change requests may be generated according to the subnet type of the destination address and the current user type.
- different user type change requests may correspond to different authorization decision algorithms, and the decision of the authorization decision algorithm may be customized according to requirements, for example by deciding whether to grant the user type change request to the corresponding user type according to factors such as the configured number of authorized persons and the current online number for each subnet type, and the total traffic threshold and the current online traffic.
- a user can thus apply for the user type holding the access permission corresponding to the subnet type of the destination address, achieving a dynamic permission change.
- a user type that meets the access authority corresponding to the subnet type of the destination address can also be modified to an unprivileged user, so the access authority can be flexibly controlled according to the authorization decision algorithm.
- before the step of disassembling the S1-U uplink packet in step S130, the method further includes: determining, according to the current access state, whether to grant a forwarding permission for the local network access packet; if the local network access packet obtains the forwarding permission, the step of disassembling the S1-U uplink packet is performed; if it does not, the local network access packet is discarded.
- the current access state includes information such as the user's uplink and downlink access rate limit, access duration, and total access traffic, and whether to grant a forwarding permission for the local network access message is determined according to the current access state. A packet can be forwarded only when a forwarding permission has been obtained, and different subnet types can correspond to different forwarding permission grant policies.
- the forwarding license further flexibly controls the access traffic, access duration, and the like of the local network.
- the DMZ authorized guest user accesses the DMZ subnet, and provides a guest forwarding permission for the local network access processing module according to information such as the uplink and downlink access rate limit, the access duration, and the total access traffic of the guest user.
- the authorized intranet user accesses the internal network subnet, and provides an authorization forwarding permission for the local network access processing module according to the user's uplink and downlink access rate limit.
- the controlled authorized user accesses the local network VPN gateway, and provides a controlled forwarding permission for the local network access processing module according to the uplink and downlink access rate limit, the access duration, and the total access traffic of the controlled authorized user.
- the step of determining the user type of the user terminal corresponding to the local network access packet in step S120 includes: querying the user record table according to the user identifier of the user terminal carried in the local network access packet. If the user identifier is in the user record table, the user type recorded there is obtained; if the user identifier is not in the user record table, the user type is a non-privileged user.
- different user record tables may be generated according to the user type, and the records are identified by a record table identifier. If the user type is updated, the user record table is updated synchronously. Therefore, if a user type with permission was obtained last time, the user record with that permission can be obtained directly from the user record table on the next access, and a user does not need to re-apply for a user type it already holds, so the access right is obtained quickly.
- a valid time corresponding to the user record in the user record table is obtained, and the user record is deleted when the user does not access the local network within the valid time range. In one embodiment, if the user access right expires, the corresponding period of the user is set.
- step S122 includes at least one of the following steps:
- Step S122a If the subnet type of the destination address is a DMZ subnet, and the user type is a DMZ authorized guest user, it is determined that the user access right corresponding to the user type matches the access right corresponding to the subnet type of the destination address.
- the DMZ zone provides isolation between the external network and the internal network, and is protected by external routers and firewalls.
- most devices deployed in the DMZ zone also have certain anti-attack capabilities; they are also known as bastion hosts.
- the internal network is protected by an internal router, the choke router (blocking router) in Figure 1, and a firewall.
- the internal network does not allow direct external access; only some of the bastion hosts in the DMZ zone are allowed to access it.
- external network users must be authenticated by the VPN gateway before they can access it.
- the VPN gateway can be used as a bastion host, and most VPN gateways are deployed in the DMZ zone. The carrier's VPN gateway can also be leased. Users transit through the bastion host in the DMZ zone to access the internal network.
- a reverse proxy server can also be deployed in the DMZ zone. Most of the external public servers are deployed on the internal network; when a user accesses an external public service, the DMZ reverse proxy server accesses the public server deployed on the internal network on the user's behalf, which protects the public servers better.
- the DMZ authorized guest user is a user with DMZ subnet access rights: when the subnet type of the destination address is the DMZ subnet and the user type is the DMZ authorized guest user, the user access right matches the access right corresponding to the subnet type.
- Step S122b If the subnet type of the destination address is an intranet subnet and the user type is a controlled authorized user, it is determined that the user access right corresponding to the user type does not meet the access authority corresponding to the subnet type of the destination address; the S1-U uplink packet is disassembled, the source IP address and the source port number of the user IP packet are converted into the device IP address and the mapped port number, and the local network packet is re-encapsulated and forwarded to the VPN gateway.
- the controlled authorized user is a user with access to the VPN gateway of the local network. If the user type is a controlled authorized user, the user must apply to the VPN gateway for user identity authentication before obtaining the internal user identity; the S1-U uplink packet is disassembled, the source IP address and source port number in the user IP packet are converted to the device IP address and the mapped port number, and the local network packet is re-encapsulated and forwarded to the VPN gateway.
- Step S122c If the subnet type of the destination address is an intranet subnet and the user type is an authorized intranet user, it is determined that the user access right corresponding to the user type matches the access permission corresponding to the subnet type of the destination address.
- the authorized intranet user is a user with the access permission of the intranet subnet; only an internal user authorized by the intranet authorization decision algorithm may access the intranet subnet of the local network.
- this solution does not limit the way users are authenticated inside the local network.
- the subnet type is divided into a DMZ subnet and an intranet subnet.
- the user type includes a DMZ authorized guest user, a controlled authorized user, and an authorized intranet user. Whether the access right corresponding to the subnet type of the destination address is met is determined from the subnet type of the destination address and the user type, which achieves flexible access control for each subnet.
- the method further includes at least one of the following steps:
- Step S310 If the subnet type of the destination address is a DMZ subnet and the user is not a DMZ authorized guest user, a DMZ authorized guest user application is initiated.
- Step S320 If the subnet type of the destination address is an intranet subnet and the user identity has not been confirmed as an internal user, a controlled authorized user application is initiated.
- a user who has not passed VPN authentication cannot have its identity confirmed and can only send its credentials to the VPN gateway for authentication; only a controlled authorized user application can be initiated, not an authorized intranet user application.
- Step S330 If the subnet type of the destination address is an intranet subnet, the user identity is an internal user and the user type is a controlled authorized user, an authorized intranet user application is initiated.
- a user can apply to become an authorized intranet user only after the user is identified as an internal user.
- the user type application request is generated from the subnet type of the destination address, the current user type, and the current user identity, so that user type application requests are generated hierarchically.
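The lookup of step S120, the verification of steps S122a to S122c with the second (allowed-subnet) verification, and the hierarchical applications of steps S310 to S330, as one added example that is not the patent's code. The record tables keep a valid time as described above; table names, valid times, user identifiers and subnet names are constructed. One assumption beyond the text: a user that already holds the user type it would apply for does not re-apply.

```python
# Added example (not the patent's code): user-type lookup in per-type user record
# tables with a valid time, the first/second verification of steps S122a-S122c,
# and the hierarchical application requests of steps S310-S330. Table names,
# valid times, user identifiers and subnet names are constructed. One assumption
# beyond the text: a user already holding the requested type does not re-apply.
from enum import Enum


class Subnet(Enum):
    DMZ = "dmz"
    INTRANET = "intranet"


class UserType(Enum):
    UNPRIVILEGED = "unprivileged"
    DMZ_GUEST = "dmz_authorized_guest"
    CONTROLLED = "controlled_authorized"
    INTRANET = "authorized_intranet"


class Verdict(Enum):
    MATCH = "match"                    # forward to the next hop of the destination subnet
    CONTROLLED = "controlled_forward"  # S122b: forward to the VPN gateway instead
    MISMATCH = "mismatch"              # no matching right; an application may be raised
    DENY = "deny"                      # second verification failed: subnet not allowed


class UserRecordTable:
    """One table per user type; a record is deleted if not used within valid_s."""

    def __init__(self, user_type, valid_s):
        self.user_type = user_type
        self.valid_s = valid_s
        self._rows = {}   # user_id -> {"subnets": set of allowed subnet names, "last": time}

    def upsert(self, user_id, allowed_subnets, now):
        self._rows[user_id] = {"subnets": set(allowed_subnets), "last": now}

    def lookup(self, user_id, now):
        row = self._rows.get(user_id)
        if row is None:
            return None
        if now - row["last"] > self.valid_s:   # valid time elapsed without an access
            del self._rows[user_id]
            return None
        row["last"] = now
        return row


def determine_user_type(tables, user_id, now):
    """Step S120: a user found in no table is a non-privileged user."""
    for table in tables:
        row = table.lookup(user_id, now)
        if row is not None:
            return table.user_type, row["subnets"]
    return UserType.UNPRIVILEGED, set()


def first_verification(subnet, user_type):
    if subnet is Subnet.DMZ and user_type is UserType.DMZ_GUEST:
        return Verdict.MATCH            # S122a
    if subnet is Subnet.INTRANET and user_type is UserType.CONTROLLED:
        return Verdict.CONTROLLED       # S122b
    if subnet is Subnet.INTRANET and user_type is UserType.INTRANET:
        return Verdict.MATCH            # S122c
    return Verdict.MISMATCH


def application_for(subnet, user_type, is_internal):
    """Steps S310-S330: which user type, if any, the terminal should apply for."""
    if subnet is Subnet.DMZ and user_type is not UserType.DMZ_GUEST:
        return UserType.DMZ_GUEST       # S310
    if subnet is Subnet.INTRANET and not is_internal and \
            user_type not in (UserType.CONTROLLED, UserType.INTRANET):
        return UserType.CONTROLLED      # S320: identity not yet confirmed internal
    if subnet is Subnet.INTRANET and is_internal and user_type is UserType.CONTROLLED:
        return UserType.INTRANET        # S330
    return None


def process(tables, user_id, dst_subnet_type, dst_subnet_name, is_internal, now):
    """Return (verdict, application) for one local network access packet."""
    user_type, allowed = determine_user_type(tables, user_id, now)
    verdict = first_verification(dst_subnet_type, user_type)
    if verdict is Verdict.MATCH and dst_subnet_name not in allowed:
        verdict = Verdict.DENY          # second verification: subnet not in the allowed list
    application = None if verdict is Verdict.MATCH else \
        application_for(dst_subnet_type, user_type, is_internal)
    return verdict, application


def demo():
    """Constructed records and packets; returns the (verdict, application) pairs as strings."""
    guests = UserRecordTable(UserType.DMZ_GUEST, valid_s=60)
    controlled = UserRecordTable(UserType.CONTROLLED, valid_s=60)
    intranet = UserRecordTable(UserType.INTRANET, valid_s=60)
    guests.upsert("10.20.0.5", {"dmz-web"}, now=0)
    controlled.upsert("10.20.0.7", set(), now=0)
    tables = [guests, controlled, intranet]
    cases = [
        ("10.20.0.5", Subnet.DMZ, "dmz-web", False, 10),      # guest to an allowed DMZ subnet
        ("10.20.0.5", Subnet.DMZ, "dmz-db", False, 10),       # guest to a subnet not in its list
        ("10.20.0.9", Subnet.DMZ, "dmz-web", False, 10),      # unknown user: apply as DMZ guest
        ("10.20.0.7", Subnet.INTRANET, "office", False, 10),  # controlled user: via VPN gateway
        ("10.20.0.7", Subnet.INTRANET, "office", True, 10),   # internal identity: apply for intranet
        ("10.20.0.5", Subnet.DMZ, "dmz-web", False, 100),     # guest record expired (90 s idle)
    ]
    out = []
    for user_id, stype, sname, internal, now in cases:
        verdict, app = process(tables, user_id, stype, sname, internal, now)
        out.append((verdict.value, app.value if app else None))
    return out
```

The last case shows why the valid time matters: an idle guest record is dropped on the next lookup, and the user falls back to non-privileged and must apply again rather than keeping a stale right.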
- the step of updating the user type of the user terminal according to the authorization decision algorithm includes at least one of the following steps:
- Step S410 If a DMZ authorized guest user application is received, DMZ guest authorization is granted according to the DMZ guest authorization decision algorithm, DMZ guest authorization information is generated according to the configuration, and the user type of the user granted DMZ guest authorization is changed to DMZ authorized guest user.
- the DMZ guest authorization information may include a user identifier and the corresponding user type.
- the DMZ guest authorization information may be transmitted to the DMZ authorized guest user record table to update it: a user record is added or changed, and the user type of the user record is set to DMZ authorized guest user.
- a guest user access control activation message is sent at the same time the user record is updated, carrying the activated policy and related information.
- the uplink rate control and the downlink rate control are mandatory policies, and the access duration and total access traffic are optional.
- Step S420 If a controlled authorized user application is received, controlled authorization is granted according to the controlled authorization decision algorithm, controlled authorization information is generated according to the configuration, and the user type of the user granted controlled authorization is changed to controlled authorized user.
- the controlled authorization information may include a user identifier and the corresponding user type.
- the controlled authorization information can be transmitted to the controlled authorized user record table, which is updated: a user record is added or changed, and the user type of the user record is set to controlled authorized user.
- the uplink rate control and the downlink rate control are mandatory policies, and the access duration and total access traffic are optional.
- Step S430 If an authorized intranet user application is received, intranet authorization is granted according to the intranet authorization decision algorithm, intranet authorization information is generated according to the configuration, and the user type of the user granted intranet authorization is changed to authorized intranet user.
- the intranet authorization information may include a user identifier and the corresponding user type.
- the intranet authorization information can be transmitted to the intranet authorized user record table, which is updated: a user record is added or changed, and the user type of the user record is set to intranet authorized user.
- the access control function for the authorized intranet user is activated, and the local network access control module stops the original controlled authorized user access control function.
- the user record table is divided into a DMZ authorized guest user record table, a controlled authorized user record table, and an intranet authorized user record table, and the method further includes: modifying the user record in the record table of the corresponding type according to the update of the user type.
- the DMZ authorized guest user record table includes a user identifier, user mobile network base station information, and guest authorization information. The guest authorization information includes the list of allowed subnets and their next hop addresses, the user uplink access rate, the user downlink access rate, the user access duration, and the total access traffic quota of the user.
- the controlled authorized user record table includes a user identifier, user mobile network base station information, and controlled authorization information. The controlled authorization information includes the user uplink access rate, the user downlink access rate, the user access duration, and the total access traffic quota of the user.
- the intranet authorized user record table includes a user identifier, user mobile network base station information, and intranet authorization information. The intranet authorization information includes the list of subnets allowed to access and their next hop addresses, the user uplink access rate, the user downlink access rate, and other information.
- the user record table records the mobile network base station IP address and the mobile network base station user information, which includes the mobile network base station IP address and the mobile network base station tunnel identifier TEID.
- the user identifier in the user record table is the IP address of the mobile terminal in the mobile network, that is, the IP address of the user terminal on the mobile network; the mobile network base station user information includes the IP address of the mobile network base station eNB and the mobile network base station tunnel identifier TEID of the user terminal, and the two are associated.
- the DMZ authorized guest user record table includes the user identifier, the user mobile network base station information, and the DMZ guest authorization information.
- the intranet authorized user record table includes the user identifier, the user mobile network base station information, and the intranet authorization information, which includes the list of subnets allowed to access, the next hop address, the user uplink access rate, and the user downlink access rate.
- the method further includes: receiving a local network downlink packet, restoring the device IP address and the mapped port number carried in the local network downlink packet to the source IP address and source port number of the user terminal, encapsulating the result into an S1-U downlink packet according to the mobile network base station tunnel identifier of the user terminal, and sending it to the mobile network base station.
- the local network downlink packet is a response packet sent by the local network to the user terminal; it carries the device IP address and the mapped port number, which need to be converted back to the source IP address and source port number of the user terminal.
- the method further includes:
- applying for the corresponding type of downlink forwarding permission, where the application request carries the number of bytes to be forwarded. If the application succeeds, the local network downlink packet is disassembled, the device IP address and mapped port number carried in it are obtained and converted into the user's source IP address and source port number, and the packet is re-encapsulated into an S1-U downlink packet and forwarded to the base station eNB. After receiving the S1-U downlink packet, the base station eNB converts it into an air interface packet and sends it to the user terminal. If the application fails, the local network downlink packet is discarded, so that the downlink packets of the local network are controlled.
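The uplink disassembly and port address translation of step S130, and the downlink restoration and S1-U re-encapsulation just described, as an added example that is not the patent's code. It parses a real IPv4/UDP packet inside a minimal GTPv1-U (S1-U) header, rewrites the source to the device IP address and a mapped port, and on the downlink looks the mapped port up to restore the user's address and the eNB-side tunnel identifier. The downlink TEID comes from the user record in the text; here the caller supplies it. IP addresses, ports and TEIDs are constructed.

```python
# Added example (not the patent's code): port address translation between the
# user IP packet and the device address, with S1-U (GTPv1-U) decapsulation on
# the uplink and re-encapsulation towards the eNB on the downlink. The downlink
# TEID is the eNB-side tunnel identifier from the user record; here the caller
# supplies it. IP addresses, ports and TEIDs are constructed.
import ipaddress
import struct

GTPU_TPDU = 0xFF   # GTP-U message type for a transported user PDU


def gtpu_encap(teid, inner_ip_packet):
    # GTPv1-U header without optional fields: flags 0x30 (version 1, PT=1), type, length, TEID
    return struct.pack("!BBHI", 0x30, GTPU_TPDU, len(inner_ip_packet), teid) + inner_ip_packet


def gtpu_decap(s1u_payload):
    flags, mtype, length, teid = struct.unpack("!BBHI", s1u_payload[:8])
    if flags >> 5 != 1 or mtype != GTPU_TPDU:
        raise ValueError("not a GTPv1-U T-PDU")
    body = s1u_payload[8:8 + length]
    if flags & 0x07:       # E, S or PN flag set: 4 optional header bytes precede the PDU
        body = body[4:]
    return teid, body


def ipv4_checksum(header):
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_udp(src, sport, dst, dport, payload):
    """IPv4 (no options) + UDP; a UDP checksum of 0 means 'absent', which IPv4 permits."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + udp


def parse_ipv4_udp(packet):
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 17:
        raise ValueError("only UDP is handled in this example")
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    return src, sport, dst, dport, packet[ihl + 8:]


class LocalNetworkAccessProcessor:
    def __init__(self, device_ip, mapped_ports=range(40000, 41000)):
        self.device_ip = device_ip
        self._free = list(mapped_ports)
        self._fwd = {}   # (user_ip, user_port) -> mapped_port
        self._rev = {}   # mapped_port -> (user_ip, user_port, enb_ip, enb_teid)

    def uplink(self, s1u_payload, enb_ip, enb_teid):
        """Disassemble the S1-U uplink packet and translate the user source to the device address."""
        _uplink_teid, ip_packet = gtpu_decap(s1u_payload)
        src, sport, dst, dport, payload = parse_ipv4_udp(ip_packet)
        key = (src, sport)
        if key not in self._fwd:
            if not self._free:
                raise RuntimeError("mapped port pool exhausted")
            mapped = self._free.pop(0)
            self._fwd[key] = mapped
            self._rev[mapped] = (src, sport, enb_ip, enb_teid)
        return build_ipv4_udp(self.device_ip, self._fwd[key], dst, dport, payload)

    def downlink(self, local_packet):
        """Restore the user address and port and re-encapsulate for the eNB.
        Returns (enb_ip, s1u_payload), or None when no mapping exists (packet discarded)."""
        src, sport, dst, dport, payload = parse_ipv4_udp(local_packet)
        entry = self._rev.get(dport)
        if entry is None or dst != self.device_ip:
            return None
        user_ip, user_port, enb_ip, enb_teid = entry
        return enb_ip, gtpu_encap(enb_teid, build_ipv4_udp(src, sport, user_ip, user_port, payload))


def demo():
    """Constructed uplink request and downlink reply through the processor."""
    proc = LocalNetworkAccessProcessor("192.0.2.10")
    user_packet = build_ipv4_udp("10.20.0.5", 5000, "172.16.1.20", 53, b"query")
    local_packet = proc.uplink(gtpu_encap(0x1234, user_packet), "198.51.100.1", 0xABCD)
    mapped_port = parse_ipv4_udp(local_packet)[1]
    reply = build_ipv4_udp("172.16.1.20", 53, "192.0.2.10", mapped_port, b"reply")
    enb_ip, s1u_down = proc.downlink(reply)
    stray = proc.downlink(build_ipv4_udp("172.16.1.20", 53, "192.0.2.10", 40999, b"x"))
    teid, inner = gtpu_decap(s1u_down)
    return parse_ipv4_udp(local_packet), enb_ip, teid, parse_ipv4_udp(inner), stray
```

A downlink packet whose destination port has no mapping (the `stray` case) is dropped rather than forwarded to any terminal, which is the property that keeps the mapped-port table from becoming an unsolicited path into the mobile network.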
- before step S110, the method further includes: configuring each parameter and rule in advance.
- the configured parameters and rules include: local network access packet characteristics, local network domain name rules, local network subnets and routing rules, VPN gateway configuration, local network access control rules, etc., and a parameter configuration interface is provided for the other modules.
- the method for accessing the local network by the user terminal is implemented by newly added modules, including a local network packet identification module, a local network domain name proxy module, a local network access processing module, a local network access control module, a local network access authorization module and a user information management module.
- the timing diagram of the user terminal querying a local network domain name is shown in Figure 9.
- the local network domain name proxy module constructs the DNS query response, as follows:
- the UE sends an air interface packet carrying a user packet, that is, a DNS query message, to the eNB to query the local network domain name.
- after receiving the user packet, the eNB encapsulates it into an S1-U uplink packet and sends it, and the local network packet identification module receives the S1-U uplink packet.
- the local network packet identification module analyzes the content of the S1-U packets packet by packet and identifies the DNS query packet.
- the local network packet identification module identifies the DNS query packet of a local network domain name according to the configured local network domain name rules;
- the local network packet identification module forwards the DNS query message of the local network domain name to the local network domain name proxy module, and other DNS query messages continue to the core network;
- the local network domain name proxy module constructs a DNS query response packet carrying the local network IP address;
- the local network domain name proxy module acquires the user mobile network base station information from the user information management module;
- the local network domain name proxy module packs the DNS query response packet into an S1-U packet and sends it to the eNB;
- the eNB receives the S1-U packet, extracts the user packet, that is, the DNS query response packet, and sends it to the UE.
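The local network domain name proxy of the sequence above, as an added example that is not the patent's code: it parses the DNS query carried in the user packet, matches the queried name against configured local network domain name rules, and either builds a response carrying the local network IP address or returns nothing so that the query continues to the core network. The domain names and addresses in the rule table are constructed.

```python
# Added example (not the patent's code): the local network domain name proxy.
# Parses a DNS query from the user packet, matches the name against configured
# local network domain name rules, and builds an A-record response carrying the
# local network IP address. Domain names and addresses are constructed.
import ipaddress
import struct

LOCAL_DOMAIN_RULES = {   # constructed: local domain (matched as a suffix) -> local network IP
    "portal.example-plant.local": "10.100.0.10",
    "files.example-plant.local": "10.100.0.20",
}


def parse_qname(msg, offset):
    labels = []
    while True:
        n = msg[offset]
        if n == 0:
            offset += 1
            break
        if n & 0xC0:
            raise ValueError("compression pointers are not expected in a question name")
        labels.append(msg[offset + 1:offset + 1 + n].decode("ascii"))
        offset += 1 + n
    return ".".join(labels), offset


def encode_qname(name):
    return b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.rstrip(".").split(".")) + b"\x00"


def parse_query(msg):
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    qname, offset = parse_qname(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
    return txid, qname, qtype, qclass


def match_local_domain(qname):
    """Local network IP for a local domain name, else None (query continues to the core network)."""
    name = qname.rstrip(".").lower()
    for rule, ip in LOCAL_DOMAIN_RULES.items():
        if name == rule or name.endswith("." + rule):
            return ip
    return None


def build_response(txid, qname, qtype, qclass, ip, ttl=60):
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, 1, 0, 0)   # QR=1, AA=1, rcode 0
    question = encode_qname(qname) + struct.pack("!HH", qtype, qclass)
    # answer: pointer to the question name at offset 12, type A, class IN, TTL, rdlength, address
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.IPv4Address(ip).packed
    return header + question + answer


def handle_dns_query(msg):
    """Response bytes for a local network domain name, or None to let the query pass through."""
    txid, qname, qtype, qclass = parse_query(msg)
    if qtype != 1 or qclass != 1:   # only A/IN queries are answered by the proxy
        return None
    ip = match_local_domain(qname)
    if ip is None:
        return None
    return build_response(txid, qname, qtype, qclass, ip)


def build_query(txid, qname):
    """Constructed client query (RD set, one A/IN question), as the UE would send it."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_qname(qname) + struct.pack("!HH", 1, 1)


def answered_address(response):
    """Address of the single A record in a response from build_response."""
    return str(ipaddress.IPv4Address(response[-4:]))
```

Only A/IN questions for names under a configured local domain are answered; everything else passes through unchanged, so the proxy never answers for names it is not configured for.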
- the timing diagram (Figure 10) of an uplink message of a user terminal accessing a local network DMZ subnet is described as follows:
- the UE sends a user uplink packet from the air interface.
- after receiving the user packet, the eNB encapsulates it into an S1-U uplink packet and sends it.
- the local network packet identification module compares packet by packet and identifies the local network access packet according to the configured local network access packet characteristics.
- the local network packet identification module forwards the local network access packet to the local network access processing module;
- the local network access processing module checks the destination subnet and identifies that it is a DMZ subnet;
- the local network access processing module checks whether the user is in the DMZ authorized guest user record table;
- for a visitor who is not in the DMZ authorized guest user record table, the local network access processing module may initiate a DMZ authorized guest user application carrying the user identifier to the user information management module to obtain the DMZ guest authorization information;
- for a DMZ authorized guest user, the local network access processing module checks whether the subnet where the destination address is located is in the list of allowed subnets; packets from an unauthorized visitor or to an unauthorized subnet are discarded directly.
- the local network access processing module applies for a guest uplink forwarding permission from the local network access control module, carrying the number of bytes to be forwarded;
- the local network access processing module unpacks the packet, performs port address translation, and re-encapsulates the local network packet. If the forwarding permission is not obtained, the packet is discarded directly.
- the local network access processing module sends the packaged local network packet to the next hop address corresponding to the subnet where the destination address is located.
- the local network DMZ server returns a response message to the UE, and a guest downlink forwarding permission also needs to be applied for when forwarding it.
- FIG. 11 is an example of a sequence diagram of the downlink message of the user terminal accessing the local network DMZ; it is described as follows:
- the local network access processing module receives the packet from the local network DMZ, that is, the user downlink packet;
- the local network access processing module applies for a guest downlink forwarding permission from the local network access control module, carrying the number of bytes to be forwarded;
- the local network access processing module unpacks the packet, performs port address translation, and re-encapsulates the packet into an S1-U downlink user packet. If the forwarding permission is not obtained, the packet is discarded directly.
- the local network access processing module sends the packaged S1-U downlink user packet to the eNB;
- the eNB receives the S1-U packet and sends the user downlink packet from the air interface to the UE.
- the user terminal needs to apply for the guest authorization.
- the application process can be triggered in the local network domain name response process or in the local network DMZ access process.
- an example of the local network DMZ guest authorization timing diagram (Figure 12) is described as follows:
- the user information management module initiates a DMZ authorized guest user application to the local network access authorization module;
- the local network access authorization module grants DMZ guest authorization according to the DMZ guest authorization decision algorithm, and generates DMZ guest authorization information according to the configuration;
- the local network access authorization module returns a DMZ authorized guest user application response;
- the user information management module checks the authorization result, saves the DMZ guest authorization information, and adds it to the DMZ authorized guest user record table;
- the user information management module sends a DMZ authorized guest user access control message to the local network access control module, carrying the activated policy and related information, where the uplink rate control and the downlink rate control are mandatory policies, and the access duration and total access traffic are optional.
- a user terminal accessing the intranet subnet of the local network needs to perform intranet identity authentication.
- the specific process of intranet identity authentication can be customized according to requirements; this solution does not limit it.
- the local network access authorization module grants controlled authorization, and the packet is forwarded to the VPN gateway, which is called controlled forwarding. At this time the user is a controlled authorized user. The local network access authorization module then learns that the user identity is an internal user.
- intranet authorization is granted according to the intranet authorization decision algorithm, and the packet is allowed to be forwarded to the authorized subnet, which is called authorization forwarding. At this time the user is changed to an authorized intranet user.
- the timing diagram of an uplink message of the user terminal accessing the intranet of the local network is shown in FIG. 13 and described as follows:
- the UE sends a user uplink message from the air interface.
- after receiving the user packet, the eNB encapsulates it into an S1-U uplink packet and sends it.
- the local network packet identification module compares packet by packet and identifies the local network access packet according to the configured local network access packet characteristics;
- the local network packet identification module forwards the local network access message to the local network access processing module;
- the local network access processing module checks the destination subnet and identifies that it is an intranet subnet;
- the local network access processing module checks the controlled authorized user record table and the intranet authorized user record table;
- for a user who does not exist in the record tables, the local network access processing module sends a user type update request carrying the user identifier to the user information management module and obtains the user authorization information;
- the local network access processing module confirms whether the user type is a controlled authorized user or an authorized intranet user, so that different policies are applied subsequently;
- the local network access processing module checks whether the subnet where the destination address is located belongs to the authorized subnet list; if not, the packet is discarded directly, and if so, the next step is entered;
- for a controlled authorized user, the local network access processing module obtains a controlled uplink forwarding permission from the local network access control module, carrying the number of bytes to be forwarded; for an authorized intranet user, it obtains an authorization uplink forwarding permission from the local network access control module, carrying the number of bytes to be forwarded.
- the local network access processing module unpacks the packet, performs port address translation, and re-encapsulates the local network packet. If the forwarding permission is not obtained, the packet is discarded directly.
- the local network access processing module sends the packaged local network packet to the VPN gateway for a controlled authorized user, and to the next hop address corresponding to the subnet where the destination address is located for an authorized intranet user.
- the local network subnet server or the VPN gateway returns a response packet to the UE, and a downlink forwarding permission is also required to forward it.
- the downlink process differs slightly according to the user type. The downlink sequence of the user terminal accessing the intranet of the local network is shown in Figure 14 and described as follows:
- the local network access processing module receives the local network packet from the local network intranet or the VPN gateway, that is, the user downlink packet;
- the local network access processing module checks whether the user record type is a controlled authorized user or an authorized intranet user;
- for a controlled authorized user, the local network access processing module obtains a controlled downlink forwarding permission from the local network access control module, carrying the number of bytes to be forwarded; for an authorized intranet user, it obtains an authorization downlink forwarding permission from the local network access control module, carrying the number of bytes to be forwarded.
- the local network access processing module unpacks the packet, performs port address translation, and re-encapsulates the packet into an S1-U downlink user packet. If the forwarding permission is not obtained, the packet is discarded directly.
- the local network access processing module sends the packaged S1-U downlink user packet to the eNB.
- the eNB receives the S1-U packet and sends the user downlink packet from the air interface to the UE.
- the local network access authorization module grants intranet authorization to a user with internal identity according to the intranet authorization decision algorithm, which can combine factors such as the current number of authorized intranet accessors, the configured authorized intranet accessor threshold, the current total access rate of authorized intranet users, and the configured total intranet access rate threshold.
- the controlled authorized user record type is maintained until the decision is made; a user who is granted intranet authorization is changed from the original controlled authorized user type to the authorized intranet user type. Even for an intranet identity user authenticated by the local network, if the local network access authorization module does not grant intranet authorization, the user remains of the controlled authorized user type.
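The intranet authorization decision of the two items above, together with the record-table change it drives (adding the user to the intranet authorized user record table, deleting it from the controlled authorized user record table, and handing access control over), as an added example that is not the patent's code. The decision uses the four factors named in the text; thresholds, per-user rates, user identifiers and eNB data are constructed.

```python
# Added example (not the patent's code): the intranet authorization decision of
# the local network access authorization module and the record-table change it
# drives in the user information management module. The decision uses the four
# factors named in the text; thresholds, rates, user ids and eNB data are constructed.
from dataclasses import dataclass, field


@dataclass
class IntranetConfig:
    max_intranet_users: int      # configured authorized intranet accessor threshold
    max_total_rate_bps: int      # configured total intranet access rate threshold
    per_user_up_bps: int         # written into the generated intranet authorization information
    per_user_down_bps: int
    allowed_subnets: tuple       # subnet list and next hop granted to authorized intranet users
    next_hop: str


@dataclass
class UserInfoManager:
    controlled: dict = field(default_factory=dict)       # controlled authorized user record table
    intranet: dict = field(default_factory=dict)         # intranet authorized user record table
    control_events: list = field(default_factory=list)   # messages to the access control module


class IntranetAuthorizer:
    def __init__(self, cfg, users):
        self.cfg = cfg
        self.users = users

    def current_total_rate(self):
        return sum(r["up_bps"] + r["down_bps"] for r in self.users.intranet.values())

    def decide(self, user_id, is_internal):
        """Grant intranet authorization, or leave the user a controlled authorized user."""
        rec = self.users.controlled.get(user_id)
        if rec is None or not is_internal:
            return False   # only a controlled user with confirmed internal identity is eligible
        if len(self.users.intranet) >= self.cfg.max_intranet_users:
            return False   # accessor threshold reached: user stays controlled
        new_rate = self.cfg.per_user_up_bps + self.cfg.per_user_down_bps
        if self.current_total_rate() + new_rate > self.cfg.max_total_rate_bps:
            return False   # total rate threshold would be exceeded: user stays controlled
        info = {"user_id": user_id, "enb": rec["enb"],
                "up_bps": self.cfg.per_user_up_bps, "down_bps": self.cfg.per_user_down_bps,
                "subnets": list(self.cfg.allowed_subnets), "next_hop": self.cfg.next_hop}
        # move the record: add to the intranet table, delete from the controlled table
        self.users.intranet[user_id] = info
        del self.users.controlled[user_id]
        self.users.control_events.append(("stop_controlled_control", user_id))
        self.users.control_events.append(("activate_intranet_control", user_id))
        return True


def demo():
    """Constructed controlled users and decisions; returns results and the resulting tables."""
    cfg = IntranetConfig(max_intranet_users=2, max_total_rate_bps=30_000_000,
                         per_user_up_bps=10_000_000, per_user_down_bps=5_000_000,
                         allowed_subnets=("10.50.0.0/24",), next_hop="10.50.0.1")
    users = UserInfoManager()
    for uid, teid in (("10.20.0.5", 0x1001), ("10.20.0.6", 0x1002), ("10.20.0.7", 0x1003)):
        users.controlled[uid] = {"user_id": uid, "enb": ("198.51.100.1", teid)}
    auth = IntranetAuthorizer(cfg, users)
    results = [
        auth.decide("10.20.0.5", is_internal=True),    # True
        auth.decide("10.20.0.6", is_internal=False),   # False: identity not confirmed internal
        auth.decide("10.20.0.6", is_internal=True),    # True: second accessor, total rate 30M fits
        auth.decide("10.20.0.7", is_internal=True),    # False: accessor threshold of 2 reached
        auth.decide("10.20.0.9", is_internal=True),    # False: no controlled record for this user
    ]
    return results, sorted(users.intranet), sorted(users.controlled), len(users.control_events)
```

A denied user keeps its controlled record, so its packets continue to be controlled-forwarded to the VPN gateway rather than being admitted to the intranet subnet.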
- FIG. 15 is a timing diagram of the intranet authorization of the local network.
- the user terminal notifies the VPN gateway of the user terminal identifier, that is, the IP address of the user terminal on the mobile network, and the VPN gateway notifies the local network access authorization module.
- the details are as follows:
- the user information management module initiates a controlled authorized user application to the local network access authorization module;
- the local network access authorization module grants controlled authorization according to the controlled authorization decision algorithm, and generates controlled authorization information according to the configuration;
- the local network access authorization module returns a controlled authorized user application response;
- the user information management module checks the controlled authorization result, saves it as the controlled authorized user information, and adds it to the controlled authorized user record table;
- the user information management module sends a controlled authorized user access control message to the local network access control module, carrying the activated policy and related information, where the uplink rate control and the downlink rate control are mandatory policies, and the access duration and total access traffic are optional;
- the user terminal and the local network intranet authentication system perform intranet authentication. This step is not limited.
- the user terminal sends the user identifier to the VPN gateway. This step is optional.
- the VPN gateway notifies the local network access authorization module, carrying the user identifier. This step is optional.
- the local network access authorization module learns that the user has passed the intranet authentication and that the user identity is an internal user;
- the local network access authorization module grants intranet authorization according to the intranet authorization decision algorithm, and generates intranet authorization information according to the configuration;
- the local network access authorization module sends an authorized intranet user notification carrying the authorization information to the user information management module;
- the user information management module changes the user from a controlled authorized user record to an authorized intranet user record, saves the authorization information, adds the user to the intranet authorized user record table, and deletes it from the controlled authorized user record table;
- the user information management module notifies the local network access control module to activate the access control function for the authorized intranet user, and the local network access control module stops the original controlled authorized user access control function.
- an apparatus for accessing a local network by a user terminal includes:
- the local network packet identification module 520, configured to receive the S1-U uplink packet, and identify and intercept the local network access packet in the S1-U uplink packet;
- the local network access processing module 530, configured to determine the user type of the user terminal corresponding to the local network access message, and verify the local network access permission of the user terminal according to the user type and the destination address in the local network access message. If the verification passes, the S1-U uplink packet is disassembled, the source IP address and the source port number in the user IP packet are converted into the device IP address and the mapped port number, the local network packet is re-encapsulated, and the local network packet is forwarded to the next hop address of the subnet where the destination address is located.
- the local network packet identification module 520 is further configured to receive the S1-U uplink message, and identify and intercept the DNS query message of a local network domain name in the S1-U uplink message. As shown in FIG. 17, the device further includes:
- the local network domain name proxy module 540, configured to construct a DNS response packet carrying the local network IP address according to the DNS query message of the local network domain name, and return the DNS response packet to the terminal; the local network IP address is carried as the destination address in the local network access message.
- the local network access processing module 530 includes:
- the information determining unit 531 is configured to extract a user identifier carried in the local network access packet, determine a user type corresponding to the user identifier, and determine a subnet and a subnet type where the destination address is located.
- the first verification unit 532 is configured to determine whether the user access right corresponding to the user type meets the access authority corresponding to the subnet type of the destination address, and if yes, enter the second verification unit.
- the second verification unit 533 is configured to determine whether the subnet where the destination address is located is a subnet that is allowed to access, and if yes, the local network access authority is verified, otherwise the local network access authority fails to pass the verification.
- the apparatus further includes:
- the local network access control module 550, configured to determine, according to the current access state, whether to grant a forwarding permission for the local network access message; if the local network access message obtains the forwarding permission, the local network access processing module proceeds to disassemble the S1-U uplink packet, and if the local network access packet does not obtain the forwarding permission, it is discarded.
- the device further includes:
- the local network access authorization module 560 is configured to update the user type of the user terminal according to the authorization decision algorithm if the user access right corresponding to the user type does not meet the access right corresponding to the subnet type of the destination address.
- the local network access processing module 530 is further configured to look up the user record table according to the user identifier of the user terminal carried in the local network access packet; if the user identifier is in the user record table, the user type is the user type recorded in the table, and if the user identifier is not in the user record table, the user type is non-privileged user.
- the local network is divided into a DMZ zone and an intranet.
- the subnet type is divided into a DMZ subnet and an intranet subnet.
- the user types include DMZ authorized guest users, controlled authorized users, and authorized intranet users.
- the first verification unit 532 includes at least one of the following units:
- the DMZ subnet verification unit 532a is configured to determine, if the subnet type of the destination address is the DMZ subnet and the user type is DMZ authorized guest user, that the user access right corresponding to the user type matches the access right corresponding to the subnet type of the destination address.
- the intranet subnet first verification unit 532b is configured to, if the subnet type of the destination address is the intranet subnet and the user type is controlled authorized user, determine that the user access right corresponding to the user type does not match the access right corresponding to the subnet type of the destination address, disassemble the S1-U uplink packet, convert the source IP address and source port number in the user IP packet into the device IP address and a mapped port number, re-encapsulate the packet into a local network packet, and forward the local network packet to the VPN gateway.
- the intranet subnet second verification unit 532c is configured to determine, if the subnet type of the destination address is the intranet subnet and the user type is authorized intranet user, that the user access right corresponding to the user type matches the access right corresponding to the subnet type of the destination address.
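The verification chain described by units 531, 532a-c and 533 above (and repeated for the processor-based apparatus further down) can be written as a small policy function. The following is an added example and not the patent's code: the subnet table, the user record table, the next-hop and VPN gateway addresses and the UE PDN IPs used as user identifiers are all constructed for illustration. Combinations of user type and subnet type that the claims do not list are treated as "no match", which is where the authorization application units 534a-c would be consulted.

```python
import ipaddress

# User types and subnet types named in the claims
NON_PRIVILEGED, DMZ_GUEST, CONTROLLED, INTRANET_USER = (
    "non-privileged", "dmz-authorized-guest", "controlled-authorized", "authorized-intranet")
DMZ, INTRANET = "dmz-subnet", "intranet-subnet"

VPN_GATEWAY = "10.1.0.141"   # constructed: VPN gateway address in the DMZ

# Constructed subnet table: network -> (subnet type, next hop, allowed to be accessed)
SUBNETS = {
    ipaddress.ip_network("10.1.0.0/16"): (DMZ, "10.1.0.1", True),
    ipaddress.ip_network("10.2.0.0/16"): (INTRANET, "10.2.0.1", True),
    ipaddress.ip_network("10.3.0.0/24"): (INTRANET, "10.3.0.1", False),  # never reachable this way
}

# Constructed user record table, keyed by user identifier (the UE PDN IP)
USER_RECORDS = {
    "100.64.0.10": DMZ_GUEST,
    "100.64.0.11": CONTROLLED,
    "100.64.0.12": INTRANET_USER,
}

def user_type_of(user_id):
    """Unit 531 / module 530: identifiers absent from the record table are non-privileged."""
    return USER_RECORDS.get(user_id, NON_PRIVILEGED)

def subnet_of(dst_ip):
    """Unit 531: the (type, next hop, allowed) tuple of the subnet holding dst_ip, or None."""
    addr = ipaddress.ip_address(dst_ip)
    for net, info in SUBNETS.items():
        if addr in net:
            return info
    return None

def first_verification(user_type, subnet_type):
    """Unit 532 (532a-c): 'match', 'no-match', or 'vpn-gateway' for the
    controlled-user / intranet case, which the claims route to the VPN gateway
    instead of failing outright.  Unlisted combinations are 'no-match'."""
    if subnet_type == DMZ and user_type == DMZ_GUEST:
        return "match"
    if subnet_type == INTRANET and user_type == CONTROLLED:
        return "vpn-gateway"
    if subnet_type == INTRANET and user_type == INTRANET_USER:
        return "match"
    return "no-match"

def verify_access(user_id, dst_ip):
    """Returns (verdict, next hop).  'forward' means both verification units passed."""
    info = subnet_of(dst_ip)
    if info is None:
        return "deny", None
    subnet_type, next_hop, allowed = info
    outcome = first_verification(user_type_of(user_id), subnet_type)
    if outcome == "vpn-gateway":
        return "vpn-gateway", VPN_GATEWAY
    if outcome != "match":
        return "deny", None
    # Unit 533, second verification: the subnet itself must be one that may be accessed
    if not allowed:
        return "deny", None
    return "forward", next_hop

def authorization_application(user_type, subnet_type, is_internal_user):
    """Units 534a-c: which authorization application to start after a no-match.
    The 534c condition is checked before 534b because it is the stricter one
    (assumption about the intended ordering, not stated in the claims)."""
    if subnet_type == DMZ and user_type != DMZ_GUEST:
        return "dmz-guest-application"
    if subnet_type == INTRANET and is_internal_user:
        if user_type == CONTROLLED:
            return "intranet-user-application"
        return "controlled-user-application"
    return None
```

Note that the second verification (unit 533) is applied even when the first verification matched, so a subnet can be withdrawn from base-station-side access without touching any user record.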
- the local network access processing module 530 further includes:
- the authorization application unit includes at least one of the following units:
- the DMZ authorization application unit 534a is configured to initiate a DMZ authorized guest application if the subnet type of the destination address is a DMZ subnet and the user type is a non-DMZ authorized guest user.
- the controlled authorization application unit 534b is configured to initiate a controlled authorized user application if the subnet type of the destination address is the intranet subnet and the user identity is an internal user.
- the authorized intranet application unit 534c is configured to initiate an authorized intranet user application if the subnet type of the destination address is the intranet subnet, the user identity is an internal user, and the user type is controlled authorized user.
- the local network access authorization module 560 includes at least one of the following units:
- the DMZ authorization unit 560a is configured to, on receiving a DMZ authorized guest user application, grant DMZ guest authorization according to the DMZ guest authorization decision algorithm, generate DMZ guest authorization information according to the configuration, and change the user type of the user that passed DMZ guest authorization to DMZ authorized guest user.
- the controlled authorization unit 560b is configured to, on receiving a controlled authorized user application, grant controlled authorization according to the controlled authorization decision algorithm, generate controlled authorization information according to the configuration, and change the user type of the user that passed controlled authorization to controlled authorized user.
- the authorized intranet unit 560c is configured to, on receiving an authorized intranet user application, grant intranet authorization according to the intranet authorization decision algorithm, generate intranet authorization information according to the configuration, and change the user type of the user that passed intranet authorization to authorized intranet user.
- the user record table is divided into a DMZ authorized guest user record table, a controlled authorized user record table, and an intranet authorized user record table.
- the device further includes:
- the user information management module 570 is configured to modify the user record of the corresponding type of user record table according to the update of the user type.
- an apparatus for accessing a local network by a user terminal including a processor and a memory storing executable instructions of the processor, when the instructions are executed by the processor, performing the following operations:
- the user type of the user terminal corresponding to the local network access packet is determined, and the local network access right of the user terminal is verified according to the user type and the destination address in the local network access message.
- the S1-U upstream packet is disassembled, and the source IP address and source port number in the user IP packet are translated into the device IP address and the mapped port number, and the local network packet is re-encapsulated.
- the network packet is forwarded to the next hop address of the subnet where the destination address is located.
- the S1-U uplink packet is received, and the DNS query packet of the local network domain name in the S1-U uplink packet is identified and intercepted.
- a DNS response packet carrying the local network IP address is constructed according to the DNS query packet for the local network domain name, the DNS response packet is returned to the terminal, and the local network IP address is then carried as the destination address in the local network access packet.
- the user type of the user terminal corresponding to the local network access packet is determined by the processor, and the local network access right of the user terminal is verified according to the user type and the destination address in the local network access packet; the operations include:
- if the subnet where the destination address is located is a subnet that is allowed to be accessed, the local network access right passes verification, otherwise the local network access right fails verification.
- the local network is divided into a DMZ zone and an intranet.
- the subnet type of the destination address is divided into a DMZ subnet and an intranet subnet.
- the user types include a DMZ authorized guest user, a controlled authorized user, and an authorized intranet user.
- if the subnet type of the destination address is the DMZ subnet and the user type is DMZ authorized guest user, the user access right corresponding to the user type matches the access right corresponding to the subnet type of the destination address.
- if the subnet type of the destination address is the intranet subnet and the user type is controlled authorized user, the user access right corresponding to the user type does not match the access right corresponding to the subnet type of the destination address, and the S1-U uplink packet is disassembled, the source IP address and source port number in the user IP packet are converted into the device IP address and a mapped port number, and the packet is re-encapsulated into a local network packet and forwarded to the VPN gateway.
- if the subnet type of the destination address is the intranet subnet and the user type is authorized intranet user, the user access right corresponding to the user type matches the access right corresponding to the subnet type of the destination address.
- a mobile network base station comprising the apparatus for a user terminal to access a local network according to any of the above embodiments.
- the apparatus for a user terminal to access a local network is deployed on the mobile network base station; no new equipment is needed, and only a software upgrade of the mobile network base station eNB is required.
- FIG. 25 is a schematic diagram of the internal structure of a mobile network base station after the apparatus for a user terminal to access a local network has been deployed in it, in a specific embodiment.
- a system for a user terminal to access a local network includes a base station eNB 610 and a server 620, and the server includes the apparatus 621 for a user terminal to access a local network according to any one of the foregoing embodiments.
- the apparatus for a user terminal to access a local network is deployed on the server, so no modification of the existing base station is needed and transparent deployment is achieved.
- FIG. 27 shows the internal structure of a system in which a user terminal accesses a local network in this embodiment.
- a system for a user terminal to access a local network includes a base station eNB and a server.
- the base station eNB is configured to receive the S1-U uplink packet, identify and intercept the local network access packet in the S1-U uplink packet, and send the local network access packet to the server; the server is configured to determine the user type of the user terminal corresponding to the local network access packet and determine the local network access right of the user terminal according to the user type, and, if the local network access right allows access to the subnet where the destination address of the local network access packet is located, disassemble the S1-U uplink packet, convert the source IP address and source port number in the user IP packet into the device IP address and a mapped port number, re-encapsulate the packet into a local network packet, and forward the local network packet to the next hop address of the subnet where the destination address is located.
- the local network packet identification module is deployed on the mobile network base station and the other modules on a server; only packets matching the local network packet features and the local network domain name features are forwarded to the server for processing, which reduces the processing overhead of the new device.
- FIG. 28 shows the internal structure of a system in which a user terminal accesses a local network in this embodiment.
- the storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM), or a random access memory (RAM).
- by receiving the S1-U uplink packet and identifying and intercepting the local network access packet in it, the intercepted local network access packet is not sent to the core network, which reduces the number of access path nodes; the user type of the user terminal corresponding to the local network access packet is determined, and the local network access right of the user terminal is verified according to the user type and the destination address in the local network access packet; if the verification passes, the S1-U uplink packet is disassembled, the source IP address and source port number in the user IP packet are converted into the device IP address and a mapped port number, and the packet is re-encapsulated into a local network packet and forwarded to the next hop address of the subnet where the destination address is located. Only local network access packets that pass verification are forwarded, which guarantees the security of the local network information and lets the user terminal access the local network quickly and securely.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The disclosure relates to a method and an apparatus for accessing a local network by a user terminal and a computer storage medium, comprising: receiving a user plane S1-U uplink packet, and identifying and intercepting a local network access packet in the S1-U uplink packet; determining a user type of a user terminal corresponding to the local network access packet, and verifying a local network access permission of the user terminal according to the user type and a destination address in the local network access packet; and if the verification succeeds, disassembling the S1-U uplink packet, converting a source IP address and a source port number in a user IP packet to a device IP address and a mapped port number, re-encapsulating the packet into a local network packet, and forwarding the local network packet to a next hop address of a subnet to which the destination address belongs. In this way, a local network can be securely accessed directly from a base station side of a mobile network, so that nodes on an access path are greatly reduced, network latency is decreased, and transmission rate is increased.
Description
The present disclosure relates to the field of communications technologies, and in particular to a method and apparatus for a user terminal to access a local network, and a computer storage medium.
With the development of mobile communication technology, using mobile network terminals to access enterprise networks has become common, for example using a smartphone for mobile office work anytime and anywhere. Mobile network base stations are also being deployed ever closer to enterprise networks, especially in indoor deployment scenarios. In large enterprises, commercial premises and central business districts (CBD), operators deploy indoor base stations such as indoor distribution systems to meet indoor high-capacity requirements, and these indoor mobile network base stations and the enterprise network are deployed in the same building. A private network (not the Internet) deployed close to an operator's mobile network base station is collectively referred to as a local network.
When a user terminal accesses a local network in the traditional way, the uplink packets sent by the user equipment (UE) to the mobile network pass through the LTE (Long Term Evolution) mobile network base station eNB, the backhaul network (Backhaul) and the core network EPC, then enter the Internet (for example the backbone network and the metropolitan area network), then enter the enterprise firewall from the Internet, and after authentication by the VPN gateway reach the servers on the enterprise intranet; the downlink packets sent by the mobile network to the user terminal take the reverse path. In this way of accessing a local network, the enterprise network is entered from the public network, that is, the Internet, so the access path has many nodes and the network delay is large.
Summary of the invention
On this basis, it is necessary to address the above technical problem by providing a method and apparatus for a user terminal to access a local network that can access the local network directly and securely from the mobile network base station side, so that the number of access path nodes is greatly reduced, network delay is lowered and the transmission rate is raised.
A method for a user terminal to access a local network, the method comprising:
receiving a user plane S1-U uplink packet, and identifying and intercepting the local network access packet in the S1-U uplink packet;
determining the user type of the user terminal corresponding to the local network access packet, and verifying the local network access right of the user terminal according to the user type and the destination address in the local network access packet;
if the verification passes, disassembling the S1-U uplink packet, converting the source IP address and source port number in the user IP packet into the device IP address and a mapped port number, re-encapsulating the packet into a local network packet, and forwarding the local network packet to the next hop address of the subnet where the destination address is located.
An apparatus for a user terminal to access a local network, the apparatus comprising:
a local network packet identification module, configured to receive a user plane S1-U uplink packet, and identify and intercept the local network access packet in the S1-U uplink packet;
a local network access processing module, configured to determine the user type of the user terminal corresponding to the local network access packet, verify the local network access right of the user terminal according to the user type and the destination address in the local network access packet, and, if the verification passes, disassemble the S1-U uplink packet, convert the source IP address and source port number in the user IP packet into the device IP address and a mapped port number, re-encapsulate the packet into a local network packet, and forward the local network packet to the next hop address of the subnet where the destination address is located.
An apparatus for a user terminal to access a local network, comprising a processor and a memory storing instructions executable by the processor, the instructions, when executed by the processor, performing the following operations:
receiving a user plane S1-U uplink packet, and identifying and intercepting the local network access packet in the S1-U uplink packet;
determining the user type of the user terminal corresponding to the local network access packet, and verifying the local network access right of the user terminal according to the user type and the destination address in the local network access packet;
if the verification passes, disassembling the S1-U uplink packet, converting the source IP address and source port number in the user IP packet into the device IP address and a mapped port number, re-encapsulating the packet into a local network packet, and forwarding the local network packet to the next hop address of the subnet where the destination address is located.
A computer storage medium storing one or more computer-executable programs which, when executed by the computer, cause the computer to perform the above method.
In the above method and apparatus for a user terminal to access a local network, by receiving the S1-U uplink packet and identifying and intercepting the local network access packet in it, the intercepted local network access packet is not sent to the core network, which reduces the number of access path nodes; the user type of the user terminal corresponding to the local network access packet is determined, and the local network access right of the user terminal is verified according to the user type and the destination address in the local network access packet; if the verification passes, the S1-U uplink packet is disassembled, the source IP address and source port number in the user IP packet are converted into the device IP address and a mapped port number, the packet is re-encapsulated into a local network packet, and the local network packet is forwarded to the next hop address of the subnet where the destination address is located. Only local network access packets that pass verification are forwarded, which guarantees the security of the local network information and lets the user terminal access the local network quickly and securely.
FIG. 1 is an application environment diagram of the method for a user terminal to access a local network in an embodiment;
FIG. 2 is an internal structure diagram of the server in FIG. 1 in an embodiment;
FIG. 3 is a flowchart of a method for a user terminal to access a local network in an embodiment;
FIG. 4 is a flowchart of a DNS query response in an embodiment;
FIG. 5 is a flowchart of local network access right verification in an embodiment;
FIG. 6 is a flowchart of determining whether a user access right matches the access right corresponding to the destination subnet type in an embodiment;
FIG. 7 is a flowchart of initiating a user type modification application in an embodiment;
FIG. 8 is a flowchart of modifying a user type according to a decision algorithm in an embodiment;
FIG. 9 is a sequence diagram of a user terminal querying a local network domain name in a specific embodiment;
FIG. 10 is a sequence diagram of uplink packets of a user terminal accessing the local network DMZ subnet in a specific embodiment;
FIG. 11 is a sequence diagram of downlink packets of a user terminal accessing the local network DMZ in a specific embodiment;
FIG. 12 is a sequence diagram of local network DMZ guest authorization in a specific embodiment;
FIG. 13 is a sequence diagram of uplink packets of a user terminal accessing the local network intranet in a specific embodiment;
FIG. 14 is a sequence diagram of downlink packets of a user terminal accessing the local network intranet in a specific embodiment;
FIG. 15 is a sequence diagram of local network intranet authorization in a specific embodiment;
FIG. 16 is a structural block diagram of an apparatus for a user terminal to access a local network in an embodiment;
FIG. 17 is a structural block diagram of an apparatus for a user terminal to access a local network in another embodiment;
FIG. 18 is a structural block diagram of the local network access processing module in an embodiment;
FIG. 19 is a structural block diagram of an apparatus for a user terminal to access a local network in still another embodiment;
FIG. 20 is a structural block diagram of an apparatus for a user terminal to access a local network in yet another embodiment;
FIG. 21 is a structural block diagram of the first verification unit in an embodiment;
FIG. 22 is a structural block diagram of the local network access processing module in an embodiment;
FIG. 23 is a structural block diagram of the local network access authorization module in an embodiment;
FIG. 24 is a structural block diagram of an apparatus for a user terminal to access a local network in yet another embodiment;
FIG. 25 is a schematic diagram of the internal structure of a mobile network base station in which the apparatus for a user terminal to access a local network has been deployed, in an embodiment;
FIG. 26 is a structural block diagram of a system for a user terminal to access a local network in an embodiment;
FIG. 27 is a schematic diagram of the internal structure of a system for a user terminal to access a local network in an embodiment;
FIG. 28 is a schematic diagram of the internal structure of a system for a user terminal to access a local network in another embodiment.
FIG. 1 is an application environment diagram in which the method for a user terminal to access a local network runs in an embodiment. As shown in FIG. 1, the application environment includes a terminal 110, a base station eNB (evolved Node B) 120, a server 130, an enterprise DMZ zone 140 and an enterprise intranet 150. The enterprise DMZ zone 140 includes a VPN gateway 141, a reverse proxy server 142 and a firewall 143; the enterprise intranet 150 includes a choke router 151, a public server 152 and an APP application server 153. The devices in this application environment may be added or removed according to the actual deployment. The terminal 110 is a device that can communicate over a mobile communication network, including but not limited to smart terminals, mobile communication industrial equipment and Internet of Things (IoT) devices. When the user terminal accesses the local network, it accesses the enterprise network directly from the mobile network base station side after the user terminal's rights have been verified; neither the uplink nor the downlink packets need to pass through the backhaul network, the core network EPC or the Internet, so the local network can be accessed quickly and securely.
This application environment applies to many scenarios: intranet access for mobile office work on a phone; wireless interconnection between industrial devices, where the industrial device data is enterprise-private, large in volume and subject to strict real-time requirements, and is transmitted wirelessly to the enterprise network; wireless transmission in commercial premises to a mall's network servers, for example VR (virtual reality) and AR (augmented reality) promotions launched by merchants in a large shopping mall, which transmit large amounts of data with strict real-time requirements; and large events or exhibitions, where large amounts of video are transmitted wirelessly to servers inside the venue.
In an embodiment, the internal structure of the server 130 in FIG. 1 is as shown in FIG. 2. The server 130 includes a processor, a storage medium, a memory and a network interface connected through a system bus. The storage medium of the server 130 stores an operating system, a database and an apparatus for a user terminal to access a local network; the database stores data such as user record tables, and the apparatus implements a method for a user terminal to access a local network that is suitable for the server 130. The processor of the server 130 provides computing and control capability and supports the operation of the whole server 130. The memory of the server 130 provides the running environment for the apparatus stored in the storage medium. The network interface of the server 130 communicates over network connections with the base station eNB 120, the enterprise network and the operator backhaul, for example receiving uplink packets sent by the base station eNB 120. The server 130 is generally a high-performance network server.
As shown in FIG. 3, in an embodiment a method for a user terminal to access a local network is provided, applied in the above application environment, and comprising the following steps:
Step S110: receive a user plane S1-U uplink packet, and identify and intercept the local network access packet in the S1-U uplink packet.
Specifically, when the terminal needs to access the local network, it sends to the base station an air interface packet that encapsulates the user packet. The source IP address of the user packet, that is, of the IP packet, is the UE PDN IP: the IP address assigned by the mobile network to the user terminal UE after it completes registration with the mobile network. After receiving the air interface packet, the base station extracts the user packet from it and packs it into an S1-U tunnel packet for transmission. This scheme needs the source IP address as the user identifier, and distinguishes different user terminals by source IP address. User packets are transmitted between the mobile network base station and the core network in a tunnel; the mobile network base station and the core network each assign every user terminal a unique S1-U tunnel endpoint identifier TEID (Tunnel Endpoint Identifier). The tunnel identifier assigned by the base station is called the mobile network base station tunnel identifier, and the one assigned by the core network may be called the core network tunnel identifier. A downlink packet sent to the mobile network base station must be packed into an S1-U (S1 User Plane) user plane packet carrying the mobile network base station TEID; on receipt, the mobile network base station distinguishes users by the base station tunnel identifier TEID, packs the packet into an air interface packet and sends it to the corresponding user terminal. Likewise, an uplink packet sent by the mobile network base station eNB to the core network must be packed into an S1-U packet carrying the core network tunnel identifier; the core network distinguishes users by the core network tunnel identifier and, after processing, sends the packet to the Internet. The local network access packet in the user plane S1-U uplink packet can be identified and intercepted by a local network packet identification module deployed in the base station or in the server. If the local network packet identification module is deployed in the base station, the local network access packet can be identified and intercepted before the base station sends the S1-U uplink packet, so only the identified local network access packets are passed to the subsequent processing modules, reducing their load. If the local network packet identification module is deployed in the server, the server identifies and intercepts the local network access packet while the base station is sending the S1-U uplink packet towards the core network, so the local network access packet is not sent to the core network.
A local network access packet is a packet that matches a local network access packet feature rule. Using the configured local network access packet feature list, the user packets in S1-U uplink packets are compared and analyzed one by one to identify local network access packets. In the configured feature list, each record contains a subnet segment, a protocol number, a port number and similar information; the protocol number and port number fields are optional. For example, a feature list record could be: "address: 10.1.0.0, subnet mask: 255.255.0.0, protocol number: 6, port number: 443". The pair "address: 10.1.0.0, subnet mask: 255.255.0.0" is usually written as the subnet 10.1.0.0/16 in descriptions. The destination address, protocol number and destination port number are extracted from the user packet in the S1-U uplink packet and compared with the feature list; only a packet whose features match is a local network access packet. For example, for an https packet from a user accessing hr.ttt.com.cn (IP address 10.1.2.1), the destination address 10.1.2.1 matches the 10.1.0.0/16 subnet, and https corresponds to protocol number 6 and port number 443, so the packet matches the above feature record. Intercepted local network access packets are not sent to the core network; only packets that are not local network access packets are sent to the core network.
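The feature-list matching just described, as an added example that is not part of the patent: it parses records in the quoted form (protocol number and port number optional), compares the destination address, protocol number and destination port of each user packet against the list, and splits a batch of uplink packets into intercepted and core-network-bound packets. The second record and all sample packets are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class FeatureRecord:
    """One record of the local network access packet feature list.
    Protocol number and port number are optional, as in the text."""
    subnet: ipaddress.IPv4Network
    protocol: Optional[int] = None
    port: Optional[int] = None

    @classmethod
    def parse(cls, text: str) -> "FeatureRecord":
        # Parses the record form quoted in the text, e.g.
        # "address: 10.1.0.0, subnet mask: 255.255.0.0, protocol number: 6, port number: 443"
        fields = {}
        for item in text.split(","):
            key, _, value = item.partition(":")
            fields[key.strip().lower()] = value.strip()
        subnet = ipaddress.IPv4Network((fields["address"], fields["subnet mask"]))
        proto = int(fields["protocol number"]) if "protocol number" in fields else None
        port = int(fields["port number"]) if "port number" in fields else None
        return cls(subnet, proto, port)

    def matches(self, dst: str, protocol: int, dst_port: int) -> bool:
        if ipaddress.IPv4Address(dst) not in self.subnet:
            return False
        if self.protocol is not None and self.protocol != protocol:
            return False
        if self.port is not None and self.port != dst_port:
            return False
        return True


@dataclass(frozen=True)
class UserPacket:
    """User (IP) packet extracted from an S1-U uplink packet, transport header already parsed."""
    src: str
    src_port: int
    dst: str
    dst_port: int
    protocol: int


def match_feature_list(pkt: UserPacket, feature_list: List[FeatureRecord]) -> Optional[FeatureRecord]:
    """Return the first matching record, or None if the packet is not a local network access packet."""
    for rec in feature_list:
        if rec.matches(pkt.dst, pkt.protocol, pkt.dst_port):
            return rec
    return None


def split_uplink(packets: List[UserPacket],
                 feature_list: List[FeatureRecord]) -> Tuple[List[UserPacket], List[UserPacket]]:
    """Intercept local network access packets; everything else continues to the core network."""
    intercepted, to_core = [], []
    for pkt in packets:
        (intercepted if match_feature_list(pkt, feature_list) else to_core).append(pkt)
    return intercepted, to_core


# First record is the one quoted in the text; the second (constructed) omits the optional fields.
FEATURE_LIST = [
    FeatureRecord.parse("address: 10.1.0.0, subnet mask: 255.255.0.0, protocol number: 6, port number: 443"),
    FeatureRecord.parse("address: 10.1.3.0, subnet mask: 255.255.255.0"),
]

# Constructed sample uplink packets (UE PDN IPs and the public address are made up).
SAMPLE_PACKETS = [
    UserPacket("10.45.0.5", 51000, "10.1.2.1", 443, 6),      # https to hr.ttt.com.cn: intercepted
    UserPacket("10.45.0.5", 51001, "10.1.2.1", 80, 6),       # port 80 does not match: core network
    UserPacket("10.45.0.6", 40000, "10.1.3.2", 5060, 17),    # any proto/port in 10.1.3.0/24: intercepted
    UserPacket("10.45.0.6", 40001, "203.0.113.10", 443, 6),  # public address: core network
]

if __name__ == "__main__":
    intercepted, to_core = split_uplink(SAMPLE_PACKETS, FEATURE_LIST)
    print("intercepted:", [(p.dst, p.dst_port) for p in intercepted])
    print("to core network:", [(p.dst, p.dst_port) for p in to_core])
```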
Step S120: Determine the user type of the user terminal corresponding to the local network access packet, and verify the user terminal's local network access permission according to the user type and the destination address in the local network access packet.
Specifically, different user types have different access permissions. The kinds of user types and their corresponding permissions can be customized as needed; when defining them, different kinds of user types can be set for different regions according to the division of the local network into regions. The user type of a user terminal can be determined from the network segment in which the user terminal is located; for example, high-privilege users with fixed IP addresses can be configured, assigning different fixed permissions to different user terminals. Alternatively, the default user type can be set to unprivileged user, so that a privileged user type must be requested from the local network access authorization module in real time. On a user type request, the local network access authorization module applies an authorization decision algorithm in real time; the algorithm may rely on reference factors such as the current network communication status parameters and the region of the local network being accessed to grant the user terminal a dynamic user type with the corresponding permissions. Updating the user type in real time according to the current network communication status makes it possible to control in real time how many user terminals access the local network. The user type of the user terminal may also first be looked up in the user record table; only when the user record table contains no user record for the user terminal does a privileged user type need to be requested from the local network access authorization module.
Verification passes only if the user terminal's local network access permission matches the permission required by the destination address in the local network access packet it sends. The local network can be divided into different regions, such as a DMZ (Demilitarized Zone, also called the isolation zone) and the internal network; accessing different regions requires different access permissions. When the destination addresses accessed by user terminals fall in different regions, the local network access authorization module can apply different authorization decision algorithms to the user type request, so that access to different regions is governed by different access rules according to the sensitivity of their content, which is flexible and convenient. During the authorization decision, a VPN gateway can assist in authenticating the user's identity; only a user confirmed by authentication as an internal user is entitled to request a specific user type, which further secures user type authorization.
Step S130: If the verification passes, disassemble the S1-U uplink packet, translate the source IP address and source port number in the user IP packet into a device IP address and a mapped port number, re-encapsulate the result as a local network packet, and forward the local network packet to the next-hop address of the subnet in which the destination address is located.
Specifically, only local network access packets that pass verification are forwarded; if verification fails, the packet is discarded, which protects the information in the local network. Before forwarding to the local network, the S1-U packet is first disassembled to extract the user packet, and the source IP address and source port number carried by the user packet are obtained and translated into a device IP address and a mapped port number. The device IP address is the IP address, in the local network, of the device implementing the method; the number of device IP addresses can be set according to the number of network interface cards of the device, and each card may also be given several device IP addresses. Uniformly translating the source IP address assigned to the user terminal by the mobile network into a device IP address guarantees a valid IP address for transmission in the local network. At the same time, the source port number carried by the user packet must also be translated into a mapped port number: because different user terminals may carry the same source port number, ports must be reassigned under a single local network address so that each combination of device IP address and mapped port number is unique during transmission, which guarantees correct data transmission.
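The source address and port translation of step S130, as an added example rather than the patent's own code: a mapping table that turns (UE PDN IP, source port) into a unique (device IP, mapped port), spreads allocations over several device IP addresses, and keeps the reverse table needed to return downlink replies to the right UE. The device address and port range are assumptions.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple

Endpoint = Tuple[str, int]  # (IP address, port number)


@dataclass(frozen=True)
class UserPacket:
    src: str
    src_port: int
    dst: str
    dst_port: int
    protocol: int


class PortMapper:
    """Translates (UE PDN IP, source port) into a unique (device IP, mapped port) and keeps
    the reverse table used for downlink packets. Uniqueness is enforced through the reverse
    table, so two UEs that use the same source port never share a mapped endpoint."""

    def __init__(self, device_ips: List[str], port_range: Tuple[int, int] = (10000, 60000)):
        if not device_ips:
            raise ValueError("at least one device IP address is required")
        self.device_ips = list(device_ips)
        self.lo, self.hi = port_range
        self.forward: Dict[Endpoint, Endpoint] = {}
        self.reverse: Dict[Endpoint, Endpoint] = {}
        self._cursor = 0  # position in the (device IP x port) allocation space

    def map_source(self, ue_ip: str, src_port: int) -> Endpoint:
        key = (ue_ip, src_port)
        if key in self.forward:  # existing flow keeps its mapping
            return self.forward[key]
        span = len(self.device_ips) * (self.hi - self.lo)
        for _ in range(span):
            ip = self.device_ips[self._cursor % len(self.device_ips)]
            port = self.lo + self._cursor // len(self.device_ips)
            self._cursor = (self._cursor + 1) % span
            cand = (ip, port)
            if cand not in self.reverse:
                self.forward[key] = cand
                self.reverse[cand] = key
                return cand
        raise RuntimeError("no free device IP / mapped port combination")

    def unmap(self, device_ip: str, mapped_port: int) -> Endpoint:
        """Downlink direction: recover the UE endpoint from the mapped endpoint."""
        return self.reverse[(device_ip, mapped_port)]


def translate_uplink(pkt: UserPacket, mapper: PortMapper) -> UserPacket:
    """Rewrite the user packet's source to the device IP and mapped port before local forwarding."""
    ip, port = mapper.map_source(pkt.src, pkt.src_port)
    return replace(pkt, src=ip, src_port=port)


def translate_downlink(pkt: UserPacket, mapper: PortMapper) -> UserPacket:
    """Rewrite a local network reply's destination back to the UE PDN IP and original port."""
    ue_ip, ue_port = mapper.unmap(pkt.dst, pkt.dst_port)
    return replace(pkt, dst=ue_ip, dst_port=ue_port)


if __name__ == "__main__":
    mapper = PortMapper(["192.168.50.10"])  # constructed device IP address
    a = translate_uplink(UserPacket("10.45.0.5", 51000, "10.1.2.1", 443, 6), mapper)
    b = translate_uplink(UserPacket("10.45.0.6", 51000, "10.1.2.1", 443, 6), mapper)
    print(a, b, sep="\n")  # same original source port, distinct mapped endpoints
```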
For instance, in one specific embodiment, the access path of the user terminal 110 to the APP application server 153 is shown as route 160 in FIG. 1: it passes through the access path nodes base station eNB 120, server 130, VPN gateway 141, firewall 143 and choke router 151 before reaching the APP application server 153, without passing through the backhaul network, the core network EPC or the Internet. This greatly reduces the number of access path nodes, lowering network latency and raising the transmission rate.
In this embodiment, S1-U uplink packets are received and the local network access packets among them are identified and intercepted; the intercepted local network access packets are not sent to the core network, which reduces the number of access path nodes. The user type of the user terminal corresponding to the local network access packet is determined, and the user terminal's local network access permission is verified according to the user type and the destination address in the local network access packet. If the verification passes, the S1-U uplink packet is disassembled, the source IP address and source port number in the user IP packet are translated into a device IP address and a mapped port number, the result is re-encapsulated as a local network packet, and the local network packet is forwarded to the next-hop address of the subnet in which the destination address is located. Only local network access packets that pass verification are forwarded, which protects the information in the local network and lets the user terminal access the local network quickly and securely.
In one embodiment, as shown in FIG. 4, the method further includes, before step S110:
Step S210: Receive S1-U uplink packets, and identify and intercept domain name system (DNS) query packets for local network domain names within the S1-U uplink packets.
Specifically, when the terminal needs to access a local network service, it must first obtain the local network IP address corresponding to the local network server's domain name (for example hr.ttt.com.cn). If the IP address of the local network server to be accessed has already been obtained in advance, for example because a fixed local network is accessed frequently and its local network IP address has been pre-stored, the network access packet can carry the pre-stored local network IP address directly. In general, however, the IP address corresponding to a domain name has to be obtained through a DNS query packet. The local network packet identification module deployed at the base station or the server can identify and intercept DNS query packets for local network domain names within the S1-U uplink packets.
The local network domain name query packet is a standard DNS query packet sent by the user terminal to a public network DNS server. Before it reaches the public network DNS server, the local network packet identification module analyzes the domain name in the DNS query packet and matches it against each domain name record in the configured local network domain name list to check whether there is a match; if so, a local network domain name query packet has been identified. Each record in the configured local network domain name list follows the FQDN (Fully Qualified Domain Name) rule. For example, if ttt.com.cn is a record in the local network domain name list, then a DNS query packet whose domain name is hr.ttt.com.cn or ims.ttt.com.cn counts as a successful match.
Step S220: Construct, from the DNS query packet for the local network domain name, a DNS response packet carrying the local network IP address, and return the DNS response packet to the terminal; the local network IP address is then carried as the destination address in local network access packets.
Specifically, the local network IP address corresponding to the domain name may be obtained from the local network domain name configuration information and used to construct the DNS query response message, or the query may be forwarded to an external dedicated local network domain name DNS server to obtain the local network IP address and complete construction of the DNS query response message. The local network domain name configuration information records the local network IP address corresponding to each local network domain name, for example hr.ttt.com.cn corresponds to the address 10.1.2.1 and ims.ttt.com.cn corresponds to the address 10.1.3.2. In addition, the time to live (TTL) of the domain name record must be configured; once the TTL expires, the domain name record becomes invalid and must be obtained again. The DNS response packet, which carries the local network domain name and the corresponding local network IP address, is returned to the terminal, and the terminal subsequently uses this local network IP address as the destination address when sending local network access packets for that local network domain name.
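Steps S210 and S220 together, as an added example that is not the patent's code: the FQDN-style match of a queried name against the local domain list (a match only on a label boundary, so a lookalike such as evilttt.com.cn does not match ttt.com.cn), and the construction of a standard DNS A response from the configured domain-to-address map with a TTL. The domain list and the two addresses follow the text; the TTL value and the minimal DNS wire-format helpers are assumptions, and the text's alternative of forwarding to a dedicated local DNS server is not shown.

```python
import socket
import struct
from typing import Dict, List, Optional, Tuple

# Configuration following the examples in the text; the TTL is an assumed value.
LOCAL_DOMAIN_LIST: List[str] = ["ttt.com.cn"]
LOCAL_DOMAIN_CONFIG: Dict[str, str] = {"hr.ttt.com.cn": "10.1.2.1", "ims.ttt.com.cn": "10.1.3.2"}
LOCAL_DNS_TTL = 300  # seconds, assumed

QTYPE_A = 1
QCLASS_IN = 1


def is_local_domain(qname: str, domain_list: List[str] = LOCAL_DOMAIN_LIST) -> bool:
    """FQDN match: the queried name equals a record or lies under it on a label boundary."""
    name = qname.rstrip(".").lower()
    for rec in domain_list:
        rec = rec.rstrip(".").lower()
        if name == rec or name.endswith("." + rec):
            return True
    return False


def encode_name(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def _read_name(data: bytes, pos: int) -> Tuple[str, int]:
    labels = []
    while True:
        ln = data[pos]
        pos += 1
        if ln == 0:
            break
        if ln & 0xC0:
            raise ValueError("compressed name not expected in the question section")
        labels.append(data[pos:pos + ln].decode("ascii"))
        pos += ln
    return ".".join(labels), pos


def _parse_header_and_question(data: bytes) -> Tuple[int, int, str, int, int, int]:
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, pos = _read_name(data, 12)
    qtype, qclass = struct.unpack("!HH", data[pos:pos + 4])
    return txid, flags, qname, qtype, qclass, pos + 4


def build_query(qname: str, txid: int) -> bytes:
    """Standard recursive A query, as the UE sends it towards the public DNS server (sample input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def build_response(query: bytes, ip: str, ttl: int) -> bytes:
    """Answer the query with one A record carrying the local network address and the configured TTL."""
    txid, _flags, _qname, _qtype, _qclass, qend = _parse_header_and_question(query)
    header = struct.pack("!HHHHHH", txid, 0x8580, 1, 1, 0, 0)  # QR, AA, RD, RA set; RCODE 0
    question = query[12:qend]
    # Name pointer 0xC00C refers back to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4) + socket.inet_aton(ip)
    return header + question + answer


def intercept_dns(query: bytes, domain_list: List[str] = LOCAL_DOMAIN_LIST,
                  config: Dict[str, str] = LOCAL_DOMAIN_CONFIG, ttl: int = LOCAL_DNS_TTL) -> Optional[bytes]:
    """Return a constructed response for a local-domain A query; None means the packet
    is not intercepted and continues towards the core network."""
    _txid, flags, qname, qtype, qclass, _ = _parse_header_and_question(query)
    if flags & 0x8000 or qtype != QTYPE_A or qclass != QCLASS_IN:
        return None
    if not is_local_domain(qname, domain_list):
        return None
    ip = config.get(qname.lower())
    if ip is None:
        return None  # the text's alternative (a dedicated local DNS server) is not implemented here
    return build_response(query, ip, ttl)


def parse_a_answer(resp: bytes) -> Tuple[int, str, str, int]:
    """Decode (transaction id, name, address, TTL) from a single-answer A response."""
    txid, flags, qname, _qt, _qc, pos = _parse_header_and_question(resp)
    if not flags & 0x8000:
        raise ValueError("not a response")
    rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", resp[pos + 2:pos + 12])
    if rtype != QTYPE_A or rdlen != 4:
        raise ValueError("unexpected answer record")
    return txid, qname, socket.inet_ntoa(resp[pos + 12:pos + 16]), ttl
```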
In one embodiment, as shown in FIG. 5, step S120 includes:
Step S121: Extract the user identifier carried in the local network access packet, determine the user type corresponding to the user identifier, and determine the subnet in which the destination address is located and the subnet type.
Specifically, the user identifier is the source IP address, and the corresponding user type can be obtained from the correspondence between source IP addresses and user types. This correspondence can be stored in advance as a table, as text or in a similar form, so that the corresponding user type is obtained by a table lookup or a string lookup. The corresponding subnet is determined from the IP address segment in which the destination address is located, and different subnets correspond to their respective subnet types. Subnet types can be divided according to the information security importance of the local network, for example into DMZ subnets and intranet subnets, where intranet subnets require higher access permissions. Different subnet types have corresponding user types with access permission, and the correspondence between subnet types and the user types permitted to access them can be customized. Assigning different permitted user types to different subnet types makes access control more flexible.
Step S122: Determine whether the user access permission corresponding to the user type meets the access permission corresponding to the subnet type of the destination address; if so, proceed to step S123.
Specifically, the next step is entered only if the user access permission corresponding to the user type meets the access permission corresponding to the subnet type of the destination address; otherwise the local network access packet is discarded.
Step S123: Determine whether the subnet in which the destination address is located is a subnet that the user is allowed to access; if so, the local network access permission passes verification, otherwise it fails verification.
Specifically, once the user type meets the user access permission, it is further determined whether the subnet in which the destination address is located is a subnet that the user is allowed to access. Different subnet lists can be assigned in advance to different types of users, and a table lookup then determines whether the subnet of the destination address in the local network access packet is an allowed subnet; if so, the local network access permission passes verification, otherwise it fails verification.
In this embodiment, the dual verification of visitor permission and subnet permission controls the access permissions of different user types flexibly and conveniently, securing access to the local network.
In one embodiment, the method further includes: if the user access permission corresponding to the user type does not meet the access permission corresponding to the subnet type of the destination address, updating the user type of the user terminal according to the authorization decision algorithm.
Specifically, if the user access permission corresponding to the user type does not meet the access permission corresponding to the subnet type of the destination address, a user type change can be requested from the local network access authorization module. On receiving the user type change request, the local network access authorization module can update the user type of the user terminal according to the request and the authorization decision algorithm. When sending a user type change request, different requests can be generated according to the subnet type of the destination address and the current user type. Different user type change requests can correspond to different authorization decision algorithms, and the algorithm can be customized as needed: for example, whether to grant the requested user type may be decided from the configured number of authorized users and the current number of online users for each subnet type, together with the total traffic threshold and the current online traffic. In this embodiment, if the user access permission corresponding to the user type does not meet the access permission corresponding to the subnet type of the destination address, a user type with the appropriate permission can be requested, achieving dynamic permission changes.
The authorization decision algorithm can also change the type of a user who currently meets the access permission corresponding to the subnet type of the destination address to unprivileged user, giving flexible control over access permissions.
In one embodiment, before the step of disassembling the S1-U uplink packet in step S130, the method further includes: determining, according to the current access status, whether to grant forwarding permission to the local network access packet; if the local network access packet obtains forwarding permission, proceeding to the step of disassembling the S1-U uplink packet, and if it does not obtain forwarding permission, discarding the local network access packet.
Specifically, the current access status includes information such as the user's uplink and downlink access rate limits, access duration and total access traffic, and it determines whether forwarding permission is granted to the local network access packet. A packet can be forwarded only after forwarding permission is obtained, and different subnet types can have different forwarding permission grant policies. Forwarding permission gives further, flexible control over local network access traffic, access duration and so on. For a DMZ authorized guest user accessing a DMZ subnet, guest forwarding permission is provided to the local network access processing module according to the guest user's uplink and downlink access rate limits, access duration and total access traffic. For an authorized intranet user accessing an internal network subnet, authorized forwarding permission is provided to the local network access processing module according to the user's uplink and downlink access rate limits. For a controlled authorized user accessing the local network VPN gateway, controlled forwarding permission is provided to the local network access processing module according to the controlled authorized user's uplink and downlink access rate limits, access duration and total access traffic.
In one embodiment, the step in S120 of determining the user type of the user terminal corresponding to the local network access packet includes: querying the user record table by the user identifier of the user terminal carried in the local network access packet; if the user identifier is in the user record table, the user type recorded there is obtained, and if it is not, the user type is unprivileged user.
Specifically, different kinds of user record tables can be generated for different user types and distinguished by a record table identifier. If a user type is updated, the user record table is updated accordingly. Thus, if a privileged user type was obtained during the last access, the privileged user type record can be read directly from the user record table at the next access, without requesting the privileged user type again, so access permission is obtained quickly. In one embodiment, the validity time corresponding to a user record in the user record table is obtained, and if the user has not accessed the local network within the validity period, the user record is deleted. In one embodiment, if a user's access permission expires, a disablement period is set for that user; during the disablement period the user has no right to request a user type update, and becomes eligible to request one only after the disablement period has elapsed. In one embodiment, the local network is divided into a DMZ and an intranet, the subnet types are DMZ subnet and intranet subnet, and the user types include DMZ authorized guest user, controlled authorized user and authorized intranet user. As shown in FIG. 6, step S122 includes at least one of the following steps:
Step S122a: If the subnet type of the destination address is DMZ subnet and the user type is DMZ authorized guest user, determine that the user access permission corresponding to the user type meets the access permission corresponding to the subnet type of the destination address.
Specifically, the DMZ provides isolation between the external network and the internal network and is given a degree of protection by an external router and a firewall. Most devices deployed in the DMZ also need some ability to withstand attacks, and are also called bastion hosts. The internal network is protected by an internal router, which in FIG. 1 is the choke router, and a firewall. The internal network allows no direct external access; only some bastion hosts in the DMZ may access it, and external network users must first be authenticated by the VPN gateway. The VPN gateway can serve as a bastion host and is mostly deployed in the DMZ; a carrier's VPN gateway can also be leased, in which case the internal network is reached through a bastion host in the DMZ acting as a relay. A reverse proxy server can also be deployed among the DMZ servers; public-facing servers are mostly deployed in the internal network, and when a user accesses a public service the request goes through the DMZ reverse proxy server to the public-facing server in the internal network, giving that server better protection. A DMZ authorized guest user is a user with permission to access a DMZ subnet; if the subnet type of the destination address is DMZ subnet and the user type is DMZ authorized guest user, it is determined that the user access permission corresponding to the user type meets the access permission corresponding to the subnet type of the destination address.
Step S122b: If the subnet type of the destination address is intranet subnet and the user type is controlled authorized user, determine that the user access permission corresponding to the user type does not meet the access permission corresponding to the subnet type of the destination address; disassemble the S1-U uplink packet, translate the source IP address and source port number in the user IP packet into a device IP address and a mapped port number, re-encapsulate the result as a local network packet, and forward the local network packet to the VPN gateway.
Specifically, a controlled authorized user is a user with permission to access the local network's VPN gateway. If the user type is controlled authorized user, the user must request identity authentication from the VPN gateway before obtaining internal user identity: the S1-U uplink packet is disassembled, the source IP address and source port number in the user IP packet are translated into a device IP address and a mapped port number, the result is re-encapsulated as a local network packet, and the local network packet is forwarded to the VPN gateway.
Step S122c: If the subnet type of the destination address is intranet subnet and the user type is authorized intranet user, determine that the user access permission corresponding to the user type meets the access permission corresponding to the subnet type of the destination address.
Specifically, an authorized intranet user is a user with permission to access intranet subnets; only an internal user who has been authorized by the intranet authorization decision algorithm can access the local network's intranet subnets. This solution does not restrict the way in which users pass the local network's internal user authentication.
In this embodiment, the subnet types are divided into DMZ subnet and intranet subnet, the user types include DMZ authorized guest user, controlled authorized user and authorized intranet user, and whether the access permission corresponding to the subnet type of the destination address is met is determined specifically from the subnet type of the destination address and the user type, achieving flexible access control for each subnet.
In one embodiment, as shown in FIG. 7, the method further includes at least one of the following steps:
Step S310: If the subnet type of the destination address is DMZ subnet and the user type is not DMZ authorized guest user, initiate a DMZ authorized guest user request.
Step S320: If the subnet type of the destination address is intranet subnet and the user's identity has not yet been established as internal user, initiate a controlled authorized user request.
Specifically, the identity of a user who has not passed VPN authentication cannot be confirmed and the user's packets can only be sent to the VPN gateway for authentication, so only a controlled authorized user request can be initiated, not an authorized intranet user request.
Step S330: If the subnet type of the destination address is intranet subnet, the user's identity has been established as internal user and the user type is controlled authorized user, initiate an authorized intranet user request.
Specifically, an authorized intranet user request can be initiated only after the user's identity has been established as internal user.
In this embodiment, the user type request that is sent is controlled by the subnet type of the destination address, the current user type and the current user identity, so that user type requests are generated correctly and in layers.
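Steps S121 to S123, S122a to S122c and S310 to S330 combined into one decision function, as an added example and not the patent's own code: it classifies the destination subnet, applies the user type versus subnet type matrix, checks the per-user-type allowed subnet list, routes a controlled authorized user towards the VPN gateway, and names the user type request to raise. The subnet plan, the allowed-subnet lists and the choice to raise no new request for a controlled authorized user who has not yet authenticated (the packet simply goes to the VPN gateway) are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class SubnetType(Enum):
    DMZ = "DMZ subnet"
    INTRANET = "intranet subnet"


class UserType(Enum):
    UNPRIVILEGED = "unprivileged user"
    DMZ_GUEST = "DMZ authorized guest user"
    CONTROLLED = "controlled authorized user"
    INTRANET = "authorized intranet user"


class Action(Enum):
    FORWARD = "forward to next hop of the destination subnet"
    TO_VPN_GATEWAY = "forward to VPN gateway"
    DROP = "discard"


# Constructed subnet plan (assumption): 10.1.0.0/16 is the DMZ, 10.2.0.0/16 the intranet.
SUBNETS: List[Tuple[ipaddress.IPv4Network, SubnetType]] = [
    (ipaddress.IPv4Network("10.1.0.0/16"), SubnetType.DMZ),
    (ipaddress.IPv4Network("10.2.0.0/16"), SubnetType.INTRANET),
]

# S122a / S122c: (subnet type, user type) pairs whose permissions match.
PERMITTED = {
    (SubnetType.DMZ, UserType.DMZ_GUEST),
    (SubnetType.INTRANET, UserType.INTRANET),
}


@dataclass(frozen=True)
class Decision:
    action: Action
    request: Optional[str]  # user type request to raise (S310/S320/S330), if any
    reason: str


def classify_destination(dst: str) -> Optional[Tuple[ipaddress.IPv4Network, SubnetType]]:
    """S121: the subnet containing the destination address, and its type."""
    addr = ipaddress.IPv4Address(dst)
    for net, stype in SUBNETS:
        if addr in net:
            return net, stype
    return None


def request_for(user_type: UserType, stype: SubnetType, internal_identity: bool) -> Optional[str]:
    """S310 to S330: which user type request to raise when the current type is insufficient."""
    if stype is SubnetType.DMZ and user_type is not UserType.DMZ_GUEST:
        return UserType.DMZ_GUEST.value + " request"  # S310
    if stype is SubnetType.INTRANET and not internal_identity:
        # S320. A user who already is a controlled authorized user gets no new request here;
        # S122b sends that user to the VPN gateway for authentication (assumption).
        return None if user_type is UserType.CONTROLLED else UserType.CONTROLLED.value + " request"
    if stype is SubnetType.INTRANET and internal_identity and user_type is UserType.CONTROLLED:
        return UserType.INTRANET.value + " request"  # S330
    return None


def verify_access(user_type: UserType, dst: str,
                  allowed_subnets: Dict[UserType, List[ipaddress.IPv4Network]],
                  internal_identity: bool = False) -> Decision:
    """S122 + S123 for one local network access packet."""
    found = classify_destination(dst)
    if found is None:
        return Decision(Action.DROP, None, "destination is not in a configured local subnet")
    net, stype = found
    if (stype, user_type) in PERMITTED:
        # S123: the subnet must also be on the allowed list assigned to this user type.
        if net in allowed_subnets.get(user_type, []):
            return Decision(Action.FORWARD, None, "user type and subnet permission verified")
        return Decision(Action.DROP, None, "subnet not on the allowed list for this user type")
    request = request_for(user_type, stype, internal_identity)
    if stype is SubnetType.INTRANET and user_type is UserType.CONTROLLED:
        return Decision(Action.TO_VPN_GATEWAY, request, "S122b: identity authenticated by the VPN gateway")
    return Decision(Action.DROP, request, "user type does not meet the subnet type's permission")


# Constructed allowed-subnet lists (assumption).
ALLOWED = {
    UserType.DMZ_GUEST: [ipaddress.IPv4Network("10.1.0.0/16")],
    UserType.INTRANET: [ipaddress.IPv4Network("10.1.0.0/16"), ipaddress.IPv4Network("10.2.0.0/16")],
}

if __name__ == "__main__":
    for ut, dst, internal in [(UserType.DMZ_GUEST, "10.1.2.1", False), (UserType.UNPRIVILEGED, "10.2.0.9", False),
                              (UserType.CONTROLLED, "10.2.0.9", False), (UserType.CONTROLLED, "10.2.0.9", True)]:
        print(ut.value, dst, "->", verify_access(ut, dst, ALLOWED, internal))
```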
In one embodiment, as shown in FIG. 8, if the user access permission corresponding to the user type does not meet the access permission corresponding to the subnet type of the destination address, the step of updating the user type of the user terminal according to the authorization decision algorithm includes at least one of the following steps:
步骤S410,如果接收到DMZ授权访客用户申请,则根据DMZ访客授权判决算法给予DMZ访客授权,并根据配置生成DMZ访客授权信息,修改通过DMZ访客授权的用户类型为DMZ授权访客用户。Step S410: If the DMZ authorized guest user application is received, the DMZ guest authorization algorithm is used to authorize the DMZ guest authorization, and the DMZ guest authorization information is generated according to the configuration, and the user type authorized by the DMZ guest is modified as the DMZ authorized guest user.
具体的,DMZ访客授权信息可包括用户标识和对应的用户类型。在用户记录表分为DMZ授权访客用户记录表、受控授权用户记录表和内网授权用户记录表的情况下,可将DMZ访客授权信息传递至DMZ授权访客用户记录表,更新DMZ授权访客用户记录表,新增或变更用户记录,并将用户记录的用户类型设置为DMZ授权访客用户。在更新用户记录的同时发送启动访客用户访问控制消息,携带启动的策略和相关信息。其中上行速率控制和下行速率控制为必选策略,访问时长和访问总流量为可
选。Specifically, the DMZ visitor authorization information may include a user identifier and a corresponding user type. In the case that the user record table is divided into a DMZ authorized guest record table, a controlled authorized user record table, and an intranet authorized user record table, the DMZ guest authorization information may be transmitted to the DMZ authorized guest record table to update the DMZ authorized guest user. Record the table, add or change user records, and set the user type of the user record to the DMZ authorized guest user. The initiating guest user access control message is sent at the same time as the user record is updated, carrying the initiated policy and related information. The uplink rate control and the downlink rate control are mandatory policies, and the access duration and total access traffic are available.
selected.
步骤S420,如果接收到受控授权用户申请,则根据受控授权判决算法,给予受控授权,并根据配置生成受控授权信息,修改通过受控授权的用户类型为受控授权用户。Step S420: If the controlled authorized user application is received, the controlled authorization algorithm is given according to the controlled authorization decision algorithm, and the controlled authorization information is generated according to the configuration, and the user type controlled by the authorized authorization is modified as the controlled authorized user.
具体的,受控授权信息可包括用户标识和对应的用户类型。可将受控授权信息传递至受控授权用户记录表,更新受控授权用户记录表,新增或变更用户记录,并将用户记录的用户类型设置为受控授权用户。向本地网络访问控制模块发送启动受控授权用户访问控制消息,携带启动的策略和相关信息。其中上行速率控制和下行速率控制为必选策略,访问时长和访问总流量为可选。Specifically, the controlled authorization information may include a user identifier and a corresponding user type. The controlled authorization information can be passed to the controlled authorized user record table, the controlled authorized user record table is updated, the user record is added or changed, and the user type recorded by the user is set as the controlled authorized user. Sending a controlled controlled user access control message to the local network access control module, carrying the initiated policy and related information. The uplink rate control and the downlink rate control are mandatory policies, and the access duration and total access traffic are optional.
步骤S430,如果接收到授权内网用户申请,则根据内网授权判决算法,给予内网授权,并根据配置生成内网授权信息,修改通过内网授权的用户类型为内网授权用户。Step S430: If the application for the authorized intranet user is received, the intranet authorization is given according to the intranet authorization decision algorithm, and the intranet authorization information is generated according to the configuration, and the user type authorized by the intranet is modified as the intranet authorized user.
具体的,内网授权信息可包括用户标识和对应的用户类型。可将内网授权信息传递至内网授权用户记录表,更新内网授权用户记录表,新增或变更用户记录,并将用户记录的用户类型设置为内网授权用户。启动内网授权用户的访问控制功能,本地网络访问控制模块停止原来的受控授权用户访问控制功能。Specifically, the intranet authorization information may include a user identifier and a corresponding user type. The intranet authorization information can be transmitted to the intranet authorized user record table, the intranet authorized user record table is updated, the user record is added or changed, and the user type recorded by the user is set as an intranet authorized user. The access control function of the authorized user of the intranet is activated, and the local network access control module stops the original controlled authorized user access control function.
本实施例中,对于不同用户类型的用户申请,采取了不同的授权判决算法。且存在多个不同类型的表,进行相应的更新,使得用户类型的授权灵活有序。通过不同的授权判决算法对允许访问子网、访问速率、访问时长和访问总流量进行授权限制。In this embodiment, different authorization decision algorithms are adopted for user applications of different user types. And there are multiple different types of tables, and corresponding updates are made to make the authorization of the user type flexible and orderly. Authorization restrictions are allowed on access subnets, access rates, access durations, and total access traffic through different authorization decision algorithms.
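The application selection of steps S310 to S330 and the authorization decisions of steps S410 to S430, with one record table per user type, as an added example; this is illustration code written for this page, not code from the patent, and the field names, grant rules and threshold values are assumptions.

```python
"""Added example, not code from the patent: user type application selection
(steps S310-S330) and the authorization decisions (steps S410-S430) with one
record table per user type.  Field names, grant rules and thresholds are
assumptions made for this illustration."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class Subnet(Enum):
    DMZ = "dmz"
    INTRANET = "intranet"


class UserType(Enum):
    UNKNOWN = "no record yet (a non-DMZ authorized guest)"
    DMZ_GUEST = "DMZ authorized guest user"
    CONTROLLED = "controlled authorized user"
    INTRANET = "authorized intranet user"


class Application(Enum):
    DMZ_GUEST = "DMZ authorized guest user application"
    CONTROLLED = "controlled authorized user application"
    INTRANET = "authorized intranet user application"


@dataclass
class Record:
    user_id: str                        # the UE's IP address in the mobile network
    enb_ip: str                         # mobile network base station information
    teid: int                           # base station tunnel identifier
    user_type: UserType
    allowed_subnets: List[str] = field(default_factory=list)
    up_rate: int = 0                    # mandatory policies (assumed kbit/s)
    down_rate: int = 0


@dataclass
class Config:
    dmz_subnets: List[str]              # constructed configuration values
    intranet_subnets: List[str]
    up_rate: int
    down_rate: int
    intranet_user_threshold: int        # max number of authorized intranet users
    intranet_rate_threshold: int        # max total authorized intranet rate


@dataclass
class UserTables:
    dmz: Dict[str, Record] = field(default_factory=dict)
    controlled: Dict[str, Record] = field(default_factory=dict)
    intranet: Dict[str, Record] = field(default_factory=dict)


def select_application(subnet: Subnet, user_type: UserType,
                       internal_identity: bool) -> Optional[Application]:
    """Steps S310-S330: which user type application to initiate, if any."""
    if subnet is Subnet.DMZ:                                           # S310
        return None if user_type is UserType.DMZ_GUEST else Application.DMZ_GUEST
    if user_type is UserType.INTRANET:
        return None                     # already fully authorized
    if not internal_identity:                                          # S320
        # Identity is unknown before VPN authentication, so only a controlled
        # application may be raised, never an intranet one.
        return None if user_type is UserType.CONTROLLED else Application.CONTROLLED
    # Identity confirmed internal: a controlled user moves on to the intranet
    # application (S330); anyone else must first become controlled (assumed).
    return Application.INTRANET if user_type is UserType.CONTROLLED else Application.CONTROLLED


def authorize(tables: UserTables, app: Application, user_id: str,
              enb_ip: str, teid: int, cfg: Config) -> Record:
    """Steps S410-S430: run the decision algorithm for the application type,
    generate the authorization info and update the matching record table.
    Returns the record in force afterwards."""
    base = dict(user_id=user_id, enb_ip=enb_ip, teid=teid,
                up_rate=cfg.up_rate, down_rate=cfg.down_rate)
    if app is Application.DMZ_GUEST:                                   # S410
        rec = Record(user_type=UserType.DMZ_GUEST,
                     allowed_subnets=list(cfg.dmz_subnets), **base)
        tables.dmz[user_id] = rec
        return rec
    if app is Application.CONTROLLED:                                  # S420
        # No subnet list: controlled traffic goes to the VPN gateway only.
        rec = Record(user_type=UserType.CONTROLLED, **base)
        tables.controlled[user_id] = rec
        return rec
    # S430: intranet decision built from the factors the page lists, i.e. the
    # current authorized intranet user count and total rate versus thresholds.
    total_rate = sum(r.up_rate + r.down_rate for r in tables.intranet.values())
    if (len(tables.intranet) >= cfg.intranet_user_threshold
            or total_rate + cfg.up_rate + cfg.down_rate > cfg.intranet_rate_threshold):
        return tables.controlled[user_id]   # denied: user stays controlled
    rec = Record(user_type=UserType.INTRANET,
                 allowed_subnets=list(cfg.intranet_subnets), **base)
    tables.intranet[user_id] = rec
    tables.controlled.pop(user_id, None)    # record moves between the two tables
    return rec
```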
In an embodiment, the user record table is divided into a DMZ authorized guest user record table, a controlled authorized user record table and an intranet authorized user record table, and the method further includes: modifying the user records of the record table of the corresponding type according to the update of the user type.
Specifically, the DMZ authorized guest user record table includes the user identifier, user mobile network base station information and guest authorization information. The guest authorization information contains the list of subnets allowed to be accessed together with their next hop addresses, the user uplink access rate, user downlink access rate, user access duration, user total access traffic quota and other information. The controlled authorized user record table includes the user identifier, user mobile network base station information and controlled authorization information. The controlled authorization information contains the user uplink access rate, user downlink access rate, user access duration, user total access traffic quota and other information. The intranet authorized user record table includes the user identifier, user mobile network base station information and intranet authorization information. The intranet authorization information contains the list of subnets allowed to be accessed together with their next hop addresses, the user uplink access rate, user downlink access rate and other information.
In an embodiment, the user record table records the mobile network base station IP address and the mobile network base station user information, where the mobile network base station user information includes the mobile network base station IP address and the mobile network base station tunnel identifier TEID.
Specifically, the user identifier in the user record table is the IP address of the user terminal in the mobile network, that is, the mobile network base station IP address; the mobile network base station user information contains the IP address of the mobile network base station eNB and the mobile network base station tunnel identifier TEID of the user terminal, and the two are associated. When the user record table is divided into a DMZ authorized guest user record table, a controlled authorized user record table and an intranet authorized user record table, the DMZ authorized guest user record table includes the user identifier, user mobile network base station information and DMZ guest authorization information. The DMZ guest authorization information contains the list of subnets allowed to be accessed together with their next hop addresses, the user uplink access rate, user downlink access rate, user access duration, user total access traffic quota and other information. The controlled authorized user record table includes the user identifier, user mobile network base station information and controlled authorization information. The controlled authorization information contains the user uplink access rate, user downlink access rate, user access duration, user total access traffic quota and other information. The intranet authorized user record table includes the user identifier, user mobile network base station information and intranet authorization information. The intranet authorization information contains the list of subnets allowed to be accessed together with their next hop addresses, the user uplink access rate, user downlink access rate and other information.
In an embodiment, the method further includes: receiving a local network downlink packet, restoring the device IP address and mapped port number carried in the local network downlink packet to the source IP address and source port number of the user terminal, packaging the result into an S1-U downlink packet according to the mobile network base station tunnel identifier of the user terminal, and sending it to the mobile network base station.
Specifically, the local network downlink packet is the response packet sent by the local network to the user terminal. It carries the device IP address and the mapped port number, which must be converted back to the source IP address and source port number of the user terminal before the packet can be forwarded to the user terminal.
In an embodiment, after the step of receiving the local network downlink packet, the method further includes:
applying for a downlink forwarding permission of the type corresponding to the user type of the local network downlink packet; if the application succeeds, proceeding to the step of restoring the device IP address and mapped port number carried in the local network downlink packet to the source IP address and source port number of the user terminal; otherwise, discarding the local network downlink packet.
Specifically, when applying for the downlink forwarding permission of the corresponding type, the application request carries the number of bytes to be forwarded. If the application succeeds, the local network downlink packet is unpacked, the device IP address and mapped port number carried in it are obtained and converted to the user's source IP address and source port number, and the packet is re-encapsulated into an S1-U downlink packet and forwarded to the base station eNB. After receiving the S1-U downlink packet, the base station eNB converts it into an air interface packet and sends it to the user terminal. If the application does not succeed, the local network downlink packet is discarded, which achieves control and management of local network downlink packets.
In an embodiment, before step S110 the method further includes: configuring the parameters and rules in advance.
Specifically, the configured parameters and rules include: local network access packet characteristics, local network domain name rules, local network subnets and routing rules, VPN gateway configuration, local network access control rules, and so on; this provides a parameter configuration interface function for the other modules.
In a specific embodiment, the above method for a user terminal to access a local network is implemented by newly added modules, which include a local network packet identification module, a local network domain name proxy module, a local network access processing module, a local network access control module, a local network access authorization module and a user information management module. The sequence diagram for a user terminal querying a local network domain name is shown in FIG. 9; the local network domain name proxy module constructs the DNS query response, as described below:
401 The UE sends an air interface packet carrying a user packet, namely a DNS query packet, to the eNB to query a local network domain name;
402 After receiving it, the eNB extracts the user packet, packages it into an S1-U uplink packet and sends it to the local network packet identification module;
403 The local network packet identification module analyses the content of the S1-U packets packet by packet and identifies the DNS query packet;
404 The local network packet identification module identifies, according to the configured local network domain name rules, DNS query packets for local network domain names;
405 The local network packet identification module forwards DNS query packets for local network domain names to the local network domain name proxy module; other DNS query packets continue to be sent to the core network;
406 The local network domain name proxy module constructs a DNS query response packet carrying the local network IP address;
407 The local network domain name proxy module obtains the user's mobile network base station information from the user information management module;
408 The local network domain name proxy module packages the DNS query response packet into an S1-U packet and sends it to the eNB;
409 The eNB receives the S1-U packet, extracts the user packet, namely the DNS query response packet, packages it into an air interface packet and sends it to the UE.
In a specific embodiment, FIG. 10 shows an example sequence diagram for uplink packets of a user terminal accessing a DMZ subnet of the local network, described as follows:
501 The UE sends a user uplink packet over the air interface;
502 After receiving it, the eNB extracts the user packet, packages it into an S1-U uplink packet and sends it;
503 The local network packet identification module compares packets one by one against the configured local network access packet characteristics and identifies local network access packets;
504 The local network packet identification module forwards the local network access packet to the local network access processing module;
505 The local network access processing module checks the destination subnet and identifies it as a DMZ subnet;
506 The local network access processing module checks whether the user is in the DMZ authorized guest user record table;
507 For a guest who is not in the DMZ authorized guest user record table, the local network access processing module may initiate a DMZ authorized guest user application carrying the user identifier to the user information management module, in order to obtain DMZ guest authorization information;
508 For DMZ authorized guest users, the local network access processing module checks whether the subnet of the destination address is in the list of subnets allowed to be accessed; for unauthorized guests or access to unauthorized subnets, the packet is discarded directly;
509 The local network access processing module obtains a guest uplink forwarding permission from the local network access control module, carrying the number of bytes to be forwarded;
510 The local network access processing module unpacks the packet, performs port address translation and re-encapsulates it into a local network packet. If no forwarding permission was obtained, the packet is discarded directly;
511 The local network access processing module sends the packaged local network packet to the next hop address corresponding to the subnet of the destination address.
In a specific embodiment, the response packet returned by the local network DMZ server to the UE also requires a guest downlink forwarding permission before it is forwarded. FIG. 11 is an example sequence diagram for downlink packets of a user terminal accessing the local network DMZ, described as follows:
601 The local network access processing module receives a packet from the local network DMZ, namely a user downlink packet;
602 The local network access processing module obtains a guest downlink forwarding permission from the local network access control module, carrying the number of bytes to be forwarded;
603 The local network access processing module unpacks the packet, performs port address translation and re-encapsulates it into an S1-U downlink user packet. If no forwarding permission was obtained, the packet is discarded directly;
604 The local network access processing module sends the packaged S1-U downlink user packet to the eNB;
605 The eNB receives the S1-U packet and sends the user downlink packet to the UE over the air interface.
A user terminal accessing the local network DMZ needs to apply for guest authorization. The application process can be triggered during the local network domain name response process or during the local network DMZ access process. In a specific embodiment, FIG. 12 shows an example sequence diagram of local network DMZ guest authorization, described as follows:
701 The user information management module initiates a DMZ authorized guest user application to the local network access authorization module;
702 The local network access authorization module grants DMZ guest authorization according to the DMZ guest authorization decision algorithm and generates DMZ guest authorization information according to the configuration;
703 The local network access authorization module returns a DMZ authorized guest user application response;
704 The user information management module checks the authorization result, saves the DMZ guest authorization information and adds it to the authorized guest user record table;
705 The user information management module sends a start-DMZ-authorized-guest-user-access-control message to the local network access control module, carrying the policies to be started and related information, where uplink rate control and downlink rate control are mandatory policies and access duration and total access traffic are optional.
A user terminal accessing an intranet subnet of the local network needs to perform intranet identity authentication. The specific intranet identity authentication process can be customized as needed and is not limited by this solution. Before intranet identity authentication succeeds, the local network access authorization module grants controlled authorization and packets are forwarded to the VPN gateway; this is called controlled forwarding, and the user is a controlled authorized user at this time. When the local network access authorization module learns that the user identity is internal user, it grants intranet authorization according to the intranet authorization decision algorithm and packets are allowed to be forwarded to the authorized subnets; this is called authorized forwarding, and the user changes to authorized intranet user at this time. In a specific embodiment, the sequence diagram for uplink packets of a user terminal accessing the local network intranet is shown in FIG. 13, described as follows:
801 The UE sends a user uplink packet over the air interface;
802 After receiving it, the eNB packages it into an S1-U uplink packet and sends it;
803 The local network packet identification module compares packets one by one against the configured local network access packet characteristics and identifies local network access packets;
804 The local network packet identification module forwards the local network access packet to the local network access processing module;
805 The local network access processing module checks the destination subnet and identifies it as an intranet subnet;
806 The local network access processing module checks the controlled authorized user record table and the intranet authorized user record table;
807 For a user present in neither of the above record tables, the local network access processing module sends a user type update application carrying the user identifier to the user information management module, in order to obtain user authorization information;
808 The local network access processing module confirms whether the user type is controlled authorized user or authorized intranet user, so that different policy processing can be performed subsequently;
809 For authorized intranet users, the local network access processing module checks whether the subnet of the destination address belongs to the authorized subnet list; if not, the packet is discarded directly, and if so, the next step is entered;
810 For controlled authorized users, the local network access processing module obtains a controlled uplink forwarding permission from the local network access control module, carrying the number of bytes to be forwarded; for authorized intranet users, it obtains an authorized uplink forwarding permission from the local network access control module, carrying the number of bytes to be forwarded;
811 The local network access processing module unpacks the packet, performs port address translation and re-encapsulates it into a local network packet; if no forwarding permission was obtained, the packet is discarded directly;
812 The local network access processing module sends the packaged local network packet to the VPN gateway for controlled authorized users, and to the next hop address corresponding to the subnet of the destination address for authorized intranet users.
The response packet returned to the UE by a server in a local network intranet subnet or by the VPN gateway also requires a downlink forwarding permission before it is forwarded; the process differs slightly depending on the user type. The sequence diagram for downlink packets of a user terminal accessing the local network intranet is shown in FIG. 14, described as follows:
901 The local network access processing module receives a local network packet from the local network intranet or from the VPN gateway, namely a user downlink packet;
902 The local network access processing module checks whether the user record type is controlled authorized user or authorized intranet user;
903 For controlled authorized users, the local network access processing module obtains a controlled downlink forwarding permission from the local network access control module, carrying the number of bytes to be forwarded; for authorized intranet users, it obtains an authorized downlink forwarding permission from the local network access control module, carrying the number of bytes to be forwarded;
904 The local network access processing module unpacks the packet, performs port address translation and re-encapsulates it into an S1-U downlink user packet; if no forwarding permission was obtained, the packet is discarded directly;
905 The local network access processing module sends the packaged S1-U downlink user packet to the eNB;
906 The eNB receives the S1-U packet and sends the user downlink packet to the UE over the air interface.
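The forwarding path shared by the uplink sequences (steps 508 to 511 and 809 to 812) and the downlink sequences (steps 601 to 605 and 901 to 906), as an added example written for this page rather than taken from the patent: the forwarding permission request carrying the byte count, port address translation between the UE's source address and the device IP address plus mapped port, next hop selection by user type, and re-encapsulation into an S1-U packet using the stored TEID. The packet layout, the quota-based permission rule and all addresses are simplified assumptions.

```python
"""Added example, not code from the patent: uplink and downlink forwarding
with a byte-counted permission request, port address translation, next hop
selection by user type and S1-U re-encapsulation.  Packet layouts, the
permission rule and all addresses are simplified, constructed assumptions."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Packet:
    """User IP packet reduced to the fields the translation needs."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


@dataclass
class S1U:
    """S1-U packet: base station IP and tunnel identifier plus the user packet."""
    enb_ip: str
    teid: int
    inner: Packet


@dataclass
class Grant:
    """Per-user state kept by the access control module (assumed layout)."""
    user_type: str                      # "dmz_guest", "controlled" or "intranet"
    allowed_subnets: list = field(default_factory=list)
    quota: Optional[int] = None         # optional total traffic quota in bytes
    used: int = 0


class LocalNetworkAccess:
    """Local network access processing plus a minimal access control module."""

    def __init__(self, device_ip: str, vpn_gateway: str,
                 next_hops: Dict[str, str], grants: Dict[str, Grant]):
        self.device_ip = device_ip
        self.vpn_gateway = vpn_gateway
        self.next_hops = next_hops      # subnet -> next hop address
        self.grants = grants            # user id (UE IP) -> Grant
        # mapped port -> (user ip, user port, eNB ip, TEID) for reverse translation
        self.nat: Dict[int, Tuple[str, int, str, int]] = {}
        self.reverse: Dict[Tuple[str, int], int] = {}
        self.next_port = 40000

    def forwarding_permit(self, user_id: str, nbytes: int) -> bool:
        """Permission request carrying the byte count; enforces the quota."""
        g = self.grants.get(user_id)
        if g is None:
            return False
        if g.quota is not None and g.used + nbytes > g.quota:
            return False
        g.used += nbytes
        return True

    def subnet_of(self, ip: str) -> Optional[str]:
        addr = ipaddress.ip_address(ip)
        return next((s for s in self.next_hops
                     if addr in ipaddress.ip_network(s)), None)

    def uplink(self, s1u: S1U) -> Optional[Tuple[Packet, str]]:
        """Returns (translated local network packet, next hop), or None if dropped."""
        pkt = s1u.inner
        g = self.grants.get(pkt.src_ip)
        if g is None:
            return None                 # no record: the application is raised elsewhere
        if g.user_type == "controlled":
            next_hop = self.vpn_gateway # controlled forwarding (step 812)
        else:
            subnet = self.subnet_of(pkt.dst_ip)
            if subnet is None or subnet not in g.allowed_subnets:
                return None             # unauthorized subnet (steps 508, 809)
            next_hop = self.next_hops[subnet]
        if not self.forwarding_permit(pkt.src_ip, len(pkt.payload)):
            return None                 # no forwarding permission (steps 510, 811)
        mapped = self.reverse.get((pkt.src_ip, pkt.src_port))
        if mapped is None:
            mapped, self.next_port = self.next_port, self.next_port + 1
            self.nat[mapped] = (pkt.src_ip, pkt.src_port, s1u.enb_ip, s1u.teid)
            self.reverse[(pkt.src_ip, pkt.src_port)] = mapped
        out = Packet(self.device_ip, mapped, pkt.dst_ip, pkt.dst_port, pkt.payload)
        return out, next_hop

    def downlink(self, pkt: Packet) -> Optional[S1U]:
        """Reverse translation and S1-U re-encapsulation, or None if dropped."""
        entry = self.nat.get(pkt.dst_port)
        if pkt.dst_ip != self.device_ip or entry is None:
            return None                 # not a mapped response
        user_ip, user_port, enb_ip, teid = entry
        if not self.forwarding_permit(user_ip, len(pkt.payload)):
            return None                 # no downlink permission (steps 603, 904)
        inner = Packet(pkt.src_ip, pkt.src_port, user_ip, user_port, pkt.payload)
        return S1U(enb_ip, teid, inner)
```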
The local network access authorization module decides, according to the intranet authorization decision algorithm, whether to grant authorization to users with internal identity. The intranet authorization decision algorithm may take into account factors such as the current number of authorized intranet access users, the configured threshold for the number of authorized intranet access users, the current total authorized intranet access rate and the configured threshold for the total authorized intranet access rate.
For users who are decided not to be granted intranet authorization, the controlled authorized user record type is retained; users who are decided to be granted intranet authorization are changed from the original controlled authorized user type to the authorized intranet user type. Even a user with internal identity who has been authenticated by the local network remains of the controlled authorized user type if the local network access authorization module does not grant intranet authorization.
FIG. 15 is a sequence diagram of local network intranet authorization. The user terminal notifies the VPN gateway of the user terminal identifier, that is, the IP address of the user terminal in the mobile network, and the VPN gateway notifies the local network access authorization module, described as follows:
1001 When the user first accesses the local network intranet, the user information management module initiates a controlled authorized user application to the local network access authorization module;
1002 The local network access authorization module grants controlled authorization according to the controlled authorization decision algorithm and generates controlled authorization information according to the configuration;
1003 The local network access authorization module returns a controlled authorized user application response;
1004 The user information management module checks the controlled authorization result, saves it as controlled authorized user information and adds it to the controlled authorized user record table;
1005 The user information management module sends a start-controlled-authorized-user-access-control message to the local network access control module, carrying the policies to be started and related information, where uplink rate control and downlink rate control are mandatory policies and access duration and total access traffic are optional;
1006 The user terminal performs intranet authentication with the local network intranet authentication system; this step is not limited;
1007 The user terminal sends the user identifier to the VPN gateway; this step is optional;
1008 The VPN gateway notifies the local network access authorization module, carrying the user identifier; this step is optional;
1009 The local network access authorization module learns that the user has passed intranet authentication and that the user identity is internal user;
1010 The local network access authorization module grants intranet authorization according to the intranet authorization decision algorithm and generates intranet authorization information according to the configuration;
1011 The local network access authorization module sends an authorized intranet user notification to the user information management module, carrying the authorization information;
1012 The user information management module changes the user's record from a controlled authorized user record to an authorized intranet user record, saves the authorization information, adds the record to the intranet authorized user record table and deletes it from the controlled authorized user record table;
1013 The user information management module notifies the local network access control module to start the access control function for authorized intranet users, and the local network access control module stops the previous controlled authorized user access control function.
In an embodiment, as shown in FIG. 16, an apparatus for a user terminal to access a local network is provided, including:
The local network packet identification module 520, configured to receive S1-U uplink packets and to identify and intercept the local network access packets among them.
The local network access processing module 530, configured to determine the user type of the user terminal corresponding to the local network access packet and to verify the user terminal's local network access permission according to the user type and the destination address in the local network access packet; if the verification passes, it disassembles the S1-U uplink packet, translates the source IP address and source port number of the user IP packet into the device IP address and a mapped port number, re-encapsulates the result as a local network packet, and forwards the local network packet to the next-hop address of the subnet in which the destination address is located.
In an embodiment, the local network packet identification module 520 is further configured to receive S1-U uplink packets and to identify and intercept the DNS query packets for local network domain names among them. As shown in FIG. 17, the apparatus further includes:
The local network domain name proxy module 540, configured to construct, from the DNS query packet for a local network domain name, a DNS response packet carrying the local network IP address and to return the DNS response packet to the terminal; the local network IP address is then carried as the destination address in the local network access packet.
In an embodiment, as shown in FIG. 18, the local network access processing module 530 includes:
The information determining unit 531, configured to extract the user identifier carried in the local network access packet, determine the user type corresponding to the user identifier, and determine the subnet in which the destination address is located and the type of that subnet.
The first verification unit 532, configured to determine whether the user access permission corresponding to the user type matches the access permission corresponding to the subnet type of the destination address and, if it does, to hand over to the second verification unit.
The second verification unit 533, configured to determine whether the subnet in which the destination address is located is a subnet the user is allowed to access; if so, the local network access permission is verified, otherwise the local network access permission fails verification.
In an embodiment, as shown in FIG. 19, the apparatus further includes:
The local network access control module 550, configured to decide, according to the current access state, whether to grant a forwarding permission to the local network access packet; if the local network access packet obtains the forwarding permission, processing proceeds to the disassembly of the S1-U uplink packet in the local network access processing module, and if it does not obtain the forwarding permission, the local network access packet is discarded.
In an embodiment, as shown in FIG. 20, the apparatus further includes:
The local network access authorization module 560, configured to update the user type of the user terminal according to an authorization decision algorithm if the user access permission corresponding to the user type does not match the access permission corresponding to the subnet type of the destination address.
In an embodiment, the local network access processing module 530 is further configured to query the user record table by the user identifier of the user terminal carried in the local network access packet; if the user identifier is in the user record table, the user type recorded there is obtained, and if the user identifier is not in the user record table, the user type is a no-permission user.
In an embodiment, the local network is divided into a DMZ zone and an intranet, the subnet types are divided into DMZ subnets and intranet subnets, and the user types include DMZ authorized guest users, controlled authorized users and authorized intranet users. As shown in FIG. 21, the first verification unit 532 includes at least one of the following units:
The DMZ subnet verification unit 532a, configured to determine that the user access permission corresponding to the user type matches the access permission corresponding to the subnet type of the destination address if the destination address lies in a DMZ subnet and the user type is DMZ authorized guest user.
The first intranet subnet verification unit 532b, configured, if the destination address lies in an intranet subnet and the user type is controlled authorized user, to determine that the user access permission corresponding to the user type does not match the access permission corresponding to the subnet type of the destination address, to disassemble the S1-U uplink packet, translate the source IP address and source port number of the user IP packet into the device IP address and a mapped port number, re-encapsulate the result as a local network packet, and forward the local network packet to the VPN gateway.
The second intranet subnet verification unit 532c, configured to determine that the user access permission corresponding to the user type matches the access permission corresponding to the subnet type of the destination address if the destination address lies in an intranet subnet and the user type is authorized intranet user.
In an embodiment, as shown in FIG. 22, the local network access processing module 530 further includes:
The authorization application unit 534, which includes at least one of the following units:
The DMZ authorization application unit 534a, configured to initiate a DMZ authorized guest user application if the destination address lies in a DMZ subnet and the user type is not DMZ authorized guest user.
The controlled authorization application unit 534b, configured to initiate a controlled authorized user application if the destination address lies in an intranet subnet and the user's identity has not yet been established as an internal user.
The intranet authorization application unit 534c, configured to initiate an authorized intranet user application if the destination address lies in an intranet subnet, the user's identity has been established as an internal user, and the user type is controlled authorized user.
In an embodiment, as shown in FIG. 23, the local network access authorization module 560 includes at least one of the following units:
The DMZ authorization unit 560a, configured, on receiving a DMZ authorized guest user application, to grant DMZ guest authorization according to the DMZ guest authorization decision algorithm, generate DMZ guest authorization information according to the configuration, and change the user type of a user that passes DMZ guest authorization to DMZ authorized guest user.
The controlled authorization unit 560b, configured, on receiving a controlled authorized user application, to grant controlled authorization according to the controlled authorization decision algorithm, generate controlled authorization information according to the configuration, and change the user type of a user that passes controlled authorization to controlled authorized user.
The intranet authorization unit 560c, configured, on receiving an authorized intranet user application, to grant intranet authorization according to the intranet authorization decision algorithm, generate intranet authorization information according to the configuration, and change the user type of a user that passes intranet authorization to authorized intranet user.
In an embodiment, the user record table is divided into a DMZ authorized guest user record table, a controlled authorized user record table and an intranet authorized user record table. As shown in FIG. 24, the apparatus further includes:
The user information management module 570, configured to modify the user record in the record table of the corresponding type whenever the user type is updated.
In an embodiment, an apparatus for a user terminal to access a local network is provided, including a processor and a memory storing instructions executable by the processor; when the instructions are executed by the processor, the following operations are performed:
Receiving user-plane S1-U uplink packets, and identifying and intercepting the local network access packets among them.
Determining the user type of the user terminal corresponding to the local network access packet, and verifying the user terminal's local network access permission according to the user type and the destination address in the local network access packet.
If the verification passes, disassembling the S1-U uplink packet, translating the source IP address and source port number of the user IP packet into the device IP address and a mapped port number, re-encapsulating the result as a local network packet, and forwarding the local network packet to the next-hop address of the subnet in which the destination address is located.
In an embodiment, when the instructions are executed by the processor, the following operations are also performed:
Receiving S1-U uplink packets, and identifying and intercepting the DNS query packets for local network domain names among them.
Constructing, from the DNS query packet for a local network domain name, a DNS response packet carrying the local network IP address, and returning the DNS response packet to the terminal; the local network IP address is then carried as the destination address in the local network access packet.
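The following is an added example, not code from the patent, of what the local network domain name proxy described above (and by module 540 earlier) does with one intercepted packet: it recognises an A query for a configured local network domain name and answers it directly with the local network IP address, leaving every other query untouched. LOCAL_ZONES and the names and addresses in it are constructed values.

```python
import ipaddress
import struct
from typing import Optional

# Constructed configuration: local network domain name -> local network IP address.
LOCAL_ZONES = {"portal.campus.local": "10.10.1.50", "files.campus.local": "10.20.3.4"}


def _decode_name(packet: bytes, offset: int):
    """Read an uncompressed DNS name at offset; return (dotted name, next offset)."""
    labels = []
    while True:
        length = packet[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0:  # compression pointer; a question name is never compressed
            raise ValueError("compressed name in question section")
        offset += 1
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length


def _encode_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def local_query_name(packet: bytes) -> Optional[str]:
    """Identification step: the queried name if this is an A/IN query for a local
    network domain name, otherwise None (the packet then continues to the core network)."""
    if len(packet) < 12:
        return None
    _, flags, qdcount, _, _, _ = struct.unpack("!6H", packet[:12])
    if flags & 0x8000 or qdcount != 1:  # QR=1 marks a response, not a query
        return None
    try:
        name, off = _decode_name(packet, 12)
        qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    except (ValueError, IndexError, struct.error, UnicodeDecodeError):
        return None  # malformed question: not ours to answer
    if qtype != 1 or qclass != 1:
        return None
    return name if name.lower() in LOCAL_ZONES else None


def build_local_response(query: bytes, name: str, ttl: int = 60) -> bytes:
    """Construct the DNS response carrying the local network IP address for name."""
    _, off = _decode_name(query, 12)
    question = query[12:off + 4]  # QNAME + QTYPE + QCLASS are echoed back verbatim
    # Same transaction id; flags QR=1, RD=1, RA=1, RCODE=0; one question, one answer.
    header = query[:2] + struct.pack("!5H", 0x8180, 1, 1, 0, 0)
    rdata = ipaddress.ip_address(LOCAL_ZONES[name.lower()]).packed
    # The answer's owner name is a pointer (0xC00C) to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def build_query(name: str, ident: int = 0x1234) -> bytes:
    """Constructed client query (standard query, RD set) used for demonstration."""
    return (struct.pack("!6H", ident, 0x0100, 1, 0, 0, 0)
            + _encode_name(name) + struct.pack("!HH", 1, 1))


def answer_if_local(query: bytes) -> Optional[bytes]:
    """The proxy's decision for one intercepted uplink DNS packet."""
    name = local_query_name(query)
    return build_local_response(query, name) if name else None
```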
In an embodiment, the operation performed by the processor of determining the user type of the user terminal corresponding to the local network access packet and verifying the user terminal's local network access permission according to the user type and the destination address in the local network access packet includes:
Extracting the user identifier carried in the local network access packet, and determining the user type corresponding to the user identifier;
Determining the subnet in which the destination address is located and the type of that subnet;
Determining whether the user access permission corresponding to the user type matches the access permission corresponding to the subnet type of the destination address and, if it does, determining whether the subnet in which the destination address is located is a subnet the user is allowed to access;
If it is an allowed subnet, the local network access permission is verified; otherwise the local network access permission fails verification.
In an embodiment, the local network is divided into a DMZ zone and an intranet, the subnet type of the destination address is either DMZ subnet or intranet subnet, and the user types include DMZ authorized guest users, controlled authorized users and authorized intranet users. The operation performed by the processor of determining whether the user access permission corresponding to the user type matches the access permission corresponding to the subnet type of the destination address includes at least one of the following operations:
If the destination address lies in a DMZ subnet and the user type is DMZ authorized guest user, determining that the user access permission corresponding to the user type matches the access permission corresponding to the subnet type of the destination address.
If the destination address lies in an intranet subnet and the user type is controlled authorized user, determining that the user access permission corresponding to the user type does not match the access permission corresponding to the subnet type of the destination address, disassembling the S1-U uplink packet, translating the source IP address and source port number of the user IP packet into the device IP address and a mapped port number, re-encapsulating the result as a local network packet, and forwarding the local network packet to the VPN gateway.
If the destination address lies in an intranet subnet and the user type is authorized intranet user, determining that the user access permission corresponding to the user type matches the access permission corresponding to the subnet type of the destination address.
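As an added example that is not part of the patent, the Python below puts the verification logic of the preceding embodiments together: the information determining unit (subnet and subnet type of the destination, user type from the record tables), the first and second verification units with the DMZ / controlled / intranet cases, the authorization application unit, and the source address and port mapping with the reverse lookup a downlink packet needs. The subnet plan, record tables, user identifiers, device IP and port range are constructed values.

```python
import ipaddress
from enum import Enum
from typing import Dict, Optional, Set, Tuple

class UserType(Enum):
    NO_PERMISSION = 0   # identifier absent from every user record table
    DMZ_GUEST = 1       # DMZ authorized guest user
    CONTROLLED = 2      # controlled authorized user
    INTRANET = 3        # authorized intranet user

class SubnetType(Enum):
    DMZ = 1
    INTRANET = 2

class Verdict(Enum):
    FORWARD = "verified: translate source and forward to the subnet next hop"
    VPN_GATEWAY = "controlled user to intranet: translate source, forward to VPN gateway"
    DENIED = "verification failed"

class Application(Enum):
    DMZ_GUEST = "DMZ authorized guest user application"
    CONTROLLED = "controlled authorized user application"
    INTRANET = "authorized intranet user application"

# Constructed subnet plan of the local network: (network, subnet type, next hop).
SUBNETS = [
    (ipaddress.ip_network("10.10.1.0/24"), SubnetType.DMZ, "10.10.1.1"),
    (ipaddress.ip_network("10.20.0.0/16"), SubnetType.INTRANET, "10.20.0.1"),
]

class UserRecords:
    """The three record tables kept by the user information management module."""
    def __init__(self) -> None:
        # user identifier -> subnets that the saved authorization information allows
        self.tables: Dict[UserType, Dict[str, Set]] = {
            UserType.DMZ_GUEST: {}, UserType.CONTROLLED: {}, UserType.INTRANET: {}}
        self.internal_identities: Set[str] = set()  # identities established as internal

    def lookup(self, user_id: str) -> Tuple[UserType, Set]:
        for utype, table in self.tables.items():
            if user_id in table:
                return utype, table[user_id]
        return UserType.NO_PERMISSION, set()

    def authorize(self, user_id: str, utype: UserType, allowed: Set) -> None:
        for table in self.tables.values():    # one record per user: move, not copy
            table.pop(user_id, None)
        self.tables[utype][user_id] = set(allowed)

def classify_destination(dst_ip: str):
    """Information determining unit: subnet, subnet type and next hop of the destination."""
    addr = ipaddress.ip_address(dst_ip)
    for net, stype, next_hop in SUBNETS:
        if addr in net:
            return net, stype, next_hop
    raise ValueError(f"{dst_ip} is not a local network address")

def verify_access(records: UserRecords, user_id: str, dst_ip: str) -> Verdict:
    utype, allowed = records.lookup(user_id)
    net, stype, _ = classify_destination(dst_ip)
    # First verification unit: does the user type fit the subnet type?
    if stype is SubnetType.INTRANET and utype is UserType.CONTROLLED:
        return Verdict.VPN_GATEWAY
    fits = (stype, utype) in {(SubnetType.DMZ, UserType.DMZ_GUEST), (SubnetType.INTRANET, UserType.INTRANET)}
    if not fits:
        return Verdict.DENIED
    # Second verification unit: is this particular subnet one the user may reach?
    return Verdict.FORWARD if net in allowed else Verdict.DENIED

def authorization_application(records, user_id, dst_ip) -> Optional[Application]:
    """Authorization application unit: which application a mismatch triggers, if any."""
    utype, _ = records.lookup(user_id)
    _, stype, _ = classify_destination(dst_ip)
    if stype is SubnetType.DMZ and utype is not UserType.DMZ_GUEST:
        return Application.DMZ_GUEST
    if stype is SubnetType.INTRANET and utype is not UserType.INTRANET:
        if user_id not in records.internal_identities:
            return Application.CONTROLLED
        if utype is UserType.CONTROLLED:
            return Application.INTRANET
    return None

class SourceNapt:
    """(UE source IP, port) -> (device IP, mapped port) for uplink; reverse map, with the UE's S1-U tunnel id, for downlink."""
    def __init__(self, device_ip: str, first_port: int = 20000) -> None:
        self.device_ip, self.next_port = device_ip, first_port
        self.forward: Dict[Tuple[str, int], int] = {}
        self.reverse: Dict[int, Tuple[str, int, int]] = {}

    def translate_uplink(self, ue_ip: str, ue_port: int, teid: int) -> Tuple[str, int]:
        key = (ue_ip, ue_port)
        if key not in self.forward:           # an existing flow keeps its mapping
            self.forward[key] = self.next_port
            self.reverse[self.next_port] = (ue_ip, ue_port, teid)
            self.next_port += 1
        return self.device_ip, self.forward[key]

    def restore_downlink(self, mapped_port: int) -> Optional[Tuple[str, int, int]]:
        return self.reverse.get(mapped_port)  # None: no mapping, the packet is dropped
```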
In an embodiment, a mobile network base station is provided, which includes the apparatus for a user terminal to access a local network of any of the embodiments above.
Specifically, the apparatus for a user terminal to access a local network is deployed on the mobile network base station; no new equipment is needed, only a software upgrade of the mobile network base station eNB. FIG. 25 is a schematic diagram of the internal structure of a mobile network base station in a specific embodiment after the apparatus for a user terminal to access a local network has been deployed on it.
In an embodiment, as shown in FIG. 26, a system for a user terminal to access a local network is provided. The system includes a base station eNB 610 and a server 620, and the server includes the apparatus 621 for a user terminal to access a local network of any of the embodiments above.
Specifically, the apparatus for a user terminal to access a local network is deployed on a server; no change to the existing base station is required, so the deployment is transparent. FIG. 27 is a schematic diagram of the internal structure of the system for a user terminal to access a local network in this embodiment.
In an embodiment, a system for a user terminal to access a local network is provided. The system includes a base station eNB and a server. The base station eNB is configured to receive S1-U uplink packets, identify and intercept the local network access packets among them, and send the local network access packets to the server. The server is configured to determine the user type of the user terminal corresponding to the local network access packet and to determine the user terminal's local network access permission according to the user type; if the local network access permission allows access to the subnet in which the destination address of the local network access packet is located, the server disassembles the S1-U uplink packet, translates the source IP address and source port number of the user IP packet into the device IP address and a mapped port number, re-encapsulates the result as a local network packet, and forwards the local network packet to the next-hop address of the subnet in which the destination address is located.
Specifically, the local network packet identification module is deployed on the mobile network base station and the other modules on a server, so that only packets matching the local network packet characteristics or the local network domain name characteristics are passed to the server for processing, which reduces the processing load on the newly added equipment. FIG. 28 is a schematic diagram of the internal structure of the system for a user terminal to access a local network in this embodiment.
A person of ordinary skill in the art will understand that all or part of the procedures in the methods of the above embodiments can be implemented by a computer program instructing the related hardware. The program may be stored in a computer-readable storage medium; in the embodiments of the present invention, the program may be stored in a storage medium of a computer system and executed by at least one processor of that computer system to carry out the procedures of the embodiments of the methods described above. The storage medium may be a magnetic disk, an optical disc, a read-only memory (ROM), a random access memory (RAM) or the like.
The technical features of the above embodiments may be combined arbitrarily. For brevity, not every possible combination of the technical features of the above embodiments has been described; however, any combination of these technical features that involves no contradiction should be considered to be within the scope of this specification.
The above embodiments express only several implementations of the present invention, and their description is relatively specific and detailed, but this should not be understood as limiting the scope of the invention patent. It should be noted that a person of ordinary skill in the art can make a number of variations and improvements without departing from the concept of the present invention, and these all fall within the scope of protection of the present invention. Therefore, the scope of protection of the present invention patent shall be determined by the appended claims.
The technical solution provided by the embodiments of the present invention can be applied in the field of communications technology. In the embodiments of the present invention, S1-U uplink packets are received and the local network access packets among them are identified and intercepted; the intercepted local network access packets are not sent to the core network, which reduces the number of nodes on the access path. The user type of the user terminal corresponding to the local network access packet is determined, and the user terminal's local network access permission is verified according to the user type and the destination address in the local network access packet. If the verification passes, the S1-U uplink packet is disassembled, the source IP address and source port number of the user IP packet are translated into the device IP address and a mapped port number, the result is re-encapsulated as a local network packet, and the local network packet is forwarded to the next-hop address of the subnet in which the destination address is located. Only local network access packets that pass verification are forwarded, which safeguards the security of local network information and lets user terminals access the local network quickly and securely.
Claims (16)
- A method for a user terminal to access a local network, the method comprising: receiving user-plane S1-U uplink packets, and identifying and intercepting the local network access packets in the S1-U uplink packets; determining the user type of the user terminal corresponding to the local network access packet, and verifying the local network access permission of the user terminal according to the user type and the destination address in the local network access packet; and, if the verification passes, disassembling the S1-U uplink packet, translating the source IP address and source port number of the user Internet Protocol (IP) packet into a device IP address and a mapped port number, re-encapsulating the result as a local network packet, and forwarding the local network packet to the next-hop address of the subnet in which the destination address is located.
- The method according to claim 1, wherein the method further comprises: receiving S1-U uplink packets, and identifying and intercepting the Domain Name System (DNS) query packets for local network domain names in the S1-U uplink packets; and constructing, from the DNS query packet for the local network domain name, a DNS response packet carrying the local network IP address and returning the DNS response packet to the terminal, the local network IP address being carried as the destination address in the local network access packet.
- The method according to claim 1, wherein the step of determining the user type of the user terminal corresponding to the local network access packet and verifying the local network access permission of the user terminal according to the user type and the destination address in the local network access packet comprises: extracting the user identifier carried in the local network access packet, and determining the user type corresponding to the user identifier; determining the subnet in which the destination address is located and the type of that subnet; determining whether the user access permission corresponding to the user type matches the access permission corresponding to the subnet type of the destination address and, if so, determining whether the subnet in which the destination address is located is a subnet that is allowed to be accessed; and, if it is an allowed subnet, the local network access permission passes verification, otherwise the local network access permission fails verification.
- The method according to claim 1, wherein, before the step of disassembling the S1-U uplink packet, the method further comprises: determining, according to the current access state, whether to grant a forwarding permission to the local network access packet and, if the local network access packet obtains the forwarding permission, proceeding to the step of disassembling the S1-U uplink packet; and, if the local network access packet does not obtain the forwarding permission, discarding the local network access packet.
- The method according to claim 3, wherein the local network is divided into a demilitarized zone (DMZ) and an intranet, the subnet type of the destination address is either DMZ subnet or intranet subnet, the user types include DMZ authorized guest user, controlled authorized user and authorized intranet user, and the step of determining whether the user access permission corresponding to the user type matches the access permission corresponding to the subnet type of the destination address comprises at least one of the following steps: if the destination address lies in a DMZ subnet and the user type is DMZ authorized guest user, determining that the user access permission corresponding to the user type matches the access permission corresponding to the subnet type of the destination address; if the destination address lies in an intranet subnet and the user type is controlled authorized user, determining that the user access permission corresponding to the user type does not match the access permission corresponding to the subnet type of the destination address, disassembling the S1-U uplink packet, translating the source IP address and source port number of the user IP packet into the device IP address and a mapped port number, re-encapsulating the result as a local network packet, and forwarding the local network packet to a virtual private network (VPN) gateway; and, if the destination address lies in an intranet subnet and the user type is authorized intranet user, determining that the user access permission corresponding to the user type matches the access permission corresponding to the subnet type of the destination address.
- The method according to claim 1, wherein the method further comprises: receiving a local network downlink packet, restoring the device IP address and mapped port number carried in the local network downlink packet to the source IP address and source port number of the user terminal, packing the result into an S1-U downlink packet according to the mobile network base station tunnel identifier of the user terminal, and sending it to the mobile network base station.
- The method according to claim 6, wherein, after the step of receiving the local network downlink packet, the method further comprises: applying for a downlink forwarding permission of the type corresponding to the user type of the local network downlink packet and, if the application succeeds, proceeding to the step of restoring the device IP address and mapped port number carried in the local network downlink packet to the source IP address and source port number of the user terminal, otherwise discarding the local network downlink packet.
- An apparatus for a user terminal to access a local network, wherein the apparatus comprises: a local network packet identification module, configured to receive user-plane S1-U uplink packets and to identify and intercept the local network access packets in the S1-U uplink packets; and a local network access processing module, configured to determine the user type of the user terminal corresponding to the local network access packet, to verify the local network access permission of the user terminal according to the user type and the destination address in the local network access packet and, if the verification passes, to disassemble the S1-U uplink packet, translate the source IP address and source port number of the user Internet Protocol (IP) packet into a device IP address and a mapped port number, re-encapsulate the result as a local network packet, and forward the local network packet to the next-hop address of the subnet in which the destination address is located.
- The apparatus according to claim 8, wherein the local network packet identification module is further configured to receive S1-U uplink packets and to identify and intercept the Domain Name System (DNS) query packets for local network domain names in the S1-U uplink packets; and the apparatus further comprises: a local network domain name proxy module, configured to construct, from the DNS query packet for the local network domain name, a DNS response packet carrying the local network IP address and to return the DNS response packet to the terminal, the local network IP address being carried as the destination address in the local network access packet.
- The apparatus according to claim 8, wherein the local network access processing module comprises: an information determining unit, configured to extract the user identifier carried in the local network access packet, determine the user type corresponding to the user identifier, and determine the subnet in which the destination address is located and the type of that subnet; a first verification unit, configured to determine whether the user access permission corresponding to the user type matches the access permission corresponding to the subnet type of the destination address and, if so, to hand over to a second verification unit; and the second verification unit, configured to determine whether the subnet in which the destination address is located is a subnet that is allowed to be accessed, the local network access permission passing verification if so and failing verification otherwise.
- The apparatus according to claim 8, wherein the apparatus further comprises: a local network access control module, configured to determine, according to the current access state, whether to grant a forwarding permission to the local network access packet; if the local network access packet obtains the forwarding permission, processing proceeds to the disassembly of the S1-U uplink packet in the local network access processing module, and if the local network access packet does not obtain the forwarding permission, the local network access packet is discarded.
- An apparatus for a user terminal to access a local network, comprising a processor and a memory storing instructions executable by the processor, the instructions, when executed by the processor, performing the following operations: receiving a user-plane S1-U uplink packet, and identifying and intercepting a local network access packet in the S1-U uplink packet; determining the user type of the user terminal corresponding to the local network access packet, and verifying the local network access right of the user terminal according to the user type and the destination address in the local network access packet; and, if the verification passes, disassembling the S1-U uplink packet, translating the source IP address and source port number in the user IP packet into the device IP address and a mapped port number, re-encapsulating the result as a local network packet, and forwarding the local network packet to the next-hop address of the subnet in which the destination address is located.
- The apparatus according to claim 12, wherein, when the instructions are executed by the processor, the following operations are also performed: receiving an S1-U uplink packet, and identifying and intercepting, in the S1-U uplink packet, a DNS query packet for a local network domain name; and constructing, according to the DNS query packet for the local network domain name, a DNS response packet carrying a local network IP address and returning the DNS response packet to the terminal, the local network IP address being carried as the destination address in a local network access packet.
- The apparatus according to claim 12, wherein the operation performed by the processor of determining the user type of the user terminal corresponding to the local network access packet and verifying the local network access right of the user terminal according to the user type and the destination address in the local network access packet comprises: extracting the user identifier carried in the local network access packet and determining the user type corresponding to the user identifier; determining the subnet in which the destination address is located and the subnet type; determining whether the user access right corresponding to the user type conforms to the access right corresponding to the subnet type of the destination address and, if so, determining whether the subnet in which the destination address is located is a subnet to which access is allowed; and, if it is a subnet to which access is allowed, the local network access right passes verification, otherwise the local network access right fails verification.
- The apparatus according to claim 14, wherein the local network is divided into a demilitarized zone (DMZ) and an intranet, the subnet type of the destination address is one of a DMZ subnet and an intranet subnet, the user types include DMZ authorized guest users, controlled authorized users and authorized intranet users, and the operation performed by the processor of determining whether the user access right corresponding to the user type conforms to the access right corresponding to the subnet type of the destination address comprises at least one of the following: if the subnet type of the destination address is a DMZ subnet and the user type is a DMZ authorized guest user, determining that the user access right corresponding to the user type conforms to the access right corresponding to the subnet type of the destination address; if the subnet type of the destination address is an intranet subnet and the user type is a controlled authorized user, determining that the user access right corresponding to the user type does not conform to the access right corresponding to the subnet type of the destination address, disassembling the S1-U uplink packet, translating the source IP address and source port number in the user IP packet into the device IP address and a mapped port number, re-encapsulating the result as a local network packet, and forwarding the local network packet to a virtual private network (VPN) gateway; and if the subnet type of the destination address is an intranet subnet and the user type is an authorized intranet user, determining that the user access right corresponding to the user type conforms to the access right corresponding to the subnet type of the destination address.
- A computer storage medium storing one or more computer-executable programs which, when executed by a computer, cause the computer to perform the method for a user terminal to access a local network according to any one of claims 1 to 7.
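The access-control and address-translation logic recited in claims 12 to 15 above, written out as an added Python example; this is not code from the patent or its applicant. The subnet table, user table, local domain name, VPN gateway address and device address are constructed values. The check is two-stage as in claim 14 (user type against subnet type, then whether the specific subnet is one access is allowed to), the controlled-user-to-intranet case is diverted to the VPN gateway as in claim 15, and user/subnet combinations the claims do not list are treated as denied, which is an assumption of this example rather than something the claims state. The source NAT keeps a reverse table so downlink replies addressed to the device IP and mapped port can be returned to the right terminal.

```python
import ipaddress
from enum import Enum


class UserType(Enum):
    DMZ_GUEST = "DMZ authorized guest user"
    CONTROLLED = "controlled authorized user"
    INTRANET = "authorized intranet user"

class SubnetType(Enum):
    DMZ = "DMZ subnet"
    INTRANET = "intranet subnet"

class Decision(Enum):
    PASS_THROUGH = "not local network traffic; leave it on the S1-U path"
    DNS_REPLY = "answer the DNS query locally"
    FORWARD_LOCAL = "forward to the next hop of the destination subnet"
    FORWARD_VPN = "forward to the VPN gateway"
    DROP = "discard"

# Constructed tables (not from the patent): local prefixes with their subnet type,
# whether access to them is currently allowed, and the next-hop address.
SUBNETS = {
    ipaddress.ip_network("10.10.1.0/24"): (SubnetType.DMZ, True, "10.10.1.1"),
    ipaddress.ip_network("10.10.2.0/24"): (SubnetType.INTRANET, True, "10.10.2.1"),
    ipaddress.ip_network("10.10.3.0/24"): (SubnetType.INTRANET, False, "10.10.3.1"),
}
USERS = {  # user identifier carried with the packet -> user type (constructed)
    "guest-001": UserType.DMZ_GUEST,
    "ctl-002": UserType.CONTROLLED,
    "emp-003": UserType.INTRANET,
}
LOCAL_DNS = {"portal.local.example": "10.10.1.20"}  # local names the proxy answers
VPN_GATEWAY = "10.10.0.254"   # constructed
DEVICE_IP = "10.10.0.2"       # constructed; substituted for the UE source address

def lookup_subnet(dst_ip):
    """Return (subnet type, allowed, next hop) for a local address, else None."""
    addr = ipaddress.ip_address(dst_ip)
    for net, info in SUBNETS.items():
        if addr in net:
            return info
    return None

def verify_access(user_id, dst_ip):
    """Two-stage check of claims 14 and 15. Returns (decision, next hop)."""
    user_type = USERS.get(user_id)
    info = lookup_subnet(dst_ip)
    if user_type is None or info is None:
        return Decision.DROP, None  # unknown user, or address outside the local network
    subnet_type, allowed, next_hop = info
    # Stage 1: does the user type's right match the subnet type? A controlled user
    # reaching for the intranet does not match and is diverted to the VPN gateway.
    if subnet_type is SubnetType.INTRANET and user_type is UserType.CONTROLLED:
        return Decision.FORWARD_VPN, VPN_GATEWAY
    matched = (subnet_type is SubnetType.DMZ and user_type is UserType.DMZ_GUEST) or (
        subnet_type is SubnetType.INTRANET and user_type is UserType.INTRANET)
    if not matched:
        return Decision.DROP, None  # assumption: unlisted combinations are denied
    # Stage 2: is this particular subnet one that access is allowed to?
    if not allowed:
        return Decision.DROP, None
    return Decision.FORWARD_LOCAL, next_hop

class SourceNat:
    """Maps (UE source IP, source port) to (device IP, mapped port), and back."""
    def __init__(self, device_ip, first_port=40000):
        self.device_ip = device_ip
        self.next_port = first_port
        self.forward = {}  # (src_ip, src_port) -> (device_ip, mapped_port)
        self.reverse = {}  # (device_ip, mapped_port) -> (src_ip, src_port), for downlink

    def translate(self, src_ip, src_port):
        key = (src_ip, src_port)
        if key not in self.forward:
            mapped = (self.device_ip, self.next_port)
            self.next_port += 1
            self.forward[key] = mapped
            self.reverse[mapped] = key
        return self.forward[key]

def resolve_local_name(name):
    """Local IP for a local network domain name, or None to let the query through."""
    return LOCAL_DNS.get(name.rstrip(".").lower())

def process_uplink(pkt, nat):
    """pkt: the decapsulated user IP packet as a dict (constructed shape).
    Returns (decision, next hop or DNS answer, packet to emit or None)."""
    if "dns_query" in pkt:
        ip = resolve_local_name(pkt["dns_query"])
        return (Decision.PASS_THROUGH, None, pkt) if ip is None else (Decision.DNS_REPLY, ip, pkt)
    if lookup_subnet(pkt["dst_ip"]) is None:
        return Decision.PASS_THROUGH, None, pkt  # ordinary Internet-bound traffic
    decision, next_hop = verify_access(pkt["user_id"], pkt["dst_ip"])
    if decision is Decision.DROP:
        return decision, None, None
    new_ip, new_port = nat.translate(pkt["src_ip"], pkt["src_port"])
    return decision, next_hop, dict(pkt, src_ip=new_ip, src_port=new_port)
```

A packet whose destination is not in the local prefix table is passed through untouched, which is the same distinction the claims draw between a local network access packet and the rest of the S1-U uplink; only intercepted packets reach the verification and the source NAT.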
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610822884.8 | 2016-09-13 | ||
CN201610822884.8A CN107819732B (en) | 2016-09-13 | 2016-09-13 | Method and device for user terminal to access local network |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2018050007A1 true WO2018050007A1 (en) | 2018-03-22 |
Family
ID=61601445
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2017/100636 WO2018050007A1 (en) | 2016-09-13 | 2017-09-06 | Method and apparatus for accessing local network by user terminal and computer storage medium |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN107819732B (en) |
WO (1) | WO2018050007A1 (en) |
Families Citing this family (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109379333B (en) * | 2018-09-10 | 2021-04-13 | 安徽师范大学 | Safe transmission method based on network layer |
CN111355817B (en) * | 2018-12-20 | 2022-08-23 | 中国移动通信集团辽宁有限公司 | Domain name resolution method, device, security server and medium |
CN111865876B (en) | 2019-04-29 | 2021-10-15 | 华为技术有限公司 | Network access control method and equipment |
CN110611665B (en) * | 2019-08-30 | 2022-01-25 | 杭州希益丰新业科技有限公司 | Safe operation and maintenance gateway method for telecontrol operation and maintenance of power secondary system |
CN110708301B (en) * | 2019-09-24 | 2022-06-24 | 贝壳找房(北京)科技有限公司 | User request processing method and device, electronic equipment and storage medium |
CN112347460B (en) * | 2020-10-29 | 2024-07-30 | 富联裕展科技(深圳)有限公司 | User authority management method, electronic device and storage medium |
CN112752300B (en) * | 2020-12-29 | 2022-09-20 | 锐捷网络股份有限公司 | Method and device for realizing local distribution |
CN113973302B (en) * | 2021-09-15 | 2024-07-09 | 杭州阿里云飞天信息技术有限公司 | Data identification method, device, storage medium and communication system |
CN114022331A (en) * | 2021-10-15 | 2022-02-08 | 金茂数字科技有限公司 | Wisdom thing allies oneself with data platform |
CN114285819A (en) * | 2021-12-29 | 2022-04-05 | 深圳市共进电子股份有限公司 | Method and device for visiting intranet by visitor network, computer equipment and medium |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101841886A (en) * | 2010-04-15 | 2010-09-22 | 中兴通讯股份有限公司 | LIPA data flow transmission method and system |
CN101990313A (en) * | 2009-08-06 | 2011-03-23 | 中兴通讯股份有限公司 | Method, informing method and system for realizing local IP access control |
CN102056142A (en) * | 2009-11-09 | 2011-05-11 | 中兴通讯股份有限公司 | Method and system for setting local IP access downlink data channel |
CN102172078A (en) * | 2008-10-01 | 2011-08-31 | 爱立信电话股份有限公司 | Method for enabling a home base station to choose between local and remote transportation of uplink data packets |
CN102932953A (en) * | 2012-09-20 | 2013-02-13 | 中国联合网络通信集团有限公司 | PDP (packet data protocol) context activation method, device and system |
Family Cites Families (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9008055B2 (en) * | 2004-04-28 | 2015-04-14 | Kdl Scan Designs Llc | Automatic remote services provided by a home relationship between a device and a server |
US8856387B2 (en) * | 2008-04-24 | 2014-10-07 | Qualcomm Incorporated | Local IP access scheme |
CN101932074B (en) * | 2009-06-25 | 2013-01-23 | 华为技术有限公司 | Control method and device for local IP access of home base station |
CN101616076B (en) * | 2009-07-28 | 2013-01-23 | 武汉理工大学 | Fine-granularity network access control method based on user connection information |
KR20140068261A (en) * | 2009-12-04 | 2014-06-05 | 인터디지탈 패튼 홀딩스, 인크 | Extended local ip access for a converged gateway in a hybrid network |
TW201318387A (en) * | 2011-07-01 | 2013-05-01 | Interdigital Patent Holdings | Method and apparatus for managing service continuity |
CN102281337A (en) * | 2011-07-29 | 2011-12-14 | 赛尔网络有限公司 | destination address access control method and system |
CN104168165B (en) * | 2014-07-02 | 2017-11-17 | 北京交通大学 | Access control method and device based on GPRS network and integrated identification network |
- 2016
- 2016-09-13 CN CN201610822884.8A patent/CN107819732B/en active Active
- 2017
- 2017-09-06 WO PCT/CN2017/100636 patent/WO2018050007A1/en active Application Filing
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11310758B2 (en) | 2018-04-05 | 2022-04-19 | Samsung Electronics Co., Ltd. | Method and apparatus for providing local area data network service based on non-subscription model in wireless communication system |
RU2777722C2 (en) * | 2018-04-05 | 2022-08-08 | Самсунг Электроникс Ко., Лтд. | Method and device for provision of service of local data transmission network based on model without subscription in wireless communication system |
US11792760B2 (en) | 2018-04-05 | 2023-10-17 | Samsung Electronics Co., Ltd. | Method and apparatus for providing local area data network service based on non-subscription model in wireless communication system |
CN109889381A (en) * | 2019-02-18 | 2019-06-14 | 国家计算机网络与信息安全管理中心 | Automatic configuration management method and device based on fort machine |
CN109889381B (en) * | 2019-02-18 | 2022-03-18 | 国家计算机网络与信息安全管理中心 | Automatic configuration management method and device based on fort machine |
CN112105074A (en) * | 2019-06-17 | 2020-12-18 | 中国移动通信集团浙江有限公司 | Access flow shunting system and method based on MEC |
CN111885219A (en) * | 2020-07-28 | 2020-11-03 | 杭州迪普科技股份有限公司 | Communication method and device based on SIP (Session initiation protocol) media negotiation and NAT (network Address translation) equipment |
CN111885219B (en) * | 2020-07-28 | 2023-04-07 | 杭州迪普科技股份有限公司 | Communication method and device based on SIP (Session initiation protocol) media negotiation and NAT (network Address translation) equipment |
Also Published As
Publication number | Publication date |
---|---|
CN107819732B (en) | 2021-07-13 |
CN107819732A (en) | 2018-03-20 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2018050007A1 (en) | Method and apparatus for accessing local network by user terminal and computer storage medium | |
US11362987B2 (en) | Fully qualified domain name-based traffic control for virtual private network access control | |
US9729578B2 (en) | Method and system for implementing a network policy using a VXLAN network identifier | |
US12057963B2 (en) | Connecting to a home area network via a mobile communication network | |
US10237230B2 (en) | Method and system for inspecting network traffic between end points of a zone | |
WO2017186181A1 (en) | Network access control | |
US11228558B2 (en) | Method and apparatus for isolating transverse communication between terminal devices in intranet | |
US11895092B2 (en) | Network access controller operation | |
US20140230044A1 (en) | Method and Related Apparatus for Authenticating Access of Virtual Private Cloud | |
EP3272059B1 (en) | Apparatus and method for using certificate data to route data | |
JP2019515608A (en) | Access control | |
US20200389426A1 (en) | In-data-plane network policy enforcement using ip addresses | |
US12114198B2 (en) | Prioritizing wireless access technologies in an enterprise fabric | |
US20240007468A1 (en) | User defined network access that supports address rotation | |
EP3454520B1 (en) | Virtual private networks without software requirements | |
US20200364351A1 (en) | System and method for enforcing context-based data transfer and access | |
WO2016078375A1 (en) | Data transmission method and device | |
WO2020029793A1 (en) | Internet access behavior management system, device and method | |
CN116545665A (en) | Safe drainage method, system, equipment and medium | |
CN114884771B (en) | Identity network construction method, device and system based on zero trust concept | |
WO2016078325A1 (en) | Data transmission method and device | |
US20210336851A1 (en) | Globally-Distributed Secure End-To-End Identity-Based Overlay Network | |
KR101690498B1 (en) | Method for setting network configuration and switch and computer-readable recording medium using the same | |
CN109962831B (en) | Virtual client terminal device, router, storage medium, and communication method | |
US20230006998A1 (en) | Management of private networks over multiple local networks |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 17850209; Country of ref document: EP; Kind code of ref document: A1 |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 17850209; Country of ref document: EP; Kind code of ref document: A1 |