WO2018188482A1 - Connection establishment method and apparatus - Google Patents

Connection establishment method and apparatus

Info

Publication number
WO2018188482A1
Authority
WO
WIPO (PCT)
Prior art keywords
secure connection
terminal
connection establishment
address
access device
Application number
PCT/CN2018/080853
Other languages
French (fr)
Chinese (zh)
Inventor
孙立新
丁颖哲
周明宇
路杨
Original Assignee
北京佰才邦技术有限公司
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/03 Protecting confidentiality, e.g. by encryption
    • H04W 12/06 Authentication
    • H04W 12/069 Authentication using certificates or pre-shared keys

Abstract

The present application provides a connection establishment method and apparatus. The method comprises: obtaining secure connection establishment request information sent by an access device of a terminal; in response to secure connection establishment request information, sending secure connection establishment response information to the access device of the terminal; and in a case in which the secure connection establishment response is used for instructing the access device of the terminal to establish a secure connection, sending secure connection establishment instruction information to a first remote device. The problem in the related art of low security of data transmission between a terminal and a device in the Internet is resolved, thereby improving the security of the data transmission between the terminal and the device in the Internet.

Description

Connection establishment method and apparatus
This application claims priority to Chinese patent application No. 201710248345.2, filed with the Chinese Patent Office on April 14, 2017 and entitled "Connection establishment method and apparatus", the entire contents of which are incorporated herein by reference.
Technical field
The present application relates to the field of communications, and in particular to a connection establishment method and apparatus.
Background
The Local IP Access (LIPA) and Selected IP Traffic Offload (SIPTO) technologies introduced by the 3GPP standardization organization were originally proposed for femtocell networks. Their purpose is to let user data go directly from the home local area network to the Internet without passing through the operator's core network, thereby reducing the load on the core network and the cost of transmission.
In LIPA/SIPTO, after a UE registers with the network, the core network may select the base station or a local gateway as the UE's data gateway, so that data sent by the UE to the Internet can be sent directly from the base station or local gateway without passing through the core network, and data from the Internet can likewise be delivered directly to the base station or gateway the UE is attached to without passing through the core network. Data transfer between the UE and an Internet node can thus be carried out entirely through the base station or local gateway, with no need to traverse the core network, which reduces data transmission latency as well as core network load and transmission cost. In general, LIPA is implemented on a HeNB (Home evolved NodeB). FIG. 1 shows the network architecture for implementing LIPA on a HeNB: a Local Gateway (L-GW) is added to the HeNB; its function is similar to that of the PGW, and it connects to the HeNB through a direct path that bypasses the S-GW, so data from the UE can be sent directly to the Internet through the L-GW. SIPTO is generally implemented on a macro base station, and FIG. 2 shows the network architecture for implementing SIPTO on a macro base station. As shown in FIG. 2, when the MME selects a P-GW for the UE it takes the user's location into account and selects an L-GW that is geographically/logically close to the UE to perform SIPTO (the local S-GW and the local P-GW may be co-located).
In the prior art, the UE's access device (a wireless network access point or a local gateway) generally has a secure connection (such as an IPSec tunnel or a VPN connection) established with the security gateway of the core network. However, data offloaded from the wireless network access point/local gateway to the Internet, and user data sent from the Internet to the wireless network access point/local gateway, does not pass through the core network, so the data offloaded to the Internet lacks any security guarantee mechanism and is easily attacked, stolen or tampered with by network attackers. Transmission security cannot be guaranteed even between subnets of the same operator or equipment provider. For example, FIG. 1 is a schematic diagram of a LIPA network architecture according to the related art. As shown in FIG. 1, in the LIPA network architecture an IPSec tunnel is established between the HeNB and the security gateway SeGW, which secures transmission between the HeNB and the core network but cannot secure the data offloaded from the HeNB to the Internet. FIG. 2 is a schematic diagram of a SIPTO network architecture according to the related art. As shown in FIG. 2, in the SIPTO network architecture the connection between the eNB and the S-GW secures transmission between the eNB and the core network but cannot secure the data offloaded from the SGW to the Internet.
No effective solution has yet been proposed for the problem in the related art of low security of data transmission between a terminal and a device in the Internet.
Summary
Embodiments of the present application provide a connection establishment method and apparatus, so as to at least solve the problem in the related art of low security of data transmission between a terminal and a device in the Internet.
According to one embodiment of the present application, a connection establishment method for a secure connection management device is provided, comprising: obtaining secure connection establishment request information sent by an access device of a terminal, where the secure connection establishment request information is used to request establishment of a secure connection between the access device of the terminal and a first remote device in the Internet; in response to the secure connection establishment request information, sending secure connection establishment response information to the access device of the terminal, where the secure connection establishment response information is used to indicate whether the access device of the terminal is to establish the secure connection; and, in the case that the secure connection establishment response indicates that the access device of the terminal is to establish the secure connection, sending secure connection establishment indication information to the first remote device, where the secure connection establishment indication information is used to instruct the first remote device to establish the secure connection.
Optionally, sending the secure connection establishment response information to the access device of the terminal comprises: in the case that the first IP address carried in the secure connection establishment request information triggers permission for the access device of the terminal to establish the secure connection, sending to the access device of the terminal first secure connection establishment response information that instructs the access device of the terminal to establish the secure connection.
Optionally, sending the secure connection establishment response information to the access device of the terminal comprises: in the case that the first IP address carried in the secure connection establishment request information triggers denial of permission for the access device of the terminal to establish the secure connection, sending to the access device of the terminal second secure connection establishment response information that instructs the access device of the terminal not to establish the secure connection.
Optionally, sending the first secure connection establishment response information to the access device of the terminal comprises: determining, according to the first IP address, a second remote device that is to establish the secure connection with the access device of the terminal, where the second remote device comprises the device corresponding to the first IP address or a network device in the network where the device corresponding to the first IP address is located; and sending the first secure connection establishment response information to the access device of the terminal, where the first secure connection establishment response information carries a second IP address of the second remote device and configuration information of the secure connection.
Optionally, the network device in the network where the device corresponding to the first IP address is located comprises one of the following: a security gateway or router of the network where the device corresponding to the first IP address is located, registered when the service provider deployed the network devices of that network; an access point device, security gateway or router accessed by the terminal device corresponding to the first IP address, registered when that terminal device accessed the network; or the first remote device.
Optionally, the first IP address carried in the secure connection establishment request information triggering permission for the access device of the terminal to establish the secure connection comprises: in the case that the IP address of the access device of the terminal and the first IP address both belong to the IP addresses of devices deployed by the same service provider, determining that the first IP address carried in the secure connection establishment request information triggers permission for the access device of the terminal to establish the secure connection, where the devices deployed by the service provider comprise access devices, terminal devices or user terminals.
Optionally, the first IP address carried in the secure connection establishment request information triggering denial of permission for the access device of the terminal to establish the secure connection comprises: in the case that the IP address of the access device of the terminal and the first IP address do not both belong to the IP addresses of devices deployed by the same service provider, determining that the first IP address carried in the secure connection establishment request information triggers denial of permission for the access device of the terminal to establish the secure connection, where the devices deployed by the service provider comprise access devices, terminal devices or user terminals.
According to another embodiment of the present application, a connection establishment method for a terminal access device is provided, comprising: sending secure connection establishment request information to a secure connection management device, where the secure connection establishment request information is used to request establishment of a secure connection with a first remote device in the Internet; receiving secure connection establishment response information sent by the secure connection management device in response to the secure connection establishment request information, where the secure connection establishment response information is used to indicate whether to establish the secure connection; and, in the case that the secure connection establishment response indicates that the secure connection is to be established, establishing the secure connection according to the indication in the secure connection establishment response information.
Optionally, sending the secure connection establishment request information comprises: inspecting terminal data to obtain a first IP address of the terminal data, where the first IP address is the IP address of the first remote device; and sending the secure connection establishment request information carrying the first IP address.
Optionally, before sending the secure connection establishment request information carrying the first IP address, the method further comprises: determining whether a secure connection corresponding to the first IP address has already been established; in the case that it is determined that a secure connection corresponding to the first IP address has been established, sending the terminal data through the already established secure connection corresponding to the first IP address; and in the case that it is determined that no secure connection corresponding to the first IP address has been established, deciding to send the secure connection establishment request information carrying the first IP address.
According to another embodiment of the present application, a connection establishment apparatus for a secure connection management device is provided, comprising: a first receiving module, configured to receive secure connection establishment request information sent by an access device of a terminal, where the secure connection establishment request information is used to request establishment of a secure connection between the access device of the terminal and a first remote device in the Internet; a first sending module, configured to send, in response to the secure connection establishment request information, secure connection establishment response information to the access device of the terminal, where the secure connection establishment response information is used to indicate whether the access device of the terminal is to establish the secure connection; and a second sending module, configured to send secure connection establishment indication information to the first remote device in the case that the secure connection establishment response indicates that the access device of the terminal is to establish the secure connection, where the secure connection establishment indication information is used to instruct the first remote device to establish the secure connection.
According to another embodiment of the present application, a connection establishment apparatus for a terminal access device is provided, comprising: a third sending module, configured to send secure connection establishment request information to a secure connection management device, where the secure connection establishment request information is used to request establishment of a secure connection with a first remote device in the Internet; a second receiving module, configured to receive secure connection establishment response information sent by the secure connection management device in response to the secure connection establishment request information, where the secure connection establishment response information is used to indicate whether to establish the secure connection; and an establishing module, configured to establish the secure connection according to the indication in the secure connection establishment response information in the case that the secure connection establishment response indicates that the secure connection is to be established.
According to another embodiment of the present application, a connection establishment apparatus for a secure connection management device is provided, comprising a first processor and a first communication interface, where the first processor is connected to the first communication interface and is configured to: obtain secure connection establishment request information, received through the first communication interface, that was sent by an access device of a terminal, where the secure connection establishment request information is used to request establishment of a secure connection between the access device of the terminal and a first remote device in the Internet; in response to the secure connection establishment request information, instruct the first communication interface to send secure connection establishment response information to the access device of the terminal, where the secure connection establishment response information is used to indicate whether the access device of the terminal is to establish the secure connection; and, in the case that the secure connection establishment response indicates that the access device of the terminal is to establish the secure connection, instruct the first communication interface to send secure connection establishment indication information to the first remote device, where the secure connection establishment indication information is used to instruct the first remote device to establish the secure connection.
According to another embodiment of the present application, a connection establishment apparatus for a terminal access device is provided, comprising a second processor and a second communication interface, where the second processor is connected to the second communication interface and is configured to: instruct the second communication interface to send secure connection establishment request information to a secure connection management device, where the secure connection establishment request information is used to request establishment of a secure connection with a first remote device in the Internet; receive, through the second communication interface, secure connection establishment response information sent by the secure connection management device in response to the secure connection establishment request information, where the secure connection establishment response information is used to indicate whether to establish the secure connection; and, in the case that the secure connection establishment response indicates that the secure connection is to be established, establish the secure connection according to the indication in the secure connection establishment response information.
According to another embodiment of the present application, a storage medium is provided, the storage medium being configured to store program code for performing the following steps:
obtaining secure connection establishment request information sent by the access device of a terminal, where the secure connection establishment request information is used to request establishment of a secure connection between the access device of the terminal and a first remote device in the Internet;
in response to the secure connection establishment request information, sending secure connection establishment response information to the access device of the terminal, where the secure connection establishment response information is used to indicate whether the access device of the terminal is to establish the secure connection;
in the case that the secure connection establishment response indicates that the access device of the terminal is to establish the secure connection, sending secure connection establishment indication information to the first remote device, where the secure connection establishment indication information is used to instruct the first remote device to establish the secure connection.
Optionally, the storage medium is further configured to store program code for performing the following steps:
sending secure connection establishment request information to a secure connection management device, where the secure connection establishment request information is used to request establishment of a secure connection between the access device of the terminal and a first remote device in the Internet;
receiving secure connection establishment response information sent by the secure connection management device in response to the secure connection establishment request information, where the secure connection establishment response information is used to indicate whether the access device of the terminal is to establish the secure connection;
in the case that the secure connection establishment response indicates that the access device of the terminal is to establish the secure connection, establishing the secure connection according to the indication in the secure connection establishment response information.
By means of the present application, secure connection establishment request information sent by the access device of a terminal is received, where the secure connection establishment request information is used to request establishment of a secure connection between the access device of the terminal and a first remote device in the Internet; in response to the secure connection establishment request information, secure connection establishment response information is sent to the access device of the terminal, where the secure connection establishment response information is used to indicate whether the access device of the terminal is to establish the secure connection; and, in the case that the secure connection establishment response indicates that the access device of the terminal is to establish the secure connection, secure connection establishment indication information is sent to the first remote device, where the secure connection establishment indication information is used to instruct the first remote device to establish the secure connection. It can thus be seen that, with the above scheme, the access device of the terminal is told, on the basis of the secure connection establishment request information, whether to establish a secure connection, and, when establishing the connection is permitted, the first remote device is notified by the secure connection establishment indication information to establish that secure connection. Establishing the secure connection lets the data be transmitted in a secure environment, so the security of data transmission between the terminal and devices in the Internet is improved, which solves the problem in the related art of low security of data transmission between a terminal and devices in the Internet.
Brief description of the drawings
The drawings described herein are provided for a further understanding of the present application and form a part of the present application. The exemplary embodiments of the present application and their descriptions are used to explain the present application and do not constitute an improper limitation of the present application. In the drawings:
FIG. 1 is a schematic diagram of a LIPA network architecture according to the related art;
FIG. 2 is a schematic diagram of a SIPTO network architecture according to the related art;
FIG. 3 is a flowchart of a connection establishment method according to an embodiment of the present application;
FIG. 4 is a flowchart of another connection establishment method according to an embodiment of the present application;
FIG. 5 is a first structural block diagram of a connection establishment apparatus according to an embodiment of the present application;
FIG. 6 is a second structural block diagram of a connection establishment apparatus according to an embodiment of the present application;
FIG. 7 is a first schematic diagram of a method of establishing a secure connection according to an optional embodiment of the present application;
FIG. 8 is a second schematic diagram of a method of establishing a secure connection according to an optional embodiment of the present application.
Detailed description
The present application is described in detail below with reference to the drawings and in conjunction with embodiments. It should be noted that, where no conflict arises, the embodiments of the present application and the features of the embodiments may be combined with one another.
It should be noted that the terms "first", "second" and the like in the specification, claims and drawings of the present application are used to distinguish similar objects and need not describe a particular order or sequence.
Embodiment 1
This embodiment provides a connection establishment method that may be, but is not limited to being, used in a secure connection management device. FIG. 3 is a flowchart of a connection establishment method according to an embodiment of the present application. As shown in FIG. 3, the flow includes the following steps:
Step S302: obtain secure connection establishment request information sent by the access device of a terminal, where the secure connection establishment request information is used to request the establishment of a secure connection between the access device of the terminal and a first remote device in the Internet;
Step S304: in response to the secure connection establishment request information, send secure connection establishment response information to the access device of the terminal, where the secure connection establishment response information is used to indicate whether the access device of the terminal is to establish the secure connection;
Step S306: in the case that the secure connection establishment response information indicates that the access device of the terminal is to establish the secure connection, send secure connection establishment indication information to the first remote device, where the secure connection establishment indication information is used to instruct the first remote device to establish the secure connection.
Optionally, the above connection establishment method may be, but is not limited to being, applied in a scenario in which a terminal transmits data with a device in the Internet, for example when Local IP Access (LIPA) and Selected IP Traffic Offload (SIPTO) are used.
Optionally, the above connection establishment method may be, but is not limited to being, applied in a network management device.
Through the above steps, secure connection establishment request information sent by the access device of the terminal is obtained, where the secure connection establishment request information is used to request the establishment of a secure connection between the access device of the terminal and a first remote device in the Internet; in response to the secure connection establishment request information, secure connection establishment response information is sent to the access device of the terminal, where the secure connection establishment response information is used to indicate whether the access device of the terminal is to establish the secure connection; and in the case that the secure connection establishment response information indicates that the access device of the terminal is to establish the secure connection, secure connection establishment indication information is sent to the first remote device, where the secure connection establishment indication information is used to instruct the first remote device to establish the secure connection. It can thus be seen that the above solution uses the secure connection establishment request information to decide whether the access device of the terminal is to establish a secure connection and, where establishment is allowed, notifies the first remote device by means of the secure connection establishment indication information to establish that secure connection. Because the secure connection is established, data is transmitted in a secure environment, which improves the security of data transmission between the terminal and devices in the Internet and thereby solves the problem in the related art that data transmission between a terminal and devices in the Internet has low security.
Optionally, in the above step S304, whether the access device of the terminal is allowed to establish the secure connection may be, but is not limited to being, decided on the basis of the first IP address carried in the secure connection establishment request information, and secure connection establishment response information indicating the result of that decision is sent according to the first IP address. For example, in the case that the first IP address carried in the secure connection establishment request information triggers allowing the access device of the terminal to establish the secure connection, first secure connection establishment response information, which instructs the access device of the terminal to establish the secure connection, is sent to the access device of the terminal; in the case that the first IP address carried in the secure connection establishment request information triggers not allowing the access device of the terminal to establish the secure connection, second secure connection establishment response information, which instructs the access device of the terminal not to establish the secure connection, is sent to the access device of the terminal.
Optionally, the manner in which the access device of the terminal is notified that it is allowed to establish the secure connection may be, but is not limited to, sending the above first secure connection establishment response information to the access device of the terminal, and the first secure connection establishment response information may carry, but is not limited to carrying, the second IP address of a second remote device that will establish the secure connection with the access device of the terminal and the configuration information of the secure connection. For example, the second remote device that is to establish the secure connection with the access device of the terminal is determined according to the first IP address, where the second remote device includes the device corresponding to the first IP address or a network device in the network where the device corresponding to the first IP address is located, and first secure connection establishment response information is sent to the access device of the terminal, where the first secure connection establishment response information carries the second IP address of the second remote device and the configuration information of the secure connection.
Optionally, the network device in the network where the device corresponding to the first IP address is located may include, but is not limited to, one of the following: a security gateway or router of the network where the device corresponding to the first IP address is located, registered when the service provider deployed the network devices of that network; an access point device, security gateway or router through which the terminal device corresponding to the first IP address accesses the network, registered when that terminal device accessed the network; or the first remote device.
Optionally, in the case that the IP address of the access device of the terminal and the first IP address are both IP addresses of devices deployed by the same service provider, it is determined that the first IP address carried in the secure connection establishment request information triggers allowing the access device of the terminal to establish the secure connection, where the devices deployed by the service provider include access devices, terminal devices or user terminals; in the case that the IP address of the access device of the terminal and the first IP address are not IP addresses of devices deployed by the same service provider, it is determined that the first IP address carried in the secure connection establishment request information triggers not allowing the access device of the terminal to establish the secure connection, where the devices deployed by the service provider include access devices, terminal devices or user terminals.
This embodiment also provides another connection establishment method that may be, but is not limited to being, used in a terminal access device. FIG. 4 is a flowchart of another connection establishment method according to an embodiment of the present application. As shown in FIG. 4, the flow includes the following steps:
Step S402: send secure connection establishment request information to a secure connection management device, where the secure connection establishment request information is used to request the establishment of a secure connection with a first remote device in the Internet;
Step S404: receive secure connection establishment response information sent by the secure connection management device in response to the secure connection establishment request information, where the secure connection establishment response information is used to indicate whether to establish the secure connection;
Step S406: in the case that the secure connection establishment response information indicates that the secure connection is to be established, establish the secure connection according to the indication in the secure connection establishment response information.
Optionally, the above connection establishment method may be, but is not limited to being, applied in a scenario in which a terminal transmits data with a device in the Internet, for example when Local IP Access (LIPA) and Selected IP Traffic Offload (SIPTO) are used.
Optionally, the above connection establishment method may be, but is not limited to being, applied in an access device of a terminal, for example a wireless network access point or a serving gateway.
Through the above steps, secure connection establishment request information is sent to the secure connection management device, where the secure connection establishment request information is used to request the establishment of a secure connection with a first remote device in the Internet; secure connection establishment response information sent by the secure connection management device in response to the secure connection establishment request information is received, where the secure connection establishment response information is used to indicate whether to establish the secure connection; and in the case that the secure connection establishment response information indicates that the secure connection is to be established, the secure connection is established according to the indication in the secure connection establishment response information. It can thus be seen that the above solution requests the establishment of a secure connection by sending the secure connection establishment request information, receives the secure connection establishment response information sent in response, and establishes the secure connection according to the indication in that response information. Because the secure connection is established, data is transmitted in a secure environment, which improves the security of data transmission between the terminal and devices in the Internet and thereby solves the problem in the related art that data transmission between a terminal and devices in the Internet has low security.
Optionally, in the above step S402, the terminal's data is inspected, the detected IP address of the first remote device with which the terminal is exchanging data is carried in the secure connection establishment request information, and the secure connection establishment request information carrying that first IP address is sent. For example, the terminal data is inspected to obtain the first IP address of the terminal data, where the first IP address is the IP address of the first remote device, and secure connection establishment request information carrying the first IP address is sent.
Optionally, before the secure connection establishment request information carrying the first IP address is sent, it may first be determined whether a secure connection corresponding to the first IP address already exists; if the secure connection already exists, the existing secure connection is used to transmit the data, and if it does not exist, the secure connection requested by the secure connection establishment request information is then established. For example, it is determined whether the secure connection corresponding to the first IP address has been established; in the case that it is determined that the secure connection corresponding to the first IP address has been established, the above terminal data is sent through the established secure connection corresponding to the first IP address; in the case that it is determined that the secure connection corresponding to the first IP address has not been established, it is determined that the secure connection establishment request information carrying the first IP address is to be sent.
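The two flows of Embodiment 1 (the management device's decision in step S304 and the access device's reuse-or-request logic in steps S402 to S406), as an added example that is not part of the patent and not code from the applicant. It assumes a constructed deployment registry keyed by service provider, constructed gateway and configuration values, and the status strings "existing", "established" and "denied"; none of these are from the page.

```python
"""Simulation of the secure connection establishment exchange between a
terminal's access device, a secure connection management device and the first
remote device. Registry contents, gateway addresses, configuration values and
status strings are constructed for this example (assumptions, not from the patent)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed registry (assumption): the networks each service provider has
# deployed, mapped to the security gateway registered for that network, or None
# when the device at the first IP address itself is the connection endpoint.
PROVIDER_DEPLOYMENTS = {
    "provider-A": {
        ipaddress.ip_network("10.10.0.0/16"): "10.10.0.1",  # access points behind a gateway
        ipaddress.ip_network("10.20.0.0/16"): None,         # provider servers, no gateway
    },
    "provider-B": {
        ipaddress.ip_network("172.16.0.0/12"): "172.16.0.1",
    },
}


@dataclass(frozen=True)
class SecureConnectionRequest:
    access_device_ip: str   # IP address of the terminal's access device
    first_ip: str           # first IP address: the first remote device


@dataclass(frozen=True)
class SecureConnectionResponse:
    allowed: bool                    # True: first response; False: second response
    second_ip: Optional[str] = None  # second remote device to connect to
    config: Optional[dict] = None    # secure connection configuration information


@dataclass(frozen=True)
class SecureConnectionIndication:
    first_ip: str          # first remote device told to establish the connection
    access_device_ip: str  # peer it should expect


class SecureConnectionManager:
    """Secure connection management device: decides on requests (step S304) and
    notifies the first remote device when establishment is allowed (step S306)."""

    def __init__(self, deployments):
        self.deployments = deployments
        self.indications = []  # indications "sent" to first remote devices

    def _provider_of(self, ip):
        """Return (provider, registered gateway) for an IP, or (None, None)
        when the address belongs to no deployed network."""
        addr = ipaddress.ip_address(ip)
        for provider, networks in self.deployments.items():
            for network, gateway in networks.items():
                if addr in network:
                    return provider, gateway
        return None, None

    def handle_request(self, req):
        access_provider, _ = self._provider_of(req.access_device_ip)
        first_provider, gateway = self._provider_of(req.first_ip)
        # Allowed only when both addresses belong to devices deployed by the
        # same service provider; an unknown address never counts as the same provider.
        if access_provider is None or access_provider != first_provider:
            return SecureConnectionResponse(allowed=False)
        # Second remote device: the registered security gateway of the first
        # IP's network if there is one, otherwise the first remote device itself.
        second_ip = gateway if gateway is not None else req.first_ip
        config = {"protocol": "IPsec", "mode": "tunnel", "peer": second_ip}  # constructed
        self.indications.append(SecureConnectionIndication(req.first_ip, req.access_device_ip))
        return SecureConnectionResponse(True, second_ip, config)


class AccessDevice:
    """Terminal access device: reuses an existing secure connection for the
    detected first IP address or requests a new one (steps S402 to S406)."""

    def __init__(self, ip, manager):
        self.ip = ip
        self.manager = manager
        self.secure_connections = {}  # first_ip -> second_ip of the established tunnel

    def handle_terminal_data(self, first_ip):
        """Return (status, second_ip): 'existing' when a secure connection for
        first_ip is already up, 'established' when one was just set up from the
        first response, 'denied' when the management device sent the second response."""
        if first_ip in self.secure_connections:
            return "existing", self.secure_connections[first_ip]
        resp = self.manager.handle_request(SecureConnectionRequest(self.ip, first_ip))
        if not resp.allowed:
            return "denied", None
        self.secure_connections[first_ip] = resp.second_ip
        return "established", resp.second_ip


if __name__ == "__main__":
    mgr = SecureConnectionManager(PROVIDER_DEPLOYMENTS)
    ap = AccessDevice("10.10.5.7", mgr)
    for dst in ("10.20.3.4", "10.20.3.4", "10.10.8.8", "172.16.9.9", "8.8.8.8"):
        print(dst, ap.handle_terminal_data(dst))
```

The second call for 10.20.3.4 is served from the access device's table without contacting the management device, which is the check of the paragraph above; the 10.10.8.8 case shows the response carrying a registered security gateway as the second remote device rather than the first IP address itself.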
Embodiment 2
This embodiment also provides a connection establishment apparatus that may be, but is not limited to being, used in a secure connection management device. The apparatus is used to implement the above embodiments and preferred implementations; what has already been described is not repeated. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. Although the apparatus described in the following embodiments is preferably implemented in software, an implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
FIG. 5 is a first structural block diagram of a connection establishment apparatus according to an embodiment of the present application. As shown in FIG. 5, the apparatus includes:
an obtaining module 52, configured to obtain secure connection establishment request information sent by the access device of a terminal, where the secure connection establishment request information is used to request the establishment of a secure connection between the access device of the terminal and a first remote device in the Internet;
a first sending module 54, coupled to the obtaining module 52 and configured to send, in response to the secure connection establishment request information, secure connection establishment response information to the access device of the terminal, where the secure connection establishment response information is used to indicate whether the access device of the terminal is to establish the secure connection;
a second sending module 56, coupled to the first sending module 54 and configured to send secure connection establishment indication information to the first remote device in the case that the secure connection establishment response information indicates that the access device of the terminal is to establish the secure connection, where the secure connection establishment indication information is used to instruct the first remote device to establish the secure connection.
Optionally, the above connection establishment apparatus may be, but is not limited to being, applied in a scenario in which a terminal transmits data with a device in the Internet, for example when Local IP Access (LIPA) and Selected IP Traffic Offload (SIPTO) are used.
Optionally, the above connection establishment apparatus may be, but is not limited to being, applied in a network management device.
Through the above apparatus, the obtaining module obtains secure connection establishment request information sent by the access device of the terminal, where the secure connection establishment request information is used to request the establishment of a secure connection between the access device of the terminal and a first remote device in the Internet; the first sending module sends, in response to the secure connection establishment request information, secure connection establishment response information to the access device of the terminal, where the secure connection establishment response information is used to indicate whether the access device of the terminal is to establish the secure connection; and the second sending module sends secure connection establishment indication information to the first remote device in the case that the secure connection establishment response information indicates that the access device of the terminal is to establish the secure connection, where the secure connection establishment indication information is used to instruct the first remote device to establish the secure connection. It can thus be seen that the above solution uses the secure connection establishment request information to decide whether the access device of the terminal is to establish a secure connection and, where establishment is allowed, notifies the first remote device by means of the secure connection establishment indication information to establish that secure connection. Because the secure connection is established, data is transmitted in a secure environment, which improves the security of data transmission between the terminal and devices in the Internet and thereby solves the problem in the related art that data transmission between a terminal and devices in the Internet has low security.
Optionally, the first sending module 54 is configured to: in the case that the first IP address carried in the secure connection establishment request information triggers allowing the access device of the terminal to establish the secure connection, send to the access device of the terminal first secure connection establishment response information that instructs the access device of the terminal to establish the secure connection.
Optionally, the first sending module 54 is configured to: in the case that the first IP address carried in the secure connection establishment request information triggers not allowing the access device of the terminal to establish the secure connection, send to the access device of the terminal second secure connection establishment response information that instructs the access device of the terminal not to establish the secure connection.
Optionally, the first sending module 54 is configured to: determine, according to the first IP address, a second remote device that is to establish the secure connection with the access device of the terminal, where the second remote device includes the device corresponding to the first IP address or a network device in the network where the device corresponding to the first IP address is located; and send first secure connection establishment response information to the access device of the terminal, where the first secure connection establishment response information carries the second IP address of the second remote device and the configuration information of the secure connection.
Optionally, the network device in the network where the device corresponding to the first IP address is located includes one of the following: a security gateway or router of the network where the device corresponding to the first IP address is located, registered when the service provider deployed the network devices of that network; an access point device, security gateway or router through which the terminal device corresponding to the first IP address accesses the network, registered when that terminal device accessed the network; or the first remote device.
Optionally, the first sending module 54 is configured to: in the case that the IP address of the access device of the terminal and the first IP address are both IP addresses of devices deployed by the same service provider, determine that the first IP address carried in the secure connection establishment request information triggers allowing the access device of the terminal to establish the secure connection, where the devices deployed by the service provider include access devices, terminal devices or user terminals.
Optionally, the first sending module 54 is configured to: in the case that the IP address of the access device of the terminal and the first IP address are not IP addresses of devices deployed by the same service provider, determine that the first IP address carried in the secure connection establishment request information triggers not allowing the access device of the terminal to establish the secure connection, where the devices deployed by the service provider include access devices, terminal devices or user terminals.
This embodiment also provides another connection establishment apparatus that may be, but is not limited to being, used in a terminal access device. The apparatus is used to implement the above embodiments and preferred implementations; what has already been described is not repeated. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. Although the apparatus described in the following embodiments is preferably implemented in software, an implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
FIG. 6 is a second structural block diagram of a connection establishment apparatus according to an embodiment of the present application. As shown in FIG. 6, the apparatus includes:
a third sending module 62, configured to send secure connection establishment request information to a secure connection management device, where the secure connection establishment request information is used to request the establishment of a secure connection with a first remote device in the Internet;
a receiving module 64, coupled to the third sending module 62 and configured to receive secure connection establishment response information sent by the secure connection management device in response to the secure connection establishment request information, where the secure connection establishment response information is used to indicate whether to establish the secure connection;
an establishing module 66, coupled to the receiving module 64 and configured to establish the secure connection according to the indication in the secure connection establishment response information in the case that the secure connection establishment response information indicates that the secure connection is to be established.
Optionally, the above connection establishment apparatus may be, but is not limited to being, applied in a scenario in which a terminal transmits data with a device in the Internet, for example when Local IP Access (LIPA) and Selected IP Traffic Offload (SIPTO) are used.
Optionally, the above connection establishment apparatus may be, but is not limited to being, applied in an access device of a terminal, for example a wireless network access point or a serving gateway.
Through the above apparatus, the third sending module sends secure connection establishment request information to the secure connection management device, where the secure connection establishment request information is used to request the establishment of a secure connection with a first remote device in the Internet; the receiving module receives secure connection establishment response information sent by the secure connection management device in response to the secure connection establishment request information, where the secure connection establishment response information is used to indicate whether to establish the secure connection; and the establishing module establishes the secure connection according to the indication in the secure connection establishment response information in the case that the secure connection establishment response information indicates that the secure connection is to be established. It can thus be seen that the above solution requests the establishment of a secure connection by sending the secure connection establishment request information, receives the secure connection establishment response information sent in response, and establishes the secure connection according to the indication in that response information. Because the secure connection is established, data is transmitted in a secure environment, which improves the security of data transmission between the terminal and devices in the Internet and thereby solves the problem in the related art that data transmission between a terminal and devices in the Internet has low security.
Optionally, the third sending module is configured to: inspect the terminal data to obtain the first IP address of the terminal data, where the first IP address is the IP address of the first remote device; and send secure connection establishment request information carrying the first IP address.
Optionally, the above apparatus further includes: a judging module, configured to judge whether a secure connection corresponding to the first IP address has been established; a fourth sending module, coupled to the judging module and configured to send the above terminal data through the established secure connection corresponding to the first IP address in the case that it is judged that the secure connection corresponding to the first IP address has been established; and a determining module, coupled between the fourth sending module and the third sending module and configured to determine that the secure connection establishment request information carrying the first IP address is to be sent in the case that it is judged that the secure connection corresponding to the first IP address has not been established.
It should be noted that each of the above modules may be implemented in software or in hardware. For the latter, this may be achieved in, but is not limited to, the following ways: all of the above modules are located in the same processor; or the above modules are located in multiple processors.
Embodiment 3
This embodiment also provides a connection establishment apparatus for a secure connection management device. The apparatus includes a first processor and a first communication interface, where:
the first processor is connected to the first communication interface and is configured to obtain secure connection establishment request information sent by the access device of a terminal and received through the first communication interface, where the secure connection establishment request information is used to request the establishment of a secure connection between the access device of the terminal and a first remote device in the Internet; to instruct the first communication interface, in response to the secure connection establishment request information, to send secure connection establishment response information to the access device of the terminal, where the secure connection establishment response information is used to indicate whether the access device of the terminal is to establish the secure connection; and, in the case that the secure connection establishment response information indicates that the access device of the terminal is to establish the secure connection, to instruct the first communication interface to send secure connection establishment indication information to the first remote device, where the secure connection establishment indication information is used to instruct the first remote device to establish the secure connection.
Optionally, the first processor is further configured to: in the case that the first IP address carried in the secure connection establishment request information triggers allowing the access device of the terminal to establish the secure connection, send to the access device of the terminal first secure connection establishment response information that instructs the access device of the terminal to establish the secure connection.
Optionally, the first processor is further configured to: in the case that the first IP address carried in the secure connection establishment request information triggers not allowing the access device of the terminal to establish the secure connection, send to the access device of the terminal second secure connection establishment response information that instructs the access device of the terminal not to establish the secure connection.
Optionally, the first processor is further configured to: determine, according to the first IP address, a second remote device that is to establish the secure connection with the access device of the terminal, where the second remote device includes the device corresponding to the first IP address or a network device in the network where the device corresponding to the first IP address is located; and send first secure connection establishment response information to the access device of the terminal, where the first secure connection establishment response information carries the second IP address of the second remote device and the configuration information of the secure connection.
Optionally, the network device in the network where the device corresponding to the first IP address is located includes one of the following: a security gateway or router of the network where the device corresponding to the first IP address is located, registered when the service provider deployed the network devices of that network; an access point device, security gateway or router through which the terminal device corresponding to the first IP address accesses the network, registered when that terminal device accessed the network; or the first remote device.
可选地,第一处理器还用于:在终端的接入设备的IP地址与第一IP地址属于同一服务提供商部署的设备的IP地址的情况下,确定安全连接建立请求信息中携带的第一IP地址用于触发允许终端的接入设备建立安全连接,其中,服务提供商部署的设备包括:接入设备、终端设备或者用户终端。Optionally, the first processor is further configured to: when the IP address of the access device of the terminal and the IP address of the device where the first IP address belongs to the same service provider, determine the information carried in the secure connection establishment request information. The first IP address is used to trigger an access device that allows the terminal to establish a secure connection, where the device deployed by the service provider includes: an access device, a terminal device, or a user terminal.
可选地,第一处理器还用于:在终端的接入设备的IP地址与第一IP地址不属于同一服务提供商部署的设备的IP地址的情况下,确定安全连接建立请求信息中携带的第一IP地址用于触发不允许终端的接入设备建立安全连接,其中,服务提供商部署的设备包括:接入设备、终端设备或者用户终端。Optionally, the first processor is further configured to: when the IP address of the access device of the terminal and the IP address of the device where the first IP address does not belong to the same service provider, determine that the secure connection establishment request information is carried in The first IP address is used to trigger an access device that does not allow the terminal to establish a secure connection, where the device deployed by the service provider includes: an access device, a terminal device, or a user terminal.
This embodiment further provides a connection establishment apparatus for a terminal access device. The apparatus includes a second processor and a second communication interface, where:
The second processor is connected to the second communication interface. The second processor is configured to: instruct the second communication interface to send secure connection establishment request information to the secure connection management device, where the secure connection establishment request information is used to request establishment of a secure connection with a first remote device in the Internet; receive, through the second communication interface, the secure connection establishment response information sent by the secure connection management device in response to the secure connection establishment request information, where the secure connection establishment response information indicates whether the secure connection is to be established; and, where the secure connection establishment response indicates that the secure connection is to be established, establish the secure connection as indicated by the secure connection establishment response information.
Optionally, the second processor is further configured to: inspect the terminal data to obtain the first IP address of the terminal data, where the first IP address is the IP address of the first remote device; and send secure connection establishment request information carrying the first IP address.
Optionally, the second processor is further configured to: determine whether a secure connection corresponding to the first IP address has already been established; where it has, send the terminal data over the established secure connection corresponding to the first IP address; and where it has not, decide to send secure connection establishment request information carrying the first IP address.
The optional embodiments of the present application are described in detail below.
In the related art, the access device of a UE (a wireless network access point or a local gateway) generally has a secure connection (such as an IPSec tunnel or a VPN connection) established with the security gateway of the core network. However, data offloaded from the UE's access device to the Internet, or sent from the Internet to the UE's access device, does not pass through the core network. The data offloaded to the Internet therefore lacks any security guarantee mechanism and can easily be attacked, stolen or tampered with by network attackers.
An optional embodiment of the present application provides a method for establishing a secure connection. Used in a wireless communication network that applies local offloading technology, the method protects data offloaded by the UE from the access device directly to the Internet, or sent from the Internet directly to the UE via the UE's access device.
The method for establishing a secure connection provided by the optional embodiments of the present application is described and explained below through several optional embodiments.
Optional embodiment 1
This optional embodiment provides a method for establishing a secure connection, which may be used, without limitation, in a wireless network that performs local service offloading with LIPA technology. FIG. 7 is a first schematic diagram of a method for establishing a secure connection according to an optional embodiment of the present application. As shown in FIG. 7, the access device of the UE is a wireless network access point, and the method ensures the security of data that reaches the Internet directly via the UE's access device. The procedure includes the following steps:
Step S702: The wireless network access point inspects the data of the attached UEs that perform local offloading with LIPA technology, and obtains the IP address with which the UE directly sends or receives data through the L-GW of the wireless access point.
In this optional embodiment, the wireless network access point is a wireless access device on which the automatic secure connection establishment function has been configured. The management device can configure this function on the wireless network access point according to the network management policy. Once the function is configured, the wireless network access point performs IP packet inspection on the attached UEs that perform local IP service offloading with LIPA technology, in order to obtain the remote IP address of the end-to-end packets sent by the UE and then establish a secure connection for that IP address. Because real network structures and services vary, the IP address detected by the wireless network access point may be the IP address of the end user or target server, the IP address of the wireless network access point to which the end user or target server is connected, or the IP address of the security gateway or router to which the end user or target server is connected. The secure connection may be established directly with that IP address, or with a network device ((wireless) access point, security gateway or router) of the network to which that IP address belongs. The secure connection may be a standard IPSec tunnel or any proprietary secure connection.
Step S704: The wireless network access point determines whether a secure connection for the above IP address has already been established. If not, it sends an automatic secure connection establishment request carrying the above IP address to the management device.
In this optional embodiment, the wireless network access point determines whether a secure connection for the IP address has already been established, meaning a secure connection with the IP address itself or with a network device ((wireless) access point, security gateway or router) in the network to which the IP address belongs. If one has been established, data destined for the IP address is sent over that secure connection and data from the IP address is received from it. If none has been established, the wireless network access point sends an automatic secure connection establishment request carrying the IP address to the management device, to request establishment of a secure connection for that IP address.
Step S706: After receiving the automatic secure connection establishment request, the management device sends an automatic secure connection establishment response to the wireless network access point, indicating whether the wireless network access point is to establish a secure connection for the IP address.
In this optional embodiment, after receiving the automatic secure connection establishment request, the management device determines whether the wireless network access point is permitted to establish a secure connection for the IP address. For example, when the management device holds information related to the IP address, such as its subnet mask, the address of its wireless access point, security gateway or router, the target IP address for a secure connection to the IP address, and the secure connection configuration information, the management device permits establishment of a secure connection for that IP address.
If establishment is not permitted, the management device sends the wireless network access point an automatic secure connection establishment response indicating that the wireless network access point is not to establish a secure connection for the IP address.
Otherwise, if establishment is permitted, it sends the wireless network access point an automatic secure connection establishment response instructing the wireless network access point to establish a secure connection for the IP address.
The automatic secure connection establishment response contains the IP address of the remote device of the secure connection established for the IP address, and the configuration information of that secure connection. The remote device of the secure connection may be the device with the IP address itself, or a network device (such as an access point device, security gateway or router) in the network to which that device belongs.
The configuration information of the secure connection includes a local identifier (local IP address or local host name), a remote identifier (remote IP address or remote host name), the security protocol, the data flows to be protected (identified, for example, by UDP/TCP port numbers), and key and algorithm information, where the keys and algorithms include those needed for the identity authentication, data integrity protection or data encryption used by the secure connection. For example, if the secure connection is an IPSec tunnel, the configuration information includes the IKE policy (IKE hash algorithm, encryption algorithm, D-H group and lifetime), the pre-shared key, the data flows to be protected, the local identifier, the remote identifier, the encryption algorithm and security protocol used for the protected data flows, the IPSec SA lifetime, and whether PFS is supported.
Step S708: If the management device instructs the wireless network access point to establish a secure connection for the IP address, the management device sends an automatic secure connection establishment indication message to the remote device of the secure connection.
Following the steps above, if the management device instructs the wireless network access point to establish a secure connection for the IP address, the management device sends an automatic secure connection establishment indication message, containing the configuration information of the secure connection, to the remote device of the secure connection, so that a secure connection for the IP address can be established between the wireless network access point and that remote device. For example, as shown in FIG. 3, the remote device of the secure connection is a gateway device, and the management device sends the automatic secure connection establishment indication message to that gateway device.
The configuration information of the secure connection carried in the indication message includes a local identifier (local IP address or local host name), a remote identifier (remote IP address or remote host name), the security protocol, the data flows to be protected (identified, for example, by UDP/TCP port numbers), and key and algorithm information, where the keys and algorithms include those needed for the identity authentication, data integrity protection or data encryption used by the secure connection. For example, if the secure connection is an IPSec tunnel, the configuration information includes the IKE policy (IKE hash algorithm, encryption algorithm, D-H group and lifetime), the pre-shared key, the data flows to be protected, the local identifier, the remote identifier, the encryption algorithm and security protocol used for the protected data flows, the IPSec SA lifetime, and whether PFS is supported.
Step S710: The wireless network access point establishes the secure connection with the remote device, sends the data that the UE sends to the IP address over the secure connection, and receives data from the IP address over the secure connection.
For example, the secure connection is established between the wireless network access point and the gateway device.
Optional embodiment 2
This optional embodiment provides a method for establishing a secure connection, which may be used, without limitation, in a network that performs local traffic offloading with SIPTO technology. FIG. 8 is a second schematic diagram of a method for establishing a secure connection according to an optional embodiment of the present application. As shown in FIG. 8, the access device of the UE is a serving gateway, and the method ensures the security of data that reaches the Internet directly via the UE's access device. The procedure includes the following steps:
Step S802: The serving gateway inspects the data of the attached UEs that perform local traffic offloading with SIPTO technology, and obtains the IP address with which the UE directly sends or receives data through the serving gateway.
In this optional embodiment, the serving gateway is a device on which the automatic secure connection establishment function has been configured. The management device can configure this function on the serving gateway according to the network management policy. Once the function is configured, the serving gateway performs IP packet inspection on the attached UEs that perform local IP traffic offloading with SIPTO technology, in order to obtain the remote IP address of the end-to-end packets sent by the UE and then establish a secure connection for that IP address. Because real network structures and services vary, the IP address detected by the serving gateway may be the IP address of the end user or target server, the IP address of the wireless network access point to which the end user or target server is connected, or the IP address of the security gateway or router to which the end user or target server is connected. The secure connection may be established directly with that IP address, or with the wireless access point, security gateway or router to which that IP address is connected.
Step S804: The serving gateway determines whether a secure connection for the above IP address has already been established. If not, it sends an automatic secure connection establishment request carrying the above IP address to the management device.
This step is implemented in the same way as step S704 above and is not described again here.
Step S806: After receiving the automatic secure connection establishment request, the management device sends an automatic secure connection establishment response to the serving gateway, indicating whether the serving gateway is to establish a secure connection for the IP address.
This step is implemented in the same way as step S706 above and is not described again here.
Step S808: If the management device instructs the serving gateway to establish a secure connection for the IP address, the management device sends an automatic secure connection establishment indication message to the remote device of the secure connection.
Following the steps above, if the management device instructs the serving gateway to establish a secure connection for the IP address, the management device sends an automatic secure connection establishment indication message, containing the configuration information of the secure connection, to the remote device of the secure connection, so that a secure connection for the IP address can be established between the serving gateway and that remote device. For example, as shown in FIG. 4, the remote device of the secure connection is a wireless access point device, and the management device sends the automatic secure connection establishment indication message to that wireless access point device.
Step S810: The serving gateway establishes the secure connection with the remote device, sends the data that the UE sends to the IP address over the secure connection, and receives data from the IP address over the secure connection.
For example, the secure connection is established between the serving gateway and the wireless access point device.
Optional embodiment 3
This optional embodiment describes a specific implementation of step S706 of optional embodiment 1 and step S806 of optional embodiment 2: after receiving the automatic secure connection establishment request, the management device sends an automatic secure connection establishment response to the access device of the UE (wireless access point or serving gateway), indicating whether the access device of the UE is to establish a secure connection for the IP address specified in the request message.
After receiving the automatic secure connection establishment request, the management device determines whether establishment of a secure connection for the IP address is permitted. For example, when the management device holds information related to the IP address, such as its subnet mask, the address of its wireless access point, security gateway or router, the target IP address for a secure connection to the IP address, and the secure connection configuration information, the management device permits establishment of a secure connection for that IP address.
If establishment is not permitted, the management device sends the access device of the UE an automatic secure connection establishment response indicating that the wireless network access point is not to establish a secure connection for the IP address.
Otherwise, if establishment is permitted, the management device first determines the remote device of the secure connection for the IP address. The remote device may be the device with the IP address itself, or a network device in the network to which that device belongs.
In some feasible implementations, the network device in the network to which the device with the IP address belongs is the security gateway or router of that network, whose IP address was registered at the management device when the service provider deployed the network device with the IP address; or it is the access point device, security gateway or router through which the terminal device with the IP address attached, whose IP address was registered at the management device when the terminal device using the IP address accessed the network.
In some feasible implementations, the network device in the network to which the device with the IP address belongs is the remote device indicated in the automatic secure connection establishment request sent by the access device of the UE. The address of the remote device indicated in the request is a device address that the access device of the UE obtained through its automatic route discovery function. Before sending the secure connection establishment request, the access device of the UE can use automatic route discovery to obtain the addresses of the gateways and routers on the path that data takes to reach the IP address.
Automatic route discovery relies on the ICMP handling of TTL-exceeded packets. It works as follows. The source host first sends an echo request message (ICMP type 8) to the destination host with the TTL set to 1. On receipt, the first router decrements the TTL to 0 and discards the packet, and at the same time sends a time-exceeded message (ICMP type 11) to the source host; the source IP address in that message's IP header is the first router's IP address. The source host obtains the first router's IP address by analysing this time-exceeded message. In the same way, it sends a packet with TTL 2 to obtain the second router's address, then a packet with TTL 3, and so on, until it receives an echo reply (ICMP type 0) from the destination host or a destination unreachable message (ICMP type 3).
The management device then sends the wireless network access point or serving gateway an automatic secure connection establishment response instructing the wireless network access point to establish a secure connection for the IP address.
The automatic secure connection establishment response contains the IP address of the remote device of the secure connection established for the IP address, and the configuration information of that secure connection.
Optional embodiment 4
This optional embodiment describes a specific implementation of step S706 of optional embodiment 1 and step S806 of optional embodiment 2: how the management device, after receiving the automatic secure connection establishment request, determines whether to permit establishment of a secure connection for the specified IP address.
In some feasible implementations, security protection is supported for the data of UEs of a specified service provider (including an operator, device provider or content provider) that is offloaded directly to the Internet by the access point or serving gateway. Specifically, the management device can determine whether the IP address of the UE's access device (for example a wireless access device or serving gateway device) and the IP address in the automatic secure connection establishment request are, respectively, the IP addresses of an access device and a user terminal deployed by the same service provider, or whether the UE's access device and that IP address belong to network devices deployed by the same service provider. If so, establishment of a secure connection for the IP address is permitted; otherwise it is not.
To enable the management device to determine from the IP address in the automatic secure connection establishment request whether establishment of a secure connection is permitted, the management device can store the IP addresses of the network devices (including (wireless) access point devices, security gateways or routers) deployed by the specified service provider. When a terminal device accesses a network deployed by the specified operator, device provider, service provider or content provider, the management device stores the IP address of that terminal device. In particular, so that a secure connection can be established with the network device (access point device, security gateway or router) to which the terminal device is connected, the management device can, when the terminal accesses the network deployed by the specified service provider, also store both the IP address of the terminal device and the IP address of the network device (wireless access point device, security gateway or router) through which it attached.
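The exchange of steps S702 to S710 together with the decision rules of optional embodiments 3 and 4, as an added Python simulation that is not part of the patent: the management device holds the provider-deployed prefixes and the terminal registry, permits a request only when the access device and the detected IP address belong to the same provider, picks the remote device (a registered terminal's attached gateway, or the provider-deployed device itself) and sends the indication message; the access device reuses an existing tunnel or requests a new one. All addresses, provider names and IPSec parameters below are constructed.

```python
"""Simulation of the secure connection establishment exchange (embodiments
1, 3 and 4). Added example, not code from the patent; every address,
provider name and configuration value below is constructed."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ManagementDevice:
    """Secure connection management device.

    provider_networks: prefixes of the network devices (access points,
      security gateways, routers) each provider registered when deploying them.
    terminal_registry: terminal IP -> (provider, IP of the access point or
      gateway the terminal attached through), stored when the terminal joined.
    """
    provider_networks: dict[str, list[ipaddress.IPv4Network]]
    terminal_registry: dict[str, tuple[str, str]]
    indications: list[dict] = field(default_factory=list)  # sent to remote devices

    def provider_of(self, ip: str) -> Optional[str]:
        """Provider that deployed this address, or None if it is not registered."""
        addr = ipaddress.ip_address(ip)
        for provider, nets in self.provider_networks.items():
            if any(addr in net for net in nets):
                return provider
        if ip in self.terminal_registry:
            return self.terminal_registry[ip][0]
        return None

    def remote_device_for(self, first_ip: str) -> str:
        """Far end of the tunnel: a registered terminal's attached gateway,
        otherwise the provider-deployed network device itself."""
        if first_ip in self.terminal_registry:
            return self.terminal_registry[first_ip][1]
        return first_ip

    def handle_request(self, access_device_ip: str, first_ip: str) -> dict:
        """Steps S706/S708: permit only when requester and target were deployed
        by the same provider; on permission answer with remote IP + config and
        send the same config to the remote device as the establishment indication."""
        requester = self.provider_of(access_device_ip)
        if requester is None or requester != self.provider_of(first_ip):
            return {"establish": False}           # second response: do not establish
        remote_ip = self.remote_device_for(first_ip)
        config = {                                # IPSec-style parameters named in the text
            "local_id": access_device_ip,
            "remote_id": remote_ip,
            "protocol": "esp",
            "protected_flow": f"dst {first_ip}",  # the UE data this tunnel must carry
            "ike_policy": {"hash": "sha256", "encryption": "aes-256-cbc",
                           "dh_group": 14, "lifetime_s": 86400},
            "psk_id": "constructed-psk-reference",  # placeholder, not a real key
            "sa_lifetime_s": 3600,
            "pfs": True,
        }
        self.indications.append({"to": remote_ip, "config": config})
        return {"establish": True, "remote_ip": remote_ip, "config": config}


@dataclass
class AccessDevice:
    """UE access device (wireless access point with L-GW, or serving gateway)."""
    ip: str
    manager: ManagementDevice
    tunnels: dict[str, str] = field(default_factory=dict)  # first IP -> remote device

    def handle_ue_packet(self, dst_ip: str) -> str:
        """Steps S702-S710 for one locally offloaded UE packet; returns how it left."""
        if dst_ip in self.tunnels:                         # S704: tunnel already exists
            return f"tunnel:{self.tunnels[dst_ip]}"
        response = self.manager.handle_request(self.ip, dst_ip)  # S704 request / S706 response
        if not response["establish"]:
            return "no-tunnel"                             # refused: no secure connection set up
        self.tunnels[dst_ip] = response["remote_ip"]      # S710: establish, then send over it
        return f"tunnel:{response['remote_ip']}"


def build_demo() -> tuple[AccessDevice, ManagementDevice]:
    """Constructed topology: one provider, one access device, one registered terminal."""
    mgr = ManagementDevice(
        provider_networks={"OperatorA": [ipaddress.ip_network("10.1.0.0/16"),      # access devices
                                         ipaddress.ip_network("203.0.113.0/24")]}, # gateways/routers
        terminal_registry={"198.51.100.7": ("OperatorA", "203.0.113.1")},
    )
    return AccessDevice(ip="10.1.2.3", manager=mgr), mgr


if __name__ == "__main__":
    ap, mgr = build_demo()
    for dst in ("198.51.100.7", "198.51.100.7", "203.0.113.50", "192.0.2.9"):
        print(f"{dst:>14} -> {ap.handle_ue_packet(dst)}")
    print(f"{len(mgr.indications)} indication message(s) sent to remote devices")
```

The second packet to 198.51.100.7 is carried over the already established tunnel without a new request, while the unregistered 192.0.2.9 is refused because its provider cannot be established from the stored registrations.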
可选地,本申请中所述的无线接入点,可以是蜂窝移动通信网络中的基站(或手机)、WiFi的AP、蓝牙接收设备,或者其它能够发送或接收无线信号的设备,包括用户设备(终端)、个人数字助理(PDA)、无线调制调解器、无线通信装置、手持装置、膝上型计算机、无绳电话、无线本地回路(WLL)站、能够将移动信号转换为wifi信号的CPE或Mifi、智能家电、或其它不通过人的操作就能自发与移动通信网络通信的设备等。Optionally, the wireless access point described in this application may be a base station (or mobile phone) in a cellular mobile communication network, an AP of a WiFi, a Bluetooth receiving device, or other device capable of transmitting or receiving a wireless signal, including a user. Devices (terminals), personal digital assistants (PDAs), wireless modems, wireless communication devices, handheld devices, laptop computers, cordless phones, wireless local loop (WLL) stations, CPE capable of converting mobile signals into wifi signals Or Mifi, smart home appliances, or other devices that can spontaneously communicate with the mobile communication network without human intervention.
可选地,在本申请中,基站的形式不限,可以是宏基站(Macro Base Station)、微基站(Pico Base Station)、Node B、增强型基站(ENB)、家庭增强型基站(Femto eNB或Home eNode B或Home eNB或HENB)、中继站、接入点、RRU、RRH等。Optionally, in the present application, the form of the base station is not limited, and may be a Macro Base Station, a Pico Base Station, a Node B, an Enhanced Base Station (ENB), and a Home Enhanced Base Station (Femto eNB). Or Home eNode B or Home eNB or HENB), relay station, access point, RRU, RRH, etc.
综上所述,在应用本地卸载技术的无线通信网络中使用本申请实施例、可选实施例提供的连接建立方法,可以保障从UE从接入设备直接分流到Internet的数据或者从Internet直接经由UE接入设备发送给UE的数据的安全性。In summary, in the wireless communication network to which the local offloading technology is applied, the connection establishment method provided by the embodiment and the optional embodiment of the present application can ensure that data that is directly offloaded from the UE to the Internet from the access device or directly from the Internet. The security of the data that the UE accesses the device to send to the UE.
以上实施例仅用以说明本申请的技术方案而非对其进行限制,本领域的普通技术人员可以对本申请的技术方案进行修改或者等同替换,而不脱离本申请的精神和范围,本申请的保护范围应以权利要求所述为准。The above embodiments are only used to describe the technical solutions of the present application, and the technical solutions of the present application may be modified or equivalently replaced by those skilled in the art without departing from the spirit and scope of the present application. The scope of protection shall be as stated in the claims.
Embodiment 3
From the description of the above embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus the necessary general-purpose hardware platform, and of course also by hardware, though in many cases the former is the better implementation. On this basis, the technical solution of this application, in essence or in the part that contributes to the prior art, can be embodied as a software product stored on a storage medium (such as a ROM/RAM, magnetic disk or optical disc) containing instructions that cause a terminal device (which may be a mobile phone, computer, server, network device, etc.) to perform the method described in each embodiment of this application.
Embodiments of this application also provide a storage medium. Optionally, in this embodiment the storage medium may be configured to store program code for performing the following steps:
S11: obtain secure connection establishment request information sent by the access device of a terminal, where the secure connection establishment request information is used to request establishment of a secure connection between the access device of the terminal and a first remote device in the Internet;
S12: in response to the secure connection establishment request information, send secure connection establishment response information to the access device of the terminal, where the secure connection establishment response information is used to indicate whether the access device of the terminal is to establish the secure connection;
S13: where the secure connection establishment response indicates that the access device of the terminal is to establish the secure connection, send secure connection establishment indication information to the first remote device, where the secure connection establishment indication information is used to instruct the first remote device to establish the secure connection.
Optionally, the storage medium is further configured to store program code for performing the method steps recorded in the above embodiments:
S21: send secure connection establishment request information to a secure connection management device, where the secure connection establishment request information is used to request establishment of a secure connection between the access device of the terminal and a first remote device in the Internet;
S22: receive the secure connection establishment response information sent by the secure connection management device in response to the secure connection establishment request information, where the secure connection establishment response information is used to indicate whether the access device of the terminal is to establish the secure connection;
S23: where the secure connection establishment response indicates that the access device of the terminal is to establish the secure connection, establish the secure connection according to the indication in the secure connection establishment response information.
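As an added example (not code from the patent or its applicant), the exchange of steps S11 to S13 and S21 to S23 above modelled in Python: the management device keeps the per-provider IP registries described earlier, refuses a request unless the access device's IP address and the first IP address are both registered to the same service provider, picks the second remote device (the gateway registered at deployment, the access device registered at terminal attach, or the first remote device itself) and sends the indication to the first remote device, while the access device reuses an already established secure connection for a known first IP address before asking again, as claims 4 to 7 and 10 describe. The registry layout, message classes, configuration values and every IP address are constructed assumptions.

```python
"""Constructed model of the secure connection establishment exchange (added example)."""
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Request:
    """S11/S21: secure connection establishment request from the access device."""
    access_device_ip: str
    first_ip: str  # destination of the terminal's data, i.e. the first remote device


@dataclass
class Response:
    """S12/S22: secure connection establishment response from the management device."""
    allowed: bool
    second_ip: Optional[str] = None          # second remote device that terminates the connection
    config: Dict[str, str] = field(default_factory=dict)


@dataclass
class Indication:
    """S13: secure connection establishment indication sent to the first remote device."""
    remote_ip: str
    peer_ip: str  # access device the remote side should expect a connection from


class ManagementDevice:
    """Secure connection management device holding the registries from the description."""

    def __init__(self) -> None:
        # provider name -> IPs of the devices that provider deployed (access devices,
        # terminal devices, user terminals).  All entries are constructed sample data.
        self.provider_devices: Dict[str, Set[str]] = {}
        # deployed network device IP -> security gateway/router of its network
        self.network_gateway: Dict[str, str] = {}
        # terminal IP -> access point/gateway it attached through
        self.terminal_access: Dict[str, str] = {}
        self.indications: List[Indication] = []

    def register_network_device(self, provider: str, device_ip: str, gateway_ip: str) -> None:
        self.provider_devices.setdefault(provider, set()).add(device_ip)
        self.network_gateway[device_ip] = gateway_ip

    def register_terminal(self, provider: str, terminal_ip: str, access_ip: str) -> None:
        self.provider_devices.setdefault(provider, set()).add(terminal_ip)
        self.terminal_access[terminal_ip] = access_ip

    def provider_of(self, ip: str) -> Optional[str]:
        for provider, ips in self.provider_devices.items():
            if ip in ips:
                return provider
        return None

    def second_remote_device(self, first_ip: str) -> str:
        # Gateway registered at deployment, access device registered at terminal
        # attach, or the first remote device itself (the three cases of claim 5).
        return self.network_gateway.get(first_ip) or self.terminal_access.get(first_ip) or first_ip

    def handle_request(self, req: Request) -> Response:
        try:
            ip_address(req.access_device_ip)
            ip_address(req.first_ip)
        except ValueError:
            return Response(allowed=False)  # malformed address can never match a registry
        requester = self.provider_of(req.access_device_ip)
        # Allow only when both addresses belong to devices deployed by the same provider.
        if requester is None or requester != self.provider_of(req.first_ip):
            return Response(allowed=False)
        self.indications.append(Indication(req.first_ip, req.access_device_ip))
        return Response(True, self.second_remote_device(req.first_ip),
                        {"protocol": "ipsec-esp", "mode": "tunnel"})  # constructed config


class AccessDevice:
    """Terminal access device that offloads terminal traffic locally."""

    def __init__(self, ip: str, mgmt: ManagementDevice) -> None:
        self.ip = ip
        self.mgmt = mgmt
        self.tunnels: Dict[str, Tuple[str, Dict[str, str]]] = {}  # first_ip -> (peer, config)

    def send_terminal_data(self, dst_ip: str) -> str:
        """Return what happened to one outbound terminal packet bound for dst_ip."""
        if dst_ip in self.tunnels:  # claim 10: reuse the established secure connection
            return f"sent via existing secure connection to {self.tunnels[dst_ip][0]}"
        resp = self.mgmt.handle_request(Request(self.ip, dst_ip))
        if not resp.allowed:
            return "not allowed: no secure connection established"
        self.tunnels[dst_ip] = (resp.second_ip, resp.config)
        return f"established secure connection to {resp.second_ip}; sent"
```

The access device keys its connection table by the first IP address, so a second packet to the same destination travels over the existing secure connection without a new request. A request whose two addresses are not both registered to one provider, or that carries a malformed address, is refused and nothing is established on either side.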
Optionally, in this embodiment the storage medium may include, but is not limited to, a USB flash drive, a read-only memory (ROM), a random access memory (RAM), a removable hard disk, a magnetic disk, an optical disc, or any other medium capable of storing program code.
Optionally, in this embodiment the processor performs the method steps recorded in the above embodiments according to the program code stored in the storage medium.
Optionally, for specific examples of this embodiment, refer to the examples described in the above embodiments and optional implementations; they are not repeated here.
Clearly, those skilled in the art will understand that the modules or steps of this application described above can be implemented by general-purpose computing devices; they can be concentrated on a single computing device or distributed over a network of several computing devices. Optionally, they can be implemented as program code executable by a computing device, so that they can be stored in a storage device and executed by the computing device; in some cases the steps shown or described can be performed in an order different from that given here, or they can be made into separate integrated circuit modules, or several of the modules or steps can be made into a single integrated circuit module. Thus, this application is not limited to any particular combination of hardware and software.
The above is only the preferred embodiment of this application and is not intended to limit it; for those skilled in the art, this application may have various changes and variations. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of this application shall be included within the scope of protection of this application.

Claims (16)

  1. A connection establishment method for a secure connection management device, characterized by comprising:
    obtaining secure connection establishment request information sent by an access device of a terminal, where the secure connection establishment request information is used to request establishment of a secure connection between the access device of the terminal and a first remote device in the Internet;
    in response to the secure connection establishment request information, sending secure connection establishment response information to the access device of the terminal, where the secure connection establishment response information is used to indicate whether the access device of the terminal is to establish the secure connection;
    where the secure connection establishment response indicates that the access device of the terminal is to establish the secure connection, sending secure connection establishment indication information to the first remote device, where the secure connection establishment indication information is used to instruct the first remote device to establish the secure connection.
  2. The method according to claim 1, characterized in that sending the secure connection establishment response information to the access device of the terminal comprises:
    where the first IP address carried in the secure connection establishment request information triggers permission for the access device of the terminal to establish the secure connection, sending to the access device of the terminal first secure connection establishment response information indicating that the access device of the terminal is to establish the secure connection.
  3. The method according to claim 1, characterized in that sending the secure connection establishment response information to the access device of the terminal comprises:
    where the first IP address carried in the secure connection establishment request information triggers refusal of permission for the access device of the terminal to establish the secure connection, sending to the access device of the terminal second secure connection establishment response information indicating that the access device of the terminal is not to establish the secure connection.
  4. The method according to claim 2, characterized in that sending the first secure connection establishment response information to the access device of the terminal comprises:
    determining, according to the first IP address, a second remote device that is to establish the secure connection with the access device of the terminal, where the second remote device comprises the device corresponding to the first IP address or a network device in the network where the device corresponding to the first IP address is located;
    sending the first secure connection establishment response information to the access device of the terminal, where the first secure connection establishment response information carries a second IP address of the second remote device and configuration information of the secure connection.
  5. The method according to claim 4, characterized in that the network device in the network where the device corresponding to the first IP address is located comprises one of the following:
    a security gateway or router of the network where the device corresponding to the first IP address is located, registered when a service provider deployed the network devices in that network;
    an access point device, security gateway or router accessed by the terminal device corresponding to the first IP address, registered when that terminal device accessed the network;
    the first remote device.
  6. The method according to claim 2, characterized in that the first IP address carried in the secure connection establishment request information triggering permission for the access device of the terminal to establish the secure connection comprises:
    where the IP address of the access device of the terminal and the first IP address are both IP addresses of devices deployed by the same service provider, determining that the first IP address carried in the secure connection establishment request information triggers permission for the access device of the terminal to establish the secure connection, where the devices deployed by the service provider comprise access devices, terminal devices or user terminals.
  7. The method according to claim 3, characterized in that the first IP address carried in the secure connection establishment request information triggering refusal of permission for the access device of the terminal to establish the secure connection comprises:
    where the IP address of the access device of the terminal and the first IP address are not both IP addresses of devices deployed by the same service provider, determining that the first IP address carried in the secure connection establishment request information triggers refusal of permission for the access device of the terminal to establish the secure connection, where the devices deployed by the service provider comprise access devices, terminal devices or user terminals.
  8. A connection establishment method for a terminal access device, characterized by comprising:
    sending secure connection establishment request information to a secure connection management device, where the secure connection establishment request information is used to request establishment of a secure connection with a first remote device in the Internet;
    receiving secure connection establishment response information sent by the secure connection management device in response to the secure connection establishment request information, where the secure connection establishment response information is used to indicate whether the secure connection is to be established;
    where the secure connection establishment response indicates that the secure connection is to be established, establishing the secure connection according to the indication in the secure connection establishment response information.
  9. The method according to claim 5, characterized in that sending the secure connection establishment request information comprises:
    detecting terminal data to obtain a first IP address of the terminal data, where the first IP address is the IP address of the first remote device;
    sending the secure connection establishment request information carrying the first IP address.
  10. The method according to claim 9, characterized in that before sending the secure connection establishment request information carrying the first IP address, the method further comprises:
    determining whether a secure connection corresponding to the first IP address has already been established;
    where it is determined that the secure connection corresponding to the first IP address has already been established, sending the terminal data over the established secure connection corresponding to the first IP address;
    where it is determined that no secure connection corresponding to the first IP address has been established, deciding to send the secure connection establishment request information carrying the first IP address.
  11. A connection establishment apparatus for a secure connection management device, characterized by comprising:
    an obtaining module, configured to obtain secure connection establishment request information sent by an access device of a terminal, where the secure connection establishment request information is used to request establishment of a secure connection between the access device of the terminal and a first remote device in the Internet;
    a first sending module, configured to send, in response to the secure connection establishment request information, secure connection establishment response information to the access device of the terminal, where the secure connection establishment response information is used to indicate whether the access device of the terminal is to establish the secure connection;
    a second sending module, configured to send secure connection establishment indication information to the first remote device where the secure connection establishment response indicates that the access device of the terminal is to establish the secure connection, where the secure connection establishment indication information is used to instruct the first remote device to establish the secure connection.
  12. A connection establishment apparatus for a terminal access device, characterized by comprising:
    a third sending module, configured to send secure connection establishment request information to a secure connection management device, where the secure connection establishment request information is used to request establishment of a secure connection with a first remote device in the Internet;
    a receiving module, configured to receive secure connection establishment response information sent by the secure connection management device in response to the secure connection establishment request information, where the secure connection establishment response information is used to indicate whether the secure connection is to be established;
    an establishing module, configured to establish the secure connection according to the indication in the secure connection establishment response information where the secure connection establishment response indicates that the secure connection is to be established.
  13. A connection establishment apparatus for a secure connection management device, characterized by comprising a first processor and a first communication interface, wherein:
    the first processor is connected to the first communication interface and is configured to: obtain secure connection establishment request information sent by an access device of a terminal and received through the first communication interface, where the secure connection establishment request information is used to request establishment of a secure connection between the access device of the terminal and a first remote device in the Internet; in response to the secure connection establishment request information, instruct the first communication interface to send secure connection establishment response information to the access device of the terminal, where the secure connection establishment response information is used to indicate whether the access device of the terminal is to establish the secure connection; and, where the secure connection establishment response indicates that the access device of the terminal is to establish the secure connection, instruct the first communication interface to send secure connection establishment indication information to the first remote device, where the secure connection establishment indication information is used to instruct the first remote device to establish the secure connection.
  14. A connection establishment apparatus for a terminal access device, characterized by comprising a second processor and a second communication interface, wherein:
    the second processor is connected to the second communication interface and is configured to: instruct the second communication interface to send secure connection establishment request information to a secure connection management device, where the secure connection establishment request information is used to request establishment of a secure connection with a first remote device in the Internet; receive, through the second communication interface, secure connection establishment response information sent by the secure connection management device in response to the secure connection establishment request information, where the secure connection establishment response information is used to indicate whether the secure connection is to be established; and, where the secure connection establishment response indicates that the secure connection is to be established, establish the secure connection according to the indication in the secure connection establishment response information.
  15. A storage medium, characterized in that the storage medium is configured to store program code for performing the following steps:
    obtaining secure connection establishment request information sent by an access device of a terminal, where the secure connection establishment request information is used to request establishment of a secure connection between the access device of the terminal and a first remote device in the Internet;
    in response to the secure connection establishment request information, sending secure connection establishment response information to the access device of the terminal, where the secure connection establishment response information is used to indicate whether the access device of the terminal is to establish the secure connection;
    where the secure connection establishment response indicates that the access device of the terminal is to establish the secure connection, sending secure connection establishment indication information to the first remote device, where the secure connection establishment indication information is used to instruct the first remote device to establish the secure connection.
  16. The storage medium according to claim 15, characterized in that the storage medium is further configured to store program code for performing the following steps:
    sending secure connection establishment request information to a secure connection management device, where the secure connection establishment request information is used to request establishment of a secure connection between the access device of the terminal and a first remote device in the Internet;
    receiving secure connection establishment response information sent by the secure connection management device in response to the secure connection establishment request information, where the secure connection establishment response information is used to indicate whether the access device of the terminal is to establish the secure connection;
    where the secure connection establishment response indicates that the access device of the terminal is to establish the secure connection, establishing the secure connection according to the indication in the secure connection establishment response information.
PCT/CN2018/080853 2017-04-14 2018-03-28 Connection establishment method and apparatus WO2018188482A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201710248345.2 2017-04-14
CN201710248345.2A CN106982427B (en) 2017-04-14 2017-04-14 Connection establishment method and device

Publications (1)

Publication Number Publication Date
WO2018188482A1 true WO2018188482A1 (en) 2018-10-18

Family

ID=59343982

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/080853 WO2018188482A1 (en) 2017-04-14 2018-03-28 Connection establishment method and apparatus

Country Status (2)

Country Link
CN (1) CN106982427B (en)
WO (1) WO2018188482A1 (en)

Also Published As

Publication number Publication date
CN106982427B (en) 2020-08-18
CN106982427A (en) 2017-07-25

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18783940

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 03/02/2020)

122 Ep: pct application non-entry in european phase

Ref document number: 18783940

Country of ref document: EP

Kind code of ref document: A1