WO2019144826A1 - Network identifier mapping method and system, terminal, and identification gateway - Google Patents


Info

Publication number
WO2019144826A1
Authority
WO
WIPO (PCT)
Prior art keywords
terminal
identifier
network
network identifier
gateway
Application number
PCT/CN2019/071730
Other languages
French (fr)
Chinese (zh)
Inventor
谢大雄
郝振武
吴强
张军
Original Assignee
中兴通讯股份有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/30 Managing network names, e.g. use of aliases or nicknames
    • H04L61/301 Name conversion

Definitions

  • The present application relates to the field of the Internet, and in particular to a network identity mapping method and system, a terminal, and an identity gateway.
  • FIG. 1 is a schematic structural diagram of a related art network. As shown in Figure 1, it includes:
  • UE User Equipment
  • Access Gateway: its specific form depends on the access technology, for example a packet gateway (PGW) in mobile communication, a broadband access server (BAS) in fixed access, a layer-3 switch in an enterprise network, or an Internet of Things gateway in an Internet of Things network. Together with the authentication server, it authenticates the terminal.
  • PGW packet gateway
  • BAS broadband access server
  • IMS Internet of Things gateway
  • After the authentication is passed, an unoccupied IP address is selected from the locally configured IP address pool and assigned to the user. The IP address a user obtains therefore differs depending on the user's access location and access time.
  • Authentication Server Authenticates the validity of the terminal with the access gateway to determine whether the terminal is allowed to access the network.
  • the Internet/Intranet Provides various services for the terminal.
  • the terminal uses the IP address assigned by the access gateway to communicate with the application server in the Internet/enterprise network.
  • The IP address serves as the identifier of the terminal at the network layer: it identifies the terminal and ensures that data packets can be delivered to each terminal correctly.
  • the IP address allocation adopts a dynamic IP address allocation scheme.
  • an IP address must be reacquired.
  • The IP address can only be used within its topological location (for example, only within the area managed by the access gateway), and even at the same network location, because of dynamic allocation, the IP address assigned at different access times will differ.
  • the IP address of the terminal is dynamically changed.
  • The IP address carried in an IP packet cannot be directly associated with a user. In other words, the Internet or the enterprise network is an anonymous network, which is not conducive to network supervision (such as user identity traceability and network behavior analysis).
  • The related art traces the source through IP allocation logs, which in some cases is both inefficient and inaccurate.
  • the present application provides a network identity mapping method and system, and a terminal and an identifier gateway, which can represent a user identity through a network identifier, thereby improving the monitoring efficiency.
  • The present application provides a network identity mapping method, including: pre-establishing a first correspondence between a first Internet Protocol address of a terminal and a network identifier, where the network identifier corresponds to a user identifier of the terminal; and performing network identifier conversion on data packets from the terminal or to the terminal according to the first correspondence.
  • the present application provides a network identity mapping method, including: acquiring access information; wherein the access information includes a user identifier and a first Internet Protocol address of the terminal; and the access information is sent to the identity gateway.
  • The present application provides a network identifier mapping method, including: receiving a network identifier request from the identity gateway, where the network identifier request carries a user identifier; searching for the network identifier corresponding to the user identifier in a preset second correspondence between user identifiers and network identifiers, or allocating a network identifier according to the user identifier and saving the second correspondence between the user identifier and the network identifier; and sending the network identifier to the identity gateway.
  • The present application provides an identification gateway, including: an establishing module, configured to pre-establish a first correspondence between a first Internet Protocol address of the terminal and a network identifier, where the network identifier corresponds to a user identifier of the terminal; and a conversion module, configured to perform network identifier conversion on data packets from the terminal or sent to the terminal according to the first correspondence.
  • The present application provides a terminal, comprising: an obtaining module, configured to obtain access information, where the access information includes a user identifier and an Internet Protocol address of the terminal; and a first sending module, configured to send the access information to the identifier gateway.
  • The present application provides an identity management server, including: a receiving module, configured to receive a network identifier request from the identity gateway, the network identifier request carrying a user identifier; a processing module, configured to search for the network identifier corresponding to the user identifier in a preset second correspondence between user identifiers and network identifiers, or to allocate a network identifier according to the user identifier and save the second correspondence between the user identifier and the network identifier; and a second sending module, configured to send the network identifier to the identity gateway.
  • The present application provides an identification gateway including a first processor and a first computer readable storage medium, where the first computer readable storage medium stores first instructions which, when executed by the first processor, implement any of the above network identifier mapping methods.
  • The present application proposes a terminal comprising a second processor and a second computer readable storage medium, where the second computer readable storage medium stores second instructions which, when executed by the second processor, implement any of the above network identifier mapping methods.
  • The present application provides an identification management server including a third processor and a third computer readable storage medium, where the third computer readable storage medium stores third instructions which, when executed by the third processor, implement any of the above network identifier mapping methods.
  • the present application proposes a computer readable storage medium having stored thereon a computer program, characterized in that the computer program is executed by a processor to implement the steps of any of the above network identification mapping methods.
  • The present application provides a network identity mapping system, including: a terminal, configured to obtain access information, where the access information includes a user identifier and a first Internet Protocol address of the terminal, and to send the access information to the identity gateway; and an identity gateway, configured to receive the access information of the terminal, query the network identifier corresponding to the user identifier, save or update the first correspondence, and perform network identifier conversion on data packets from the terminal or sent to the terminal according to the first correspondence.
  • FIG. 1 is a schematic structural diagram of a related art network.
  • FIG. 2 is a schematic structural diagram of a network structure of the present application.
  • FIG. 3 is a flowchart of a gateway-side network identifier mapping method according to the present application.
  • FIG. 4 is a flowchart of a terminal-side network identifier mapping method according to the present application.
  • FIG. 5 is a flowchart of an identity-management-server-side network identifier mapping method according to the present application.
  • FIG. 6 is a schematic structural diagram of a terminal of a first embodiment of the present application.
  • FIG. 7 is a schematic diagram of interaction of a network identity mapping method according to a second embodiment of the present application.
  • FIG. 8 is a schematic diagram of interaction of a terminal offline process according to a third embodiment of the present application.
  • FIG. 9 is a schematic diagram of interaction of a method for a terminal to move to another access gateway according to a fourth embodiment of the present application.
  • FIG. 10 is a schematic diagram of interaction of a user state maintenance process according to a fifth embodiment of the present application.
  • FIG. 11 is a schematic structural diagram of an identification gateway of the present application.
  • FIG. 13 is a schematic structural diagram of an identity management server of the present application.
  • FIG. 14 is a schematic structural diagram of another identification gateway of the present application.
  • FIG. 15 is a schematic structural diagram of another terminal of the present application.
  • FIG. 16 is a schematic structural diagram of another identity management server of the present application.
  • FIG. 17 is a schematic structural diagram of a network identity mapping system of the present application.
  • The AGW and the AS cooperate to authenticate the validity of the terminal. After the authentication is passed, the AGW selects an unoccupied IP address from the locally configured IP address pool and allocates it to the terminal. The terminal then accesses the application server in the Internet or the enterprise network using the assigned IP address. In this process, because the IP address assigned to the terminal changes dynamically, it cannot be known from the IP address carried in a data packet which user sent it, which is very unfavorable for network supervision.
  • This application uses a network identity (NID) to represent the user's identity and identifies the user through the network identity, thereby improving the efficiency of supervision.
  • NID network identity
  • An Identity Client (IDC) is added to the terminal, and an identity gateway is added between the AGW and the application server, or an identity gateway and an Identity Management Center (IDGW) are added, to maintain the user's network identity.
  • IDC Identity Client
  • IDGW Identity Management Center
  • the network identity is used to represent the user identity without changing the related network infrastructure, thereby improving the efficiency of supervision.
  • The present application provides a network identity mapping method, which is applied to an identity gateway and includes steps 300 and 301.
  • step 300 a first correspondence between the first Internet Protocol address of the terminal and the network identifier is established in advance.
  • Because the network identifier corresponds to the user identifier of the terminal and does not change when the first IP address changes, the identity of the user is represented by the network identifier, thereby improving the monitoring efficiency.
  • the first correspondence may be statically configured or dynamically configured.
  • the first correspondence is dynamically configured
  • various methods can be employed. For example, receiving the access information of the terminal; querying the network identifier corresponding to the user identifier, and saving or updating the first correspondence between the first Internet Protocol address and the network identifier. For example, receiving access information of the terminal, assigning a network identifier to the terminal, and saving the first correspondence.
  • the access information includes a user identifier and a first Internet Protocol (IP) address of the terminal.
  • IP Internet Protocol
  • the user identifier may be a username, an email address, a phone number, and the like.
  • The access information further includes an access mode (such as 3G/4G access, Wireless Fidelity (WiFi) access, etc.), access location information, access time information, and the like.
  • an access mode such as 3G/4G access, Wireless Fidelity (WiFi) access, etc.
  • the device information of the terminal is also received.
  • the device information includes at least one of the following: a terminal device identifier, component information, a hardware state, and a software state.
  • the access information is received by receiving a notification message or a keep-alive message of the terminal, and the notification message or the keep-alive message includes the access information.
  • the notification message or keep-alive message also includes device information.
  • the form of the network identifier may be in the form of a second IP address or a second IP address + port range.
  • the second IP address 202.100.100.100 is used to indicate the network identity
  • the second IP address 202.100.100.100+port range (1024 to 2047) is used to represent the network identity.
  • the network identifier corresponding to the user identifier may be queried by using any one of the following methods.
  • the second correspondence between the user identifier and the network identifier is set in advance, and the network identifier corresponding to the user identifier is searched for in the second correspondence.
  • The first correspondence between the first IP address in the access information and the queried network identifier is saved directly. If a first correspondence for that network identifier was saved earlier and the first IP address in the access information differs from the first IP address stored for the network identifier, the first correspondence is updated with the new first IP address.
  • step 301 network identifier conversion is performed on data packets from the terminal or data packets addressed to the terminal according to the first correspondence.
  • The first IP address of the terminal is obtained from the source Internet Protocol address field of the data packet from the terminal, the network identifier corresponding to that first IP address is searched for in the first correspondence, the first IP address in the source Internet Protocol address field is replaced with the found network identifier, and the data packet is then sent to the application server in the Internet or enterprise network.
  • the network identifier is used in the Internet or the enterprise network instead of the first IP address to indicate the user identity. Since the network identifier corresponds to the user identifier and does not change with the change of the first IP address, the monitoring efficiency is improved.
  • Instead of discarding the data packet from the terminal, the alternatives include: performing network address translation (NAT) on the data packet from the terminal, so that the service can proceed normally; or performing NAT on the data packet from the terminal but limiting the scope of transmission, for example so that it can only be passed to application servers with a lower security level.
  • NAT Network Address Translation
  • The network identifier is obtained from the destination Internet Protocol address field of the data packet sent to the terminal, the first IP address of the terminal corresponding to the network identifier is searched for in the first correspondence, the network identifier in the destination Internet Protocol address field is replaced with the found first IP address, and the data packet is then sent to the terminal.
  • The data packet sent to the terminal is discarded; or NAT is performed on the data packet addressed to the terminal.
  • The first IP address of the terminal in the source IP address field of the data packet from the terminal and the first port of the terminal in the source port field are acquired; the network identifier corresponding to the first IP address is searched for in the first correspondence; the first IP address in the source IP address field is replaced with the second IP address of the found network identifier, and the first port in the source port field is replaced with a second port that is not yet in use within the port range of the found network identifier; and a third correspondence between the first IP address, the first port, the second IP address, and the second port is established.
  • The second IP address and second port corresponding to the first IP address and first port of the terminal are first searched for in the third correspondence; if found, the first IP address in the source IP address field of the data packet from the terminal is replaced with the found second IP address, and the first port in the source port field is replaced with the found second port.
  • Otherwise, the network identifier corresponding to the first IP address is searched for in the first correspondence; the first IP address in the source IP address field of the data packet is replaced with the second IP address of the found network identifier, the first port in the source port field is replaced with a second port that is not yet in use within the port range of the found network identifier, and a third correspondence between the first IP address, the first port, the second IP address, and the second port is established.
  • NAPT Network Address Port Translation
  • The first IP address and first port corresponding to the second IP address of the network identifier in the destination IP address field of the data packet addressed to the terminal and the second port of the network identifier in the destination port field are searched for in the third correspondence; the second IP address in the destination IP address field is replaced with the found first IP address, and the second port in the destination port field is replaced with the found first port.
  • If no first IP address and first port corresponding to the second IP address in the destination IP address field and the second port in the destination port field of the data packet addressed to the terminal are found, the data packet sent to the terminal is discarded; or NAPT is performed on the data packet sent to the terminal.
  • When a third correspondence has not been used for network identifier conversion within a certain period of time, it may be deleted to save storage space.
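As an added illustration (not code from the patent or from ZTE) of the gateway-side conversion in steps 300 and 301 above: both NID forms, both packet directions, the discard fallback when no correspondence exists, and idle deletion of the third correspondence. Addresses, ports, timeouts and class names are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Addr = Tuple[str, int]  # (IP address, port)


@dataclass(frozen=True)
class NID:
    """Network identifier: a second IP address, optionally plus an inclusive port range."""
    ip: str
    port_range: Optional[Tuple[int, int]] = None


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Binding:
    """One entry of the third correspondence, with the time it was last used."""
    terminal: Addr      # (first IP address, first port)
    translated: Addr    # (second IP address, second port)
    last_used: float


class IdentityGateway:
    """Hypothetical identity gateway (constructed example, not the patent's code)."""

    def __init__(self, idle_timeout: float = 300.0):
        self.first: Dict[str, NID] = {}                # first correspondence: first IP -> NID
        self.by_terminal: Dict[Addr, Binding] = {}     # third correspondence, upstream lookup
        self.by_translated: Dict[Addr, Binding] = {}   # third correspondence, downstream lookup
        self.idle_timeout = idle_timeout

    def bind(self, first_ip: str, nid: NID) -> None:
        """Save or update the first correspondence on a notification/keep-alive message."""
        for ip, old in list(self.first.items()):
            if old == nid and ip != first_ip:   # terminal re-accessed with a new first IP
                self.unbind(ip)
        self.first[first_ip] = nid

    def unbind(self, first_ip: str) -> None:
        """Delete the first (and dependent third) correspondence, e.g. on offline or timeout."""
        self.first.pop(first_ip, None)
        for key, b in list(self.by_terminal.items()):
            if key[0] == first_ip:
                del self.by_terminal[key]
                self.by_translated.pop(b.translated, None)

    def expire(self, now: float) -> int:
        """Delete third-correspondence entries not used within idle_timeout; return the count."""
        stale = [b for b in self.by_terminal.values() if now - b.last_used > self.idle_timeout]
        for b in stale:
            del self.by_terminal[b.terminal]
            del self.by_translated[b.translated]
        return len(stale)

    def _free_port(self, nid: NID) -> Optional[int]:
        low, high = nid.port_range
        for port in range(low, high + 1):
            if (nid.ip, port) not in self.by_translated:
                return port
        return None  # port range exhausted

    def upstream(self, pkt: Packet, now: float) -> Optional[Packet]:
        """Packet from the terminal: replace the source first IP (and port) with the NID."""
        nid = self.first.get(pkt.src_ip)
        if nid is None:
            return None  # no first correspondence: discard (NAT fallback is the alternative)
        if nid.port_range is None:  # NID in second-IP-address form
            return Packet(nid.ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        key = (pkt.src_ip, pkt.src_port)  # NID in IP + port-range form (NAPT)
        b = self.by_terminal.get(key)
        if b is None:
            port = self._free_port(nid)
            if port is None:
                return None
            b = Binding(key, (nid.ip, port), now)
            self.by_terminal[key] = b
            self.by_translated[b.translated] = b
        b.last_used = now
        return Packet(b.translated[0], b.translated[1], pkt.dst_ip, pkt.dst_port)

    def downstream(self, pkt: Packet, now: float) -> Optional[Packet]:
        """Packet addressed to the NID: restore the terminal's first IP (and port)."""
        b = self.by_translated.get((pkt.dst_ip, pkt.dst_port))
        if b is not None:
            b.last_used = now
            return Packet(pkt.src_ip, pkt.src_port, b.terminal[0], b.terminal[1])
        for first_ip, nid in self.first.items():  # second-IP-address form, no port mapping
            if nid.port_range is None and nid.ip == pkt.dst_ip:
                return Packet(pkt.src_ip, pkt.src_port, first_ip, pkt.dst_port)
        return None  # unknown destination: discard
```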
  • When at least one of the received access information and the device information changes, the method further includes: sending an information update message to the identity management server, so that the identity management server updates at least one of the user status, the access information, and the device information; and, upon receiving an acknowledgment message returned by the identity management server, returning a confirmation message to the terminal.
  • the method further includes deleting the first correspondence when the notification message or the keep-alive message is not received within the preset time, or when the offline message of the terminal is received.
  • the acknowledgment message may be returned to the terminal, so that the terminal receives the acknowledgment message and then goes offline and releases the IP address; or may not return the acknowledgment message to the terminal.
  • The offline message of the terminal may be sent to the identity management server, so that the identity management server updates the user status in the second correspondence, and the first correspondence is deleted when the confirmation message of the identity management server is received.
  • the offline message of the terminal may also be sent to the identity management server, so that the identity management server updates the user state in the second correspondence.
  • the present application provides a network identifier mapping method, which is applied to a terminal, and includes steps 400 and 401.
  • step 400 access information is obtained.
  • the access information includes a user identifier and a first IP address of the terminal.
  • the user identifier may be a username, an email address, a phone number, and the like.
  • the access information further includes related information such as an access mode (such as 3G/4G access, wireless fidelity access, etc.), access location information, and access time information.
  • an access mode such as 3G/4G access, wireless fidelity access, etc.
  • the device information of the terminal is also obtained.
  • the device information includes at least one of the following: a terminal device identifier, component information, a hardware state, and a software state.
  • step 401 the access information is sent to the identity gateway.
  • the third IP address of the identifier gateway needs to be known in advance, and the third IP address of the identifier gateway can be obtained by using any of the following methods.
  • the domain name of the gateway is pre-configured in the terminal.
  • DNS domain name system
  • the access gateway sends the third IP address or domain name of the gateway to the terminal.
  • the access information may be sent to the identification gateway by using a notification message or a keep-alive message, and the notification message or the keep-alive message includes the access information.
  • the notification message or keep-alive message also includes device information.
  • The notification message or keep-alive message may be sent to the identifier gateway periodically, when the access information changes, or when the device information changes.
  • When the terminal needs to go offline, the method further includes: sending an offline message to the identification gateway; and, upon receiving the confirmation message returned by the identification gateway, controlling the terminal to go offline and release the first IP address of the terminal.
  • the network identifier mapping method can be implemented by setting an identifier client in the terminal, and the identifier client is a component of the terminal, and can obtain access information and device information from other components of the terminal. Therefore, on the basis of not changing the hardware structure of the relevant terminal, the identity of the user is represented by the network identifier, thereby improving the supervision efficiency.
  • the present application provides a network identifier mapping method, which is applied to an identity management server, and includes steps 500, 501, and 502.
  • step 500 a network identifier request from the identity gateway is received, and the network identifier request carries the user identifier.
  • the network identifier request may also carry at least one of the following: device information, access mode, access location information, and access time information of the terminal.
  • step 501 in the second correspondence between user identifiers and network identifiers, the network identifier corresponding to the user identifier is searched for; or a network identifier is allocated according to the user identifier, and the second correspondence between the user identifier and the network identifier is saved.
  • the correspondence between the user identifier and the network identifier may be a one-to-one correspondence or a one-to-many relationship.
  • the appropriate network identifier may be selected according to the user identifier, other access information, or device information.
  • the second correspondence further includes at least one of the following:
  • device information, access mode, access location information, access time information, and user status of the terminal.
  • the user status includes at least one of the following: online and offline.
  • When the network identifier request further carries at least one of the device information, access mode, access location information, and access time information of the terminal, the second correspondence is searched for the network identifier corresponding to the user identifier together with at least one of those items.
  • The second correspondence may be a correspondence between the user identifier, the access time information, and the network identifier; in that case the network identifier request carries the user identifier and the access time information, and both are used to search the second correspondence.
  • an unused network identifier may be selected from the network identifier resource pool for allocation.
  • step 502 the network identity is sent to the identity gateway.
  • the method further includes updating the second correspondence and returning an acknowledgement message to the identity gateway when the information update message is received.
  • the information update message includes at least one of the following: device information of the terminal, and access information.
  • the method further includes: when receiving the offline message of the terminal, updating the user status in the second correspondence to the offline, and returning an acknowledgement message to the identity gateway.
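As an added illustration (not the patent's or ZTE's code) of steps 500 to 502 and the update and offline handling just described: a hypothetical identity management server with a second correspondence that may be one-to-many (selected by access time), allocation of an unused NID from a resource pool, and user status maintenance. The users, NIDs, and the hour-window selection rule are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class NID:
    """Network identifier: a second IP address, optionally plus an inclusive port range."""
    ip: str
    port_range: Optional[Tuple[int, int]] = None


@dataclass
class Entry:
    """One row of the second correspondence (user identifier -> NID plus state)."""
    nid: NID
    hours: Optional[Tuple[int, int]] = None  # access-time window [start, end) in hours; None = any
    status: str = "offline"                   # user status: online / offline
    access_mode: Optional[str] = None
    device_id: Optional[str] = None


class IdentityManagementServer:
    """Hypothetical identity management server (constructed example)."""

    def __init__(self, pool: List[NID]):
        self.second: Dict[str, List[Entry]] = {}  # second correspondence, possibly one-to-many
        self.pool = list(pool)                      # unused NID resource pool

    def preconfigure(self, user: str, nid: NID, hours: Optional[Tuple[int, int]] = None) -> None:
        """Statically configure a user -> NID row, optionally limited to an access-time window."""
        self.second.setdefault(user, []).append(Entry(nid, hours))

    def handle_nid_request(self, user: str, access_hour: int,
                           access_mode: Optional[str] = None,
                           device_id: Optional[str] = None) -> Optional[NID]:
        """Step 501: find the NID for the user (matching the access time when the
        correspondence is one-to-many), or allocate one from the pool and save the row;
        step 502 is the caller sending the returned NID to the identity gateway."""
        chosen = None
        for e in self.second.get(user, []):
            if e.hours is None or e.hours[0] <= access_hour < e.hours[1]:
                chosen = e
                break
        if chosen is None:
            if not self.pool:
                return None  # pool exhausted: no NID can be returned
            chosen = Entry(self.pool.pop(0))
            self.second.setdefault(user, []).append(chosen)
        chosen.status = "online"
        chosen.access_mode = access_mode
        chosen.device_id = device_id
        return chosen.nid

    def _find(self, user: str, nid: NID) -> Optional[Entry]:
        return next((e for e in self.second.get(user, []) if e.nid == nid), None)

    def handle_info_update(self, user: str, nid: NID,
                           access_mode: Optional[str] = None,
                           device_id: Optional[str] = None) -> bool:
        """Information update message: refresh access/device info; True means acknowledged."""
        e = self._find(user, nid)
        if e is None:
            return False
        if access_mode is not None:
            e.access_mode = access_mode
        if device_id is not None:
            e.device_id = device_id
        return True

    def handle_offline(self, user: str, nid: NID) -> bool:
        """Offline message: set the user status to offline; True means acknowledged."""
        e = self._find(user, nid)
        if e is None:
            return False
        e.status = "offline"
        return True

    def user_status(self, user: str, nid: NID) -> Optional[str]:
        e = self._find(user, nid)
        return None if e is None else e.status
```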
  • FIG. 6 is a schematic structural diagram of a terminal of a first embodiment of the present application. As shown in Figure 6, a typical terminal typically contains the underlying hardware and program modules running on the underlying hardware.
  • The basic hardware includes a central processing unit, memory or storage, a modem, and the like.
  • The program modules include an operating system, a communication module for driving the modem, application programs, and the like.
  • Program modules are typically stored in memory or storage and executed by the central processing unit.
  • the communication module can drive the modem to communicate, for example, accessing the access gateway, receiving the first IP address allocated by the access gateway, or leaving the access gateway to release the first IP address;
  • the application communicates with the application server of the Internet or the enterprise network using the first IP address in the online state to provide services to the user.
  • The identification client is added to the terminal and has an interaction interface and capability with the communication module: for example, it can control the communication module to go online or offline; it can sense whether the communication module is online or offline; it can use the first IP address to communicate with the identification gateway through the communication module; and it can obtain access information from the communication module, such as the user identifier used by the user to go online, the first IP address of the terminal, the access time information, and the access location information.
  • The identification client can also interact with the underlying hardware to obtain device information.
  • the identification client is a component superimposed on the relevant terminal architecture, and does not affect the basic functions of the related components, especially the functions of the application, and has good compatibility.
  • FIG. 7 is a schematic diagram of interaction of a network identity mapping method according to a second embodiment of the present application. As shown in FIG. 7, the method includes steps 700 to 709.
  • step 700 the terminal accesses the access gateway, and the authentication server authenticates the validity of the user.
  • The terminal uses the user identifier in the process of accessing the access gateway.
  • the user identifier may be a username (such as a QQ username), an email address, a phone number, and the like.
  • step 701 after the authentication is passed, the access gateway allocates a first IP address to the terminal.
  • the first IP address is generally dynamically allocated.
  • the identity client of the terminal sends a notification message to the identity gateway, where the notification message carries the user identifier, the assigned first IP address, and may further include device information and other access information.
  • the device information includes but is not limited to the terminal device identifier, component information, hardware status, and software status.
  • the access information may further include an access method (such as 3G/4G access, Wifi access), access location information, access time information, and the like.
  • an access method such as 3G/4G access, Wifi access
  • the identifier client is a component of the terminal, and can obtain access information and device information from other components of the terminal.
  • The identifier client needs to know the address of the identifier gateway when sending the notification message to it. The ways of obtaining it include, but are not limited to: pre-configuring the third IP address of the identifier gateway in the terminal; pre-configuring the domain name of the identifier gateway, so that when the domain name is resolved the DNS returns the third IP address of the identifier gateway according to the user's access location information; or having the access gateway notify the terminal of the third IP address or domain name of the identity gateway when it allocates the first IP address.
  • step 703 the identifier gateway sends an NID request to the identity management server, where the request carries the user identifier, and may further carry the device information and other access information.
  • step 704 the identity management server queries the corresponding NID in the second correspondence between the user identifier and the NID, and sends the NID to the identity gateway.
  • the second correspondence between the user identifier and the NID is configured in the identifier management server, and the most basic correspondence is a one-to-one relationship, and may further be a one-to-many relationship.
  • in the one-to-one case, the identity management server directly obtains the NID according to the user identifier.
  • in the one-to-many case, the identity management server selects an appropriate NID according to the user identifier, the device identifier, and other access location information.
  • the NID form may be a second IP address or a second IP address + port range.
  • for example, the NID is represented by the second IP address 202.100.100.100, or by the second IP address 202.100.100.100 plus the port range 1024-2047.
  • the position of the NID in the data packet is as follows: if the second IP address form is used, the NID is carried in the source IP address field of a data packet from the terminal and in the destination IP address field of a data packet addressed to the terminal; if the second IP address + port range form is used, the NID is carried in the source IP address field and the source port field of a data packet from the terminal, and in the destination IP address field and the destination port field of a data packet addressed to the terminal.
  • step 705 the identifier gateway establishes a first correspondence between the first IP address of the terminal and the NID, and returns an acknowledgement message to the identity client.
  • the first correspondence may further include a user identifier.
  • step 706 after the identifier gateway receives an uplink data packet from the terminal, it performs the network identifier conversion, converting the first IP address of the terminal in the data packet, or the first IP address and the first port of the terminal, into the NID.
  • the terminal can uniquely identify the user through the NID in the Internet or the enterprise network.
  • if the NID is a second IP address, the identity gateway replaces the first IP address of the terminal in the source IP address field of the data packet with the NID, and the source port remains unchanged.
  • this process functions similarly to network address translation (NAT).
  • if the NID is a second IP address + port range, the identification gateway replaces the first IP address of the terminal in the source IP address field of the data packet with the second IP address of the NID, and replaces the first port of the terminal in the source port field with a second port that is not yet used in the port range of the NID.
  • this process functions similarly to network address port translation (NAPT).
  • a third correspondence between the first IP address, the first port, the second IP address, and the second port is established, and the state of the third correspondence is maintained; for example, if a third correspondence has no data flow for a certain period of time, it is released.
  • step 707 the identification gateway sends the data packet containing the NID to the application server in the Internet or the government-enterprise network.
  • step 708 the application server sends a data packet containing the NID, and the data packet is sent to the identity gateway.
  • step 709 the identifier gateway queries the first correspondence according to the NID, determines the first IP address and the first port of the corresponding terminal, replaces the second IP address of the NID in the destination IP address field of the data packet with the first IP address of the terminal, replaces the second port of the NID in the destination port field with the first port of the terminal, and then sends the data packet to the terminal.
  • the above process is the same as the processing of the downlink data stream in the NAT and NAPT technologies.
  • subsequent data packets repeat steps 706-709. It should be noted that when the identifier gateway receives a subsequent uplink data packet, it first searches for a third correspondence. If one exists, the network identifier is converted according to the existing third correspondence; if not, a third correspondence is established according to the process in step 706.
  • the identity gateway can process the data packet as follows:
  • in this case, the data packet transmitted in the Internet or the government-enterprise network carries the first IP address of the terminal, or the first IP address + the first port, and can therefore no longer uniquely identify the user.
  • FIG. 8 is a schematic diagram of interaction of a terminal offline process according to a third embodiment of the present application. As shown in FIG. 8, step 800 to step 812 are included.
  • Steps 800 to 805 are the same as steps 700 to 705.
  • step 806 the identification client is notified that the user goes offline, for example, the user operates the client to enter the offline state.
  • step 807 the identification client sends an offline message to the identity gateway.
  • step 808 the identity gateway sends a downline message to the identity management server.
  • step 809 the identity management service updates the user status in the second correspondence to be offline, and returns a confirmation response.
  • step 810 the gateway is deleted from the user, and the first correspondence and the third correspondence that have been established are deleted, and the packet forwarding relationship is deleted.
  • the identification gateway returns a confirmation response to the identification client.
  • step 812 the client control terminal is offlined and the first IP address is released.
  • FIG. 9 is a schematic diagram of interaction of a method for a terminal that moves and changes its access gateway according to a fourth embodiment of the present application. As shown in FIG. 9, when the terminal moves, the access gateway 1 is replaced with the access gateway 2, and the first IP address assigned by the network is also replaced.
  • the execution process includes steps 900 to 910.
  • step 900 the terminal accesses the application server of the Internet or the enterprise network through the access gateway 1 and the identification gateway.
  • step 901 the terminal accesses the access gateway 2 due to the movement of the terminal or the like.
  • step 902 the access gateway 2 assigns a new first IP address to the terminal.
  • step 903 the identifier client detects that the access has changed and sends a notification message to the identity gateway, carrying the user identifier and information such as the new first IP address, so that the identity gateway updates the first correspondence.
  • step 904 the identity gateway sends an information update message to the identity management server.
  • step 905 the identity management server updates the second correspondence, such as the user's access location information and user status, and returns a confirmation message.
  • step 906 the identity gateway returns an acknowledgement message to the identity client.
  • Steps 907-910 are the same as steps 706-709.
  • the terminal communicates using the new first IP address, and the identifier gateway completes the conversion between the new first IP address and the network identifier.
  • FIG. 10 is a schematic diagram of interaction of a user state maintenance process according to a fifth embodiment of the present application. As shown in FIG. 10, steps 1000 to 1016 are included.
  • Steps 1000 to 1005 are the same as steps 700 to 705 in the second embodiment.
  • step 1006 both the identity client and the identity gateway enable a keepalive timer, and the period of the keepalive timer on the client side is less than the period of the timer on the identity gateway.
  • steps 1007 and 1008 the client keepalive timer times out, and the client sends a notification message or a keep-alive message to the identity gateway.
  • step 1009 if the access information is updated, the identity gateway sends an information update message to the identity management server, otherwise directly jumps to step 1011.
  • step 1010 the identification management server returns a confirmation message.
  • step 1011 the identity gateway returns a confirmation message to the identity client.
  • step 1012 the identity gateway resets its keepalive timer, and the online state of the user is maintained unchanged.
  • step 1013 if the terminal is offline, the identity client can no longer send a notification message or keep-alive message to the identity gateway. At this time, the keep-alive timer on the identity gateway will time out.
  • step 1014 the identity gateway considers that the terminal is offline, then logs out the terminal and deletes all correspondences of the terminal.
  • step 1015 the identification gateway sends an offline message of the terminal to the identity management server.
  • step 1016 the identity management server updates the user status in the second correspondence to offline, and returns an acknowledgement message.
  • in this way, the network side can correctly maintain the online status of the terminal.
  • by deploying the identification gateway and the identity management server and enhancing the terminal function, the use of the network identifier to identify the user is realized, which facilitates network supervision and realizes functions such as rapid traceability.
  • the present application provides an identification gateway, which includes: an establishing module, configured to pre-establish a first correspondence between a first Internet Protocol address of a terminal and a network identifier, where the network identifier corresponds to a user identifier of the terminal; and a conversion module, configured to perform network identifier conversion on a data packet from the terminal or sent to the terminal according to the first correspondence.
  • the establishing module is configured to: receive access information of the terminal, where the access information includes a user identifier and a first Internet Protocol address of the terminal; query a network identifier corresponding to the user identifier; and save or update the first correspondence.
  • the establishing module is configured to: receive a notification message or a keep-alive message of the terminal, where the notification message or the keep-alive message includes the access information, and the access information includes a user identifier and a first Internet Protocol address of the terminal; query the network identifier corresponding to the user identifier; and save or update the first correspondence.
  • the establishing module is further configured to: when the notification message or the keep-alive message is not received within a preset time, delete the first correspondence; or, when receiving the offline message of the terminal, send the offline message of the terminal to the identifier management server, receive the confirmation message of the identifier management server, delete the first correspondence, and return the confirmation message to the terminal.
  • the establishing module is configured to query the network identifier corresponding to the user identifier in the following manner: in a second correspondence between the preset user identifier and the network identifier, search for the network identifier corresponding to the user identifier; or, send a network identifier request to the identifier management server, where the network identifier request carries the user identifier, and receive the network identifier returned by the identifier management server.
  • the establishing module is further configured to: send an information update message to the identity management server; receive an acknowledgement message returned by the identity management server, and return an acknowledgement message to the terminal.
  • the network identifier includes a second Internet Protocol address; the conversion module is configured to: acquire the first Internet Protocol address of the terminal in a data packet from the terminal; search, in the first correspondence, for the network identifier corresponding to the first Internet Protocol address of the terminal; and replace the first Internet Protocol address of the terminal in the data packet from the terminal with the found network identifier; or
  • the network identifier conversion of a data packet sent to the terminal includes: obtaining the network identifier in the data packet sent to the terminal; searching, in the first correspondence, for the first Internet Protocol address of the terminal corresponding to the network identifier; and replacing the network identifier in the data packet sent to the terminal with the first Internet Protocol address of the found terminal.
  • the conversion module is further configured to: when the network identifier corresponding to the first Internet Protocol address of the terminal is not found in the first correspondence, discard the data packet from the terminal, or perform network address translation on the data packet from the terminal; or, when the first Internet Protocol address of the terminal corresponding to the network identifier is not found in the first correspondence, discard the data packet sent to the terminal, or perform network address translation on the data packet sent to the terminal.
  • the network identifier includes a second Internet Protocol address and a port range; the conversion module is configured to: acquire the first Internet Protocol address of the terminal and the first port of the terminal in a data packet from the terminal; search, in the first correspondence, for the network identifier corresponding to the first Internet Protocol address of the terminal; replace the first Internet Protocol address of the terminal in the data packet from the terminal with the second Internet Protocol address of the found network identifier, and replace the first port of the terminal in the data packet from the terminal with a second port not used in the port range of the found network identifier; and establish a third correspondence between the first Internet Protocol address of the terminal, the first port of the terminal, the second Internet Protocol address of the network identifier, and the second port of the network identifier.
  • the conversion module is further configured to: when the network identifier corresponding to the first Internet Protocol address of the terminal is not found in the first correspondence, discard the data packet from the terminal, or perform network address port translation on the data packet from the terminal.
  • the present application provides a terminal, including: an obtaining module, configured to acquire access information, where the access information includes a user identifier and a first Internet Protocol address of the terminal; and a first sending module, configured to send the access information to the identity gateway.
  • the first sending module is configured to perform one of the following operations: send the access information to the identity gateway according to a pre-configured third Internet Protocol address of the identity gateway; send the access information to the identity gateway according to the third Internet Protocol address of the identity gateway returned when the domain name of the identity gateway is resolved; or send the access information to the identity gateway according to a third Internet Protocol address of the identity gateway sent by the access gateway.
  • the first sending module is configured to: send a notification message or a keep-alive message to the identity gateway, where the notification message or the keep-alive message includes the access information.
  • the first sending module is configured to: periodically send the notification message or the keep-alive message to the identity gateway; or send the notification message or the keep-alive message to the identity gateway when the access information changes.
  • the first sending module is further configured to: send an offline message to the identity gateway; receive an acknowledgement message returned by the identity gateway; control the terminal to go offline; and release the first Internet Protocol address of the terminal.
  • the present application provides an identity management server, including: a receiving module, configured to receive a network identifier request of the identity gateway, where the network identifier request carries a user identifier; a processing module, configured to search, in a second correspondence between a preset user identifier and a network identifier, for the network identifier corresponding to the user identifier, or to allocate a network identifier according to the user identifier and save a second correspondence between the user identifier and the network identifier; and a second sending module, configured to send the network identifier to the identity gateway.
  • the second correspondence further includes a user status, where the user status includes at least one of the following: online, offline.
  • the receiving module is further configured to: receive an information update message; the processing module is further configured to: update the second correspondence; the second sending module is further configured to: return an acknowledgement message to the identity gateway.
  • the receiving module is further configured to: receive an offline message of the terminal; the processing module is further configured to: update the user status in the second correspondence to offline; the second sending module is further configured to: return an acknowledgement message to the identity gateway.
  • the present application provides an identification gateway including a first processor and a first computer readable storage medium, where the first computer readable storage medium stores first instructions, and when the first instructions are executed by the first processor, any one of the above network identifier mapping methods is implemented.
  • the present application provides a terminal, including a second processor and a second computer readable storage medium, where the second computer readable storage medium stores second instructions, and when the second instructions are executed by the second processor, any one of the above network identifier mapping methods is implemented.
  • the present application provides an identification management server, including a third processor and a third computer readable storage medium, where the third computer readable storage medium stores third instructions, and when the third instructions are executed by the third processor, any one of the above network identifier mapping methods is implemented.
  • the present application provides a computer readable storage medium having stored thereon a computer program, where the computer program, when executed by a processor, implements the steps of any one of the above network identifier mapping methods.
  • the above computer readable storage medium comprises at least one of the following: a flash memory, a hard disk, a multimedia card, a card type memory (such as a secure digital (SD) memory card), a data register (DR), a random access memory (RAM), a static random access memory (SRAM), a read-only memory (ROM), an electrically erasable programmable read-only memory (EEPROM), a programmable read-only memory (PROM), a magnetic memory, a magnetic disk, an optical disc, and the like.
  • the processor may be a central processing unit (CPU), a controller, a microcontroller, a microprocessor, or other data processing chip.
  • the present application provides a network identity mapping system, including: a terminal, configured to acquire access information, where the access information includes a user identifier and a first Internet Protocol address of the terminal, and to send the access information to the identifier gateway;
  • an identifier gateway, configured to receive the access information of the terminal, where the access information includes the user identifier and the first Internet Protocol address of the terminal; query a network identifier corresponding to the user identifier; save or update the first correspondence; and convert the network identifier of a data packet from the terminal or sent to the terminal according to the first correspondence.
  • the identifier gateway is configured to query the network identifier corresponding to the user identifier in the following manner: in a second correspondence between the preset user identifier and the network identifier, searching for the network identifier corresponding to the user identifier; or, sending a network identifier request to the identifier management server, where the network identifier request carries the user identifier, and receiving the network identifier returned by the identifier management server.
  • the network identifier mapping system further includes: an identifier management server, configured to receive the network identifier request for identifying the gateway, where the network identifier request carries the user identifier; in a second correspondence between the preset user identifier and the network identifier, The network identifier corresponding to the user identifier is searched; or the network identifier is allocated according to the user identifier, and the second correspondence between the user identifier and the network identifier is saved; and the network identifier is sent to the identifier gateway.
  • the terminal is configured to: acquire access information, where the access information includes a user identifier and a first Internet Protocol address of the terminal; and send a notification message or a keep-alive message to the identity gateway, where the notification message or the keep-alive message includes the access information.
  • the identifier gateway is configured to: receive the notification message or the keep-alive message of the terminal, where the notification message or the keep-alive message includes the access information; query the network identifier corresponding to the user identifier; save or update the first correspondence; and convert, according to the first correspondence, the network identifier of a data packet from the terminal or sent to the terminal.
  • the terminal is further configured to: send an offline message to the identity gateway; receive an acknowledgement message returned by the identity gateway, control the terminal to go offline, and release the first internet protocol address of the terminal.
  • the identifier gateway is further configured to: delete the first correspondence when the notification message or the keep-alive message is not received within a preset time; or, when receiving the offline message of the terminal, send the offline message of the terminal to the identity management server, receive the acknowledgement message of the identity management server, delete the first correspondence, and return a confirmation message to the terminal.
  • the identity management server is further configured to: when receiving the offline message of the terminal, update the user status in the second correspondence to offline, and return an acknowledgement message to the identity gateway.
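The following is an added illustration, not code from the patent or its applicant, of what the identifier gateway keeps and does for the NID in its second IP address + port range form: the third correspondence built on the first uplink packet (step 706), its reverse use on the downlink (step 709), its release after a period without data flow, and the deletion of all of a terminal's correspondences on an offline message or when the gateway-side keep-alive timer expires (steps 810 and 1013-1014). The class and method names are hypothetical; the NID request to the identifier management server is assumed to have already happened, so the NID is passed in directly.

```python
from typing import Dict, List, NamedTuple, Optional, Set, Tuple

Flow = Tuple[str, int]  # (IP address, port)


class NID(NamedTuple):
    """Network identifier in the 'second IP address + port range' form (range inclusive)."""
    ip: str
    port_lo: int
    port_hi: int


class Packet(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class IdentifierGateway:
    """Hypothetical gateway: first correspondence (first IP -> NID) plus third correspondence."""

    def __init__(self, idle_timeout: float, keepalive_timeout: float) -> None:
        self.idle_timeout = idle_timeout            # third correspondence with no data flow
        self.keepalive_timeout = keepalive_timeout  # gateway-side keep-alive timer (step 1006)
        self.first: Dict[str, Tuple[str, NID]] = {}  # first IP -> (user identifier, NID)
        self.last_keepalive: Dict[str, float] = {}   # first IP -> last notification/keep-alive
        self.up: Dict[Flow, Flow] = {}     # (first IP, first port) -> (second IP, second port)
        self.down: Dict[Flow, Flow] = {}   # reverse direction of the same third correspondence
        self.last_flow: Dict[Flow, float] = {}       # uplink key -> time of last data packet
        self.used_ports: Dict[str, Set[int]] = {}    # second IP -> second ports in use

    def register(self, user_id: str, first_ip: str, nid: NID, now: float) -> None:
        """Step 705: store the first correspondence once the NID has been obtained."""
        self.first[first_ip] = (user_id, nid)
        self.last_keepalive[first_ip] = now

    def keepalive(self, first_ip: str, now: float) -> bool:
        """Steps 1007-1012: a notification or keep-alive message resets the gateway timer."""
        if first_ip in self.first:
            self.last_keepalive[first_ip] = now
        return first_ip in self.first

    def _allocate_port(self, nid: NID) -> Optional[int]:
        """Lowest second port not yet used in the NID's port range, or None if exhausted."""
        used = self.used_ports.setdefault(nid.ip, set())
        for port in range(nid.port_lo, nid.port_hi + 1):
            if port not in used:
                used.add(port)
                return port
        return None

    def uplink(self, pkt: Packet, now: float) -> Optional[Packet]:
        """Step 706: source first IP + first port -> second IP + second port."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.up:
            entry = self.first.get(pkt.src_ip)
            if entry is None:
                return None  # no first correspondence: discard (one option the text allows)
            port = self._allocate_port(entry[1])
            if port is None:
                return None
            self.up[key] = (entry[1].ip, port)
            self.down[(entry[1].ip, port)] = key
        second_ip, second_port = self.up[key]
        self.last_flow[key] = now
        return Packet(second_ip, second_port, pkt.dst_ip, pkt.dst_port)

    def downlink(self, pkt: Packet, now: float) -> Optional[Packet]:
        """Step 709: destination second IP + second port -> first IP + first port."""
        key = (pkt.dst_ip, pkt.dst_port)
        if key not in self.down:
            return None  # no third correspondence for this NID/port: discard
        first_ip, first_port = self.down[key]
        self.last_flow[(first_ip, first_port)] = now
        return Packet(pkt.src_ip, pkt.src_port, first_ip, first_port)

    def _release_flow(self, key: Flow) -> None:
        second_ip, second_port = self.up.pop(key)
        del self.down[(second_ip, second_port)]
        del self.last_flow[key]
        self.used_ports[second_ip].discard(second_port)

    def logout(self, first_ip: str) -> bool:
        """Step 810 / step 1014: delete the first and all third correspondences of a terminal."""
        if first_ip not in self.first:
            return False
        for key in [k for k in self.up if k[0] == first_ip]:
            self._release_flow(key)
        del self.first[first_ip]
        del self.last_keepalive[first_ip]
        return True

    def expire(self, now: float) -> List[str]:
        """Release idle third correspondences, then log out terminals whose keep-alive
        timer has expired (step 1013); returns the first IPs that were logged out."""
        for key in [k for k, t in self.last_flow.items() if now - t > self.idle_timeout]:
            self._release_flow(key)
        expired = [ip for ip, t in self.last_keepalive.items() if now - t > self.keepalive_timeout]
        for ip in expired:
            self.logout(ip)
        return expired
```

With the NID 202.100.100.100 and port range 1024-2047 from the text, the first flow of a registered terminal leaves the gateway as 202.100.100.100:1024, the second as :1025, and a released port is handed out again to the next new flow.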

Abstract

Disclosed in the present application are a network identifier mapping method and system, a terminal, and an identification gateway. The network identifier mapping method comprises: pre-establishing a first corresponding relationship between a first Internet Protocol address of a terminal and a network identifier, wherein the network identifier corresponds to a user identifier of the terminal; and performing network identifier conversion on a data packet sent from the terminal or sent to the terminal according to the first corresponding relationship.

Description

Network identifier mapping method and system, terminal and identifier gateway
The present application claims priority to Chinese Patent Application No. 201810067623.9, filed with the Chinese Patent Office on January 24, 2018, the entire contents of which are incorporated herein by reference.
Technical field
The present application relates to the field of the Internet, for example to a network identifier mapping method and system, a terminal and an identifier gateway.
Background
In a traditional Transmission Control Protocol (TCP)/Internet Protocol (IP) network environment, a terminal accesses the Internet or an enterprise network through an access network. FIG. 1 is a schematic diagram of the structure of a network in the related art. As shown in FIG. 1, it includes:
User Equipment (UE): connects to the access gateway through a wired or wireless access technology, obtains an IP address from the access gateway after passing authentication, and then uses that IP address to access an application server in the Internet or enterprise network.
Access Gateway (AGW): the specific form of the access gateway differs with the access technology, for example a Packet Gateway (PGW) in mobile communications, a Broadband Access Server (BAS) in fixed access, a layer-3 switch in an enterprise network, or an Internet of Things gateway in the Internet of Things. In cooperation with the authentication server, it authenticates the terminal and, after authentication passes, selects an unoccupied IP address from a locally configured IP address pool and allocates it to the user. Therefore, the IP address obtained by the user differs with the user's access location and access time.
Authentication Server (AS): cooperates with the access gateway to authenticate the validity of the terminal and determine whether the terminal is allowed to access the network.
Internet/Intranet: provides various services for the terminal. The terminal communicates with application servers in the Internet/enterprise network using the IP address allocated by the access gateway; the IP address serves as the identifier of the terminal at the network layer, identifying the terminal and ensuring that data packets can be delivered correctly to each terminal.
IP addresses are usually allocated with a dynamic IP address allocation scheme. When the user's network location changes, a new IP address must be obtained, and that IP address can only be used at that topological location (for example, only within the jurisdiction of that access gateway). Moreover, even at the same network location, because allocation is dynamic, the IP address allocated differs when access occurs at different times.
As can be seen from the above discussion, the IP address of a terminal changes dynamically, and the IP address carried in an IP data packet cannot be directly associated with a user. In other words, the Internet or enterprise network today is an anonymous network, which is very unfavorable to network supervision (such as user identity tracing and network behavior analysis). The related art performs tracing through IP allocation logs, which is inefficient and of low accuracy.
Summary of the invention
The following is an overview of the subject matter described in detail herein. This overview is not intended to limit the scope of protection of the claims.
The present application provides a network identifier mapping method and system, a terminal and an identifier gateway, which can represent the identity of a user through a network identifier, thereby improving supervision efficiency.
The present application provides a network identifier mapping method, including: pre-establishing a first correspondence between a first Internet Protocol address of a terminal and a network identifier, where the network identifier corresponds to a user identifier of the terminal; and performing network identifier conversion on a data packet from the terminal or sent to the terminal according to the first correspondence.
The present application provides a network identifier mapping method, including: acquiring access information, where the access information includes a user identifier and a first Internet Protocol address of a terminal; and sending the access information to an identifier gateway.
The present application provides a network identifier mapping method, including: receiving a network identifier acquisition request from an identifier gateway, where the network identifier request carries a user identifier; searching, in a preset second correspondence between user identifiers and network identifiers, for the network identifier corresponding to the user identifier, or allocating a network identifier according to the user identifier and saving a second correspondence between the user identifier and the network identifier; and sending the network identifier to the identifier gateway.
The present application provides an identifier gateway, including: an establishing module, configured to pre-establish a first correspondence between a first Internet Protocol address of a terminal and a network identifier, where the network identifier corresponds to a user identifier of the terminal; and a conversion module, configured to perform network identifier conversion on a data packet from the terminal or sent to the terminal according to the first correspondence.
The present application provides a terminal, including: an obtaining module, configured to acquire access information, where the access information includes a user identifier and an Internet Protocol address of the terminal; and a first sending module, configured to send the access information to an identifier gateway.
The present application provides an identifier management server, including: a receiving module, configured to receive a network identifier acquisition request from an identifier gateway, where the network identifier request carries a user identifier; a processing module, configured to search, in a preset second correspondence between user identifiers and network identifiers, for the network identifier corresponding to the user identifier, or to allocate a network identifier according to the user identifier and save a second correspondence between the user identifier and the network identifier; and a second sending module, configured to send the network identifier to the identifier gateway.
The present application provides an identifier gateway, including a first processor and a first computer readable storage medium, where the first computer readable storage medium stores first instructions, and when the first instructions are executed by the first processor, any one of the above network identifier mapping methods is implemented.
The present application provides a terminal, including a second processor and a second computer readable storage medium, where the second computer readable storage medium stores second instructions, and when the second instructions are executed by the second processor, any one of the above network identifier mapping methods is implemented.
本申请提出了一种标识管理服务器,包括第三处理器和第三计算机可读存储介质,所述第三计算机可读存储介质中存储有第三指令,当所述第三指令被所述第三处理器执行时,实现上述任一种网络标识映射方法。The present application provides an identification management server including a third processor and a third computer readable storage medium, wherein the third computer readable storage medium stores a third instruction when the third instruction is When the three processors are executed, any one of the above network identifier mapping methods is implemented.
本申请提出了一种计算机可读存储介质,其上存储有计算机程序,其特征在于,所述计算机程序被处理器执行时实现上述任一种网络标识映射方法的步骤。The present application proposes a computer readable storage medium having stored thereon a computer program, characterized in that the computer program is executed by a processor to implement the steps of any of the above network identification mapping methods.
本申请提出了一种网络标识映射系统,包括:终端,设置为获取接入信息;其中,接入信息包括用户标识和终端的第一互联网协议地址;将接入信息发送给标识网关;标识网关,设置为接收所述终端的接入信息;其中,接入信息包括用户标识和终端的第一互联网协议地址;查询所述用户标识对应的网络标识,保存或更新所述第一对应关系;根据所述第一对应关系对来自所述终端或发往所述终端的数据包进行网络标识的转换。The present application provides a network identity mapping system, including: a terminal, configured to obtain access information; wherein the access information includes a user identifier and a first Internet Protocol address of the terminal; the access information is sent to the identity gateway; The access information is set to receive the access information of the terminal, where the access information includes a user identifier and a first Internet Protocol address of the terminal; querying a network identifier corresponding to the user identifier, and saving or updating the first correspondence relationship; The first correspondence relationship performs network identifier conversion on a data packet from the terminal or sent to the terminal.
Other aspects will become apparent upon reading and understanding the drawings and the detailed description.
Description of the Drawings
The drawings provide a further understanding of the technical solutions of the present application and form part of the specification; together with the embodiments of the present application they serve to explain the technical solutions and do not limit them.
FIG. 1 is a schematic structural diagram of a related-art network;
FIG. 2 is a schematic structural diagram of the network of the present application;
FIG. 3 is a flowchart of the network identifier mapping method on the identity gateway side according to the present application;
FIG. 4 is a flowchart of the network identifier mapping method on the terminal side according to the present application;
FIG. 5 is a flowchart of the network identifier mapping method on the identity management server side according to the present application;
FIG. 6 is a schematic structural diagram of a terminal according to a first embodiment of the present application;
FIG. 7 is an interaction diagram of the network identifier mapping method according to a second embodiment of the present application;
FIG. 8 is an interaction diagram of a terminal offline process according to a third embodiment of the present application;
FIG. 9 is an interaction diagram of a method for a terminal moving to a different access gateway according to a fourth embodiment of the present application;
FIG. 10 is an interaction diagram of a user state maintenance process according to a fifth embodiment of the present application;
FIG. 11 is a schematic structural diagram of an identity gateway of the present application;
FIG. 12 is a schematic structural diagram of a terminal of the present application;
FIG. 13 is a schematic structural diagram of an identity management server of the present application;
FIG. 14 is a schematic structural diagram of another identity gateway of the present application;
FIG. 15 is a schematic structural diagram of another terminal of the present application;
FIG. 16 is a schematic structural diagram of another identity management server of the present application;
FIG. 17 is a schematic structural diagram of the network identifier mapping system of the present application.
Detailed Description
Embodiments of the present application are described in detail below with reference to the accompanying drawings. It should be noted that, where no conflict arises, the embodiments of the present application and the features in the embodiments may be combined with one another arbitrarily.
The steps shown in the flowcharts of the drawings may be executed in a computer system such as a set of computer-executable instructions. Also, although a logical order is shown in the flowcharts, in some cases the steps shown or described may be performed in an order different from the one given here.
In the related-art network, the AGW and the AS cooperate to authenticate the legitimacy of the terminal. After authentication succeeds, the AGW selects an unoccupied IP address from its locally configured IP address pool and assigns it to the terminal, and the terminal then uses the assigned IP address to access application servers in the Internet or an enterprise network. Because the IP address assigned to the terminal changes dynamically, the IP address carried in a data packet does not reveal which user sent it, which is very unfavorable for network supervision.
The present application uses a network identifier (Network Identity, NID) to represent the user's identity, so that the user identity is represented by the network identifier, which improves supervision efficiency.
In one embodiment, starting from the related-art network structure (see FIG. 2), an identity client (Identity Client, IDC) is added to the terminal, and an identity gateway (Identity Gateway, IDGW), or an identity gateway together with an identity management server, is added between the AGW and the application servers to maintain the user's network identifier. Without changing the existing network infrastructure, the user identity is thus represented by the network identifier, which improves supervision efficiency.
Referring to FIG. 3, the present application provides a network identifier mapping method applied to an identity gateway, including step 300 and step 301.
In step 300, a first correspondence between the first Internet Protocol address of the terminal and the network identifier is established in advance.
In the present application, the network identifier corresponds to the user identifier of the terminal and does not change when the first IP address changes; the user identity is therefore represented by the network identifier, which improves supervision efficiency.
In the present application, the first correspondence may be configured statically or dynamically.
When the first correspondence is configured dynamically, several approaches are possible. For example: receive the access information of the terminal, query the network identifier corresponding to the user identifier, and save or update the first correspondence between the first Internet Protocol address and the network identifier. Alternatively: receive the access information of the terminal, allocate a network identifier to the terminal, and save the first correspondence.
In the present application, the access information includes the user identifier and the first Internet Protocol (IP) address of the terminal.
The user identifier may be a user name, an e-mail address, a telephone number, or the like.
In one embodiment, the access information further includes related information such as the access mode (for example 3G/4G access or Wireless Fidelity (Wi-Fi) access), access location information and access time information.
In one embodiment, the device information of the terminal is also received. The device information includes at least one of the following: a terminal device identifier, component information, hardware state and software state.
In the present application, the access information is received by way of a notification message or a keep-alive message from the terminal; the notification message or keep-alive message includes the access information. In one embodiment, the notification message or keep-alive message further includes the device information.
In the present application, the network identifier may take the form of a second IP address, or of a second IP address plus a port range. For example, the second IP address 202.100.100.100 alone may represent the network identifier, or the second IP address 202.100.100.100 plus the port range 1024 to 2047 may represent the network identifier.
In the present application, the network identifier corresponding to the user identifier may be queried by either of the following methods.
1. A second correspondence between user identifiers and network identifiers is set in advance, and the network identifier corresponding to the user identifier is looked up in the second correspondence.
2. A get-network-identifier request carrying the user identifier is sent to the identity management server, and the network identifier returned by the identity management server is received.
In the present application, after the network identifier corresponding to the user identifier has been queried, if no first correspondence for that network identifier has been saved before, the first correspondence between the first IP address in the access information and the queried network identifier is saved directly; if a first correspondence for that network identifier has already been saved, the first correspondence is updated when the first IP address in the access information differs from the first IP address that the saved first correspondence associates with the queried network identifier.
In step 301, network identifier conversion is performed on data packets coming from the terminal or addressed to the terminal according to the first correspondence.
For example, (1) when the network identifier takes the form of a second IP address:
If a data packet from the terminal is received, the terminal's first IP address is obtained from the source Internet Protocol address field of the packet, the network identifier corresponding to the first IP address is looked up in the first correspondence, the first IP address in the source Internet Protocol address field is replaced with the found network identifier, and the packet is then forwarded to the application server in the Internet or enterprise network. In this way the network identifier, rather than the first IP address, represents the user identity in the Internet or enterprise network; because the network identifier corresponds to the user identifier and does not change when the first IP address changes, supervision efficiency is improved.
In the above case, when no network identifier corresponding to the terminal's first IP address is found in the first correspondence, one of the following is performed: the packet from the terminal is discarded; Network Address Translation (NAT) is applied to the packet so that the service can proceed normally; or NAT is applied to the packet but the range to which it may be forwarded is limited, for example only to application servers with a lower security level.
If a data packet addressed to the terminal is received, the network identifier is obtained from the destination Internet Protocol address field of the packet, the terminal's first IP address corresponding to the network identifier is looked up in the first correspondence, the network identifier in the destination Internet Protocol address field is replaced with the found first IP address, and the packet is then sent to the terminal.
In the above case, when no first IP address corresponding to the network identifier is found in the first correspondence, the packet addressed to the terminal is discarded, or NAT is applied to it.
(2) When the network identifier takes the form of a second IP address plus a port range:
If a data packet from the terminal is received for the first time, the terminal's first IP address is obtained from the source IP address field of the packet and the terminal's first port from its source port field; the network identifier corresponding to the first IP address is looked up in the first correspondence; the first IP address in the source IP address field is replaced with the second IP address of the found network identifier, and the first port in the source port field is replaced with an unused second port from the port range of the found network identifier; and a third correspondence between the first IP address, the first port, the second IP address and the second port is established.
If a further data packet from the terminal is subsequently received, the second IP address and second port of the network identifier corresponding to the first IP address and first port are first looked up in the third correspondence, the first IP address in the source IP address field is replaced with the found second IP address, and the first port in the source port field is replaced with the found second port.
If no second IP address and second port corresponding to the first IP address and first port are found in the third correspondence, the network identifier corresponding to the first IP address is looked up in the first correspondence; the first IP address in the source IP address field is replaced with the second IP address of the found network identifier, the first port in the source port field is replaced with an unused second port from the port range of the found network identifier, and a third correspondence between the first IP address, the first port, the second IP address and the second port is established.
In the above case, when no network identifier corresponding to the first IP address is found in the first correspondence, one of the following is performed: the packet from the terminal is discarded; Network Address Port Translation (NAPT) is applied to the packet so that the service can proceed normally; or NAPT is applied to the packet so that the service can proceed, but the range to which it may be forwarded is limited, for example only to application servers with a lower security level.
If a data packet addressed to the terminal is received, the first IP address and first port corresponding to the second IP address of the network identifier in the destination IP address field and the second port of the network identifier in the destination port field are looked up in the third correspondence; the second IP address in the destination IP address field is replaced with the found first IP address, and the second port in the destination port field is replaced with the found first port.
In the above case, when no first IP address and first port corresponding to the second IP address of the network identifier in the destination IP address field and the second port of the network identifier in the destination port field are found in the third correspondence, the packet addressed to the terminal is discarded, or NAPT is applied to it.
In the above case, when a third correspondence has not been used for network identifier conversion within a certain period, it may be deleted to save storage space.
In one embodiment, when at least one of the received access information and device information has changed, the method further includes: sending an information update message to the identity management server so that the identity management server updates at least one of the user state, the access information and the device information; and, upon receiving the confirmation message returned by the identity management server, returning a confirmation message to the terminal.
In one embodiment, the method further includes: deleting the first correspondence when no notification message or keep-alive message has been received within a preset time, or when an offline message from the terminal is received.
When an offline message from the terminal is received, a confirmation message may be returned to the terminal so that the terminal goes offline and releases its IP address after receiving the confirmation; alternatively, no confirmation message is returned to the terminal.
When an offline message from the terminal is received, the terminal's offline message may also be forwarded to the identity management server so that the identity management server updates the user state in the second correspondence; upon receiving the confirmation message from the identity management server, the first correspondence and the third correspondence are deleted and a confirmation message is returned to the terminal.
When no notification message or keep-alive message has been received within the preset time, an offline message for the terminal may also be sent to the identity management server so that the identity management server updates the user state in the second correspondence.
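The following is an added illustration of the identity-gateway logic described for steps 300 and 301 above (saving or updating the first correspondence from access information, the two forms of network identifier, the policies for unmapped packets, idle expiry of the third correspondence, and deletion on offline). It is not code from the patent or its applicant; the class and method names, the NAT pool address and all IP addresses in it are constructed for the example.

```python
"""Identity-gateway mapping logic as an added illustration; this is not the
patent's code. IdentityGateway, Nid, UnmappedPolicy, the method names and all
addresses are constructed for the example."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Tuple

Packet = Dict[str, object]            # keys: src_ip, src_port, dst_ip, dst_port


class UnmappedPolicy(Enum):
    DROP = "drop"                     # discard packets that have no mapping
    NAT = "nat"                       # ordinary NAT/NAPT so the service still works
    RESTRICTED_NAT = "restricted"     # NAT, but only towards low-security servers


@dataclass(frozen=True)
class Nid:
    """Network identifier: a second IP address, optionally with a port range."""
    ip: str
    ports: Optional[range] = None     # None selects the plain second-IP form


@dataclass
class IdentityGateway:
    policy: UnmappedPolicy = UnmappedPolicy.DROP
    nat_ip: str = "198.51.100.1"                  # constructed NAT pool address
    low_security_servers: frozenset = frozenset()
    first: Dict[str, Nid] = field(default_factory=dict)   # first IP -> NID
    third: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)
    last_used: Dict[Tuple[str, int], float] = field(default_factory=dict)

    def on_access_info(self, first_ip: str, nid: Nid) -> str:
        """Save or update the first correspondence after the NID lookup (step 300)."""
        if self.first.get(first_ip) == nid:
            return "unchanged"
        stale = [ip for ip, n in self.first.items() if n == nid and ip != first_ip]
        for ip in stale:                   # terminal re-attached with a new first IP
            self.on_offline(ip)
        self.first[first_ip] = nid
        return "updated" if stale else "saved"

    def on_offline(self, first_ip: str) -> None:
        """Offline message or keep-alive timeout: delete first and third correspondences."""
        self.first.pop(first_ip, None)
        for key in [k for k in self.third if k[0] == first_ip]:
            del self.third[key]
            self.last_used.pop(key, None)

    def _free_port(self, nid: Nid) -> int:
        used = {p for ip, p in self.third.values() if ip == nid.ip}
        for port in nid.ports:
            if port not in used:
                return port
        raise RuntimeError("port range of %s exhausted" % nid.ip)

    def from_terminal(self, pkt: Packet, now: float = 0.0) -> Optional[Packet]:
        """Uplink (step 301): rewrite the source; returns None when the packet is dropped."""
        pkt = dict(pkt)
        key = (pkt["src_ip"], pkt["src_port"])
        if key in self.third:                      # existing NAPT-style binding
            self.last_used[key] = now
            pkt["src_ip"], pkt["src_port"] = self.third[key]
            return pkt
        nid = self.first.get(pkt["src_ip"])
        if nid is None:
            return self._unmapped(pkt)
        if nid.ports is None:                      # second-IP form
            pkt["src_ip"] = nid.ip
            return pkt
        second = (nid.ip, self._free_port(nid))    # second-IP + port-range form
        self.third[key], self.last_used[key] = second, now
        pkt["src_ip"], pkt["src_port"] = second
        return pkt

    def _unmapped(self, pkt: Packet) -> Optional[Packet]:
        if self.policy is UnmappedPolicy.DROP:
            return None
        if (self.policy is UnmappedPolicy.RESTRICTED_NAT
                and pkt["dst_ip"] not in self.low_security_servers):
            return None
        pkt["src_ip"] = self.nat_ip                # plain NAT carries no identity
        return pkt

    def to_terminal(self, pkt: Packet) -> Optional[Packet]:
        """Downlink: map the NID in the destination back to the first IP (and port)."""
        pkt = dict(pkt)
        for key, second in self.third.items():
            if second == (pkt["dst_ip"], pkt["dst_port"]):
                pkt["dst_ip"], pkt["dst_port"] = key
                return pkt
        for first_ip, nid in self.first.items():
            if nid.ports is None and nid.ip == pkt["dst_ip"]:
                pkt["dst_ip"] = first_ip
                return pkt
        return None                                # no mapping: discard

    def expire_idle(self, now: float, timeout: float) -> int:
        """Delete third correspondences unused for longer than timeout; returns count."""
        idle = [k for k, t in self.last_used.items() if now - t > timeout]
        for k in idle:
            del self.third[k]
            del self.last_used[k]
        return len(idle)
```

The design point worth noting is that only the DROP policy keeps the supervision property the patent is after: under NAT or RESTRICTED_NAT a packet with no first correspondence leaves the gateway carrying the NAT pool address rather than any identity, so an operator choosing those policies should log such packets separately and keep the set of low-security servers small.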
Referring to FIG. 4, the present application provides a network identifier mapping method applied to a terminal, including step 400 and step 401.
In step 400, access information is obtained.
In the present application, the access information includes the user identifier and the first IP address of the terminal.
The user identifier may be a user name, an e-mail address, a telephone number, or the like.
In one embodiment, the access information further includes related information such as the access mode (for example 3G/4G access or Wi-Fi access), access location information and access time information.
In one embodiment, the device information of the terminal is also obtained.
The device information includes at least one of the following: a terminal device identifier, component information, hardware state and software state.
In step 401, the access information is sent to the identity gateway.
In the present application, the terminal must know the third IP address of the identity gateway before it can send the access information to it; the third IP address of the identity gateway may be learned in any of the following ways.
1. The third IP address of the identity gateway is pre-configured in the terminal.
2. The domain name of the identity gateway is pre-configured in the terminal, and when the Domain Name System (DNS) resolves that domain name it returns the third IP address of the identity gateway according to the user's access location.
3. When the access gateway sends the first IP address assigned to the terminal, it also sends the third IP address or the domain name of the identity gateway to the terminal.
In the present application, the access information may be sent to the identity gateway in a notification message or a keep-alive message; the notification message or keep-alive message includes the access information. In one embodiment, the notification message or keep-alive message further includes the device information.
In one embodiment, the notification message or keep-alive message may be sent to the identity gateway periodically; or a notification message or keep-alive message is sent to the identity gateway when the access information changes; or a notification message or keep-alive message is sent to the identity gateway when the device information changes.
In one embodiment, when the terminal needs to go offline, the method further includes: sending an offline message to the identity gateway; and, when the confirmation message returned by the identity gateway is received, taking the terminal offline and releasing its first IP address.
The above network identifier mapping method may be implemented by providing an identity client in the terminal. The identity client is a component of the terminal that can obtain the access information and device information from the terminal's other components. The user identity is thus represented by the network identifier without changing the hardware structure of the terminal, which improves supervision efficiency.
参见图5,本申请提出了一种网络标识映射方法,应用于标识管理服务器,包括步骤500,步骤501和步骤502。Referring to FIG. 5, the present application provides a network identifier mapping method, which is applied to an identity management server, and includes steps 500, 501, and 502.
在步骤500中,接收到标识网关的获取网络标识请求,所述网络标识请求携带用户标识。In step 500, a network identification request is generated that identifies the gateway, and the network identification request carries the user identifier.
本申请中,网络标识请求还可携带以下至少之一:终端的设备信息、接入方式、接入位置信息、接入时间信息。In this application, the network identifier request may also carry at least one of the following: device information, access mode, access location information, and access time information of the terminal.
在步骤501中,在预先设置的用户标识和网络标识之间的第二对应关系中,查找所述用户标识对应的网络标识;或者,根据用户标识分配网络标识,并保 存用户标识和网络标识之间的第二对应关系。In step 501, in the second correspondence between the user identifier and the network identifier, the network identifier corresponding to the user identifier is searched for; or the network identifier is allocated according to the user identifier, and the user identifier and the network identifier are saved. The second correspondence between the two.
本申请中,用户标识和网络标识之间的对应关系可以是一一对应的关系,或者一对多的关系。当用户标识和网络标识之间的对应关系为一对多的对应关系时,可以根据用户标识、其他接入信息或设备信息选取合适的网络标识。例如,第二对应关系还包括以下至少之一:In this application, the correspondence between the user identifier and the network identifier may be a one-to-one correspondence or a one-to-many relationship. When the correspondence between the user identifier and the network identifier is a one-to-many correspondence, the appropriate network identifier may be selected according to the user identifier, other access information, or device information. For example, the second correspondence further includes at least one of the following:
the terminal's device information, access mode, access location information, access time information, and user status.
The user status is at least one of: online, offline.
Thus, if the network identifier request also carries at least one of the terminal's device information, access mode, access location information or access time information, the lookup in the second correspondence is keyed on the user identifier together with that additional information and returns the matching network identifier.
In one concrete implementation the second correspondence maps the pair (user identifier, access time information) to a network identifier; the network identifier request then carries the user identifier and the access time information, and the lookup returns the network identifier matching both.
In this application, when a network identifier is allocated on the basis of the user identifier, an unused network identifier may be selected from a network identifier resource pool.
In step 502, the network identifier is sent to the identity gateway.
In one embodiment the method further comprises: on receiving an information update message, updating the second correspondence and returning an acknowledgement to the identity gateway.
The information update message carries at least one of: the terminal's device information, access information.
In one embodiment the method further comprises: on receiving an offline message for the terminal, setting the user status in the second correspondence to offline and returning an acknowledgement to the identity gateway.
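To make the server-side procedure of steps 501 and 502 concrete, the following Python model is an added example; it is not code from the application or its embodiments. It implements the second correspondence as a list of candidate rules per user identifier (one-to-one when a user has a single rule, one-to-many when rules are narrowed by access time or access location), allocates from a pool of unused network identifiers when a user has no configured mapping, keeps the online/offline user status, and acknowledges update and offline messages from the identity gateway. The class and method names, the use of an hour-of-day window as the "access time information", the user names and the addresses are assumptions; the address 202.100.100.100 with port ranges is the form of NID the description itself uses.

```python
"""Identity management server model (added example, not code from the patent).

Second correspondence: user identifier -> one or more candidate NIDs, each
optionally narrowed by an access-time window or access location. Users with
no configured mapping get an unused NID from a resource pool. A user status
(online / offline) is kept per user. All names and data are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class NID:
    ip: str                                        # second IP address
    port_range: Optional[Tuple[int, int]] = None   # None: NID is the bare second IP address


@dataclass
class Rule:
    """One candidate NID for a user; hours / location narrow when it applies."""
    nid: NID
    hours: Optional[Tuple[int, int]] = None        # half-open hour-of-day window [start, end)
    location: Optional[str] = None                 # access location, None matches any

    def matches(self, access_hour: Optional[int], access_location: Optional[str]) -> bool:
        if self.hours is not None:
            if access_hour is None or not (self.hours[0] <= access_hour < self.hours[1]):
                return False
        if self.location is not None and self.location != access_location:
            return False
        return True

    def specificity(self) -> int:
        return int(self.hours is not None) + int(self.location is not None)


class IdentityManagementServer:
    def __init__(self, pool: List[NID]):
        self._pool: List[NID] = list(pool)         # unused NIDs available for allocation
        self._rules: Dict[str, List[Rule]] = {}    # second correspondence: user id -> candidate NIDs
        self._status: Dict[str, str] = {}          # user id -> "online" | "offline"
        self._info: Dict[str, dict] = {}           # latest device / access information per user

    def configure(self, user_id: str, rule: Rule) -> None:
        """Pre-set part of the second correspondence (one-to-one or one-to-many)."""
        self._rules.setdefault(user_id, []).append(rule)
        # most specific rules are tried first, so an unconstrained rule acts as the default
        self._rules[user_id].sort(key=Rule.specificity, reverse=True)

    def get_nid(self, user_id: str, access_hour: Optional[int] = None,
                access_location: Optional[str] = None) -> Optional[NID]:
        """Steps 501-502: answer the gateway's get-NID request.

        Returns None when no rule matches the access information, or when the
        user is unknown and the pool is exhausted."""
        rules = self._rules.get(user_id)
        if not rules:
            if not self._pool:
                return None
            nid = self._pool.pop(0)
            self._rules[user_id] = [Rule(nid)]     # persist the allocation as a one-to-one mapping
        else:
            nid = next((r.nid for r in rules if r.matches(access_hour, access_location)), None)
            if nid is None:
                return None
        self._status[user_id] = "online"
        self._info[user_id] = {"access_hour": access_hour, "access_location": access_location}
        return nid

    def handle_update(self, user_id: str, **info) -> bool:
        """Information update message: refresh device / access information, acknowledge."""
        if user_id not in self._rules:
            return False
        self._info.setdefault(user_id, {}).update(info)
        return True

    def handle_offline(self, user_id: str) -> bool:
        """Offline message: mark the user offline; the NID mapping itself is retained."""
        if user_id not in self._rules:
            return False
        self._status[user_id] = "offline"
        return True

    def status(self, user_id: str) -> Optional[str]:
        return self._status.get(user_id)

    def info(self, user_id: str) -> dict:
        return dict(self._info.get(user_id, {}))
```

The rule ordering matters: with one-to-many mappings, a request that carries no access time cannot match a time-window rule and falls through to the unconstrained default, so every user with narrowed rules should also have one unconstrained rule or the lookup can fail.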
The implementation of the network identifier mapping method of this application is described in detail below through specific embodiments.
First embodiment
FIG. 6 is a schematic diagram of the structure of a terminal according to the first embodiment of this application. As shown in FIG. 6, a typical terminal comprises basic hardware and program modules running on that hardware.
The basic hardware includes a central processing unit, memory or storage, a modem, and so on.
The program modules include an operating system, a communication module that drives the modem, application programs, and so on.
Program modules are generally stored in memory or storage and executed by the central processing unit.
The communication module drives the modem to communicate: for example, it goes online by attaching to the access gateway and receiving the first IP address the access gateway allocates, or goes offline by detaching from the access gateway and releasing the first IP address.
While online, application programs use the first IP address to communicate with application servers on the Internet or in the enterprise network and so provide services to the user.
In this embodiment an identity client is added to the terminal. It has an interface to, and capabilities over, the communication module: for example, it can bring the communication module online or offline; it can detect when the communication module goes online or offline; it can use the first IP address to communicate with the identity gateway through the communication module; and it can obtain access information from the communication module, such as the user identifier used to go online, the terminal's first IP address, access time information and access location information.
In one embodiment, the identity client can also interact with the basic hardware to obtain device information.
In this terminal structure the identity client is a component layered on top of the existing terminal architecture. It does not affect the basic functions of the existing components, in particular not those of the application programs, and so has good compatibility.
Second embodiment
FIG. 7 is an interaction diagram of the network identifier mapping method according to the second embodiment of this application. As shown in FIG. 7, the method comprises steps 700 to 709.
In step 700, the terminal attaches to the access gateway and the authentication server authenticates the user's legitimacy.
The authentication procedure in this step is closely tied to the access technology and is not described further here.
In this step, the terminal is identified during attachment to the access gateway by a user identifier, which may be a username (for example a QQ username), an e-mail address, a telephone number, and so on.
In step 701, once authentication succeeds, the access gateway allocates a first IP address to the terminal.
In this step, the first IP address is generally allocated dynamically.
In step 702, the terminal's identity client sends a notification message to the identity gateway. The notification carries the user identifier and the allocated first IP address, and may further include device information and other access information.
In this step, device information includes but is not limited to the terminal device identifier, component information, hardware state and software state.
Access information may further include the access mode (for example 3G/4G access or Wi-Fi access), access location information, access time information, and so on.
In this step the identity client, being a component of the terminal, can obtain the access information and device information from the terminal's other components.
In this embodiment the identity client must know the address of the identity gateway in order to send it the notification message. Ways of obtaining it include, but are not limited to: a third IP address of the identity gateway pre-configured on the terminal; a domain name of the identity gateway pre-configured on the terminal, with DNS returning the identity gateway's third IP address according to the user's access location information when the name is resolved; or the access gateway informing the terminal of the identity gateway's third IP address or domain name when it allocates the first IP address.
In step 703, the identity gateway sends a get-NID request to the identity management server. The request carries the user identifier and may further carry device information and other access information.
In step 704, the identity management server looks up the corresponding NID in the second correspondence between user identifiers and NIDs and sends the NID to the identity gateway.
In this step, the identity management server is configured with the second correspondence between user identifiers and NIDs. The most basic correspondence is one-to-one, and it may further be one-to-many. With a one-to-one correspondence the identity management server obtains the NID directly from the user identifier; with a one-to-many correspondence it selects the appropriate NID according to the user identifier together with the device identifier, access location information and the like.
In this step, the NID may take the form of a second IP address, or of a second IP address plus a port range. For example, the second IP address 202.100.100.100 alone may represent an NID, or the second IP address 202.100.100.100 together with the port range 1024-2047 may represent an NID.
Where the NID sits in a packet depends on its form. If the NID is a second IP address, it is carried in the source IP address field of packets from the terminal and in the destination IP address field of packets to the terminal. If the NID is a second IP address plus a port range, it is carried in the source IP address and source port fields of packets from the terminal and in the destination IP address and destination port fields of packets to the terminal.
In step 705, the identity gateway establishes the first correspondence between the terminal's first IP address and the NID, and returns an acknowledgement to the identity client.
In this step, the first correspondence may additionally include the user identifier.
In step 706, whenever the identity gateway subsequently receives an uplink packet from the terminal, it performs network identifier translation, replacing the terminal's first IP address, or the terminal's first IP address and first port, in the packet with the NID.
In this step, the NID uniquely identifies the user on the Internet or in the enterprise network. For example, when the NID is represented by a second IP address, the identity gateway replaces the terminal's first IP address in the packet's source IP address field with the NID and leaves the source port unchanged; this process resembles Network Address Translation (NAT).
When the NID is represented by a second IP address plus a port range, the identity gateway replaces the terminal's first IP address in the source IP address field with the NID's second IP address, and replaces the source first port with a second port not yet in use within the NID's port range; this process resembles Network Address Port Translation (NAPT).
While doing so, the identity gateway establishes a third correspondence between the first IP address, the first port, the second IP address and the second port, and maintains the state of that correspondence; for example, if the third correspondence carries no traffic for a certain time it is released.
In step 707, the identity gateway forwards the packet carrying the NID to the application server on the Internet or in the government/enterprise network.
In step 708, the application server sends a packet addressed to the NID, which is routed to the identity gateway.
In step 709, the identity gateway looks up the first correspondence by NID to determine the corresponding terminal's first IP address and first port, replaces the NID's second IP address in the destination IP address field with the terminal's first IP address and the NID's second port in the destination port field with the terminal's first port, and then forwards the packet to the terminal.
This is the same as the handling of downlink traffic in NAT and NAPT.
Subsequent packets repeat steps 706 to 709. Note that on receiving a subsequent uplink packet the identity gateway first checks whether a third correspondence already exists; if so it translates according to the existing third correspondence, otherwise it establishes one as in step 706.
If the identity gateway receives packets from the terminal before steps 702 to 705 have completed, it may handle them in one of the following ways:
1) discard the packets;
2) apply conventional NAT or NAPT so that the service can proceed normally;
3) apply conventional NAT or NAPT but restrict where the packets may be delivered, for example only to application servers with low security requirements.
In cases 2) and 3), the packets travelling on the Internet or the government/enterprise network carry the terminal's first IP address, or first IP address plus first port, rather than the NID, and can no longer uniquely identify the user.
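The gateway data path of steps 705 to 709 together with the three options for packets that arrive before registration, as an added Python example that is not code from the application: the NID is in its "second IP address + port range" form, so uplink translation is NAPT-like; the first correspondence (first IP to NID) selects the NID, a free second port is taken from the NID's range, and the third correspondence (first IP, first port, second IP, second port) is kept with an idle timeout and indexed in both directions for downlink packets. The fallback NAT address 198.51.100.1, the 300 second idle timeout, the packet-as-dict representation and the server addresses are assumptions; the NID 202.100.100.100 with port range 1024-2047 is the one used in the description. Two points the description leaves implicit are handled here: option 3) is checked on every packet of a fallback binding, not only when the binding is created (otherwise a binding opened towards a low-security server could be reused to reach any server), and registration discards fallback bindings so that traffic immediately carries the NID.

```python
"""Identity gateway data path (added example, not code from the patent).

Steps 705-709 with the NID as "second IP + port range" (NAPT-like), plus the
drop / NAT / restricted-NAT options for packets seen before registration.
Addresses, timeout and packet format are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class NID:
    ip: str                          # second IP address
    port_range: Tuple[int, int]      # inclusive (low, high), e.g. (1024, 2047)


DROP, PLAIN_NAT, RESTRICTED_NAT = "drop", "nat", "restricted"   # options 1) 2) 3)


class IdentityGateway:
    def __init__(self, nat_ip: str, unregistered_policy: str = DROP,
                 low_security_servers=(), idle_timeout: float = 300.0):
        self.nat_ip = nat_ip                            # conventional NAT address for fallback (assumed)
        self.policy = unregistered_policy
        self.low_security = set(low_security_servers)   # servers reachable under option 3)
        self.idle_timeout = idle_timeout
        self.first: Dict[str, NID] = {}                 # first correspondence: first IP -> NID
        # third correspondence, indexed both ways:
        #   up:   (first IP, first port) -> (second IP, second port, last seen, is_fallback)
        #   down: (second IP, second port) -> (first IP, first port)
        self.up: Dict[Tuple[str, int], Tuple[str, int, float, bool]] = {}
        self.down: Dict[Tuple[str, int], Tuple[str, int]] = {}
        self._next_nat_port = 40000

    def register(self, first_ip: str, nid: NID) -> None:
        """Step 705. Fallback bindings made before registration are dropped so later packets carry the NID."""
        self.first[first_ip] = nid
        self._purge(first_ip)

    def deregister(self, first_ip: str) -> None:
        """Steps 810 / 1014: delete the terminal's first and third correspondences."""
        self.first.pop(first_ip, None)
        self._purge(first_ip)

    def translate_uplink(self, pkt: dict, now: float) -> Optional[dict]:
        """Step 706: returns the rewritten packet, or None if it is to be dropped."""
        self._expire(now)
        key = (pkt["src_ip"], pkt["src_port"])
        bound = self.up.get(key)
        if bound is None:
            nid = self.first.get(pkt["src_ip"])
            if nid is None:                             # steps 702-705 not yet completed
                if not self._fallback_allowed(pkt["dst_ip"]):
                    return None
                bound = self._bind(key, self.nat_ip, self._take_nat_port(), now, fallback=True)
            else:
                port = self._free_port(nid)
                if port is None:
                    return None                         # NID port range exhausted
                bound = self._bind(key, nid.ip, port, now, fallback=False)
        second_ip, second_port, _, fallback = bound
        if fallback and not self._fallback_allowed(pkt["dst_ip"]):
            return None                                 # option 3) enforced per packet
        self.up[key] = (second_ip, second_port, now, fallback)
        return {**pkt, "src_ip": second_ip, "src_port": second_port}

    def translate_downlink(self, pkt: dict, now: float) -> Optional[dict]:
        """Step 709: map (second IP, second port) back to (first IP, first port)."""
        self._expire(now)
        key = (pkt["dst_ip"], pkt["dst_port"])
        first = self.down.get(key)
        if first is None:
            return None                                 # no binding: nothing to deliver to
        second_ip, second_port, _, fallback = self.up[first]
        self.up[first] = (second_ip, second_port, now, fallback)
        return {**pkt, "dst_ip": first[0], "dst_port": first[1]}

    def _fallback_allowed(self, dst_ip: str) -> bool:
        if self.policy == PLAIN_NAT:
            return True
        return self.policy == RESTRICTED_NAT and dst_ip in self.low_security

    def _bind(self, key, second_ip, second_port, now, fallback):
        self.up[key] = (second_ip, second_port, now, fallback)
        self.down[(second_ip, second_port)] = key
        return self.up[key]

    def _free_port(self, nid: NID) -> Optional[int]:
        low, high = nid.port_range
        return next((p for p in range(low, high + 1) if (nid.ip, p) not in self.down), None)

    def _take_nat_port(self) -> int:
        self._next_nat_port += 1
        return self._next_nat_port - 1

    def _expire(self, now: float) -> None:
        for key, (sip, sport, last, _) in list(self.up.items()):
            if now - last > self.idle_timeout:
                del self.up[key]
                self.down.pop((sip, sport), None)

    def _purge(self, first_ip: str) -> None:
        for key in [k for k in self.up if k[0] == first_ip]:
            sip, sport, _, _ = self.up.pop(key)
            self.down.pop((sip, sport), None)
```

The idle timeout releases only the third correspondence; the first correspondence survives until an explicit offline message or a keepalive timeout removes it, which is why a downlink packet for an expired port is dropped while a new uplink packet from the same terminal is still translated to the NID.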
Third embodiment
FIG. 8 is an interaction diagram of the terminal going offline according to the third embodiment of this application. As shown in FIG. 8, it comprises steps 800 to 812.
Steps 800 to 805 are the same as steps 700 to 705.
In step 806, the identity client detects that the user is going offline, for example because the user operates the client to go offline and enter the offline state.
In step 807, the identity client sends an offline message to the identity gateway.
In step 808, the identity gateway sends an offline message to the identity management server.
In step 809, the identity management server sets the user status in the second correspondence to offline and returns an acknowledgement.
In step 810, the identity gateway deregisters the user, deletes the first and third correspondences that were established, and deletes the packet forwarding state.
In step 811, the identity gateway returns an acknowledgement to the identity client.
In step 812, the identity client takes the terminal offline and the first IP address is released.
Fourth embodiment
FIG. 9 is an interaction diagram of the method when a terminal moves and changes access gateway, according to the fourth embodiment of this application. As shown in FIG. 9, when the terminal moves from access gateway 1 to access gateway 2 the first IP address allocated by the network also changes; the procedure comprises steps 900 to 910.
In step 900, following the procedure of the second embodiment, the terminal accesses application servers on the Internet or in the enterprise network via access gateway 1 and the identity gateway.
In step 901, the terminal attaches to access gateway 2, for example because it has moved.
In step 902, access gateway 2 allocates a new first IP address to the terminal.
In step 903, the identity client detects the change of access and sends a notification message to the identity gateway carrying the user identifier, the new first IP address and other information; the identity gateway updates the first correspondence.
In step 904, the identity gateway sends an information update message to the identity management server.
In step 905, the identity management server updates the second correspondence, for example the user's access location information and user status, and returns an acknowledgement.
In step 906, the identity gateway returns an acknowledgement to the identity client.
Steps 907 to 910 are the same as steps 706 to 709, except that the terminal now communicates using the new first IP address and the identity gateway translates between the new first IP address and the network identifier.
This embodiment shows that when the user changes access gateway and the first IP address changes, the network identifier used on the Internet/enterprise network stays the same, so the user can be located directly by network identifier, which strengthens network supervision capability.
Fifth embodiment
FIG. 10 is an interaction diagram of the user status maintenance procedure according to the fifth embodiment of this application. As shown in FIG. 10, it comprises steps 1000 to 1016.
Steps 1000 to 1005 are the same as steps 700 to 705 of the second embodiment.
In step 1006, both the identity client and the identity gateway start keepalive timers; the period of the identity client's keepalive timer is shorter than that of the identity gateway's timer.
In steps 1007 and 1008, the identity client's keepalive timer expires and the identity client sends a notification message, or a keepalive message, to the identity gateway.
In step 1009, if the access information has changed, the identity gateway sends an information update message to the identity management server; otherwise it proceeds directly to step 1011.
In step 1010, the identity management server returns an acknowledgement.
In step 1011, the identity gateway returns an acknowledgement to the identity client.
In step 1012, the identity gateway resets its keepalive timer and keeps the user's online status unchanged.
In step 1013, if the terminal goes offline, the identity client can no longer send notification or keepalive messages to the identity gateway, and the keepalive timer on the identity gateway expires.
In step 1014, the identity gateway concludes that the terminal is offline, deregisters it and deletes all of its correspondences.
In step 1015, the identity gateway sends an offline message for the terminal to the identity management server.
In step 1016, the identity management server sets the user status in the second correspondence to offline and returns an acknowledgement.
Through this procedure the network side correctly maintains the terminal's online status.
On the basis of the above method, by deploying an identity gateway and an identity management server and enhancing the terminal, without changing the existing network equipment, users are identified by network identifier, which facilitates network supervision and enables rapid tracing and similar functions.
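The third, fourth and fifth embodiments describe one session lifecycle seen from three angles. The following Python simulation is an added example, not code from the application, that drives that lifecycle with a simulated clock: registration (steps 702 to 705), keepalive with a client period shorter than the gateway timer (steps 1006 to 1012), a move to a new access gateway that changes the first IP address while the NID stays fixed (steps 901 to 906), explicit offline (steps 806 to 812), and offline inferred by the gateway when its keepalive timer expires (steps 1013 to 1016). The class names, the 30 second client period and 90 second gateway timer, the user name, the cell identifiers used as access location information and the addresses are assumptions; the identity management server is reduced to a preconfigured one-to-one second correspondence because the lookup itself is not the point here.

```python
"""Identity session lifecycle (added example, not code from the patent).

Third, fourth and fifth embodiments on a simulated clock: register, keepalive,
mobility (new first IP, same NID), explicit offline, and offline inferred from
an expired gateway keepalive timer. All names and values are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def timers_valid(client_period: float, gateway_timeout: float) -> bool:
    """Step 1006: the client must send keepalives more often than the gateway times out."""
    return 0 < client_period < gateway_timeout


@dataclass
class Server:
    """Identity management server: preconfigured one-to-one second correspondence plus status."""
    nids: Dict[str, str]                                   # user id -> NID (second IP address)
    status: Dict[str, str] = field(default_factory=dict)   # user id -> "online" | "offline"
    location: Dict[str, Optional[str]] = field(default_factory=dict)

    def get_nid(self, user_id: str, access_location: Optional[str]) -> str:   # steps 703-704
        self.status[user_id] = "online"
        self.location[user_id] = access_location
        return self.nids[user_id]

    def update(self, user_id: str, access_location: Optional[str]) -> str:    # steps 904-905
        self.location[user_id] = access_location
        return "ack"

    def offline(self, user_id: str) -> str:                # steps 808-809 and 1015-1016
        self.status[user_id] = "offline"
        return "ack"


@dataclass
class Session:
    user_id: str
    first_ip: str
    nid: str
    access_location: Optional[str]
    deadline: float                                        # gateway keepalive timer expiry


class Gateway:
    def __init__(self, server: Server, keepalive_timeout: float):
        self.server = server
        self.timeout = keepalive_timeout
        self.sessions: Dict[str, Session] = {}             # user id -> session
        self.first: Dict[str, str] = {}                    # first correspondence: first IP -> NID

    def on_notify(self, msg: dict, now: float) -> str:
        """Notification or keepalive from the identity client (steps 702-705, 903-906, 1007-1012)."""
        user_id, first_ip, loc = msg["user_id"], msg["first_ip"], msg.get("access_location")
        s = self.sessions.get(user_id)
        if s is None:
            nid = self.server.get_nid(user_id, loc)
            self.sessions[user_id] = Session(user_id, first_ip, nid, loc, now + self.timeout)
            self.first[first_ip] = nid
            return "ack"
        if first_ip != s.first_ip or loc != s.access_location:
            # mobility: re-key the first correspondence, keep the NID, inform the server
            self.first.pop(s.first_ip, None)
            s.first_ip, s.access_location = first_ip, loc
            self.first[first_ip] = s.nid
            self.server.update(user_id, loc)
        s.deadline = now + self.timeout                    # step 1012: reset the keepalive timer
        return "ack"

    def on_offline(self, user_id: str) -> str:
        """Explicit offline from the client (steps 807-811)."""
        s = self.sessions.pop(user_id, None)
        if s is None:
            return "unknown"
        self.server.offline(user_id)
        self.first.pop(s.first_ip, None)
        return "ack"

    def tick(self, now: float) -> List[str]:
        """Steps 1013-1016: deregister sessions whose keepalive timer has expired."""
        expired = [u for u, s in self.sessions.items() if now > s.deadline]
        for u in expired:
            s = self.sessions.pop(u)
            self.first.pop(s.first_ip, None)
            self.server.offline(u)
        return expired


class Client:
    """Identity client on the terminal."""
    def __init__(self, user_id: str, gateway: Gateway, period: float):
        if not timers_valid(period, gateway.timeout):
            raise ValueError("client keepalive period must be shorter than the gateway timer")
        self.user_id, self.gw, self.period = user_id, gateway, period
        self.first_ip: Optional[str] = None
        self.location: Optional[str] = None

    def go_online(self, first_ip: str, location: Optional[str], now: float) -> str:
        """Step 702; also step 903 when a new access gateway hands out a new first IP."""
        self.first_ip, self.location = first_ip, location
        return self.keepalive(now)

    move = go_online                                       # same message, different trigger

    def keepalive(self, now: float) -> str:
        return self.gw.on_notify({"user_id": self.user_id, "first_ip": self.first_ip,
                                  "access_location": self.location}, now)

    def go_offline(self) -> str:
        return self.gw.on_offline(self.user_id)
```

A client whose period is not shorter than the gateway timer is rejected at construction, since with equal or longer periods every keepalive would arrive after the gateway had already deregistered the terminal and marked it offline.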
Referring to FIG. 11, this application proposes an identity gateway comprising: an establishing module, configured to establish in advance a first correspondence between a terminal's first Internet Protocol address and a network identifier, the network identifier corresponding to the terminal's user identifier; and a translation module, configured to perform network identifier translation on packets from or to the terminal according to the first correspondence.
In one embodiment the establishing module is configured to: receive the terminal's access information, the access information comprising the user identifier and the terminal's first Internet Protocol address; look up the network identifier corresponding to the user identifier; and save or update the first correspondence.
In one embodiment the establishing module is configured to: receive a notification message or keepalive message from the terminal, the notification or keepalive message comprising the access information, which comprises the user identifier and the terminal's first Internet Protocol address; look up the network identifier corresponding to the user identifier; and save or update the first correspondence.
In one embodiment the establishing module is further configured to: delete the first correspondence when no notification or keepalive message is received within a preset time; or, on receiving an offline message from the terminal, send the terminal's offline message to the identity management server, delete the first correspondence on receiving the identity management server's acknowledgement, and return an acknowledgement to the terminal.
In one embodiment the establishing module looks up the network identifier corresponding to the user identifier in one of the following ways: by looking it up in a preset second correspondence between user identifiers and network identifiers; or by sending a get-network-identifier request carrying the user identifier to the identity management server and receiving the network identifier it returns.
In one embodiment the establishing module is further configured to: send an information update message to the identity management server, and on receiving the identity management server's acknowledgement return an acknowledgement to the terminal.
In one embodiment the network identifier comprises a second Internet Protocol address, and the translation module is configured to: obtain the terminal's first Internet Protocol address from a packet from the terminal; look up the network identifier corresponding to that first Internet Protocol address in the first correspondence; and replace the terminal's first Internet Protocol address in the packet with the network identifier found. Correspondingly, translating a packet to the terminal according to the first correspondence comprises: obtaining the network identifier from the packet; looking up the terminal's first Internet Protocol address corresponding to that network identifier in the first correspondence; and replacing the network identifier in the packet with the first Internet Protocol address found.
In one embodiment the translation module is further configured to: when no network identifier corresponding to the terminal's first Internet Protocol address is found in the first correspondence, discard the packet from the terminal or apply network address translation to it; or, when no terminal first Internet Protocol address corresponding to the network identifier is found in the first correspondence, discard the packet to the terminal or apply network address translation to it.
In one embodiment the network identifier comprises a second Internet Protocol address and a port range, and the translation module is configured to: obtain the terminal's first Internet Protocol address and first port from a packet from the terminal; look up the network identifier corresponding to the first Internet Protocol address in the first correspondence; replace the terminal's first Internet Protocol address in the packet with the second Internet Protocol address of the network identifier found, and replace the terminal's first port with a second port not yet in use within the port range of that network identifier; and establish a third correspondence between the terminal's first Internet Protocol address, the terminal's first port, the network identifier's second Internet Protocol address and the network identifier's second port.
In one embodiment the translation module is further configured to: when no network identifier corresponding to the terminal's first Internet Protocol address is found in the first correspondence, discard the packet from the terminal or apply network address port translation to it.
Referring to FIG. 12, this application proposes a terminal comprising: an obtaining module, configured to obtain access information comprising the user identifier and the terminal's first Internet Protocol address; and a first sending module, configured to send the access information to the identity gateway.
In one embodiment the first sending module is configured to do one of the following: send the access information to the identity gateway at a pre-configured third Internet Protocol address of the identity gateway; send it to the third Internet Protocol address of the identity gateway returned by the domain name system when the identity gateway's domain name is resolved; or send it to the third Internet Protocol address of the identity gateway supplied by the access gateway.
In one embodiment the first sending module is configured to send a notification message or keepalive message to the identity gateway, the notification or keepalive message comprising the access information.
In one embodiment the first sending module is configured to send the notification or keepalive message to the identity gateway periodically, or to send it when the access information changes.
In one embodiment the first sending module is further configured to: send an offline message to the identity gateway; and, on receiving the identity gateway's acknowledgement, take the terminal offline and release the terminal's first Internet Protocol address.
Referring to FIG. 13, this application proposes an identity management server comprising: a receiving module, configured to receive a get-network-identifier request from the identity gateway, the request carrying a user identifier; a processing module, configured to look up the network identifier corresponding to the user identifier in a preset second correspondence between user identifiers and network identifiers, or to allocate a network identifier according to the user identifier and save the second correspondence between them; and a second sending module, configured to send the network identifier to the identity gateway.
In one embodiment the second correspondence further includes a user status, which is at least one of: online, offline.
In one embodiment the receiving module is further configured to receive an information update message; the processing module is further configured to update the second correspondence; and the second sending module is further configured to return an acknowledgement to the identity gateway.
In one embodiment the receiving module is further configured to receive an offline message for the terminal; the processing module is further configured to set the user status in the second correspondence to offline; and the second sending module is further configured to return an acknowledgement to the identity gateway.
Referring to FIG. 14, this application proposes an identity gateway comprising a first processor and a first computer-readable storage medium storing first instructions which, when executed by the first processor, implement any of the network identifier mapping methods described above.
Referring to FIG. 15, this application proposes a terminal comprising a second processor and a second computer-readable storage medium storing second instructions which, when executed by the second processor, implement any of the network identifier mapping methods described above.
Referring to FIG. 16, this application proposes an identity management server comprising a third processor and a third computer-readable storage medium storing third instructions which, when executed by the third processor, implement any of the network identifier mapping methods described above.
This application also proposes a computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of any of the network identifier mapping methods described above.
The computer-readable storage medium comprises at least one of: flash memory; a hard disk; a multimedia card; a card-type memory such as a Secure Digital memory card (SD card) or Data Register (DR) memory; random access memory (RAM); static random access memory (SRAM); read-only memory (ROM); electrically erasable programmable read-only memory (EEPROM); programmable read-only memory (PROM); magnetic memory; magnetic disk; optical disc; and the like.
The processor may be a central processing unit (CPU), a controller, a microcontroller, a microprocessor, or another data processing chip.
Referring to FIG. 17, this application proposes a network identifier mapping system comprising: a terminal, configured to obtain access information comprising the user identifier and the terminal's first Internet Protocol address and to send the access information to an identity gateway; and the identity gateway, configured to receive the terminal's access information comprising the user identifier and the terminal's first Internet Protocol address, look up the network identifier corresponding to the user identifier, save or update the first correspondence, and perform network identifier translation on packets from or to the terminal according to the first correspondence.
在一个实施例中,标识网关设置为采用以下方式实现查询所述用户标识对应的网络标识:在预先设置的用户标识和网络标识之间的第二对应关系中,查找所述用户标识对应的网络标识;或者,向标识管理服务器发送获取网络标识请求,所述网络标识请求携带用户标识;接收所述标识管理服务器返回的网络标识。网络标识映射系统还包括:标识管理服务器,设置为接收到标识网关的获取网络标识请求,所述网络标识请求携带用户标识;在预先设置的用户标识和网络标识之间的第二对应关系中,查找所述用户标识对应的网络标识;或者,根据用户标识分配网络标识,并保存用户标识和网络标识之间的第二对应关系;将网络标识发送给标识网关。In an embodiment, the identifier gateway is configured to query the network identifier corresponding to the user identifier in the following manner: in a second correspondence between the preset user identifier and the network identifier, searching for a network corresponding to the user identifier The identifier is sent to the identifier management server, where the network identifier request carries the user identifier, and the network identifier returned by the identifier management server is received. The network identifier mapping system further includes: an identifier management server, configured to receive the network identifier request for identifying the gateway, where the network identifier request carries the user identifier; in a second correspondence between the preset user identifier and the network identifier, The network identifier corresponding to the user identifier is searched; or the network identifier is allocated according to the user identifier, and the second correspondence between the user identifier and the network identifier is saved; and the network identifier is sent to the identifier gateway.
在一个实施例中,终端设置为:获取接入信息;其中,接入信息包括用户标识和终端的第一互联网协议地址;向所述标识网关发送通知消息或保活消息,所述通知消息或所述保活消息包括所述接入信息。标识网关设置为:接收所述终端的通知消息或保活消息,所述通知消息或所述保活消息包括所述接入信息;查询所述用户标识对应的网络标识,保存或更新所述第一对应关系;根据所述第一对应关系对来自所述终端或发往所述终端的数据包进行网络标识的转换。In an embodiment, the terminal is configured to: acquire access information, where the access information includes a user identifier and a first internet protocol address of the terminal; and send a notification message or a keep-alive message to the identity gateway, where the notification message or The keep-alive message includes the access information. The identifier gateway is configured to receive a notification message or a keep-alive message of the terminal, where the notification message or the keep-alive message includes the access information, query a network identifier corresponding to the user identifier, and save or update the a correspondence relationship; converting, according to the first correspondence, a network identifier from a data packet sent by the terminal or sent to the terminal.
在一个实施例中,终端还设置为:向所述标识网关发送下线消息;接收到所述标识网关返回的确认消息,控制所述终端下线,并释放所述终端的第一互联网协议地址;标识网关还设置为:当在预设时间内没有接收到所述通知消息或所述保活消息时,删除所述第一对应关系;或者,当接收到所述终端的下线 消息时,向所述标识管理服务器发送所述终端的下线消息,接收到所述标识管理服务器的确认消息,删除所述第一对应关系,并向所述终端返回确认消息。标识管理服务器还设置为:当接收到终端的下线消息时,将所述第二对应关系中的用户状态更新为已下线,并向标识网关返回确认消息。In an embodiment, the terminal is further configured to: send an offline message to the identity gateway; receive an acknowledgement message returned by the identity gateway, control the terminal to go offline, and release the first internet protocol address of the terminal. The identifier gateway is further configured to: delete the first correspondence when the notification message or the keep-alive message is not received within a preset time; or, when receiving the offline message of the terminal, Sending an offline message of the terminal to the identity management server, receiving an acknowledgement message of the identity management server, deleting the first correspondence, and returning a confirmation message to the terminal. The identity management server is further configured to: when receiving the offline message of the terminal, update the user status in the second correspondence to the offline line, and return an acknowledgement message to the identity gateway.
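The control-plane behaviour described for the FIG. 17 system (notify and keep-alive messages, the preset time-out, the offline exchange and the identifier management server's second correspondence with its user status) can be modelled end to end. The following is an added example and not code from the patent or its assignee; the message names, the 60-second time-out, the address pool and every user identifier and address in it are constructed assumptions.

```python
"""Control-plane model of the FIG. 17 system: terminal -> identifier gateway ->
identifier management server. Added example, not code from the patent or its
assignee; message names, the time-out and all identifiers/addresses are
constructed assumptions."""
from dataclasses import dataclass
from ipaddress import IPv4Network
from typing import Dict, List, Optional

ONLINE, OFFLINE = "online", "offline"


@dataclass
class Binding:
    """Second correspondence entry: network identifier plus user status for one user."""
    network_id: str
    status: str = ONLINE


class IdentifierManagementServer:
    """Owns the second correspondence (user identifier -> network identifier, status)."""

    def __init__(self, pool: IPv4Network) -> None:
        self._free = pool.hosts()                 # identifiers handed out in order (assumption)
        self._bindings: Dict[str, Binding] = {}

    def get_network_id(self, user_id: str) -> str:
        """Answer a get-network-identifier request: look the user up, or allocate on first sight."""
        entry = self._bindings.get(user_id)
        if entry is None:
            entry = Binding(network_id=str(next(self._free)))
            self._bindings[user_id] = entry
        entry.status = ONLINE                     # a query means the user is (back) online
        return entry.network_id

    def offline(self, user_id: str) -> bool:
        """Handle an offline message; the True result is the acknowledgement to the gateway."""
        entry = self._bindings.get(user_id)
        if entry is None:
            return False
        entry.status = OFFLINE
        return True

    def status(self, user_id: str) -> Optional[str]:
        entry = self._bindings.get(user_id)
        return None if entry is None else entry.status


@dataclass
class Mapping:
    """First correspondence entry: the user and network identifier behind one terminal IP."""
    user_id: str
    network_id: str
    last_seen: float                              # time of the last notify/keep-alive


class IdentifierGateway:
    """Owns the first correspondence (terminal IP -> network identifier) and its lifetime."""

    KEEPALIVE_TIMEOUT = 60.0                      # seconds; the "preset time" (assumed value)

    def __init__(self, server: IdentifierManagementServer) -> None:
        self._server = server
        self._first: Dict[str, Mapping] = {}

    def on_access_info(self, user_id: str, terminal_ip: str, now: float) -> str:
        """Handle a notify or keep-alive message carrying (user identifier, first IP address)."""
        current = self._first.get(terminal_ip)
        if current is not None and current.user_id == user_id:
            current.last_seen = now               # keep-alive: refresh the timer only
            return current.network_id
        # New terminal, or a different user now on this IP: query the server and (re)save.
        network_id = self._server.get_network_id(user_id)
        self._first[terminal_ip] = Mapping(user_id, network_id, now)
        return network_id

    def expire(self, now: float) -> List[str]:
        """Delete mappings whose keep-alive lapsed and report each of those users offline."""
        stale = [ip for ip, m in self._first.items()
                 if now - m.last_seen > self.KEEPALIVE_TIMEOUT]
        for ip in stale:
            self._server.offline(self._first.pop(ip).user_id)
        return stale

    def on_offline(self, terminal_ip: str) -> bool:
        """Terminal-initiated offline: the server acknowledges first, then the mapping goes."""
        m = self._first.get(terminal_ip)
        if m is None or not self._server.offline(m.user_id):
            return False
        del self._first[terminal_ip]
        return True                               # acknowledgement returned to the terminal

    def active_terminals(self) -> List[str]:
        return list(self._first)


def run_scenario() -> dict:
    """Constructed walk-through: notify, keep-alive, time-out, offline, re-attach from a new IP."""
    server = IdentifierManagementServer(IPv4Network("198.51.100.0/24"))  # documentation range
    gw = IdentifierGateway(server)
    out = {}
    out["alice_nid"] = gw.on_access_info("alice", "10.0.0.5", now=0.0)       # notify
    out["bob_nid"] = gw.on_access_info("bob", "10.0.0.6", now=10.0)
    gw.on_access_info("alice", "10.0.0.5", now=30.0)                         # keep-alives
    gw.on_access_info("bob", "10.0.0.6", now=80.0)
    out["expired"] = gw.expire(now=100.0)            # alice silent for 70 s > 60 s time-out
    out["alice_status"] = server.status("alice")
    out["bob_ack"] = gw.on_offline("10.0.0.6")       # bob goes offline explicitly
    out["bob_status"] = server.status("bob")
    out["alice_again"] = gw.on_access_info("alice", "10.0.0.9", now=200.0)   # new IP, same user
    out["active"] = gw.active_terminals()
    return out


if __name__ == "__main__":
    print(run_scenario())
```

Two points of the design are worth noticing. The network identifier stays bound to the user identifier across the user's first-IP changes (alice re-attaches from a new address and receives the same identifier), which is what makes the identifier usable for attribution and policy. The gateway also accepts the user identifier as presented in the access message; in a deployment that value should be bound to the authenticated access session rather than taken from an unauthenticated notify, since a mapping keyed on a self-declared identifier would let one terminal's traffic be attributed to another user.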

Claims (24)

  1. A network identifier mapping method, comprising:
    pre-establishing a first correspondence between a first Internet Protocol address of a terminal and a network identifier, wherein the network identifier corresponds to a user identifier of the terminal; and
    performing network identifier conversion on data packets from the terminal or destined for the terminal according to the first correspondence.
  2. The network identifier mapping method according to claim 1, wherein pre-establishing the first correspondence between the first Internet Protocol address of the terminal and the network identifier comprises:
    receiving access information of the terminal, wherein the access information includes the user identifier and the Internet Protocol address of the terminal; and
    querying the network identifier corresponding to the user identifier, and saving or updating the first correspondence.
  3. The network identifier mapping method according to claim 2, further comprising:
    in response to not receiving the access information within a preset time, deleting the first correspondence and sending an offline message of the terminal to an identifier management server;
    or, in response to receiving an offline message of the terminal, sending the offline message of the terminal to the identifier management server, receiving an acknowledgement message from the identifier management server, deleting the first correspondence, and returning an acknowledgement message to the terminal.
  4. The network identifier mapping method according to claim 2, wherein querying the network identifier corresponding to the user identifier comprises:
    looking up, in a preset second correspondence between user identifiers and network identifiers, the network identifier corresponding to the user identifier;
    or, sending a get-network-identifier request to an identifier management server, the request carrying the user identifier, and receiving the network identifier returned by the identifier management server.
  5. The network identifier mapping method according to claim 2, further comprising:
    sending an information update message to an identifier management server; and
    receiving an acknowledgement message returned by the identifier management server, and returning an acknowledgement message to the terminal.
  6. The network identifier mapping method according to claim 1, wherein the network identifier comprises a second Internet Protocol address;
    performing network identifier conversion on a data packet from the terminal according to the first correspondence comprises: obtaining the first Internet Protocol address of the terminal from the data packet from the terminal; looking up, in the first correspondence, the network identifier corresponding to the first Internet Protocol address; and replacing the first Internet Protocol address in the data packet from the terminal with the network identifier found;
    or, performing network identifier conversion on a data packet destined for the terminal according to the first correspondence comprises: obtaining the network identifier from the data packet destined for the terminal; looking up, in the first correspondence, the first Internet Protocol address corresponding to the network identifier; and replacing the network identifier in the data packet destined for the terminal with the first Internet Protocol address.
  7. The network identifier mapping method according to claim 1, wherein the network identifier comprises a second Internet Protocol address and a port range,
    and performing network identifier conversion on a data packet from the terminal according to the first correspondence comprises:
    obtaining, from the data packet from the terminal, the first Internet Protocol address of the terminal and a first port of the terminal;
    looking up, in the first correspondence, the network identifier corresponding to the Internet Protocol address of the terminal;
    replacing the first Internet Protocol address of the terminal in the data packet from the terminal with the second Internet Protocol address of the network identifier found, and replacing the first port of the terminal in the data packet from the terminal with a second port that is not in use within the port range of the network identifier found; and
    establishing a third correspondence between the pair formed by the first Internet Protocol address and the first port and the pair formed by the second Internet Protocol address and the second port.
  8. A network identifier mapping method, comprising:
    obtaining access information, wherein the access information includes a user identifier and a first Internet Protocol address of a terminal; and
    sending the access information to an identifier gateway.
  9. The network identifier mapping method according to claim 8, wherein sending the access information to the identifier gateway comprises one of the following:
    sending the access information to the identifier gateway according to a pre-configured second Internet Protocol address of the identifier gateway;
    sending the access information to the identifier gateway according to the second Internet Protocol address of the identifier gateway returned by the domain name system when resolving the domain name of the identifier gateway;
    sending the access information to the identifier gateway according to the second Internet Protocol address of the identifier gateway sent by an access gateway.
  10. The network identifier mapping method according to claim 8 or 9, further comprising:
    sending an offline message to the identifier gateway; and
    on receiving the acknowledgement message returned by the identifier gateway, taking the terminal offline and releasing the first Internet Protocol address of the terminal.
  11. A network identifier mapping method, comprising:
    receiving a get-network-identifier request from an identifier gateway, the request carrying a user identifier;
    looking up, in a preset correspondence between the user identifier and the network identifier, the network identifier corresponding to the user identifier; or, allocating the network identifier according to the user identifier and saving the correspondence between the user identifier and the network identifier; and
    sending the network identifier to the identifier gateway.
  12. The network identifier mapping method according to claim 11, wherein the correspondence further includes a user status, the user status comprising at least one of: online and offline.
  13. The network identifier mapping method according to claim 12, further comprising:
    in response to receiving an information update message, updating the correspondence and returning an acknowledgement message to the identifier gateway;
    or, in response to receiving an offline message of a terminal, updating the user status in the correspondence to offline and returning an acknowledgement message to the identifier gateway.
  14. An identifier gateway, comprising:
    an establishing module, configured to pre-establish a correspondence between an Internet Protocol address of a terminal and a network identifier, wherein the network identifier corresponds to a user identifier of the terminal; and
    a conversion module, configured to perform network identifier conversion on data packets from the terminal or destined for the terminal according to the correspondence.
  15. The identifier gateway according to claim 14, wherein the establishing module is configured to:
    receive access information of the terminal, wherein the access information includes the user identifier and the Internet Protocol address of the terminal; and query the network identifier corresponding to the user identifier, and save or update the correspondence.
  16. A terminal, comprising:
    an obtaining module, configured to obtain access information, wherein the access information includes a user identifier and an Internet Protocol address of the terminal; and
    a sending module, configured to send the access information to an identifier gateway.
  17. The terminal according to claim 16, wherein the sending module is further configured to:
    send an offline message to the identifier gateway; and
    on receiving the acknowledgement message returned by the identifier gateway, take the terminal offline and release the Internet Protocol address of the terminal.
  18. An identifier management server, comprising:
    a receiving module, configured to receive, from an identifier gateway, a request for obtaining a network identifier, the request carrying a user identifier;
    a processing module, configured to look up, in a preset correspondence between the user identifier and the network identifier, the network identifier corresponding to the user identifier, or to allocate the network identifier according to the user identifier and save the correspondence between the user identifier and the network identifier; and
    a sending module, configured to send the network identifier to the identifier gateway.
  19. An identifier gateway, comprising a processor and a computer-readable storage medium storing computer instructions which, when executed by the processor, implement the network identifier mapping method according to any one of claims 1 to 7.
  20. A terminal, comprising a processor and a computer-readable storage medium storing computer instructions which, when executed by the processor, implement the network identifier mapping method according to any one of claims 8 to 10.
  21. An identifier management server, comprising a processor and a computer-readable storage medium storing computer instructions which, when executed by the processor, implement the network identifier mapping method according to any one of claims 11 to 13.
  22. A computer-readable storage medium on which a computer program is stored, the computer program, when executed by a processor, implementing the network identifier mapping method according to any one of claims 1 to 13.
  23. A network identifier mapping system, comprising:
    a terminal, configured to obtain access information, wherein the access information includes a user identifier and an Internet Protocol address of the terminal, and to send the access information to an identifier gateway; and
    the identifier gateway, configured to receive the access information of the terminal, wherein the access information includes the user identifier and the Internet Protocol address of the terminal; to query the network identifier corresponding to the user identifier and save or update a first correspondence between the Internet Protocol address of the terminal and the network identifier; and to perform network identifier conversion on data packets from the terminal or destined for the terminal according to the first correspondence.
  24. The network identifier mapping system according to claim 23, wherein the identifier gateway is configured to query the network identifier corresponding to the user identifier in the following manner:
    sending a request for obtaining a network identifier to an identifier management server, the request carrying the user identifier, and receiving the network identifier returned by the identifier management server;
    the network identifier mapping system further comprising:
    the identifier management server, configured to receive, from the identifier gateway, the request for obtaining a network identifier, the request carrying the user identifier; to look up, in a preset second correspondence between user identifiers and network identifiers, the network identifier corresponding to the user identifier, or to allocate a network identifier according to the user identifier and save the second correspondence between the user identifier and the network identifier; and to send the network identifier to the identifier gateway.
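Claims 6 and 7 describe the gateway's data-plane step: look the terminal's first IP address up in the first correspondence, rewrite it to the network identifier's second IP address, pick an unused port from the identifier's port range, and record the (first IP, first port) to (second IP, second port) pair as the third correspondence so that packets destined for the terminal can be mapped back. The block below is an added example of that conversion module and is not code from the patent or its assignee; the Packet and NetworkIdentifier types, the per-user port ranges and all addresses and ports in it are constructed assumptions. It goes slightly beyond the claim text by handling two failure modes a practitioner would want covered: an inbound packet with no third-correspondence entry (dropped rather than forwarded) and an exhausted port range.

```python
"""Data-plane model of the identifier gateway's conversion step (claims 6 and 7).
Added example, not code from the patent or its assignee; Packet, NetworkIdentifier
and every address, port and port range here are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass, replace
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]  # (IP address, port)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes = b""


@dataclass(frozen=True)
class NetworkIdentifier:
    """Claim 7 shape: a second IP address plus a port range reserved for one user."""
    address: str
    ports: range


class ConversionModule:
    """Rewrites packets using the first correspondence (terminal IP -> network identifier)
    and the third correspondence (terminal IP:port <-> second IP:second port)."""

    def __init__(self) -> None:
        self._first: Dict[str, NetworkIdentifier] = {}
        self._third: Dict[Endpoint, Endpoint] = {}       # (first IP, first port) -> external
        self._third_rev: Dict[Endpoint, Endpoint] = {}   # external -> (first IP, first port)
        self._used: Dict[str, Set[int]] = defaultdict(set)  # second IP -> ports in use

    def bind(self, terminal_ip: str, nid: NetworkIdentifier) -> None:
        """Save the first correspondence once the access information has been processed."""
        self._first[terminal_ip] = nid

    def unbind(self, terminal_ip: str) -> int:
        """Delete the first correspondence and every third-correspondence entry built on it."""
        self._first.pop(terminal_ip, None)
        stale = [k for k in self._third if k[0] == terminal_ip]
        for k in stale:
            ext = self._third.pop(k)
            self._third_rev.pop(ext, None)
            self._used[ext[0]].discard(ext[1])
        return len(stale)

    def outbound(self, pkt: Packet) -> Packet:
        """Packet from the terminal: (first IP, first port) -> (second IP, unused second port)."""
        nid = self._first.get(pkt.src_ip)
        if nid is None:
            raise LookupError(f"no first correspondence for {pkt.src_ip}")
        key = (pkt.src_ip, pkt.src_port)
        ext = self._third.get(key)
        if ext is None:
            free = (p for p in nid.ports if p not in self._used[nid.address])
            port = next(free, None)
            if port is None:
                raise RuntimeError(f"port range of {nid.address} exhausted")
            ext = (nid.address, port)
            self._third[key] = ext                      # establish the third correspondence
            self._third_rev[ext] = key
            self._used[nid.address].add(port)
        return replace(pkt, src_ip=ext[0], src_port=ext[1])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Packet destined for the terminal: reverse the third correspondence.
        Returns None (drop) when no entry exists, i.e. unsolicited inbound traffic."""
        internal = self._third_rev.get((pkt.dst_ip, pkt.dst_port))
        if internal is None:
            return None
        return replace(pkt, dst_ip=internal[0], dst_port=internal[1])


def run_example() -> dict:
    """Constructed walk-through with two users sharing one second IP via disjoint port ranges."""
    gw = ConversionModule()
    gw.bind("10.0.0.5", NetworkIdentifier("198.51.100.1", range(1024, 1027)))  # 3 ports
    gw.bind("10.0.0.6", NetworkIdentifier("198.51.100.1", range(2048, 2052)))
    out = {}
    a1 = gw.outbound(Packet("10.0.0.5", 40000, "203.0.113.10", 443))
    a2 = gw.outbound(Packet("10.0.0.5", 40001, "203.0.113.10", 443))
    again = gw.outbound(Packet("10.0.0.5", 40000, "203.0.113.10", 443))   # same flow, same mapping
    b1 = gw.outbound(Packet("10.0.0.6", 40000, "203.0.113.10", 443))      # same first port, other user
    out["a1"] = (a1.src_ip, a1.src_port)
    out["a2"] = (a2.src_ip, a2.src_port)
    out["a1_stable"] = (again.src_ip, again.src_port) == out["a1"]
    out["b1"] = (b1.src_ip, b1.src_port)
    reply = gw.inbound(Packet("203.0.113.10", 443, "198.51.100.1", 1024))
    out["reply_to"] = (reply.dst_ip, reply.dst_port)
    out["unsolicited"] = gw.inbound(Packet("203.0.113.10", 443, "198.51.100.1", 1026))
    gw.outbound(Packet("10.0.0.5", 40002, "203.0.113.10", 443))           # takes the last port
    try:
        gw.outbound(Packet("10.0.0.5", 40003, "203.0.113.10", 443))
        out["exhausted"] = False
    except RuntimeError:
        out["exhausted"] = True
    out["released"] = gw.unbind("10.0.0.5")                              # terminal goes offline
    out["after_unbind"] = gw.inbound(Packet("203.0.113.10", 443, "198.51.100.1", 1024))
    return out
```

Because each user's port range is reserved in advance, a log record of (second IP, second port, time) identifies the user without a per-flow log; this is the operational advantage of the claim 7 form over plain address-only translation, and it is also why the gateway should refuse inbound packets that do not match a third-correspondence entry and should release all of a terminal's entries when its first correspondence is deleted.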
PCT/CN2019/071730 | priority date 2018-01-24 | filing date 2019-01-15 | Network identifier mapping method and system, terminal, and identification gateway | WO2019144826A1 (en)

Applications Claiming Priority (2)

Application Number | Priority Date | Filing Date | Title
CN201810067623.9 | 2018-01-24 | |
CN201810067623.9A (CN110071984A, en) | 2018-01-24 | 2018-01-24 | A kind of network identity mapping method and system and terminal, mark gateway

Publications (1)

Publication Number | Publication Date
WO2019144826A1 (en) | 2019-08-01

Family ID: 67365539

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
PCT/CN2019/071730 (WO2019144826A1, en) | Network identifier mapping method and system, terminal, and identification gateway | 2018-01-24 | 2019-01-15

Country Status (2)

Country | Link
CN | CN110071984A (en)
WO | WO2019144826A1 (en)

Also Published As

Publication number Publication date
CN110071984A (en) 2019-07-30


Legal Events

Code | Title | Description
121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 19743566; Country of ref document: EP; Kind code of ref document: A1
NENP | Non-entry into the national phase | Ref country code: DE
32PN | Ep: public notification in the ep bulletin as address of the addressee cannot be established | Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 24.11.2020)
122 | Ep: pct application non-entry in european phase | Ref document number: 19743566; Country of ref document: EP; Kind code of ref document: A1