WO2021031465A1 - Sd-wan-based device authentication method and system - Google Patents

Sd-wan-based device authentication method and system Download PDF

Info

Publication number
WO2021031465A1
Authority
WO
WIPO (PCT)
Prior art keywords
wan
authentication
ssh
controller
user authentication
Prior art date
Application number
PCT/CN2019/124188
Other languages
French (fr)
Chinese (zh)
Inventor
王巍
赵伟
Original Assignee
烽火通信科技股份有限公司 (FiberHome Telecommunication Technologies Co., Ltd.)
Filing date
Publication date
Application filed by 烽火通信科技股份有限公司
Publication of WO2021031465A1

Classifications

    • H  ELECTRICITY
    • H04  ELECTRIC COMMUNICATION TECHNIQUE
    • H04L  TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00  Network architectures or network communication protocols for network security
    • H04L 63/08  Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0876  Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L 67/00  Network arrangements or protocols for supporting network services or applications
    • H04L 67/2866  Architectures; Arrangements
    • H04L 67/30  Profiles

Definitions

  • the present invention relates to the field of communication technology, in particular to an SD-WAN-based device authentication method and system.
  • SDN: Software Defined Network.
  • WAN (Wide Area Network): a telecommunications or computer network covering a long distance.
  • Virtual WAN: a user's private WAN realized on top of the existing public WAN, which saves capital as well as operating and maintenance costs.
  • SD-WAN: Software-Defined Wide Area Network, which applies the SDN concept to the management of the user's private WAN so that the WAN can be managed efficiently.
  • SD-WAN controller: the centralized controller of an SD-WAN network. It manages and configures the WAN devices uniformly through standardized interfaces, implements flexible traffic policies and fault monitoring, and simplifies WAN management and troubleshooting.
  • NETCONF: Network Configuration Protocol.
  • XML: Extensible Markup Language.
  • SSH: Secure Shell.
  • RPC: Remote Procedure Call.
  • In the conventional NETCONF over SSH deployment, the active mode is generally adopted: the controller actively connects to the device.
  • The device's authentication information is bound to the device's IP address, and the controller uses that authentication information to connect to the device at that IP address; once the connection succeeds, device authentication is complete.
  • In an SD-WAN network, however, the IP address with which the device connects changes dynamically with the user's network. The controller cannot predict the device's IP address, so the device has to come online and be authenticated on its own initiative.
  • The purpose of the present invention is therefore to provide an SD-WAN-based device authentication method and system in which each WAN device is authenticated on the basis of the device authentication identifier in its authentication configuration file. Authentication is then unaffected by devices coming online on their own initiative, by IP address changes, or by the requirement that each device's authentication information be independent of the others', which keeps device authentication working smoothly.
  • the present invention discloses an SD-WAN-based device authentication method, the method includes the following steps:
  • S1: the SD-WAN controller establishes an SSH connection with the WAN device, and the WAN device performs the SSH key exchange with the SD-WAN controller according to the device authentication identifier in the WAN device's authentication configuration file;
  • S2: the SD-WAN controller obtains the device authentication identifier, looks up the user authentication information by that identifier, and performs SSH user authentication with the WAN device using the user authentication information.
  • The WAN device performing the SSH key exchange with the SD-WAN controller according to the device authentication identifier in its authentication configuration file specifically includes the following steps:
  • the WAN device and the SD-WAN controller negotiate a common key agreement method and key exchange algorithm;
  • the WAN device sets the device authentication identifier from the authentication configuration file as the key exchange characteristic value;
  • the SD-WAN controller performs the key exchange with the WAN device and obtains the key exchange characteristic value from it.
  • The SD-WAN controller obtaining the device authentication identifier, looking up the user authentication information by it, and performing SSH user authentication with the WAN device specifically includes the following steps:
  • the SD-WAN controller looks up the WAN device's user authentication information in a preset local data table, keyed by the device authentication identifier;
  • the SD-WAN controller sends an SSH user authentication request to the WAN device in accordance with the SSH protocol standard, the request carrying the user authentication information;
  • the WAN device verifies the user authentication information and responds, and the SSH user authentication passes.
  • The method further includes the following steps:
  • the WAN device is initialized according to the authentication configuration file;
  • the WAN device and the SD-WAN controller establish a TCP connection, and the SD-WAN controller initiates SSH user authentication to the WAN device;
  • after the SSH user authentication of the WAN device passes, the SD-WAN controller sends a NETCONF connection request to the WAN device, and the WAN device responds and generates NETCONF connection feedback.
  • The method further includes the following steps:
  • the SD-WAN controller registers the WAN device and generates a device online table and a device authentication table;
  • the SD-WAN controller generates the authentication configuration file and publishes it to the WAN device;
  • the device online table records the WAN devices that have completed device registration on the SD-WAN controller;
  • the device authentication table records the device SSH authentication information held by the SD-WAN controller.
  • The present invention also discloses an SD-WAN-based device authentication system, which includes:
  • an SSH key exchange unit, used to make the SD-WAN controller and the WAN device perform the SSH key exchange according to the device authentication identifier in the WAN device's authentication configuration file once the SD-WAN controller and the WAN device are connected via SSH;
  • an SSH user authentication unit, used to look up the user authentication information by the device authentication identifier once the SD-WAN controller has obtained that identifier, and to perform SSH user authentication with the WAN device using the user authentication information.
  • The SSH key exchange unit is also used to negotiate a common key agreement method and key exchange algorithm between the WAN device and the SD-WAN controller;
  • the SSH key exchange unit is further configured to set the device authentication identifier in the authentication configuration file as a key exchange characteristic value
  • the SSH key exchange unit is further configured to control the SD-WAN controller to obtain the key exchange characteristic value after completing the SSH key exchange with the WAN device.
  • the SSH user authentication unit is further configured to control the SD-WAN controller to obtain user authentication information of the WAN device in a preset local data table according to the device authentication identifier;
  • the SSH user authentication unit is further configured to control the SD-WAN controller to send an SSH user authentication request to the WAN device in accordance with the SSH protocol standard, where the SSH user authentication request includes the user authentication information;
  • the SSH user authentication unit is further configured to wait for the WAN device to issue SSH user authentication passing information in response to the user authentication information.
  • the system further includes:
  • the TCP connection unit is configured to control the WAN device to perform a TCP connection with the SD-WAN controller after the WAN device completes initialization according to the authentication configuration file;
  • NETCONF connection unit which is used to control the NETCONF connection with the SD-WAN controller after the SSH user authentication of the WAN device is passed;
  • the authentication judging unit is used to determine that the WAN device passes device authentication only when the TCP connection is completed, the SSH user authentication passes, and the NETCONF connection is completed; otherwise the WAN device's authentication fails.
  • the system further includes:
  • a pre-preparation unit which is used to control the SD-WAN controller to register the WAN device, and generate a device online table and a device authentication table;
  • the pre-preparation unit is further configured to control the SD-WAN controller to generate an authentication configuration file and publish the authentication configuration file to the WAN device;
  • the device online table is used to record WAN devices that have completed device registration on the SD-WAN controller
  • the device authentication table is used to record the device SSH authentication information held by the SD-WAN controller.
  • The invention authenticates each WAN device on the basis of the device authentication identifier in its authentication configuration file. Authentication is therefore unaffected by WAN devices coming online on their own initiative, by IP address changes, or by the independence of each device's authentication information, and device authentication proceeds smoothly.
  • FIG. 1 is a flowchart of the steps of the SD-WAN-based device authentication method in an embodiment of the present invention;
  • FIG. 2 is a flowchart of the preamble process of the SD-WAN-based device authentication method in an embodiment of the present invention;
  • FIG. 3 is a flowchart of step S1 of the SD-WAN-based device authentication method in an embodiment of the present invention;
  • FIG. 4 is a flowchart of step S2 of the SD-WAN-based device authentication method in an embodiment of the present invention;
  • FIG. 5 is a flowchart of the pre-preparation process of the SD-WAN-based device authentication method in an embodiment of the present invention;
  • FIG. 6 is a flowchart of step C1 of the SD-WAN-based device authentication method in an embodiment of the present invention;
  • FIG. 7 is a structural block diagram of the SD-WAN-based device authentication system in an embodiment of the present invention.
  • SDN: Software Defined Network;
  • WAN: Wide Area Network, a telecommunications or computer network covering a long distance;
  • SD-WAN: Software-Defined Wide Area Network, the combination of a Virtual WAN with the traditional WAN it runs over. SD-WAN applies the SDN concept to the management of the user's private WAN so that the private WAN can be managed efficiently;
  • Virtual WAN: Virtual Wide Area Network;
  • TCP: Transmission Control Protocol, a connection-oriented, reliable, byte-stream transport-layer protocol;
  • SSH: Secure Shell protocol;
  • NETCONF: the NETCONF protocol, an XML-based network configuration protocol;
  • IP address: Internet Protocol address, the numeric label assigned to a device that communicates using the Internet Protocol;
  • Diffie-Hellman key exchange algorithm: here the SSH Diffie-Hellman-Group-Exchange-SHA method, which lets the two communicating parties agree on a shared key over an insecure channel; that key is then used to encrypt subsequent messages.
  • An SD-WAN-based device authentication method includes the following steps:
  • the SD-WAN controller connects with the WAN device through SSH, and the WAN device exchanges SSH keys with the SD-WAN controller according to the device authentication identifier in the authentication configuration file of the WAN device;
  • the SD-WAN controller obtains the device authentication ID, obtains user authentication information according to the device authentication ID, and performs SSH user authentication on the WAN device according to the user authentication information.
  • the embodiment of the present invention realizes the active online of the WAN device, and ensures the isolation of authentication information of different WAN devices through the use of the device authentication identifier, thereby enhancing the security of device online authentication.
  • the method embodiment of the present invention provides an SD-WAN-based device authentication method, the method includes the following steps:
  • the SD-WAN controller connects with the WAN device through SSH, and the WAN device exchanges SSH keys with the SD-WAN controller according to the device authentication identifier in the authentication configuration file of the WAN device;
  • the SD-WAN controller obtains the device authentication ID, obtains user authentication information according to the device authentication ID, and performs SSH user authentication on the WAN device according to the user authentication information.
  • the SD-WAN controller and the WAN device establish a TCP connection, and the SD-WAN controller initiates SSH user authentication to the WAN device;
  • after the SSH user authentication of the WAN device passes, the SD-WAN controller sends a NETCONF connection request to the WAN device, and the WAN device responds and generates NETCONF connection feedback.
  • The WAN device first initializes itself according to the preset authentication configuration file. In practice the WAN device can receive the online configuration information in the authentication configuration file by e-mail or other means, and then completes device initialization;
  • the key information in the authentication configuration file is the SD-WAN controller IP address, the local exit configuration, the SSH login user name, and the SSH user authentication information (a password or the controller's public key);
  • the SD-WAN controller and the WAN device then establish a TCP connection;
  • the WAN device uses the SD-WAN controller IP address and port from the file to actively initiate a TCP connection to the SD-WAN controller; the SD-WAN controller listens on TCP port 6622 and accepts the TCP connection request initiated by the WAN device;
  • the SD-WAN controller performs the SSH key exchange and SSH user authentication with the WAN device according to the device authentication identifier in the WAN device's authentication configuration file;
  • the device authentication identifier in the configuration is used as the seed value of the Diffie-Hellman key exchange algorithm, that is, as the group prime the WAN device proposes in the key exchange;
  • the SD-WAN controller completes the SSH key exchange according to the SSH protocol standard, establishing an SSH session between itself and the WAN device, and reads the key-exchange seed value from the SSH key exchange message it received;
  • the SD-WAN controller takes this Diffie-Hellman seed value as the unique authentication identifier of the WAN device, i.e. the device authentication identifier, and uses it to look up the WAN device's SSH user authentication information in the local data table;
  • the SD-WAN controller then sends an SSH user authentication message to the WAN device in accordance with the SSH protocol standard, and the WAN device responds to that message to complete SSH user authentication;
  • the NETCONF Client module of the SD-WAN controller uses the SSH channel to send the NETCONF handshake messages that establish the NETCONF connection;
  • the SD-WAN controller acts as the NETCONF client and configures the WAN device through the NETCONF protocol;
  • the NETCONF Server module of the WAN device receives NETCONF messages over the SSH channel, responds to the SD-WAN controller's NETCONF configuration requests, and generates the NETCONF connection feedback; when this feedback is received the device authentication passes, otherwise it fails;
  • if authentication fails, or when the device needs to come online again, the WAN device re-initiates a TCP request and performs the NETCONF over SSH process again.
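The NETCONF connection step just described (the controller's NETCONF Client sending the handshake over the SSH channel and the device's NETCONF Server answering), shown as an added example in Python that is not part of the patent or of the assignee's products. The message format follows RFC 6241 (a `<hello>` carrying a capabilities list, with a `<session-id>` sent only by the server) and the end-of-message framing of RFC 6242 that the hello exchange always uses. The capability values beyond the base ones, the session-id value and the function names are constructed for illustration, and the SSH channel is assumed to be already established.

```python
import xml.etree.ElementTree as ET

NC_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
BASE_1_0 = "urn:ietf:params:netconf:base:1.0"
BASE_1_1 = "urn:ietf:params:netconf:base:1.1"
WRITABLE_RUNNING = "urn:ietf:params:netconf:capability:writable-running:1.0"
EOM = b"]]>]]>"  # end-of-message marker; the <hello> exchange always uses this framing (RFC 6242)


def build_hello(capabilities, session_id=None) -> bytes:
    """Serialize a <hello> frame; only the server (the WAN device) includes <session-id>."""
    hello = ET.Element("hello", xmlns=NC_NS)
    caps = ET.SubElement(hello, "capabilities")
    for cap in capabilities:
        ET.SubElement(caps, "capability").text = cap
    if session_id is not None:
        ET.SubElement(hello, "session-id").text = str(session_id)
    return ET.tostring(hello, encoding="utf-8") + EOM


def parse_hello(frame: bytes, from_server: bool):
    """Strip the EOM framing, parse the <hello> and return (capabilities, session_id).
    Rejects an incomplete frame, trailing bytes, a wrong root element, and a
    session-id that is present on the client side or missing on the server side."""
    body, marker, rest = frame.partition(EOM)
    if not marker:
        raise ValueError("incomplete frame: no end-of-message marker")
    if rest.strip():
        raise ValueError("unexpected data after the hello frame")
    root = ET.fromstring(body)
    if root.tag != f"{{{NC_NS}}}hello":
        raise ValueError(f"expected <hello>, got {root.tag}")
    caps = {c.text.strip() for c in root.iter(f"{{{NC_NS}}}capability") if c.text}
    sid = root.find(f"{{{NC_NS}}}session-id")
    if from_server != (sid is not None):
        raise ValueError("session-id must be sent by the server, and only by the server")
    return caps, (int(sid.text) if sid is not None else None)


def negotiate_base(client_caps, server_caps):
    """Highest :base version both sides advertise, or None (no common base: close the session)."""
    common = set(client_caps) & set(server_caps)
    for base in (BASE_1_1, BASE_1_0):
        if base in common:
            return base
    return None


def controller_connect(server_frame: bytes, client_caps=(BASE_1_0, BASE_1_1)) -> dict:
    """Controller (NETCONF client) side of the handshake on the established SSH channel:
    read the device's hello, build the reply hello, and report what was negotiated."""
    server_caps, session_id = parse_hello(server_frame, from_server=True)
    return {
        "session_id": session_id,
        "base": negotiate_base(client_caps, server_caps),
        "writable_running": WRITABLE_RUNNING in server_caps,
        "client_frame": build_hello(client_caps),  # sent back over the SSH "netconf" subsystem
    }
```

Two checks that the page's "connection feedback" leaves implicit are made explicit here: the client refuses a server hello that lacks a session-id (and a client hello that carries one), and a session with no common `:base` version is reported as failed rather than continued.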
  • the active online of the WAN device is realized, and the authentication information of different WAN devices is isolated through the use of the device authentication identifier, thereby enhancing the security of the device online authentication.
  • The Diffie-Hellman key exchange algorithm used here is the SSH Diffie-Hellman-Group-Exchange-SHA method;
  • the DH algorithm is the key exchange method the SSH 2.0 protocol requires;
  • the security of the Diffie-Hellman key exchange rests on the following fact: although modular exponentiation modulo a prime is relatively easy to compute, computing the discrete logarithm is hard, and for large primes it is practically infeasible;
  • the large prime referred to here is the device authentication identifier. In the group-exchange method the group prime is carried in the key exchange messages before any authentication has taken place, so in this scheme the prime serves to identify the device and select its credentials; it is the SSH user authentication that follows, performed with the credentials looked up by that identifier, that actually authenticates the device.
  • The network topology of a typical SD-WAN network consists of an SD-WAN controller and multiple WAN devices, i.e. WAN network devices;
  • the SD-WAN controller is the management core of the whole network. It communicates with each WAN device over a shared WAN network (mainly the Internet or MPLS leased lines), manages the device authentication of every WAN device, and distributes the authentication messages to each of them. Every WAN device is in turn connected to the same public WAN network;
  • the public WAN network ensures that the IP address of each WAN device, that is, the IP address of the host or of its network port, is reachable;
  • the WAN devices referred to in the embodiments of the present invention are mainly WAN edge routers with routing capability. They may be dedicated hardware appliances or virtualized software;
  • the devices used in an SD-WAN network are also called SD-WAN devices;
  • the SD-WAN controller manages the network devices through the NETCONF protocol and uses the SSH protocol as the transport layer of NETCONF, referred to as NETCONF over SSH;
  • the SD-WAN controller acts as the NETCONF client and the WAN device as the NETCONF server;
  • the common way for a NETCONF client to connect to a server is for the client to initiate an SSH connection using a pre-configured server IP address and SSH user authentication information; once the SSH session is established, the NETCONF connection is established over it;
  • establishing the NETCONF connection therefore requires the client (the SD-WAN controller) to know the IP address and SSH user authentication information of the server (the WAN device) in advance;
  • in an SD-WAN network, however, the SD-WAN controller is still the client but the WAN device's IP address is dynamically allocated;
  • the authentication information of the WAN device therefore cannot be bound to the WAN device's IP address;
  • the SD-WAN controller needs to bring the WAN device online dynamically whenever the WAN device's IP address changes;
  • the conventional solution does not fit these characteristics of an SD-WAN network, and the embodiments of the present invention address this technical problem.
  • the authentication configuration file includes SD-WAN controller IP address, local exit configuration, SSH login user name, and SSH user authentication information;
  • SSH user authentication information is different from SSH user authentication messages.
  • the former SSH user authentication information is data related to SSH user authentication in the authentication configuration file, while the latter SSH user authentication message is a message sent during SSH user authentication.
  • Step S1 specifically includes the following steps:
  • A1: the WAN device and the SD-WAN controller negotiate a common key agreement method and key exchange algorithm;
  • the WAN device sets the device authentication identifier from the authentication configuration file as the key exchange characteristic value;
  • the SD-WAN controller performs the key exchange with the WAN device and obtains the key exchange characteristic value.
  • The SD-WAN controller obtaining the device authentication identifier, looking up the user authentication information by it, and performing SSH user authentication with the WAN device, that is, step S2, specifically includes the following steps:
  • the SD-WAN controller looks up the WAN device's user authentication information in the preset local data table, keyed by the device authentication identifier;
  • the SD-WAN controller sends an SSH user authentication request to the WAN device in accordance with the SSH protocol standard;
  • the SSH user authentication request carries the user authentication information;
  • the WAN device verifies the user authentication information and responds, and the SSH user authentication passes.
  • Before the WAN device is initialized according to the preset authentication configuration file, there is also a pre-preparation process, which specifically includes the following steps:
  • C1: the SD-WAN controller registers the WAN device and generates the device online table and the device authentication table;
  • the SD-WAN controller generates the authentication configuration file and publishes it to the WAN device;
  • the device online table records the WAN devices that have completed device registration on the SD-WAN controller;
  • the device authentication table records the device SSH authentication information held by the SD-WAN controller;
  • the device SSH authentication information records the result of the SSH device authentication of each WAN device when the SD-WAN controller performs SSH authentication;
  • when the SD-WAN controller registers the WAN device, it generates the device online table and the device authentication table mainly from the device registration message;
  • the key datum in the online table is a large prime number generated to serve as the device authentication identifier;
  • the authentication configuration file may be delivered as an e-mail with an authentication URL, as a local configuration file, or as a local installation package.
  • Step C1, in which the SD-WAN controller registers the WAN device and generates the device online table and the device authentication table, specifically includes the following steps:
  • the SD-WAN controller configures the authentication identifier for the device according to the device registration message. This identifier is used as a key parameter in the subsequent algorithm: as the DH key exchange algorithm requires, the device authentication identifier is a large prime number;
  • the SD-WAN controller assigns an independent SSH user login name and user authentication information to the WAN device according to the device user's characteristic information;
  • SSH user authentication supports both password authentication and public-key authentication;
  • the SD-WAN controller configures the online information for the WAN device according to the device registration message;
  • the configured online information mainly comprises the device's exit network information and the controller's network information;
  • step C13: the device authentication table and the device online table in the SD-WAN controller's local database are updated;
  • step C14: the SD-WAN controller issues the authentication configuration file, either offline or online.
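The registration step C1 just described together with the onboarding flow of steps S1 and S2 above (the TCP connection to port 6622, the device proposing its authentication identifier as the Diffie-Hellman group prime, the controller reading that prime from the key exchange and looking up the device's SSH credentials, the SSH user authentication, and the pass/fail decision of the judging unit), as one self-contained simulation. This is an added example written for this page; it is not code from the patent or from the assignee. The class and function names, the 64-bit toy primes, the controller address 203.0.113.10, the password-based user authentication and the group-acceptance rule are assumptions made for illustration. The message roles follow the SSH group-exchange method (RFC 4419), in which the server proposes (p, g) and the client decides whether to accept the group.

```python
import hashlib
import hmac
import secrets

_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases (deterministic for n < 2**64, all this toy needs)."""
    if n < 2:
        return False
    for b in _MR_BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def is_safe_prime(p: int) -> bool:
    """p = 2q + 1 with q prime, the form a group-exchange prime must have (RFC 4419)."""
    return p > 5 and p % 2 == 1 and is_probable_prime(p) and is_probable_prime((p - 1) // 2)

def next_safe_prime(start: int) -> int:
    """Deterministic upward search, so every registered device gets a distinct identifier."""
    p = start | 1
    while not is_safe_prime(p):
        p += 2
    return p

class Controller:
    """Controller side: device online table and device authentication table (step C1)."""
    LISTEN_PORT = 6622  # the page says the controller listens on TCP port 6622

    def __init__(self):
        self.online_table = {}  # device name -> online information
        self.auth_table = {}    # device authentication identifier p -> SSH credentials
        self._seed = 1 << 63    # assumption: 64-bit toy primes; deploy >= 2048-bit groups

    def register(self, name: str, exit_iface: str) -> dict:
        """Allocate identifier and SSH credentials, fill both tables, return the config file."""
        p = next_safe_prime(self._seed)
        self._seed = p + 2
        user, password = f"sdwan-{name}", secrets.token_urlsafe(16)
        self.online_table[name] = {"device_auth_id": p, "exit": exit_iface}
        self.auth_table[p] = {"name": name, "user": user, "password": password}
        return {"controller_ip": "203.0.113.10", "controller_port": self.LISTEN_PORT,
                "exit": exit_iface, "ssh_user": user, "ssh_auth": password, "device_auth_id": p}

    def on_kex_group(self, p: int, g: int):
        """Client side of KEX_DH_GEX_GROUP: validate the server-supplied group, then select
        the device's credentials by p. Never exponentiate with an unvalidated p from the wire."""
        if not (p.bit_length() >= 63 and is_safe_prime(p) and 1 < g < p - 1):
            raise ValueError("unacceptable DH group")
        entry = self.auth_table.get(p)
        if entry is None:
            raise KeyError("unknown device authentication identifier")
        x = secrets.randbelow(p - 3) + 2  # private exponent in [2, p-2]
        return entry, x, pow(g, x, p)     # e = g^x mod p, sent in KEX_DH_GEX_INIT

def device_kex_reply(p: int, g: int, e: int):
    """Server side: f = g^y mod p for KEX_DH_GEX_REPLY and the shared secret K = e^y mod p."""
    y = secrets.randbelow(p - 3) + 2
    return pow(g, y, p), pow(e, y, p)

def device_userauth(config: dict, user: str, password: str) -> bool:
    """Server side of SSH userauth: the device checks the credential in its config file."""
    return user == config["ssh_user"] and hmac.compare_digest(password, config["ssh_auth"])

def onboard(ctrl: Controller, config: dict) -> dict:
    """Authentication judging unit: pass only if TCP, SSH user auth and NETCONF all complete."""
    result = {"tcp": False, "ssh": False, "netconf": False, "session_id": None, "passed": False}
    if config["controller_port"] != Controller.LISTEN_PORT:  # simulated TCP connect
        return result
    result["tcp"] = True
    try:
        p, g = config["device_auth_id"], 2  # device answers KEX_DH_GEX_REQUEST with (p, g)
        entry, x, e = ctrl.on_kex_group(p, g)
        f, _ = device_kex_reply(p, g, e)
        k = pow(f, x, p)  # controller's K; a real client also verifies the host-key signature on H
        result["session_id"] = hashlib.sha256(k.to_bytes(16, "big")).hexdigest()[:16]
        if not device_userauth(config, entry["user"], entry["password"]):
            return result
        result["ssh"] = True
    except (KeyError, ValueError):
        return result
    result["netconf"] = True  # stand-in for the NETCONF <hello> exchange over the SSH channel
    result["passed"] = result["tcp"] and result["ssh"] and result["netconf"]
    return result
```

Two practitioner points the block makes explicit. First, the identifier arrives in KEX_DH_GEX_GROUP before anything has been authenticated, so the controller validates it (a safe prime of acceptable size, a generator in range) before exponentiating with it and treats it purely as a lookup key; a client that accepted any p from the wire would be letting its peer choose the group. Second, the judging unit reports a pass only when all three stages succeed, so an unregistered identifier, a wrong credential, or a connection to the wrong port each yield a failed authentication rather than a partial one.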
  • system embodiment of the present invention provides an embodiment of an SD-WAN-based device authentication system, which is specifically as follows:
  • an SD-WAN-based device authentication system includes:
  • an SSH key exchange unit 1, used to make the SD-WAN controller and the WAN device perform the SSH key exchange according to the device authentication identifier in the WAN device's authentication configuration file once the SD-WAN controller and the WAN device have an SSH connection;
  • an SSH user authentication unit 2, used to look up the user authentication information by the device authentication identifier once the SD-WAN controller has obtained that identifier, and to perform SSH user authentication with the WAN device using the user authentication information;
  • system also includes:
  • the TCP connection unit 3 which is used to control the WAN device to perform a TCP connection with the SD-WAN controller after the WAN device is initialized according to the authentication configuration file;
  • NETCONF connection unit 4 which is used to control the NETCONF connection with the SD-WAN controller after the SSH user authentication of the WAN device is passed;
  • an authentication judgment unit 5, used to determine that the WAN device has passed device authentication only when the TCP connection is completed, the SSH user authentication passes, and the NETCONF connection is completed; otherwise the WAN device's authentication has failed.
  • the SSH key exchange unit 1 is also used to unify the key agreement and the key exchange algorithm between the WAN device and the SD-WAN controller;
  • the SSH key exchange unit 1 is also used to set the device authentication identifier in the authentication configuration file as the key exchange characteristic value;
  • the SSH key exchange unit 1 is also used to control the SD-WAN controller to obtain the key exchange characteristic value after the SD-WAN controller and the WAN device complete the SSH key exchange.
  • the SSH user authentication unit 2 is further configured to control the SD-WAN controller to obtain user authentication information of the WAN device in a preset local data table according to the device authentication identifier;
  • the SSH user authentication unit 2 is also used to control the SD-WAN controller to send an SSH user authentication request to the WAN device in accordance with the SSH protocol standard, and the SSH user authentication request includes user authentication information;
  • the SSH user authentication unit 2 is also used for the waiting WAN device to release SSH user authentication information in response to the user authentication information.
  • the system further includes a pre-preparation unit 6, which is used to control the SD-WAN controller to register the WAN device and generate a device online list and a device authentication list;
  • the pre-preparation unit 6 is also used to control the SD-WAN controller to generate an authentication configuration file, and to release the authentication configuration file to the WAN device;
  • the device online table is used to record the WAN devices that have completed device registration on the SD-WAN controller
  • the device authentication table is used to record the device SSH authentication information of the SDN-WAN controller.
  • the device SSH authentication information records the SSH device authentication result of each WAN device when the SD-WAN controller performs SSH authentication;
  • when the SD-WAN controller registers a WAN device, it generates the device online table and the device authentication table mainly from the device registration message;
  • the key data item in the online table is a large prime number generated to serve as the device's authentication identifier;
  • the authentication configuration file can take the form of an e-mail authentication URL, a local configuration file or a local installation package;
  • the embodiments of the present invention can be provided as a method, a system, a server or a computer program product. The present invention may therefore take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware, and may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, optical storage, etc.) containing computer-usable program code;
  • these computer program instructions can also be stored in a computer-readable memory that directs a computer or other programmable data-processing equipment to work in a specific manner, so that the instructions stored in that memory produce an article of manufacture including instruction means;
  • the instruction means implements the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram;
  • these computer program instructions can also be loaded onto a computer or other programmable data-processing equipment, so that a series of operational steps are executed on it to produce computer-implemented processing;
  • the instructions executed on the computer or other programmable equipment then provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.

Abstract

Disclosed are an SD-WAN-based device authentication method and system in the technical field of communications. The method comprises the following steps: an SD-WAN controller establishes an SSH connection with a WAN device, and the WAN device performs SSH key exchange with the SD-WAN controller according to a device authentication identifier held in the WAN device's authentication configuration file; the SD-WAN controller obtains the device authentication identifier, looks up user authentication information according to that identifier, and performs SSH user authentication of the WAN device with that user authentication information. Because authentication is keyed by the device authentication identifier in the authentication configuration file, each WAN device can be authenticated even though devices come online on their own initiative, their IP addresses change, and each device holds independent authentication information, so device authentication proceeds smoothly.

Description

A device authentication method and system based on SD-WAN
Technical field
The present invention relates to the field of communication technology, in particular to an SD-WAN-based device authentication method and system.
Background
SDN (Software Defined Network) is a network architecture that virtualizes the network and centralizes its control in order to provide more agile and flexible network services.
A WAN (Wide Area Network) is a telecommunications or computer network that spans a long distance. A Virtual WAN builds a user's private WAN on top of an existing public WAN, which saves capital and operating and maintenance costs.
SD-WAN (Software-Defined Wide Area Network) combines Virtual WAN with a traditional WAN and runs as an overlay on top of it; SD-WAN applies the SDN concept to the management of a user's private WAN so that the private WAN can be managed efficiently.
The SD-WAN controller is the centralized controller of the SD-WAN network. It manages and configures WAN network devices uniformly through standardized interfaces, implements flexible traffic policies and fault monitoring, and simplifies WAN management and troubleshooting.
Unlike data center networks, WAN networks require network devices to support flexible routing configuration and management configuration. The OpenFlow protocol commonly used in data centers cannot meet WAN requirements, whereas NETCONF (Network Configuration Protocol) encodes configuration data and protocol messages in XML (Extensible Markup Language), is transported over SSH (Secure Shell) on top of TCP (Transmission Control Protocol), and operates and controls devices through RPC (Remote Procedure Call); the NETCONF configuration protocol therefore meets the requirement for flexible configuration management of WAN devices.
In the prior art, when a device comes online using NETCONF, the active mode is generally adopted: the controller actively connects to the device. In this mode the device's authentication information is bound to the device's IP address, and the controller uses the device authentication information to connect to that IP address and complete device authentication. In a WAN, however, a user has a large number of devices, and the IP address a device connects from changes dynamically with the user's network; the controller cannot know a device's IP address in advance, so the device itself has to initiate online authentication.
Therefore an active authentication method for SD-WAN network devices is needed, to solve device authentication in a WAN where devices come online on their own initiative, device connection IP addresses change dynamically, and the authentication information of different devices is independent.
Summary of the invention
In view of the defects of the prior art, the purpose of the present invention is to provide an SD-WAN-based device authentication method and system that authenticates each WAN device on the basis of the device authentication identifier in its authentication configuration file, unaffected by devices coming online on their own initiative, by IP address changes, or by the independence of each device's information, so that device authentication proceeds smoothly.
To achieve the above objectives, the technical solution adopted by the present invention is as follows:
In a first aspect, the present invention discloses an SD-WAN-based device authentication method, comprising the following steps:
The SD-WAN controller establishes an SSH connection with the WAN device, and the WAN device performs SSH key exchange with the SD-WAN controller according to the device authentication identifier in the WAN device's authentication configuration file;
The SD-WAN controller obtains the device authentication identifier, obtains user authentication information according to the device authentication identifier, and performs SSH user authentication of the WAN device according to that user authentication information.
On the basis of the above technical solution, the WAN device performing SSH key exchange with the SD-WAN controller according to the device authentication identifier in its authentication configuration file specifically includes the following steps:
The WAN device and the SD-WAN controller negotiate a common key agreement protocol and key exchange algorithm;
The WAN device sets the device authentication identifier from the authentication configuration file as the key exchange characteristic value;
The SD-WAN controller performs key exchange with the WAN device and obtains the key exchange characteristic value.
On the basis of the above technical solution, the SD-WAN controller obtaining the device authentication identifier, obtaining user authentication information according to it, and performing SSH user authentication of the WAN device according to that information specifically includes the following steps:
The SD-WAN controller looks up the WAN device's user authentication information in a preset local data table according to the device authentication identifier;
The SD-WAN controller sends an SSH user authentication request to the WAN device in accordance with the SSH protocol standard, the request including the user authentication information;
The WAN device accepts the user authentication information, and SSH user authentication passes.
On the basis of the above technical solution, the method further includes the following steps:
The WAN device is initialized according to the authentication configuration file;
The SD-WAN controller establishes a TCP connection with the WAN device, and the SD-WAN controller initiates SSH user authentication toward the WAN device;
After the WAN device's SSH user authentication passes, the SD-WAN controller sends a NETCONF connection request to the WAN device, and the WAN device responds and generates NETCONF connection feedback.
On the basis of the above technical solution, the method further includes the following steps:
The SD-WAN controller registers the WAN device and generates a device online table and a device authentication table;
The SD-WAN controller generates the authentication configuration file and issues it to the WAN device;
Here the device online table records the WAN devices that have completed device registration on the SD-WAN controller, and the device authentication table records the SD-WAN controller's device SSH authentication information.
In a second aspect, the present invention also discloses an SD-WAN-based device authentication system, comprising:
an SSH key exchange unit, which, after the SD-WAN controller and the WAN device have established an SSH connection, controls the SD-WAN controller to perform SSH key exchange with the WAN device according to the device authentication identifier in the WAN device's authentication configuration file;
an SSH user authentication unit, which, after the SD-WAN controller has obtained the device authentication identifier, obtains user authentication information according to the device authentication identifier and performs SSH user authentication of the WAN device according to that information.
On the basis of the above technical solution, the SSH key exchange unit is further used to negotiate a common key agreement protocol and key exchange algorithm between the WAN device and the SD-WAN controller;
the SSH key exchange unit is further used to set the device authentication identifier from the authentication configuration file as the key exchange characteristic value;
the SSH key exchange unit is further used to control the SD-WAN controller to obtain the key exchange characteristic value after the SD-WAN controller and the WAN device have completed the SSH key exchange.
On the basis of the above technical solution, the SSH user authentication unit is further used to control the SD-WAN controller to look up the WAN device's user authentication information in a preset local data table according to the device authentication identifier;
the SSH user authentication unit is further used to control the SD-WAN controller to send an SSH user authentication request to the WAN device in accordance with the SSH protocol standard, the request including the user authentication information;
the SSH user authentication unit is further used to wait for the WAN device to accept the user authentication information and issue an SSH user authentication success message.
On the basis of the above technical solution, the system further comprises:
a TCP connection unit, which controls the WAN device to establish a TCP connection with the SD-WAN controller after the WAN device has completed initialization according to the authentication configuration file;
a NETCONF connection unit, which controls the WAN device to establish a NETCONF connection with the SD-WAN controller after the WAN device's SSH user authentication has passed;
an authentication judgment unit, which determines that the WAN device has passed device authentication when the TCP connection is complete, SSH authentication has passed and the NETCONF connection is complete, and otherwise determines that authentication of the WAN device has failed.
On the basis of the above technical solution, the system further comprises:
a pre-preparation unit, which controls the SD-WAN controller to register the WAN device and generate the device online table and the device authentication table;
the pre-preparation unit is further used to control the SD-WAN controller to generate the authentication configuration file and issue it to the WAN device;
here the device online table records the WAN devices that have completed device registration on the SD-WAN controller, and the device authentication table records the SD-WAN controller's device SSH authentication information.
Compared with the prior art, the advantages of the present invention are:
The present invention authenticates each WAN device on the basis of the device authentication identifier in its authentication configuration file, and is unaffected by devices coming online on their own initiative, by IP address changes, or by the independence of each device's information, so that device authentication proceeds smoothly.
Description of the drawings
FIG. 1 is a flowchart of the steps of the SD-WAN-based device authentication method in an embodiment of the present invention;
FIG. 2 is a flowchart of the preliminary flow of the SD-WAN-based device authentication method in an embodiment of the present invention;
FIG. 3 is a flowchart of step S1 of the SD-WAN-based device authentication flow in an embodiment of the present invention;
FIG. 4 is a flowchart of step S2 of the SD-WAN-based device authentication method in an embodiment of the present invention;
FIG. 5 is a flowchart of the pre-preparation flow of the SD-WAN-based device authentication method in an embodiment of the present invention;
FIG. 6 is a flowchart of step C1 of the SD-WAN-based device authentication method in an embodiment of the present invention;
FIG. 7 is a structural block diagram of the SD-WAN-based device authentication system in an embodiment of the present invention;
In the figures: 1, SSH key exchange unit; 2, SSH user authentication unit; 3, TCP connection unit; 4, NETCONF connection unit; 5, authentication judgment unit; 6, pre-preparation unit.
Detailed description
Explanation of terms:
SDN: Software Defined Network;
WAN: Wide Area Network, a telecommunications or computer network that spans a long distance;
SD-WAN: Software-Defined Wide Area Network, the combination of Virtual WAN with a traditional WAN as an overlay on top of it; SD-WAN applies the SDN concept to the management of a user's private WAN so that the private WAN can be managed efficiently;
Virtual WAN: Virtual Wide Area Network;
TCP: Transmission Control Protocol, a connection-oriented, reliable, byte-stream-based transport-layer protocol;
SSH: Secure Shell;
NETCONF: Network Configuration Protocol, an XML-based network configuration protocol;
IP address: Internet Protocol Address, the numeric label assigned to a device that uses the Internet Protocol to communicate;
Diffie-Hellman key exchange algorithm: here the Diffie-Hellman-Group-Exchange-SHA algorithm (diffie-hellman-group-exchange-sha1 / -sha256 in SSH, RFC 4419), which lets two communicating parties agree on a shared secret over an insecure channel; the session keys that encrypt subsequent messages are derived from that secret.
The embodiments of the present invention are described in further detail below with reference to the accompanying drawings.
To achieve the above technical effects, the general idea of this application is as follows:
An SD-WAN-based device authentication method, comprising the following steps:
S1. The SD-WAN controller establishes an SSH connection with the WAN device, and the WAN device performs SSH key exchange with the SD-WAN controller according to the device authentication identifier in the WAN device's authentication configuration file;
S2. The SD-WAN controller obtains the device authentication identifier, obtains user authentication information according to the device authentication identifier, and performs SSH user authentication of the WAN device according to that user authentication information.
The embodiment of the present invention lets WAN devices come online on their own initiative, and the use of a device authentication identifier keeps the authentication information of different WAN devices isolated from one another, which strengthens the security of online device authentication.
Referring to FIGs. 1 to 6, the method embodiment of the present invention provides an SD-WAN-based device authentication method comprising the following steps:
S1. The SD-WAN controller establishes an SSH connection with the WAN device, and the WAN device performs SSH key exchange with the SD-WAN controller according to the device authentication identifier in the WAN device's authentication configuration file;
S2. The SD-WAN controller obtains the device authentication identifier, obtains user authentication information according to the device authentication identifier, and performs SSH user authentication of the WAN device according to that user authentication information.
In the embodiment of the present invention there is also, where necessary, a preliminary flow, which specifically includes the following steps:
Q1. The WAN device is initialized according to the authentication configuration file;
Q2. The SD-WAN controller establishes a TCP connection with the WAN device, and the SD-WAN controller initiates SSH user authentication toward the WAN device;
Q3. After the WAN device's SSH user authentication passes, the SD-WAN controller sends a NETCONF connection request to the WAN device, and the WAN device responds and generates NETCONF connection feedback.
In the embodiment of the present invention, the WAN device is first initialized according to the preset authentication configuration file. In practice the WAN device can obtain the online configuration information contained in the authentication configuration file by e-mail or by other means, and then complete device initialization;
When the WAN device initializes itself from the authentication configuration file, the key information in that file includes the SD-WAN controller IP address, the local egress configuration, the SSH login user name, and the SSH user authentication information (a password or the controller's public key);
After the WAN device has finished initializing, the SD-WAN controller and the WAN device establish a TCP connection. Specifically, the WAN device can use the SD-WAN controller's IP address and port to actively initiate a TCP connection to the SD-WAN controller, while the SD-WAN controller listens on TCP port 6622 and thereby receives the TCP connection request initiated by the WAN device;
Then, once the TCP connection is complete, the SD-WAN controller performs SSH user authentication with the WAN device according to the device authentication identifier in the WAN device's authentication configuration file;
During SSH user authentication, that is, during SSH connection setup, a key exchange has to take place. In the key exchange phase the device authentication identifier from the configuration attributes is used as the seed value of the Diffie-Hellman key exchange algorithm, that is, as the large prime modulus of the group. The SD-WAN controller completes the SSH key exchange flow in accordance with the SSH protocol standard and establishes an SSH session between itself and the WAN device, at the same time extracting the key exchange algorithm seed value from the SSH key exchange message it received. The SD-WAN controller takes this Diffie-Hellman seed value as the unique identifier for authenticating the WAN device, that is, the device authentication identifier, and uses it to look up the WAN device's SSH user authentication information in its local data table. The SD-WAN controller then sends an SSH user authentication message to the WAN device in accordance with the SSH protocol standard, and the WAN device responds to that message, completing SSH user authentication;
The NETCONF Client module of the SD-WAN controller (its NETCONF client) sends the NETCONF handshake message over the SSH channel to establish the NETCONF connection. The SD-WAN controller, acting as NETCONF client, configures the WAN device with the NETCONF protocol, while the NETCONF SERVICE module of the WAN device (its NETCONF server) receives NETCONF messages over the SSH channel, responds to the SD-WAN controller's NETCONF network configuration request, and generates NETCONF connection feedback. If this completes, the device passes device authentication; otherwise device authentication fails;
If the connection between the SD-WAN controller and the WAN device fails, the WAN device re-initiates the TCP request and runs the NETCONF over SSH flow again.
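The NETCONF handshake that follows successful SSH user authentication, together with the three-condition judgment the authentication judgment unit makes, as an added example that is not code from the patent or its applicant. The `<hello>` exchange and the `]]>]]>` end-of-message delimiter follow RFC 6241 and RFC 6242; the capability lists, the session id, and the `NetconfServer` / `netconf_connect` / `device_authenticated` names are constructed for this illustration, and the SSH channel is replaced by direct function calls between the two sides.

```python
"""Added example (not from the patent): NETCONF <hello> exchange between the
SD-WAN controller (NETCONF client) and the WAN device (NETCONF server), plus
the device-authentication judgment. Framing per RFC 6242; names are ours."""
import xml.etree.ElementTree as ET

NC_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
EOM = b"]]>]]>"            # end-of-message delimiter, always used for <hello>
BASE_10 = "urn:ietf:params:netconf:base:1.0"
BASE_11 = "urn:ietf:params:netconf:base:1.1"


def build_hello(capabilities, session_id=None) -> bytes:
    """Serialise a <hello>; only the server side carries <session-id>."""
    hello = ET.Element("hello", xmlns=NC_NS)
    caps = ET.SubElement(hello, "capabilities")
    for uri in capabilities:
        ET.SubElement(caps, "capability").text = uri
    if session_id is not None:
        ET.SubElement(hello, "session-id").text = str(session_id)
    return b'<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(hello) + EOM


def parse_hello(frame: bytes) -> dict:
    """Strip the delimiter and pull out capabilities and session-id.
    Anything that is not a well-formed <hello> raises ValueError."""
    if not frame.endswith(EOM):
        raise ValueError("hello frame is not terminated by ]]>]]>")
    root = ET.fromstring(frame[: -len(EOM)])
    if root.tag != "{%s}hello" % NC_NS:
        raise ValueError("unexpected root element %s" % root.tag)
    caps = [c.text.strip() for c in root.iter("{%s}capability" % NC_NS) if c.text]
    sid = root.findtext("{%s}session-id" % NC_NS)
    return {"capabilities": caps, "session_id": int(sid) if sid else None}


def negotiate_base(client_caps, server_caps) -> str:
    """RFC 6241 8.1: the highest base version both peers advertise is used;
    with no version in common the session must not continue."""
    shared = set(client_caps) & set(server_caps)
    if BASE_11 in shared:
        return BASE_11
    if BASE_10 in shared:
        return BASE_10
    raise ValueError("no common NETCONF base capability; close the session")


class NetconfServer:
    """Minimal WAN-device side: answers the controller's <hello>."""

    def __init__(self, capabilities, session_id=1):
        self.capabilities = list(capabilities)
        self.session_id = session_id
        self.base = None

    def on_hello(self, client_frame: bytes) -> bytes:
        client = parse_hello(client_frame)
        if client["session_id"] is not None:
            raise ValueError("client hello must not carry a session-id")
        self.base = negotiate_base(client["capabilities"], self.capabilities)
        return build_hello(self.capabilities, self.session_id)


def netconf_connect(server: NetconfServer, client_caps) -> dict:
    """Controller side: send our hello over the (already authenticated) SSH
    channel, validate the device's reply, and record the negotiated session."""
    reply = parse_hello(server.on_hello(build_hello(client_caps)))
    if reply["session_id"] is None:
        raise ValueError("server hello lacks session-id; NETCONF connection failed")
    return {"session_id": reply["session_id"],
            "base": negotiate_base(client_caps, reply["capabilities"])}


def device_authenticated(tcp_up: bool, ssh_userauth_ok: bool, netconf_session) -> bool:
    """The judgment in the text: TCP connected, SSH user auth passed, and the
    NETCONF connection completed. Any missing stage means failure."""
    return bool(tcp_up and ssh_userauth_ok and netconf_session
                and netconf_session.get("session_id"))


if __name__ == "__main__":
    device = NetconfServer([BASE_10, BASE_11,
                            "urn:ietf:params:netconf:capability:writable-running:1.0"],
                           session_id=42)
    session = netconf_connect(device, [BASE_10, BASE_11])
    print(session, device_authenticated(True, True, session))
```

A real controller would send `build_hello(...)` on the `netconf` SSH subsystem channel and switch to chunked framing when `base:1.1` is negotiated; the point the text makes, and that `device_authenticated` encodes, is that a device is only considered online when all three stages have completed, so a device that reaches the hello stage but fails to answer with a session-id is treated as not authenticated and must restart from the TCP connection.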
In the embodiment of the present invention, WAN devices come online on their own initiative, and the use of a device authentication identifier keeps the authentication information of different WAN devices isolated from one another, which strengthens the security of online device authentication.
Here the Diffie-Hellman key exchange algorithm means the Diffie-Hellman-Group-Exchange-SHA algorithm. Diffie-Hellman is the key exchange method that the SSH 2.0 protocol mandates, and its group-exchange variant lets the server side supply the group, which is what allows a per-device modulus to be used. The security of Diffie-Hellman rests on the following fact: although computing a modular exponentiation modulo a prime is relatively easy, computing the discrete logarithm is hard, and for a sufficiently large prime computing the discrete logarithm is practically infeasible. The large prime referred to here is the device authentication identifier. That hardness only holds if the identifier is a large safe prime (2048 bits or more in current practice), and since the modulus is exchanged before the session is encrypted it identifies the device rather than serving as a secret.
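The key-exchange-based identification described in the step S1 paragraph above and in the Diffie-Hellman explanation just given, as an added example that is not code from the patent or its applicant. It models the controller as the SSH client on the TCP session the device opened (the same role reversal that NETCONF Call Home, RFC 8071, uses), with the device answering the group-exchange request with its registered prime as the modulus, and the controller looking that modulus up before deciding which credential to present. The `Controller` and `WanDevice` classes, the two tables, the address `203.0.113.10:6622`, the user name and the toy 64-bit group size are this example's own assumptions; a real deployment needs safe primes of at least 2048 bits, which is also the smallest group-exchange modulus a current OpenSSH client accepts.

```python
"""Added example (not the patent's code): the SD-WAN controller (SSH client)
recognises a WAN device (SSH server) from the Diffie-Hellman modulus it offers
in diffie-hellman-group-exchange, looks up the credential registered for that
device, and only then runs user authentication. Toy 64-bit groups so the demo
runs instantly; production must use >= 2048-bit safe primes."""
import hmac
import random
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test (error probability below 4**-rounds)."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def is_safe_prime(p: int) -> bool:
    """p and (p-1)/2 both prime: the group structure DH needs so that an
    attacker cannot push the exchange into a small subgroup."""
    return p > 5 and is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def generate_safe_prime(bits: int, rng: random.Random) -> int:
    """Random safe prime p = 2q + 1 with exactly `bits` bits."""
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1


class Controller:
    """SD-WAN controller: device online table, device authentication table,
    and the SSH-client half of the key exchange."""

    def __init__(self, bits: int = 64, seed: int = 2019):
        self.bits = bits
        self.rng = random.Random(seed)   # seeded only to keep the demo reproducible
        self.online_table = {}           # device name -> device authentication identifier p
        self.auth_table = {}             # p -> credential the controller presents to that device

    def register(self, name: str) -> dict:
        """Pre-preparation: mint the device's prime and SSH credential, record
        both, and return the authentication configuration file for the device."""
        p = generate_safe_prime(self.bits, self.rng)
        cred = {"user": "sdwan-mgmt", "password": secrets.token_urlsafe(24)}
        self.online_table[name] = p
        self.auth_table[p] = {"device": name, **cred}
        return {"controller": "203.0.113.10:6622", "ssh_user": cred["user"],
                "ssh_auth": cred["password"], "device_auth_id": p}

    def ssh_connect(self, dev: "WanDevice"):
        """Runs on the TCP session the device opened; the controller is the client."""
        p, g = dev.kex_gex_group(self.bits, self.bits, self.bits)   # KEX_DH_GEX_REQUEST / _GROUP
        entry = self.auth_table.get(p)
        if entry is None:
            raise PermissionError("modulus is not a registered device authentication identifier")
        if not is_safe_prime(p) or not 2 <= g <= p - 2:
            raise ValueError("registered modulus is not a valid DH group")
        x = secrets.randbelow(p - 2) + 1
        f = dev.kex_reply(pow(g, x, p))                             # KEX_DH_GEX_INIT / _REPLY
        if not 1 < f < p - 1:
            raise ValueError("invalid server DH public value")
        shared = pow(f, x, p)
        # user authentication with the credential registered for *this* device
        if not dev.userauth(entry["user"], entry["password"]):
            raise PermissionError("SSH user authentication rejected")
        return entry["device"], shared


class WanDevice:
    """WAN device: SSH-server half, initialised from its authentication configuration file."""

    def __init__(self, config: dict):
        self.p, self.g = config["device_auth_id"], 2
        self.user, self.password = config["ssh_user"], config["ssh_auth"]
        self.shared = None

    def kex_gex_group(self, min_bits: int, n_bits: int, max_bits: int):
        """KEX_DH_GEX_GROUP: offer the identifier as the modulus. This goes out
        before encryption starts, so it identifies the device but proves nothing."""
        if not min_bits <= self.p.bit_length() <= max_bits:
            raise ValueError("client's group size window excludes our modulus")
        return self.p, self.g

    def kex_reply(self, e: int) -> int:
        if not 1 < e < self.p - 1:
            raise ValueError("invalid client DH public value")
        y = secrets.randbelow(self.p - 2) + 1
        self.shared = pow(e, y, self.p)
        return pow(self.g, y, self.p)

    def userauth(self, user: str, password: str) -> bool:
        return user == self.user and hmac.compare_digest(password.encode(), self.password.encode())


if __name__ == "__main__":
    ctl = Controller()
    cfg = ctl.register("cpe-shanghai-01")
    print(ctl.ssh_connect(WanDevice(cfg)))      # ('cpe-shanghai-01', <shared secret>)
```

Two practitioner points the page leaves implicit: the modulus travels in the clear in `KEX_DH_GEX_GROUP`, so the lookup tells the controller which credential to present but does not by itself authenticate the device, and the controller should additionally pin the device's SSH host key; and the authentication configuration file carries both the prime and the SSH credential, so it has to reach the device over an authenticated channel rather than plain e-mail. With a stock OpenSSH sshd on the device, restricting its `moduli` file to the device's own prime yields the behaviour modelled here, since sshd picks group-exchange moduli from that file.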
For reference, the topology of a typical SD-WAN network consists of an SD-WAN controller and multiple WAN devices (WAN network devices).
The SD-WAN controller is the management core of the whole network. It communicates with every WAN device over a shared WAN (mainly the Internet or MPLS private lines), manages device authentication for each WAN device and distributes authentication messages to each of them. All WAN devices are likewise attached to the same public WAN, which guarantees IP reachability of each WAN device, that is, reachability of the host or network-port IP address.
The WAN devices referred to in these embodiments are mainly WAN edge routers with routing capability. They may be physical hardware or virtualised software; devices used in an SD-WAN network are also called SD-WAN devices.
In these embodiments the SD-WAN controller manages network devices through the NETCONF protocol and uses SSH as the transport (connection) layer for NETCONF, referred to as NETCONF over SSH.
The SD-WAN controller acts as the NETCONF client and the WAN device as the NETCONF server.
In the usual way of connecting a NETCONF client to a server, the client actively initiates an SSH connection using a pre-configured server IP address and SSH user credentials, and once the SSH session is established it opens the NETCONF session on top of it.
It follows that NETCONF session establishment requires the client (the SD-WAN controller) to know the server's (the WAN device's) IP address and SSH user credentials in advance. In the SD-WAN scenario, however, there are a large number of WAN devices, their IP addresses are assigned dynamically, a device's credentials cannot be bound to its IP address, and the controller must bring a device back online after its address changes. The conventional approach therefore does not fit the characteristics of an SD-WAN network, and this is the technical problem the embodiments address.
The authentication configuration file contains the SD-WAN controller IP address, the local egress (uplink) configuration, the SSH login user name and the SSH user authentication information.
SSH user authentication information is distinct from an SSH user authentication message: the former is the data in the authentication configuration file that relates to SSH user authentication, while the latter is a message sent during the SSH user authentication exchange itself.
In another implementation of this embodiment, the WAN device performs the SSH key exchange with the SD-WAN controller according to the device authentication identifier in its authentication configuration file; that is, step S1 specifically comprises the following steps:
A1. The WAN device and the SD-WAN controller interact to agree the key exchange protocol and the key exchange algorithm (the SSH algorithm negotiation);
A2. The WAN device sets the device authentication identifier from the authentication configuration file as the key exchange characteristic value, i.e. the prime it offers as the group modulus;
A3. The SD-WAN controller performs the key exchange with the WAN device and obtains the key exchange characteristic value.
Specifically, in another implementation of this embodiment, the SD-WAN controller obtains the device authentication identifier, obtains the user authentication information according to that identifier, and performs SSH user authentication of the WAN device with it; that is, step S2 specifically comprises the following steps:
B1. The SD-WAN controller looks up the WAN device's user authentication information in a preset local data table, keyed by the device authentication identifier;
B2. The SD-WAN controller sends an SSH user authentication request to the WAN device in accordance with the SSH protocol standard; the request carries the user authentication information;
B3. The WAN device responds to the user authentication information, and SSH user authentication passes.
In another implementation of this embodiment, a preparatory procedure precedes the WAN device's initialisation from the preset authentication configuration file. The preparatory procedure specifically comprises the following steps:
C1. The SD-WAN controller registers the WAN device and generates a device online table and a device authentication table;
C2. The SD-WAN controller generates the authentication configuration file and delivers it to the WAN device.
The device online table records the WAN devices that have completed device registration on the SD-WAN controller, and the device authentication table records the SD-WAN controller's per-device SSH authentication information,
which in turn holds the SSH device authentication result of each WAN device from the controller's SSH authentication runs.
When registering a WAN device, the SD-WAN controller builds the device online table and the device authentication table mainly from the device registration message; the key datum in the online table is a large prime generated for the device to serve as its authentication identifier.
Common delivery forms of the authentication configuration file include an authentication URL sent by e-mail, a local configuration file, or a local installation package. Because the file carries the device's SSH credential and the controller address, the delivery channel itself must be confidential and authenticated whichever form is used.
Step C1, in which the SD-WAN controller registers the WAN device and generates the device online table and device authentication table, specifically comprises the following steps:
C10. The SD-WAN controller assigns the device an authentication identifier based on the device registration message. This identifier is a key parameter of the subsequent algorithm: as the DH key exchange algorithm requires, the device authentication identifier is a large prime;
C11. The SD-WAN controller assigns the WAN device its own SSH login user name and user authentication credential based on the device's profile information; SSH user authentication supports both password authentication and public-key authentication;
C12. The SD-WAN controller configures the onboarding information for the WAN device based on the registration message; this consists mainly of the device's egress network information and the controller's network information;
C13. Using the results of steps C11 and C12, the controller updates the device authentication table and the device online table in its local database;
C14. The controller generates the WAN device's authentication configuration file from the device authentication table, the device online table and the authentication import method the WAN device supports;
C15. The SD-WAN controller delivers the authentication configuration file of step C14 offline or online.
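The registration steps above and the key exchange and user authentication steps A1-A3 and B1-B3 fit together as one flow. The following Python is an added example, not code from the patent or from the applicant: it simulates the controller's tables and configuration file, the device offering its identifier prime as the Diffie-Hellman group modulus, the controller recognising the device by that prime, and the per-device SSH credential being released. It also adds the two checks the text leaves implicit: the controller validates the offered group (size, primality, generator and public-value ranges) before using it, and it pins the device's SSH host key before sending the credential, because the prime itself travels in the clear and anyone could present it. Names, table layouts, the 512-bit prime size, the constructed host-key fingerprint and the message shapes are assumptions; the SSH wire format is not reproduced.

```python
# Added example, not code from the patent: simulates steps C10-C15 (registration
# and configuration file), A1-A3 (group exchange with the device's prime as the
# modulus) and B1-B3 (credential lookup and SSH user auth).  Names, table layouts,
# message shapes and the 512-bit prime size are assumptions for illustration.
import hashlib
import secrets

PRIME_BITS = 512  # demo size; real deployments need >= 2048-bit safe primes


def is_probable_prime(n, rounds=32):
    """Miller-Rabin probable-prime test."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def session_key(shared, p):
    return hashlib.sha256(shared.to_bytes((p.bit_length() + 7) // 8, "big")).digest()


class Controller:  # SD-WAN controller: registration tables, config file, SSH client role
    def __init__(self, ip="192.0.2.10", port=6622):
        self.ip, self.port = ip, port
        self.online_table = {}  # device name -> prime, egress, pinned host key
        self.auth_table = {}    # prime -> SSH user, credential, last auth result

    def register(self, name, egress, host_key_fp):  # C10-C13
        prime = generate_prime(PRIME_BITS)
        self.online_table[name] = {"prime": prime, "egress": egress, "host_key_fp": host_key_fp}
        self.auth_table[prime] = {"user": f"sdwan-{name}",
                                  "password": secrets.token_urlsafe(24), "result": None}
        return prime

    def make_config(self, name):  # C14: the authentication configuration file
        rec = self.online_table[name]
        cred = self.auth_table[rec["prime"]]
        return {"controller_ip": self.ip, "controller_port": self.port, "egress": rec["egress"],
                "ssh_user": cred["user"], "ssh_auth": cred["password"], "device_id": rec["prime"]}

    def kex_and_auth(self, device):  # A3 then B1-B3, from the SSH client side
        p, g, host_key_fp = device.kex_group()  # like SSH_MSG_KEX_DH_GEX_GROUP
        if p.bit_length() < PRIME_BITS or not is_probable_prime(p) or not 1 < g < p - 1:
            raise ValueError("rejected DH group")  # validate before using it for anything
        cred = self.auth_table.get(p)  # B1: the prime is the lookup key
        if cred is None:
            raise PermissionError("unknown device identifier")
        # p travels in the clear, so pin the host key before releasing the credential
        pinned = next(r["host_key_fp"] for r in self.online_table.values() if r["prime"] == p)
        if host_key_fp != pinned:
            raise PermissionError("host key mismatch")
        x = secrets.randbelow(p - 2) + 1
        f = device.kex_reply(pow(g, x, p))
        if not 1 < f < p - 1:
            raise ValueError("bad server DH value")
        cred["result"] = device.userauth(cred["user"], cred["password"],
                                         session_key(pow(f, x, p), p))  # B2/B3
        return cred["result"]


class WanDevice:  # WAN device: initialised from the config file, SSH server role
    def __init__(self, config, host_key_fp):
        self.config, self.host_key_fp = config, host_key_fp
        self.p, self.g, self.session = config["device_id"], 2, None

    def kex_group(self):  # A2: offer the identifier prime as the group modulus
        return self.p, self.g, self.host_key_fp

    def kex_reply(self, e):
        y = secrets.randbelow(self.p - 2) + 1
        self.session = session_key(pow(e, y, self.p), self.p)
        return pow(self.g, y, self.p)

    def userauth(self, user, password, session):
        return (session == self.session and user == self.config["ssh_user"]
                and secrets.compare_digest(password, self.config["ssh_auth"]))


def onboard_demo(host_key_seen=None):  # register one device, hand it its config, run the flow
    ctrl = Controller()
    pinned = "SHA256:constructed-host-key-fingerprint-A"  # constructed value
    ctrl.register("cpe-A", egress="wan0 dhcp", host_key_fp=pinned)
    dev = WanDevice(ctrl.make_config("cpe-A"), host_key_fp=host_key_seen or pinned)
    return ctrl.kex_and_auth(dev)
```

onboard_demo() returns True for the registered device; passing a different host-key fingerprint makes the controller refuse before any credential leaves it, which is the property the host-key pin buys. A real implementation would generate safe primes of at least 2048 bits, which is slow in pure Python, and would carry the prime in the server's SSH_MSG_KEX_DH_GEX_GROUP message rather than in a method call.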
In addition, one form of the device online table and of the device user authentication table is given below; both are supplied in the patent as images (Figure PCTCN2019124188-appb-000001 and Figure PCTCN2019124188-appb-000002) and are not reproduced in text.
Device online table: Figure PCTCN2019124188-appb-000001 (image not rendered in text).
Device user authentication table: Figure PCTCN2019124188-appb-000002 (image not rendered in text).
Based on the same inventive concept, the system embodiment of the invention provides an SD-WAN-based device authentication system, as follows:
As shown in Figure 7, an SD-WAN-based device authentication system comprises:
an SSH key exchange unit 1, used, after the SD-WAN controller has established an SSH connection with the WAN device, to control the SD-WAN controller to perform the SSH key exchange with the WAN device according to the device authentication identifier in the WAN device's authentication configuration file;
an SSH user authentication unit 2, used, after the SD-WAN controller has obtained the device authentication identifier, to obtain user authentication information according to that identifier and to perform SSH user authentication of the WAN device with it.
The system further comprises:
a TCP connection unit 3, used, after the WAN device has completed initialisation from the authentication configuration file, to control the WAN device to establish a TCP connection with the SD-WAN controller;
a NETCONF connection unit 4, used, after the WAN device's SSH user authentication has passed, to control the NETCONF connection with the SD-WAN controller;
an authentication judgement unit 5, which determines that the WAN device has passed device authentication when the TCP connection is complete, SSH authentication has passed and the NETCONF connection is complete, and otherwise that device authentication has failed.
In this embodiment the WAN device first initialises from the preset authentication configuration file; in practice the device obtains the onboarding configuration contained in that file by e-mail or another channel and then completes its initialisation.
The key information the WAN device takes from the authentication configuration file when initialising is the SD-WAN controller IP address, the local egress configuration, the SSH login user name and the SSH user authentication information (a password or the controller's public key).
Once the WAN device has initialised, a TCP connection is set up between the SD-WAN controller and the WAN device. Specifically, the WAN device uses the controller's IP address and port to initiate the TCP connection to the SD-WAN controller, while the controller listens on TCP port 6622 and thereby receives the device-initiated connection request. The device dials out, but the controller remains the SSH and NETCONF client; this inversion of the usual connection direction is the same pattern the IETF standardised as NETCONF Call Home (RFC 8071).
Once the TCP connection is up, the SD-WAN controller performs SSH user authentication with the WAN device based on the device authentication identifier in the device's authentication configuration file.
The SSH connection requires a key exchange before user authentication. In the key exchange phase the device authentication identifier from the configuration is used as the seed value of the Diffie-Hellman key exchange, i.e. the group prime. The SD-WAN controller completes the SSH key exchange according to the SSH protocol standard, establishing an SSH session between the controller and the WAN device, and at the same time extracts the key exchange seed value from the key exchange message it receives. The controller treats that seed value as the unique identifier of the WAN device for authentication purposes, that is, the device authentication identifier; it obtains the device's SSH user authentication information from its local data table and, following the SSH protocol standard, sends an SSH user authentication message to the WAN device. The WAN device responds to the message and SSH user authentication completes.
The SD-WAN controller's NETCONF client module then sends the NETCONF handshake messages over the SSH channel to establish the NETCONF session; as NETCONF client, the controller configures the WAN device using the NETCONF protocol. The WAN device's NETCONF server module receives NETCONF messages over the SSH channel, responds to the controller's network configuration requests and generates the NETCONF connection acknowledgement. If this completes, the device has passed device authentication; otherwise device authentication fails.
If the connection between the SD-WAN controller and the WAN device fails, the WAN device re-initiates the TCP connection and runs the NETCONF over SSH procedure again.
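The connection direction and the reconnect behaviour described above, as an added example that is not part of the patent: the device dials the controller's listening socket, retries with exponential backoff when the dial fails, and once connected speaks first as the SSH server while the controller answers as the SSH client (only the SSH version banners are exchanged here; key exchange is out of scope). The banners, the retry schedule, the simulated outage and the use of an ephemeral loopback port instead of port 6622 are assumptions so that the example runs offline.

```python
# Added example, not code from the patent: call-home style TCP connection with
# retry.  The device is the TCP initiator but the SSH server; the controller
# accepts the TCP connection and is the SSH client.  Banners and ports are
# constructed values.
import socket
import threading
import time

DEVICE_BANNER = b"SSH-2.0-wan-device_0.1\r\n"             # constructed
CONTROLLER_BANNER = b"SSH-2.0-sdwan-controller_0.1\r\n"   # constructed


def read_line(sock):
    """Read one CRLF-terminated line (the SSH identification string)."""
    buf = b""
    while not buf.endswith(b"\r\n"):
        chunk = sock.recv(1)
        if not chunk:
            raise ConnectionError("peer closed before sending its banner")
        buf += chunk
    return buf


def controller_accept(listener, results):
    """Controller side: accept the device-initiated connection, then act as SSH client."""
    conn, _ = listener.accept()
    with conn:
        results["device_banner"] = read_line(conn)  # device speaks first: it is the server
        conn.sendall(CONTROLLER_BANNER)


def device_call_home(dial, max_attempts=5, base_delay=0.05):
    """Device side: dial the controller, retrying with backoff, then send the server banner.

    Returns (attempts used, controller banner)."""
    for attempt in range(max_attempts):
        try:
            sock = dial()
        except OSError:  # refused, unreachable, timed out: try again later
            time.sleep(base_delay * (2 ** attempt))
            continue
        with sock:
            sock.sendall(DEVICE_BANNER)
            return attempt + 1, read_line(sock)
    raise ConnectionError("controller unreachable after retries")


def call_home_demo(fail_first=1):
    """Run controller and device on loopback; the first `fail_first` dials are simulated outages."""
    listener = socket.create_server(("127.0.0.1", 0))  # ephemeral port stands in for 6622
    listener.settimeout(5)
    port = listener.getsockname()[1]
    results = {}
    worker = threading.Thread(target=controller_accept, args=(listener, results))
    worker.start()
    attempts = {"n": 0}

    def dial():
        attempts["n"] += 1
        if attempts["n"] <= fail_first:
            raise ConnectionRefusedError("simulated outage")
        return socket.create_connection(("127.0.0.1", port), timeout=2)

    used, controller_banner = device_call_home(dial)
    worker.join(2)
    listener.close()
    return used, results.get("device_banner"), controller_banner
```

call_home_demo(fail_first=2) connects on the third attempt and returns both banners; a production device would cap the backoff and keep retrying indefinitely, since losing the controller is exactly the situation the text says must be recovered from.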
In another implementation of this embodiment, the SSH key exchange unit 1 is further used to agree the key exchange protocol and key exchange algorithm between the WAN device and the SD-WAN controller;
the SSH key exchange unit 1 is further used to set the device authentication identifier in the authentication configuration file as the key exchange characteristic value;
the SSH key exchange unit 1 is further used to control the SD-WAN controller to obtain the key exchange characteristic value once the controller and the WAN device have completed the SSH key exchange.
In another implementation of this embodiment, the SSH user authentication unit 2 is further used to control the SD-WAN controller to obtain the WAN device's user authentication information from the preset local data table according to the device authentication identifier;
the SSH user authentication unit 2 is further used to control the SD-WAN controller to send an SSH user authentication request, carrying the user authentication information, to the WAN device in accordance with the SSH protocol standard;
the SSH user authentication unit 2 is further used to issue an SSH user authentication passed notification once the WAN device has responded to the user authentication information.
In another implementation of this embodiment, the system further comprises a preparation unit 6, used to control the SD-WAN controller to register the WAN device and to generate the device online table and the device authentication table;
the preparation unit 6 is further used to control the SD-WAN controller to generate the authentication configuration file and deliver it to the WAN device.
Those skilled in the art will understand that the embodiments of the invention may be provided as a method, a system, a server or a computer program product. The invention may therefore take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. It may also take the form of a computer program product embodied on one or more computer-usable storage media (including, without limitation, disk storage and optical storage) containing computer-usable program code.
The invention is described with reference to flowcharts and/or block diagrams of methods, devices (systems), servers and computer program products according to its embodiments. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks, can be implemented by computer program instructions. These instructions may be provided to the processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by that processor produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in that memory produce an article of manufacture including instruction means that implement the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, causing a series of operational steps to be performed on it to produce a computer-implemented process, such that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Obviously, those skilled in the art can make various changes and modifications to the invention without departing from its spirit and scope. If such modifications and variations fall within the scope of the claims of the invention and their technical equivalents, the invention is intended to include them as well.

Claims (10)

  1. An SD-WAN-based device authentication method, characterised in that the method comprises the following steps:
    an SD-WAN controller establishes an SSH connection with a WAN device, and the WAN device performs an SSH key exchange with the SD-WAN controller according to a device authentication identifier in the WAN device's authentication configuration file;
    the SD-WAN controller obtains the device authentication identifier, obtains user authentication information according to the device authentication identifier, and performs SSH user authentication of the WAN device according to the user authentication information.
  2. The method of claim 1, characterised in that the WAN device performing the SSH key exchange with the SD-WAN controller according to the device authentication identifier in the WAN device's authentication configuration file specifically comprises the following steps:
    the WAN device interacts with the SD-WAN controller to agree the key exchange protocol and the key exchange algorithm;
    the WAN device sets the device authentication identifier in the authentication configuration file as the key exchange characteristic value;
    the SD-WAN controller performs the key exchange with the WAN device and obtains the key exchange characteristic value.
  3. The method of claim 2, characterised in that the SD-WAN controller obtaining the device authentication identifier, obtaining user authentication information according to the device authentication identifier and performing SSH user authentication of the WAN device according to the user authentication information specifically comprises the following steps:
    the SD-WAN controller obtains the user authentication information of the WAN device from a preset local data table according to the device authentication identifier;
    the SD-WAN controller sends an SSH user authentication request to the WAN device in accordance with the SSH protocol standard, the SSH user authentication request including the user authentication information;
    the WAN device responds to the user authentication information, and SSH user authentication passes.
  4. The method of claim 1, characterised in that the method further comprises the following steps:
    the WAN device initialises according to the authentication configuration file;
    the SD-WAN controller establishes a TCP connection with the WAN device, and the SD-WAN controller initiates SSH user authentication towards the WAN device;
    after the WAN device's SSH user authentication has passed, the SD-WAN controller sends a NETCONF connection request to the WAN device, and the WAN device responds and generates a NETCONF connection acknowledgement.
  5. The method of claim 1, characterised in that the method further comprises the following steps:
    the SD-WAN controller registers the WAN device and generates a device online table and a device authentication table;
    the SD-WAN controller generates the authentication configuration file and delivers the authentication configuration file to the WAN device;
    wherein the device online table records WAN devices that have completed device registration on the SD-WAN controller, and the device authentication table records the SD-WAN controller's device SSH authentication information.
  6. An SD-WAN-based device authentication system, characterised in that the system comprises:
    an SSH key exchange unit, configured to, after an SD-WAN controller has established an SSH connection with a WAN device, control the SD-WAN controller to perform an SSH key exchange with the WAN device according to a device authentication identifier in the WAN device's authentication configuration file;
    an SSH user authentication unit, configured to, after the SD-WAN controller has obtained the device authentication identifier, obtain user authentication information according to the device authentication identifier and perform SSH user authentication of the WAN device according to the user authentication information.
  7. The system of claim 6, characterised in that:
    the SSH key exchange unit is further configured to agree the key exchange protocol and the key exchange algorithm between the WAN device and the SD-WAN controller;
    the SSH key exchange unit is further configured to set the device authentication identifier in the authentication configuration file as the key exchange characteristic value;
    the SSH key exchange unit is further configured to control the SD-WAN controller to obtain the key exchange characteristic value after the SD-WAN controller and the WAN device have completed the SSH key exchange.
  8. The system of claim 6, characterised in that:
    the SSH user authentication unit is further configured to control the SD-WAN controller to obtain the user authentication information of the WAN device from a preset local data table according to the device authentication identifier;
    the SSH user authentication unit is further configured to control the SD-WAN controller to send an SSH user authentication request to the WAN device in accordance with the SSH protocol standard, the SSH user authentication request including the user authentication information;
    the SSH user authentication unit is further configured to issue an SSH user authentication passed notification after the WAN device has responded to the user authentication information.
  9. The system of claim 6, characterised in that the system further comprises:
    a TCP connection unit, configured to control the WAN device to establish a TCP connection with the SD-WAN controller after the WAN device has completed initialisation according to the authentication configuration file;
    a NETCONF connection unit, configured to control the NETCONF connection with the SD-WAN controller after the WAN device's SSH user authentication has passed;
    认证判断单元,其用于当TCP连接完成、SHH认证通过以及NETCONF连接完成时,判定所述WAN设备通过设备认证,反之则所述WAN设备认证失败。The authentication judging unit is used to determine that the WAN device passes the device authentication when the TCP connection is completed, the SHH authentication is passed, and the NETCONF connection is completed, and otherwise, the WAN device authentication fails.
  10. 如权利要求6所述的系统,其特征在于,所述系统还包括:The system of claim 6, wherein the system further comprises:
    预准备单元,其用于控制所述SD-WAN控制器对所述WAN设备进行注册工作,并将生成设备上线表和设备认证表;A pre-preparation unit, which is used to control the SD-WAN controller to register the WAN device, and generate a device online table and a device authentication table;
    所述预准备单元,其还用于控制所述SD-WAN控制器生成认证配置文件,并向所述WAN设备发布所述认证配置文件;The pre-preparation unit is further configured to control the SD-WAN controller to generate an authentication configuration file and publish the authentication configuration file to the WAN device;
    其中,所述设备上线表用于记录已在所述SD-WAN控制器上完成设备注册的WAN设备,所述设备认证表用于记录所述SDN-WAN控制器的设备SSH认证信息。Wherein, the device online table is used to record WAN devices that have completed device registration on the SD-WAN controller, and the device authentication table is used to record device SSH authentication information of the SDN-WAN controller.
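A constructed Python model of the system in claims 6 to 10, added here as an illustration; it is not the patent's code and does not implement real SSH or NETCONF. It shows the controller's registration tables, the device authentication identifier carried as the key exchange characteristic value, the local-table lookup that turns that identifier into SSH user authentication information, and the judging unit that passes a device only when TCP, SSH user authentication and NETCONF all succeed. The configuration file layout, credential format and all names are assumptions.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Controller:
    """SD-WAN controller side: registration tables (claim 10) and the preset local
    table mapping a device authentication identifier to SSH user credentials (claim 8)."""
    online_table: set = field(default_factory=set)   # registered WAN devices
    auth_table: dict = field(default_factory=dict)   # device_auth_id -> user auth info

    def register(self, device_name):
        # Mint the identifier and per-device SSH credentials, then return the
        # authentication configuration file published to the device (constructed layout).
        device_auth_id = secrets.token_hex(8)
        user_auth = {"user": f"sdwan-{device_name}", "password": secrets.token_urlsafe(16)}
        self.online_table.add(device_name)
        self.auth_table[device_auth_id] = user_auth
        return {"device": device_name, "device_auth_id": device_auth_id, "ssh_user": user_auth}


@dataclass
class WanDevice:
    """WAN device side, initialised from the published authentication configuration file."""
    config: dict

    def kex_feature_value(self):
        # Claim 7: the device authentication identifier is the key exchange characteristic value.
        return self.config["device_auth_id"]

    def check_user_auth(self, request):
        # The WAN device is the SSH server, so it verifies the controller's user auth request.
        expected = self.config["ssh_user"]
        return request["user"] == expected["user"] and secrets.compare_digest(
            request["password"], expected["password"])


def authenticate(controller, device, tcp_ok=True, netconf_ok=True):
    """Claim 9's judging unit: the device passes only when the TCP connection,
    SSH user authentication and NETCONF connection all succeed, in that order.
    Returns (passed, per-stage results) so a failed stage is visible for logging."""
    stages = {"tcp": tcp_ok, "ssh": False, "netconf": False}
    if not stages["tcp"]:
        return False, stages
    feature = device.kex_feature_value()             # obtained after the SSH key exchange
    user_auth = controller.auth_table.get(feature)   # lookup in the preset local data table
    if user_auth is not None:
        stages["ssh"] = device.check_user_auth(dict(user_auth))
    if not stages["ssh"]:
        return False, stages                         # unknown identifier or wrong credential
    stages["netconf"] = netconf_ok                   # NETCONF request / feedback (claim 4)
    return all(stages.values()), stages
```

An identifier that is absent from the controller's table fails at the SSH stage without any credential being sent, which is the check a defender would want logged.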
PCT/CN2019/124188 2019-08-20 2019-12-10 Sd-wan-based device authentication method and system WO2021031465A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910770683.1 2019-08-20
CN201910770683.1A CN110611658B (en) 2019-08-20 2019-08-20 SD-WAN-based equipment authentication method and system

Publications (1)

Publication Number Publication Date
WO2021031465A1 true WO2021031465A1 (en) 2021-02-25

Family

ID=68889905

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/124188 WO2021031465A1 (en) 2019-08-20 2019-12-10 Sd-wan-based device authentication method and system

Country Status (2)

Country Link
CN (1) CN110611658B (en)
WO (1) WO2021031465A1 (en)

Also Published As

Publication number Publication date
CN110611658A (en) 2019-12-24
CN110611658B (en) 2020-10-09

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19942512

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 19942512

Country of ref document: EP

Kind code of ref document: A1