WO2021031465A1 - SD-WAN-based device authentication method and system - Google Patents

SD-WAN-based device authentication method and system

Info

Publication number
WO2021031465A1
Authority
WO
WIPO (PCT)
Prior art keywords
wan
authentication
ssh
controller
user authentication
Prior art date
Application number
PCT/CN2019/124188
Other languages
English (en)
Chinese (zh)
Inventor
王巍
赵伟
Original Assignee
烽火通信科技股份有限公司
Priority date
Filing date
Publication date
Application filed by 烽火通信科技股份有限公司
Publication of WO2021031465A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/2866 Architectures; Arrangements
    • H04L 67/30 Profiles

Definitions

  • the present invention relates to the field of communication technology, in particular to an SD-WAN-based device authentication method and system.
  • SDN Software Defined Network
  • Wide Area Network WAN (Wide Area Network) is a telecom network or computer network covering a long distance.
  • Virtual WAN builds a user's private WAN on top of the existing public WAN network, saving capital as well as operating and maintenance costs.
  • SD-WAN Software-Defined Wide Area Network
  • SD-WAN applies the SDN concept to the management of the user's private WAN network in order to achieve efficient management of the WAN.
  • the SD-WAN controller is a centralized controller for the SD-WAN network. It is used to uniformly manage and configure WAN network devices through standardized interfaces, realize flexible traffic strategies, fault monitoring, and simplify WAN management and troubleshooting.
  • NETCONF Network Configuration Protocol
  • XML Extensible Markup Language
  • SSH Secure Shell
  • RPC Remote Procedure Call
  • in the conventional approach, the active mode is generally adopted, that is, the controller actively connects to the device.
  • the device's authentication information is bound to the device's IP address, and the controller actively uses the device authentication information to connect to the device's IP address, whereupon device authentication is completed.
  • in an SD-WAN network, however, the IP address of the device connection changes dynamically with the user's network; the controller cannot predict the IP address of the device, so the device needs to initiate authentication actively.
  • the purpose of the present invention is to provide an SD-WAN-based device authentication method and system. Each WAN device is authenticated based on the device authentication identifier in its authentication configuration file, so authentication is not affected by the WAN device coming online actively, by IP address changes, or by the independence of device information, and device authentication proceeds smoothly.
  • the present invention discloses an SD-WAN-based device authentication method, the method includes the following steps:
  • the SD-WAN controller performs an SSH connection with the WAN device, and the WAN device performs SSH key exchange with the SD-WAN controller according to the device authentication identifier in the authentication configuration file of the WAN device;
  • the SD-WAN controller obtains the device authentication identifier, obtains user authentication information according to the device authentication identifier, and performs SSH user authentication on the WAN device according to the user authentication information.
  • the WAN device performs SSH key exchange with the SD-WAN controller according to the device authentication identifier in the authentication configuration file of the WAN device, which specifically includes the following steps:
  • the WAN device negotiates with the SD-WAN controller to agree on the key agreement and key exchange algorithm;
  • the WAN device sets the device authentication identifier in the authentication configuration file as the key exchange characteristic value;
  • the SD-WAN controller performs key exchange with the WAN device, and obtains the key exchange characteristic value.
  • the SD-WAN controller obtains the device authentication identifier, obtains user authentication information according to the device authentication identifier, and performs SSH user authentication on the WAN device according to the user authentication information. It includes the following steps:
  • the SD-WAN controller obtains the user authentication information of the WAN device in a preset local data table according to the device authentication identifier;
  • the SD-WAN controller sends an SSH user authentication request to the WAN device in accordance with the SSH protocol standard, where the SSH user authentication request includes the user authentication information;
  • the WAN device responds to the user authentication information, and the SSH user authentication of the WAN device is passed.
  • the method further includes the following steps:
  • the WAN device is initialized according to the authentication configuration file
  • the SD-WAN controller establishes a TCP connection with the WAN device, and the SD-WAN controller initiates SSH user authentication to the WAN device;
  • after the SSH user authentication of the WAN device is passed, the SD-WAN controller sends a NETCONF connection request to the WAN device, and the WAN device responds and generates NETCONF connection feedback.
  • the method further includes the following steps:
  • the SD-WAN controller registers the WAN device and generates a device online table and a device authentication table;
  • the SD-WAN controller generates the authentication configuration file, and publishes the authentication configuration file to the WAN device;
  • the device online table is used to record WAN devices that have completed device registration on the SD-WAN controller
  • the device authentication table is used to record the device SSH authentication information of the SD-WAN controller.
  • the present invention also discloses an SD-WAN-based device authentication system, the system includes:
  • the SSH key exchange unit is used to control the SD-WAN controller and the WAN device to perform SSH key exchange according to the device authentication identifier in the authentication configuration file of the WAN device after the SD-WAN controller and the WAN device are connected via SSH;
  • the SSH user authentication unit is used to obtain user authentication information according to the device authentication identifier after the SD-WAN controller obtains the device authentication identifier, and to perform SSH user authentication on the WAN device according to the user authentication information.
  • the SSH key exchange unit is also used to unify a key agreement and a key exchange algorithm between the WAN device and the SD-WAN controller;
  • the SSH key exchange unit is further configured to set the device authentication identifier in the authentication configuration file as a key exchange characteristic value
  • the SSH key exchange unit is further configured to control the SD-WAN controller to obtain the key exchange characteristic value after completing the SSH key exchange with the WAN device.
  • the SSH user authentication unit is further configured to control the SD-WAN controller to obtain user authentication information of the WAN device in a preset local data table according to the device authentication identifier;
  • the SSH user authentication unit is further configured to control the SD-WAN controller to send an SSH user authentication request to the WAN device in accordance with the SSH protocol standard, where the SSH user authentication request includes the user authentication information;
  • the SSH user authentication unit is further configured to wait for the WAN device to issue SSH user authentication passing information in response to the user authentication information.
  • the system further includes:
  • the TCP connection unit is configured to control the WAN device to perform a TCP connection with the SD-WAN controller after the WAN device completes initialization according to the authentication configuration file;
  • the NETCONF connection unit is used to control the WAN device to perform a NETCONF connection with the SD-WAN controller after the SSH user authentication of the WAN device is passed;
  • the authentication judging unit is used to determine that the WAN device passes the device authentication when the TCP connection is completed, the SSH authentication is passed, and the NETCONF connection is completed; otherwise, the WAN device authentication fails.
  • the system further includes:
  • a pre-preparation unit which is used to control the SD-WAN controller to register the WAN device, and generate a device online table and a device authentication table;
  • the pre-preparation unit is further configured to control the SD-WAN controller to generate an authentication configuration file and publish the authentication configuration file to the WAN device;
  • the device online table is used to record WAN devices that have completed device registration on the SD-WAN controller
  • the device authentication table is used to record the device SSH authentication information of the SD-WAN controller.
  • the invention authenticates each WAN device based on the device authentication identifier in the authentication configuration file; authentication is not affected by each WAN device coming online actively, by IP address changes, or by the independence of device information, and device authentication proceeds smoothly.
  • FIG. 1 is a flowchart of the steps of an SD-WAN-based device authentication method in an embodiment of the present invention
  • FIG. 2 is a step flow chart of the preamble process of the SD-WAN-based device authentication method in an embodiment of the present invention
  • FIG. 3 is a step flow diagram of step S1 of the SD-WAN-based device authentication process in the embodiment of the present invention.
  • FIG. 4 is a flowchart of step S2 of the SD-WAN-based device authentication method in the embodiment of the present invention.
  • FIG. 5 is a flow chart of the steps of the pre-preparation process of the SD-WAN-based device authentication method in the embodiment of the present invention.
  • FIG. 6 is a step flow chart of step C1 of the SD-WAN-based device authentication method in the embodiment of the present invention.
  • FIG. 7 is a structural block diagram of an SD-WAN-based device authentication system in an embodiment of the present invention.
  • SDN Software Defined Network;
  • WAN Wide Area Network, a telecommunications network or computer network covering a long distance;
  • SD-WAN Software-Defined Wide Area Network combines Virtual WAN with the traditional WAN; SD-WAN applies the SDN concept to the management of the user's private WAN network to achieve efficient management of the private WAN;
  • Virtual WAN Virtual Wide Area Network;
  • TCP Transmission Control Protocol, a connection-oriented, reliable, byte-stream-based transport layer communication protocol;
  • SSH Secure Shell protocol;
  • NETCONF NETCONF protocol, an XML-based network configuration protocol;
  • IP address Internet Protocol Address, a numeric label assigned to devices that use the Internet Protocol to access the Internet;
  • Diffie-Hellman key exchange algorithm, namely the Diffie-Hellman-Group-Exchange-SHA algorithm, enables both communicating parties to exchange keys securely over an insecure channel in order to encrypt subsequent communication messages.
  • An SD-WAN-based device authentication method includes the following steps:
  • the SD-WAN controller connects with the WAN device through SSH, and the WAN device exchanges SSH keys with the SD-WAN controller according to the device authentication identifier in the authentication configuration file of the WAN device;
  • the SD-WAN controller obtains the device authentication ID, obtains user authentication information according to the device authentication ID, and performs SSH user authentication on the WAN device according to the user authentication information.
  • the embodiment of the present invention realizes the active online of the WAN device, and ensures the isolation of authentication information of different WAN devices through the use of the device authentication identifier, thereby enhancing the security of device online authentication.
  • the method embodiment of the present invention provides an SD-WAN-based device authentication method, the method includes the following steps:
  • the SD-WAN controller connects with the WAN device through SSH, and the WAN device exchanges SSH keys with the SD-WAN controller according to the device authentication identifier in the authentication configuration file of the WAN device;
  • the SD-WAN controller obtains the device authentication ID, obtains user authentication information according to the device authentication ID, and performs SSH user authentication on the WAN device according to the user authentication information.
  • the SD-WAN controller establishes a TCP connection with the WAN device, and the SD-WAN controller initiates SSH user authentication to the WAN device;
  • after the SSH user authentication of the WAN device is passed, the SD-WAN controller sends a NETCONF connection request to the WAN device, and the WAN device responds and generates NETCONF connection feedback.
  • the WAN device first initializes according to a preset authentication configuration file. During specific operations, the WAN device can obtain the online configuration information in the authentication configuration file by email or other methods, and then complete the device initialization operation;
  • the WAN device initializes the device according to the authentication configuration file.
  • the key information in the authentication configuration file includes the SD-WAN controller IP address, local exit configuration, SSH login user name, and SSH user authentication information (password or controller public key);
  • the SD-WAN controller and the WAN device will perform a TCP connection.
  • the WAN device uses the SD-WAN controller IP address and port to actively initiate a TCP connection to the SD-WAN controller; the SD-WAN controller listens on TCP port 6622 and receives the TCP connection request initiated by the WAN device;
  • the SD-WAN controller performs SSH user authentication with the WAN device according to the device authentication identifier in the authentication configuration file of the WAN device;
  • the device authentication identifier in the configuration properties is used as the seed value of the Diffie-Hellman key exchange algorithm
  • the SD-WAN controller completes the SSH key exchange process according to the SSH protocol standard, establishes an SSH session with the WAN device, and obtains the key exchange algorithm seed value from the received SSH key exchange message; the SD-WAN controller takes the seed value of the Diffie-Hellman key exchange algorithm as the unique authentication identifier of the WAN device, that is, the device authentication identifier, and obtains the SSH user authentication information of the WAN device from the local data table;
  • the SD-WAN controller, following the SSH protocol standard, sends an SSH user authentication message to the WAN device, and the WAN device responds to the SSH user authentication message to complete the SSH user authentication;
  • the NETCONF Client module of the SD-WAN controller, that is, the NETCONF client module, uses the SSH channel to send NETCONF handshake messages to establish a NETCONF connection.
  • the SD-WAN controller acts as a NETCONF client and uses the NETCONF protocol to configure WAN devices.
  • the NETCONF SERVICE module of the WAN device, that is, the NETCONF server module, uses the SSH channel to accept NETCONF messages, responds to the NETCONF network configuration request of the SD-WAN controller, and generates NETCONF connection feedback; if it does, the device authentication passes, otherwise the device authentication fails;
  • the WAN device re-initiates a TCP request and completes the NETCONF over SSH process again.
  • the active online of the WAN device is realized, and the authentication information of different WAN devices is isolated through the use of the device authentication identifier, thereby enhancing the security of the device online authentication.
  • the Diffie-Hellman key exchange algorithm, namely the Diffie-Hellman-Group-Exchange-SHA algorithm;
  • the DH algorithm is the key exchange algorithm required by the SSH 2.0 protocol;
  • the security of the Diffie-Hellman key exchange algorithm depends on the following fact: although it is relatively easy to compute a modular exponentiation modulo a prime number, it is difficult to compute the discrete logarithm, and for large prime numbers computing the discrete logarithm is practically infeasible.
  • the large prime number referred to here is the device authentication identifier.
  • the networking topology of a typical SD-WAN network includes an SD-WAN controller and multiple WAN devices, that is, WAN network devices;
  • the SD-WAN controller is the management core of the entire network. It communicates with each WAN device in the network through a common WAN network (mainly the Internet or MPLS dedicated lines), manages the device authentication of each WAN device, and at the same time assigns each WAN device its authentication message. Each WAN device is likewise connected to the same public WAN network.
  • the public WAN network ensures that the IP of each WAN device is reachable, that is, the IP of the host or network port is reachable;
  • the WAN devices mentioned in the embodiments of the present invention mainly refer to WAN network edge routers with routing functions. These devices can be specific hardware facilities or virtualized software.
  • the devices used in SD-WAN networks are also called SD-WAN devices;
  • the SD-WAN controller manages network equipment through the NETCONF protocol, and at the same time uses the SSH protocol as the connection layer of the NETCONF protocol, referred to as NETCONF over SSH;
  • the SD-WAN controller serves as the NETCONF client, and the WAN device serves as the NETCONF server.
  • the common way for the NETCONF client to connect to the server is that the client initiates an SSH connection through the pre-configured server IP address and SSH user authentication information. After the SSH session is established, the NETCONF connection is established;
  • NETCONF connection establishment therefore requires the client (SD-WAN controller) to obtain the IP address of the server (WAN device) and the SSH user authentication information in advance.
  • in an SD-WAN network, the WAN device IP address is dynamically allocated.
  • the authentication information of the WAN device therefore cannot be bound to the WAN device IP address.
  • the SD-WAN controller needs to bring the WAN device online dynamically after the WAN device IP address changes.
  • the traditional technical solution thus does not fit the characteristics of the SD-WAN network, and the embodiments of the present invention address this technical problem.
  • the authentication configuration file includes SD-WAN controller IP address, local exit configuration, SSH login user name, and SSH user authentication information;
  • SSH user authentication information is different from SSH user authentication messages.
  • the former SSH user authentication information is data related to SSH user authentication in the authentication configuration file, while the latter SSH user authentication message is a message sent during SSH user authentication.
  • step S1 specifically includes the following steps:
  • step A1: the WAN device negotiates with the SD-WAN controller to agree on the key agreement and key exchange algorithm;
  • the WAN device sets the device authentication identifier in the authentication configuration file as the key exchange characteristic value
  • the SD-WAN controller performs key exchange with the WAN device and obtains the key exchange characteristic value.
  • the SD-WAN controller obtains the device authentication ID, obtains user authentication information according to the device authentication ID, and performs SSH user authentication on the WAN device according to the user authentication information, that is, the step S2 specifically includes the following steps:
  • the SD-WAN controller obtains the user authentication information of the WAN device in the preset local data table according to the device authentication identifier;
  • the SD-WAN controller sends an SSH user authentication request to the WAN device in accordance with the SSH protocol standard.
  • the SSH user authentication request includes user authentication information;
  • the WAN device responds to the user authentication information, and the SSH user is authenticated.
  • before the WAN device is initialized according to the preset authentication configuration file, the method also includes a pre-preparation process, which specifically includes the following steps:
  • step C1: the SD-WAN controller registers the WAN device and generates a device online table and a device authentication table;
  • the SD-WAN controller generates the authentication configuration file and publishes it to the WAN device;
  • the device online table is used to record the WAN devices that have completed device registration on the SD-WAN controller
  • the device authentication table is used to record the device SSH authentication information of the SD-WAN controller.
  • the device SSH authentication information records the SSH device authentication result of each WAN device when the SD-WAN controller performs SSH authentication;
  • when the SD-WAN controller registers the WAN device, it generates the device online table and the device authentication table mainly according to the device registration message.
  • the key data in the online table is a large prime number generated as the device authentication identifier;
  • forms of the authentication configuration file include: an email authentication URL, a local configuration file, or a local installation package.
  • step C1, in which the SD-WAN controller registers the WAN device and generates the device online table and the device authentication table, specifically includes the following steps:
  • the SD-WAN controller configures the authentication identifier for the device according to the device registration message. This identifier is used as a key parameter in the subsequent algorithm; according to the requirements of the DH key exchange algorithm, the device authentication identifier is a large prime number;
  • the SD-WAN controller assigns an independent SSH user login name and user authentication information to the WAN device according to the characteristic information of the device user.
  • SSH user authentication supports password authentication and key authentication;
  • the SD-WAN controller configures the online information for the WAN device according to the device registration message.
  • the configured online information mainly includes the device outlet network information and the controller network information;
  • step C13: update the device authentication table and the device online table in the local database of the SD-WAN controller;
  • step C14: the SD-WAN controller issues the authentication configuration file in an offline or online manner.
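To show the pre-preparation process of step C1 end to end, here is an added Python model (not the patent's or the assignee's code) of the controller side: the identifier step allocates a random large prime as the device authentication identifier (Miller-Rabin; the demo call below uses a reduced size for speed), the credential step assigns the device its own SSH login name and secret, step C13 records both tables, and step C14 returns the authentication configuration file to publish. It also models the authentication judging unit, which passes a device only once the TCP connection, the SSH user authentication and the NETCONF connection have all completed. Field names, the registration message layout and the sample address are assumptions; port 6622 is the listening port the page names.

```python
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test, with trial division by small primes first."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2  # random base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_device_auth_id(bits: int) -> int:
    """Generate a random prime of exactly `bits` bits. The patent only requires
    a large prime; an identifier that also serves as a DH group-exchange modulus
    should in practice be a safe prime, as RFC 4419 expects."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


class SdWanController:
    """Pre-preparation (step C1) and authentication judgement on the controller."""

    def __init__(self, controller_ip: str, port: int = 6622):
        self.controller_ip = controller_ip
        self.port = port                 # TCP port the controller listens on
        self.device_online_table = {}    # device name -> online information
        self.device_auth_table = {}      # device auth identifier -> SSH auth info

    def register_device(self, registration_msg: dict, id_bits: int = 2048) -> dict:
        """Process one device registration message and return the config file."""
        name = registration_msg["device_name"]
        # Identifier: a prime that no other registered device already uses.
        while True:
            auth_id = generate_device_auth_id(id_bits)
            if auth_id not in self.device_auth_table:
                break
        # Independent SSH login name and user authentication information.
        ssh_user = f"sdwan-{name}"
        ssh_auth_info = secrets.token_urlsafe(24)
        # C13: update both tables in the controller's local database.
        self.device_auth_table[auth_id] = {
            "device": name, "user": ssh_user, "auth_info": ssh_auth_info,
            "tcp": False, "ssh": False, "netconf": False,
        }
        self.device_online_table[name] = {
            "auth_id": auth_id,
            "exit_config": registration_msg["exit_config"],
            "controller": (self.controller_ip, self.port),
        }
        # C14: the authentication configuration file published to the device.
        return {
            "controller_ip": self.controller_ip,
            "controller_port": self.port,
            "local_exit_config": registration_msg["exit_config"],
            "ssh_login_user": ssh_user,
            "ssh_user_auth_info": ssh_auth_info,
            "device_auth_id": auth_id,
        }

    def record_stage(self, auth_id: int, stage: str, passed: bool) -> None:
        """Record the outcome of the TCP, SSH or NETCONF stage for a device."""
        if stage not in ("tcp", "ssh", "netconf"):
            raise ValueError("unknown stage")
        self.device_auth_table[auth_id][stage] = passed

    def device_authenticated(self, auth_id: int) -> bool:
        """Authentication judging unit: pass only when all three stages completed."""
        row = self.device_auth_table.get(auth_id)
        return bool(row) and row["tcp"] and row["ssh"] and row["netconf"]


if __name__ == "__main__":
    ctl = SdWanController("203.0.113.10")  # constructed documentation address
    cfg = ctl.register_device({"device_name": "edge-01",
                               "exit_config": {"wan_if": "eth0"}}, id_bits=256)
    print(cfg)
```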
  • the system embodiment of the present invention provides an SD-WAN-based device authentication system, which is specifically as follows:
  • an SD-WAN-based device authentication system includes:
  • the SSH key exchange unit 1 is used to control the SD-WAN controller and the WAN device to perform SSH key exchange according to the device authentication identifier in the authentication configuration file of the WAN device after the SD-WAN controller and the WAN device have established an SSH connection;
  • SSH user authentication unit 2 which is used to obtain user authentication information according to the device authentication ID after the SD-WAN controller obtains the device authentication ID, and perform SSH user authentication on the WAN device according to the user authentication information;
  • the system also includes:
  • the TCP connection unit 3 which is used to control the WAN device to perform a TCP connection with the SD-WAN controller after the WAN device is initialized according to the authentication configuration file;
  • the NETCONF connection unit 4 is used to control the WAN device to perform a NETCONF connection with the SD-WAN controller after the SSH user authentication of the WAN device is passed;
  • the authentication judgment unit 5 is used to determine that the WAN device has passed the device authentication when the TCP connection is completed, the SSH authentication is passed, and the NETCONF connection is completed; otherwise, the WAN device authentication has failed.
  • the authentication configuration file includes the SD-WAN controller IP address, the local exit configuration, the SSH login user name, and the SSH user authentication information;
  • the SSH key exchange unit 1 is also used to unify the key negotiation and the key exchange algorithm between the WAN device and the SD-WAN controller;
  • the SSH key exchange unit 1 is also used to set the device authentication identifier in the authentication configuration file as the key exchange characteristic value;
  • the SSH key exchange unit 1 is also used to cause the SD-WAN controller to obtain the key exchange characteristic value after the SD-WAN controller and the WAN device complete the SSH key exchange;
  • the SSH user authentication unit 2 is further configured to cause the SD-WAN controller to look up the user authentication information of the WAN device in a preset local data table according to the device authentication identifier;
  • the SSH user authentication unit 2 is also used to cause the SD-WAN controller to send an SSH user authentication request to the WAN device in accordance with the SSH protocol standard, the SSH user authentication request including the user authentication information;
  • the SSH user authentication unit 2 is also used to wait for the WAN device to respond to the user authentication information by releasing (accepting) the SSH user authentication;
  • the system further includes a pre-preparation unit 6, which is used to cause the SD-WAN controller to register the WAN device and to generate a device online table and a device authentication table;
  • the pre-preparation unit 6 is also used to cause the SD-WAN controller to generate an authentication configuration file and to deliver the authentication configuration file to the WAN device;
  • the device online table is used to record the WAN devices that have completed device registration on the SD-WAN controller;
  • the device authentication table is used to record the device SSH authentication information held by the SD-WAN controller;
  • the device SSH authentication information records the SSH device authentication result of each WAN device when the SD-WAN controller performs SSH authentication;
  • when the SD-WAN controller registers a WAN device, it generates the device online table and the device authentication table mainly from the device registration message;
  • the key data in the online table is a generated large prime number used as the device's authentication identifier;
  • the authentication configuration file can take the form of an email authentication URL, a local configuration file, or a local installation package.
  • the embodiments of the present invention can be provided as methods, systems, servers, or computer program products. Therefore, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware. Moreover, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, optical storage, etc.) containing computer-usable program code;
  • these computer program instructions can also be stored in a computer-readable memory that can direct a computer or other programmable data processing equipment to work in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device;
  • the instruction device implements the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram;
  • these computer program instructions can also be loaded onto a computer or other programmable data processing equipment, so that a series of operation steps is executed on the computer or other programmable equipment to produce computer-implemented processing;
  • the instructions executed on the computer or other programmable equipment then provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
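To make the interplay of the SSH key exchange unit 1, the SSH user authentication unit 2 and the pre-preparation unit 6 concrete, the following Python simulation is added here; it is not code from the patent or from the applicant. It assumes that the WAN device, acting as the SSH server, proposes its own Diffie-Hellman group (as an SSH server may under RFC 4419 group exchange) and that the device authentication identifier is that group's prime modulus; the controller recovers the modulus after key exchange, looks the device up by it in its local authentication table, and only then sends SSH user authentication. The class and function names, the 64-bit identifier size, the IP addresses and the credentials are all constructed for the example, and host-key signatures and the SSH wire format are left out.

```python
"""Added simulation (not the patent's or applicant's code) of the controller-side flow:
SSH key exchange yields the device authentication identifier, which keys the lookup of
SSH user credentials.  Assumed: the WAN device (SSH server) proposes its own DH group, as
RFC 4419 group exchange allows, and the identifier is that group's prime modulus p.
Host-key signatures and SSH framing are omitted; all names and values are constructed."""
import hashlib
import hmac
import secrets

def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin after trial division by small primes."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def is_safe_prime(p: int) -> bool:
    """p = 2q + 1 with both prime, so g = 2 generates a large prime-order subgroup."""
    return p > 5 and is_probable_prime(p) and is_probable_prime((p - 1) // 2)

def generate_safe_prime(bits: int) -> int:
    """Fresh safe prime of the given size; used as the device authentication identifier."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1

def derive_key(shared: int, p: int) -> str:
    """Session key from the DH shared secret (stand-in for the SSH exchange hash)."""
    return hashlib.sha256(shared.to_bytes((p.bit_length() + 7) // 8, "big")).hexdigest()

class WanDevice:
    """WAN device = NETCONF/SSH server; its IP is dynamic and never used as a key."""
    def __init__(self, name: str, ip: str, config: dict):
        self.name, self.ip, self.session_key = name, ip, None
        self.p, self.g = config["device_auth_id"], 2  # identifier doubles as DH modulus
        self.ssh_user, self.ssh_password = config["ssh_user"], config["ssh_password"]

    def kex_group(self):
        """SSH_MSG_KEX_DH_GEX_GROUP: the server announces (p, g) to the client."""
        return self.p, self.g

    def kex_reply(self, client_pub: int) -> int:
        if not 2 <= client_pub <= self.p - 2:
            raise ValueError("client public value out of range")
        priv = 2 + secrets.randbelow(self.p - 3)
        self.session_key = derive_key(pow(client_pub, priv, self.p), self.p)
        return pow(self.g, priv, self.p)

    def userauth(self, user: str, password: str) -> bool:
        """Device-side check of the SSH 'password' user authentication request."""
        return hmac.compare_digest(user, self.ssh_user) and hmac.compare_digest(password, self.ssh_password)

class Controller:
    """SD-WAN controller = NETCONF/SSH client holding the online and authentication tables."""
    def __init__(self, ip: str = "192.0.2.10"):
        self.ip = ip
        self.online_table = {}  # device name -> identifier of each registered device
        self.auth_table = {}    # identifier -> SSH credentials and last authentication result

    def register_device(self, name: str, bits: int = 64) -> dict:
        """Pre-preparation: mint the identifier, fill both tables, build the config file."""
        p = generate_safe_prime(bits)
        rec = {"device": name, "user": f"netconf-{name}",
               "password": secrets.token_urlsafe(16), "result": "pending"}
        self.online_table[name], self.auth_table[p] = p, rec
        return {"controller_ip": self.ip, "device_auth_id": p,
                "ssh_user": rec["user"], "ssh_password": rec["password"]}

    def connect(self, device: WanDevice) -> dict:
        """Key exchange, recover p, look the device up by p, then SSH user authentication."""
        p, g = device.kex_group()
        rec = self.auth_table.get(p)
        # Refuse to exponentiate with a peer-chosen group unless it is a registered
        # identifier and a genuine safe prime with an in-range generator.
        if rec is None or not is_safe_prime(p) or not 2 <= g <= p - 2:
            return {"status": "rejected", "reason": "unknown or invalid DH group"}
        priv = 2 + secrets.randbelow(p - 3)
        server_pub = device.kex_reply(pow(g, priv, p))
        if not 2 <= server_pub <= p - 2:
            return {"status": "rejected", "reason": "server public value out of range"}
        session_key = derive_key(pow(server_pub, priv, p), p)
        # p identifies the device, so credentials come from the local table rather
        # than from anything tied to the device's changeable IP address.
        rec["result"] = "success" if device.userauth(rec["user"], rec["password"]) else "failure"
        return {"status": rec["result"], "device": rec["device"],
                "peer_ip": device.ip, "session_key": session_key}
```

Two points a practitioner should take from the simulation. First, the controller validates the proposed group (a registered identifier, a genuine safe prime, an in-range generator) before exponentiating with it, because accepting an arbitrary modulus from the peer would undermine the key exchange itself. Second, the modulus travels in the clear during key exchange, so the identifier is a lookup key rather than a secret: proof of identity still rests on the SSH user credentials (and, in a real deployment, on the device host key, which the simulation omits), which is why a device that presents a registered identifier with the wrong credentials is recorded as a failure in the authentication table, while the same device reconnecting from a new IP address authenticates normally.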

Abstract

The invention relates to an SD-WAN based device authentication method and system in the technical field of communications. The method comprises the following steps: an SD-WAN controller establishes an SSH connection with a WAN device, and the WAN device performs an SSH key exchange with the SD-WAN controller according to a device authentication identifier in the WAN device's authentication configuration file; and the SD-WAN controller acquires the device authentication identifier, obtains user authentication information according to the device authentication identifier, and performs SSH user authentication of the WAN device according to the user authentication information. According to the present invention, each WAN device is authenticated on the basis of the device authentication identifier in an authentication configuration file, unaffected by each WAN device coming online on its own initiative, by IP address changes, or by the independence of device information, which ensures that device authentication proceeds smoothly.
PCT/CN2019/124188 2019-08-20 2019-12-10 Procédé et système d'authentification de dispositif basés sur un réseau sd-wan WO2021031465A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910770683.1A CN110611658B (zh) 2019-08-20 2019-08-20 一种基于sd-wan的设备认证方法及系统
CN201910770683.1 2019-08-20

Publications (1)

Publication Number Publication Date
WO2021031465A1 true WO2021031465A1 (fr) 2021-02-25

Family

ID=68889905

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/124188 WO2021031465A1 (fr) 2019-08-20 2019-12-10 Procédé et système d'authentification de dispositif basés sur un réseau sd-wan

Country Status (2)

Country Link
CN (1) CN110611658B (fr)
WO (1) WO2021031465A1 (fr)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111148056B (zh) * 2020-04-03 2020-12-01 南京华智达网络技术有限公司 可运营网络配置方法及系统
CN111526069B (zh) * 2020-04-29 2022-03-11 深圳市吉祥腾达科技有限公司 基于sd-wan的并发隧道性能测试方法
US11296947B2 (en) 2020-06-29 2022-04-05 Star2Star Communications, LLC SD-WAN device, system, and network

Citations (4)

Publication number Priority date Publication date Assignee Title
US20180091481A1 (en) * 2016-09-26 2018-03-29 Versa Networks, Inc. Method and system for protecting data flow between pairs of branch nodes in a software-defined wide-area network
CN108713309A (zh) * 2018-03-21 2018-10-26 深圳前海达闼云端智能科技有限公司 Sd-wan系统、sd-wan系统的使用方法及相关装置
CN108964985A (zh) * 2018-06-14 2018-12-07 烽火通信科技股份有限公司 一种协议报文以及虚拟客户终端设备的管理方法
US20190052558A1 (en) * 2017-08-08 2019-02-14 Versa Networks, Inc. Method and system for routing connections in a software-defined wide area network

Family Cites Families (8)

Publication number Priority date Publication date Assignee Title
CN108347713B (zh) * 2012-04-27 2021-12-28 交互数字专利控股公司 Wtru及由wtru执行的方法
US9319881B2 (en) * 2013-03-15 2016-04-19 Tyfone, Inc. Personal digital identity device with fingerprint sensor
CN104468618B (zh) * 2014-12-26 2017-10-03 重庆邮电大学 基于传感器网络的xmpp协议安全接入方法
CN106936608B (zh) * 2015-12-29 2020-09-18 华为技术有限公司 一种建立ssh连接的方法、相关设备及系统
US20170289120A1 (en) * 2016-04-04 2017-10-05 Mastercard International Incorporated Systems and methods for authenticating user for secure data access using multi-party authentication system
CN106685785B (zh) * 2016-12-27 2020-06-05 北京航空航天大学 一种基于IPsec VPN代理的Intranet接入系统
CN109068326B (zh) * 2018-07-24 2020-07-31 腾讯科技(深圳)有限公司 一种认证方法、装置、终端、存储介质以及系统
CN109150907B (zh) * 2018-09-30 2021-10-12 百度在线网络技术(北京)有限公司 车载工控机登录方法、装置、系统、计算机设备及介质

Patent Citations (4)

Publication number Priority date Publication date Assignee Title
US20180091481A1 (en) * 2016-09-26 2018-03-29 Versa Networks, Inc. Method and system for protecting data flow between pairs of branch nodes in a software-defined wide-area network
US20190052558A1 (en) * 2017-08-08 2019-02-14 Versa Networks, Inc. Method and system for routing connections in a software-defined wide area network
CN108713309A (zh) * 2018-03-21 2018-10-26 深圳前海达闼云端智能科技有限公司 Sd-wan系统、sd-wan系统的使用方法及相关装置
CN108964985A (zh) * 2018-06-14 2018-12-07 烽火通信科技股份有限公司 一种协议报文以及虚拟客户终端设备的管理方法

Also Published As

Publication number Publication date
CN110611658A (zh) 2019-12-24
CN110611658B (zh) 2020-10-09

Similar Documents

Publication Publication Date Title
US10666639B2 (en) Customer-centric workflow for initial on-boarding of an OpenFlow enabled switch
US10686761B2 (en) Methods and apparatus for providing a secure overlay network between clouds
CN108551464B (zh) 一种混合云的连接建立、数据传输方法、装置和系统
CN110120934B (zh) 应用防火墙策略的方法、软件定义网络控制器和介质
US7219223B1 (en) Method and apparatus for providing data from a service to a client based on encryption capabilities of the client
US7716724B2 (en) Extensible authentication protocol (EAP) state server
EP3152865B1 (fr) Fourniture et gestion de tranches d'un dispositif d'équipement de locaux de client
JP2022550356A (ja) マルチテナントソフトウェア定義ワイドエリアネットワーク(sd-wan)ノードを提供するための方法、システム、およびコンピュータ読取可能媒体
WO2021031465A1 (fr) Procédé et système d'authentification de dispositif basés sur un réseau sd-wan
US10523657B2 (en) Endpoint privacy preservation with cloud conferencing
US10187356B2 (en) Connectivity between cloud-hosted systems and on-premises enterprise resources
US9667436B2 (en) Method and apparatus for communicating with an access node
US11689522B2 (en) Method and apparatus for secure hybrid cloud connectivity
JP5679343B2 (ja) クラウドシステム、ゲートウェイ装置、通信制御方法、及び通信制御プログラム
US9100369B1 (en) Secure reverse connectivity to private network servers
WO2016172501A1 (fr) Fourniture de services hybrides
US20200228373A1 (en) Autonomous system bridge connecting in a telecommunications network
EP3288235B1 (fr) Système et appareil pour garantir le respect d'un accord de niveau de service (sla) dans un environnement cloud via l'utilisation de signature électronique
WO2011147334A1 (fr) Procédé, dispositif et système pour fournir un service de réseau privé virtuel
EP4080850A1 (fr) Intégration de dispositifs réseau virtualisés à un système d'assurance réseau en nuage
US11888898B2 (en) Network configuration security using encrypted transport
US20200287868A1 (en) Systems and methods for in-band remote management
TWI836974B (zh) 用於私有通訊架構的私有安全聊天連結機制
US20230040377A1 (en) Autonomous distributed wide area network having control plane and order management on a blockchain
WO2024010597A1 (fr) Procédé et système de configuration de serveur netconf au moyen d'un contrôleur netconf

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19942512

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 19942512

Country of ref document: EP

Kind code of ref document: A1