
CN101188614A - A method, system and device for user access security control - Google Patents

A method, system and device for user access security control

Info

Publication number
CN101188614A
Authority
CN (China)
Prior art keywords
user, access, request message, control, llid
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CNA2007101951023A
Other languages
Chinese (zh)
Other versions
CN101188614B (en)
Inventors
顾勤丰
李教峰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CN2007101951023A (CN101188614B)
Publication of CN101188614A
Priority to PCT/CN2008/072243 (WO2009067871A1)
Application granted
Publication of CN101188614B
Current legal status: Expired - Fee Related

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/102 Entity profiles
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method, system and device for user access security control in the field of communications. The method comprises: receiving an access request message that carries a user link identifier; parsing the access request message to obtain the user link identifier; judging from the user link identifier whether the access request message satisfies a preset access condition; and, if so, allowing the user corresponding to the user link identifier to access. The system comprises a user node, an access device and a control device. The access device comprises a receiving module, an identifier insertion module and a sending module; the control device comprises a receiving module, a parsing module and a processing module. By configuring logical interfaces on the BNG device, the invention can uniquely identify a user link in multi-service mode, so that security control policies such as access control, bandwidth control and multicast control can be applied to a single user link, using its user link identifier, according to the security control policy pre-configured on the logical interface.

Figure 200710195102

Description

A method, system and device for user access security control

Technical field

The present invention relates to the field of communications, and in particular to a method, system and device for user access security control.

Background

With the development of broadband access technology, network access methods and access technologies have changed greatly. The network has also developed from a traditional network that only provides Internet access into a network that carries multiple services. Fig. 1 is a schematic diagram of a broadband access network in the prior art. Users such as TV set-top boxes, VoIP (Voice over Internet Protocol) terminals, PCs connected to the Internet, mobile phone terminals and handheld multimedia terminals obtain unified access through an RG (Residential Gateway). The RG connects to a DSLAM (Digital Subscriber Line Access Multiplexer) over a telephone twisted pair or through technologies such as ADSL (Asymmetric Digital Subscriber Line) and VDSL (Very-high-data-rate Digital Subscriber Line). The DSLAM is a layer 2 device that aggregates user access links and converts between xDSL (ADSL/VDSL) and the uplink Ethernet link. The DSLAM then connects through the access network to a BNG (Broadband Network Gateway). The BNG may be a BRAS (Broadband Remote Access Server) or a router dedicated to providing services. In the network the BNG implements PPPoE (PPP over Ethernet) access, usually the service by which a PC accesses the Internet, and DHCP (Dynamic Host Configuration Protocol) access, usually the access management of TV set-top boxes, VoIP terminals and the like. The BNG also distributes to the corresponding users the different service data flows provided by ASPs (Application Service Providers) and ISPs (Internet Service Providers); the services provided by ASPs/ISPs include IPTV, Internet access and VoIP. The network further includes a policy server, which manages users and services by delivering control policies to each gateway device in the network, a gateway server and so on.

It can be seen that the BNG is the core node in the network that handles user access management, service distribution, service policy enforcement and similar functions.

Fig. 2 is a schematic diagram of user service access mapping in the prior art. After different user services are accessed through the RG, they reach the DSLAM over different VCs (Virtual Circuits): TV set-top box service over VC1, VoIP service over VC2 and PC service over VC3. When the DSLAM maps VCs to VLANs, the prior art provides two mapping models:

1) N:1 model: the same service type is mapped to the same S-VLAN, that is, on one DSLAM the traffic of the same service type from all users is identified by the BNG, on arrival, through the same S-VLAN.

2) 1:1 model: the DSLAM assigns a unique S-VLAN + C-VLAN combination to each service type; generally the S-VLAN identifies the service and the C-VLAN identifies the user, so that when the data packets of each service type of a user on one DSLAM arrive at the BNG, the BNG identifies them uniquely through the S-VLAN + C-VLAN combination.

In the course of implementing the present invention, the inventors found that the prior art has at least the following disadvantages and deficiencies:

The BNG identifies an accessing user link through VLAN/QinQ, and security control is also performed at VLAN/QinQ granularity. In multi-service mode the BNG cannot uniquely identify a user link through VLAN/QinQ, and therefore cannot apply security control to a single user link.

Contents of the invention

In order to enable the BNG to apply security control to a single user link, embodiments of the present invention provide a method, system and device for user access security control. The technical solution is as follows:

An embodiment of the present invention provides a method for user access security control, the method comprising:

receiving an access request message, the access request message carrying a user link identifier;

parsing the access request message to obtain the user link identifier;

judging from the user link identifier whether the access request message satisfies a preset access condition; and

if so, allowing the user corresponding to the user link identifier to access.

An embodiment of the present invention further provides a system for user access security control, the system comprising:

a user node, configured to send an access request message;

an access device, configured to receive the access request message sent by the user node, insert a user link identifier into that access request message, and send the access request message with the user link identifier inserted;

a control device, configured to receive from the access device the access request message with the user link identifier inserted, parse it to obtain the user link identifier, judge from the user link identifier whether the access request message satisfies a preset access condition and, if so, allow the user node corresponding to the user link identifier to access.

An embodiment of the present invention further provides an access device, the device comprising:

a receiving module, configured to receive an access request message sent by a user node;

an identifier insertion module, configured to insert a user link identifier into the access request message received by the receiving module;

a sending module, configured to send the access request message after the identifier insertion module has inserted the user link identifier.

An embodiment of the present invention further provides a control device, the device comprising:

a receiving module, configured to receive an access request message sent by an access device, the access request message carrying a user link identifier;

a parsing module, configured to parse the access request message received by the receiving module to obtain the user link identifier;

a processing module, configured to judge from the user link identifier obtained by the parsing module whether the access request message satisfies a preset access condition and, if so, allow the user corresponding to the user link identifier to access.

The beneficial effects of the technical solution provided by the embodiments of the present invention are:

By configuring logical interfaces on the BNG device, a user link can be uniquely identified in multi-service mode, so that security control can be applied to a single user link, on the pre-configured logical interface, according to its user link identifier.

Description of drawings

Fig. 1 is a schematic diagram of a broadband access network in the prior art;

Fig. 2 is a schematic diagram of user service access mapping in the prior art;

Fig. 3 is a flowchart of the method for user access security control provided by Embodiment 1 of the present invention;

Fig. 4 is a flowchart of the method for user access security control provided by Embodiment 2 of the present invention;

Fig. 5 is a flowchart of the method for user access security control provided by Embodiment 3 of the present invention;

Fig. 6 is a schematic diagram of the system for user access security control provided by Embodiment 4 of the present invention;

Fig. 7 is a schematic diagram of the access device provided by Embodiment 5 of the present invention;

Fig. 8 is a schematic diagram of the control device provided by Embodiment 6 of the present invention.

Detailed description

To make the objects, technical solutions and advantages of the present invention clearer, the embodiments of the present invention are described in further detail below with reference to the accompanying drawings.

In the technical solution provided by the embodiments of the present invention, the BNG can uniquely identify user link identifier information in multi-service mode and thereby apply security control to a single user link. The method comprises: receiving an access request message that carries a user link identifier; parsing the access request message to obtain the user link identifier; judging from the user link identifier whether the access request message satisfies a preset access condition; and, if so, allowing the user corresponding to the user link identifier to access.

The technical solution provided by the embodiments of the present invention is described in detail below according to the specific security control policies configured:

Embodiment 1

Referring to Fig. 3, an embodiment of the present invention provides a method for user access security control with the following steps:

Step 101: the BNG obtains the user link identifier.

The BNG can obtain the user link identifier information in either of the following two ways:

1) An administrator manually configures the DSLAM device information on the BNG through the command line. The DSLAM device information specifically includes the frame number, slot number and port number of the device; the DSLAM can uniquely determine a user link accessing it through frame number + slot number + port number. The reference command line format is as follows:

access-loop-circuit-identifier dslaml-atm-frame-slot/port:[vpi.vci]

Here access-loop-circuit-identifier is the command word, indicating that a user link identifier is to be configured on the BNG, followed by the string corresponding to each identifier: dslaml denotes the name of a DSLAM node, atm indicates that the link layer between the RG and the DSLAM is ATM, frame is the DSLAM frame number, slot is the slot number within the DSLAM, port is the DSLAM port number, and vpi.vci is optional PVC (Permanent Virtual Circuit) information.

2) The link information reporting function provided by the ANCP protocol. ANCP uses TCP as its transport-layer protocol and provides a channel for passing control information between the BNG and the DSLAM. When a user starts the RG and activates the user link, the DSLAM reports that user's link information to the BNG through ANCP; the user link information includes the user link status, the user link identifier and related user link parameters. ANCP defines it as follows:

Type (Access-Loop-Circuit-ID = 0x01), maximum length 64; the protocol's default format is:

access-Node-Identifier atm slot/port[:vlan-id]

Step 102: from the obtained user link identifier, the BNG creates a corresponding logical link identifier for it.

The logical link identifier may specifically be the user link identifier itself, or a logical interface created from the user link identifier; this embodiment takes a logical interface as the logical link identifier for illustration. The logical interface created by the BNG corresponds uniquely to the user link identifier. The reference command line for creating the interface is as follows:

interface user-line dslaml-atm-frame-slot/port:[vpi.vci]

Once the BNG has created the logical interface, security control policies can be applied on that logical interface.

Step 103: user X initiates an access request through DHCP, that is, sends a DHCP access request message.

Depending on its service type, a user usually initiates an access request through the DHCP protocol or the PPPoE protocol. For example, a PC user requesting Internet access initiates the request through PPPoE, whereas a TV set-top box user requesting IPTV service or a VoIP terminal user requesting VoIP service initiates the request through DHCP. This embodiment takes user X initiating an access request through DHCP as an example, but the type of access request is not limited.

Step 104: the DSLAM receives the DHCP access request message sent by user X, inserts the user link identifier into it, and forwards the DHCP access request message with the user link identifier inserted to the BNG.

Owing to the characteristics of the DHCP protocol itself, the message contains an Agent-Circuit-ID option that identifies the line through which the user accesses. When it receives the DHCP access request message from user X, the DSLAM knows through which of its own frames, slots and ports the message was received, and inserts the corresponding user link identifier accordingly. The format of this user link identifier must match the format of the user link identifier preset on the BNG.

Step 105: the BNG receives the DHCP access request message carrying the user link identifier from the DSLAM and judges, from the user link identifier carried in the message, whether a corresponding logical interface can be found. If so, step 106 is executed; otherwise, step 107.

Step 106: the BNG creates a user access entry bound to the logical interface, saves the information of user X, and executes step 108.

The information of user X and the corresponding logical interface identifier can be stored in the user access table; the information of user X includes user X's MAC (Media Access Control) address, IP address, authentication and accounting information, and so on.

Step 107: the BNG discards the received access request message, prohibits user X from accessing, and the procedure ends.

Step 108: the BNG returns a DHCP response message to the DSLAM; the DHCP response message carries the user link identifier information.

Step 109: the DSLAM receives the DHCP response message returned by the BNG, deletes the user link identifier information carried in it, and forwards the DHCP response message, with the user link identifier information removed, to user X.

Step 110: after the DHCP negotiation is complete, user X has successfully accessed the BNG, and the procedure ends.
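The exchange of steps 103 to 110, as an added Python example that is not part of the patent or of any Huawei product: the DSLAM carries the user link identifier in the Agent-Circuit-ID sub-option (sub-option 1) of the DHCP relay agent information option (option 82), the BNG parses it, checks it against the preset identifier format, looks up the logical interface, either creates the user access entry or drops the request, and echoes the identifier in its response for the DSLAM to strip before forwarding to the user. The option byte layout follows the DHCP TLV encoding; the node name dslam1, the identifiers, the MAC addresses and the regular expression for the preset format are constructed assumptions (the patent only names the option and the reference CLI format).

```python
import re
from typing import Optional

# Constructed example: BNG-side handling of a DHCP access request that carries a
# user link identifier. Not the patent's code; option encoding and names are assumed.

# DHCP relay agent information option (82) and its Agent-Circuit-ID sub-option (1),
# the field the DSLAM fills in at step 104.
DHCP_OPT_RELAY_AGENT = 82
SUBOPT_CIRCUIT_ID = 1
DHCP_OPT_END = 255

# Format preset on the BNG, following the patent's reference CLI form
#   <node>-atm-<frame>-<slot>/<port>[:<vpi>.<vci>]
# Assumption: the node name contains no hyphen, so the fields split unambiguously.
CIRCUIT_ID_RE = re.compile(
    r"^(?P<node>[A-Za-z0-9_]+)-atm-(?P<frame>\d+)-(?P<slot>\d+)/(?P<port>\d+)"
    r"(?::(?P<vpi>\d+)\.(?P<vci>\d+))?$"
)


def parse_circuit_id(text: str) -> Optional[dict]:
    """Split a user link identifier into its fields; None if it does not match the preset format."""
    m = CIRCUIT_ID_RE.match(text)
    if not m:
        return None
    g = m.groupdict()
    return {
        "node": g["node"],
        "frame": int(g["frame"]),
        "slot": int(g["slot"]),
        "port": int(g["port"]),
        "pvc": (int(g["vpi"]), int(g["vci"])) if g["vpi"] is not None else None,
    }


def _walk_tlv(buf: bytes):
    """Yield (code, value) pairs from DHCP-style TLV bytes; 0 is pad, 255 ends the list."""
    i = 0
    while i < len(buf):
        code = buf[i]
        if code == DHCP_OPT_END:
            return
        if code == 0:
            i += 1
            continue
        if i + 1 >= len(buf):
            return  # truncated length byte
        length = buf[i + 1]
        if i + 2 + length > len(buf):
            return  # truncated value: stop rather than read past the buffer
        yield code, buf[i + 2:i + 2 + length]
        i += 2 + length


def build_option82(circuit_id: bytes) -> bytes:
    sub = bytes([SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id
    return bytes([DHCP_OPT_RELAY_AGENT, len(sub)]) + sub


def extract_circuit_id(options: bytes) -> Optional[str]:
    """BNG step 105 (parse): pull the Agent-Circuit-ID out of option 82, if present."""
    for code, value in _walk_tlv(options):
        if code == DHCP_OPT_RELAY_AGENT:
            for sub, subval in _walk_tlv(value):
                if sub == SUBOPT_CIRCUIT_ID:
                    return subval.decode("ascii", errors="replace")
    return None


def strip_option82(options: bytes) -> bytes:
    """Rebuild the option list without option 82 (what the DSLAM does at step 109)."""
    out = bytearray()
    for code, value in _walk_tlv(options):
        if code != DHCP_OPT_RELAY_AGENT:
            out += bytes([code, len(value)]) + value
    out.append(DHCP_OPT_END)
    return bytes(out)


def dslam_insert_circuit_id(options: bytes, circuit_id: str) -> bytes:
    """DSLAM step 104. Design choice here: any option 82 already in the request is discarded first."""
    return strip_option82(options)[:-1] + build_option82(circuit_id.encode("ascii")) + bytes([DHCP_OPT_END])


class BNG:
    def __init__(self, configured_circuit_ids):
        # Steps 101-102: each configured user link identifier gets its own logical interface
        # (the patent's "interface user-line <id>").
        self.logical_interfaces = {cid: "user-line " + cid for cid in configured_circuit_ids}
        self.access_table = {}  # MAC -> logical interface (the user access entries of step 106)

    def handle_access_request(self, mac: str, options: bytes) -> Optional[bytes]:
        """Steps 105-108: return the response options, or None when the request is dropped."""
        cid = extract_circuit_id(options)
        if cid is None or parse_circuit_id(cid) is None:
            return None  # step 107: no identifier, or not in the preset format
        iface = self.logical_interfaces.get(cid)
        if iface is None:
            return None  # step 107: no logical interface for this user link
        self.access_table[mac] = iface  # step 106
        # step 108: a DHCPOFFER (option 53 = 2) that echoes the circuit id back to the DSLAM
        return bytes([53, 1, 2]) + build_option82(cid.encode("ascii")) + bytes([DHCP_OPT_END])


if __name__ == "__main__":
    link = "dslam1-atm-0-3/7:0.35"                   # constructed identifier
    bng = BNG([link])
    discover = bytes([53, 1, 1, DHCP_OPT_END])       # constructed DHCPDISCOVER options (53 = 1)
    response = bng.handle_access_request("00:11:22:33:44:55", dslam_insert_circuit_id(discover, link))
    print("accepted" if response else "dropped", bng.access_table)
    print("forwarded to user:", strip_option82(response).hex())  # option 82 removed (step 109)
```

The format check before the table lookup is what keeps a request with a missing or malformed identifier out of the access table, and rebuilding the option list on the DSLAM (rather than appending to it) means an identifier supplied by the user's own device never reaches the BNG; both are design choices of this example rather than requirements stated by the patent.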

After the user has accessed the BNG device, further security control can be applied to the user. For example:

1) When bandwidth control is to be applied to user X, the BNG can also configure bandwidth parameters for the created logical interface; the bandwidth parameters specifically include an uplink bandwidth parameter and a downlink bandwidth parameter.

After user X has successfully accessed the BNG, user X sends data packets carrying information such as the user's MAC address and IP address. The BNG looks up the user access table by the user MAC address and IP address carried in the received data packet, finds the corresponding logical interface, and applies bandwidth control to the data packet according to the uplink bandwidth parameter configured on that logical interface. When a device providing a service in the network (such as an ASP) sends a data packet to user X through the BNG, the BNG looks up the user access table by the user MAC address carried in the data packet, finds the corresponding logical interface, and applies bandwidth control to the data packet sent to user X according to the downlink bandwidth parameter configured on that logical interface.

2) When access control is to be applied to user X, that is, traffic control, an access control policy can also be configured on the BNG logical interface with the traffic-policy command.

After user X has successfully accessed the BNG, user X sends data packets carrying information such as the user's MAC address and IP address. The BNG looks up the user access table by the user MAC address and IP address carried in the received data packet, finds the logical interface corresponding to user X, and applies traffic control to the data packets sent by user X according to the access control policy configured on that logical interface. When a device providing a service in the network (such as an ASP) sends a data packet to user X through the BNG, the BNG looks up the user access table by user X's MAC address carried in the data packet and finds the logical interface corresponding to user X; the next hop of the data packet is the logical interface corresponding to user X on the BNG device, and traffic control is applied to the data packets sent to user X through the BNG according to the access control policy configured on that logical interface.

3) When user X requests, through IGMP (Internet Group Management Protocol), to join a multicast group, the BNG can further configure a multicast control policy on the logical interface, that is, a multicast control list.

After user X has successfully accessed the BNG, user X sends an IGMP request message carrying the user MAC address. After receiving the IGMP request message from user X, the BNG looks up the user access table by the MAC address, finds the logical interface corresponding to user X, and judges from the multicast control list configured on that logical interface whether user X is allowed to join the multicast group. If so, the BNG allows user X to join the multicast group, processes user X's IGMP request and delivers the multicast data flow; otherwise, it discards user X's IGMP request.

By configuring logical interfaces on the BNG device, the method provided by this embodiment can uniquely identify a user link in multi-service mode, so that, through the security control policies configured on the logical interface, security controls such as access control, bandwidth control, traffic control and multicast control can be applied to a single user link according to its user link identifier.

Embodiment 2

Referring to Fig. 4, an embodiment of the present invention provides a method for user access security control with the following steps:

Step 201: the BNG obtains the user link identifier.

Step 202: from the obtained user link identifier, the BNG creates a corresponding logical link identifier for the user link identifier information.

This embodiment takes a logical interface as the logical link identifier for illustration.

Step 203: the BNG limits the number of IP sessions of users on the logical interface, that is, presets an upper limit on the users' IP sessions.

Step 204: user X initiates an access request through DHCP, that is, sends a DHCP access request message.

Step 205: the DSLAM receives the DHCP access request message sent by user X, inserts the user link identifier into it, and forwards the DHCP access request message with the user link identifier inserted to the BNG.

Step 206: the BNG receives the DHCP access request message carrying the user link identifier from the DSLAM and judges, from the user link identifier carried in the message, whether a corresponding logical interface can be found. If so, step 207 is executed; otherwise, step 208.

Step 207: judge whether the number of IP sessions of user X is less than the preset upper limit of users' IP sessions on the logical interface that was found. If so, step 209 is executed; otherwise, step 208.

Step 208: the BNG discards the received access request message, prohibits user X from accessing, and the procedure ends.

Step 209: the BNG creates a user access entry bound to the logical interface, saves the information of user X, and returns a response message to the DSLAM; the response message carries the user link identifier.

Step 210: the DSLAM receives the DHCP response message returned by the BNG, deletes the user link identifier carried in it, and forwards the DHCP response message, with the user link identifier removed, to user X.

Step 211: after the DHCP negotiation is complete, user X has successfully accessed the BNG; the BNG device adds 1 to the recorded number of IP sessions of this user, and the procedure ends.
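The session limit of steps 203 and 207 to 211, as an added Python example (not the patent's code): the BNG keeps, per logical interface, the user access entries keyed by MAC address and compares their number with the preset upper limit before accepting a new entry. It assumes the user link identifier has already been extracted from the DHCP request (steps 205 to 206) and is passed in as a string; the identifier, the MAC and IP values, the result strings, the treatment of a renewal from a known MAC and the release_session method are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict

# Constructed example for Embodiment 2 (steps 203, 206-211): per-logical-interface
# limit on IP sessions. Not the patent's code. The user link identifier is assumed
# to have been extracted from the DHCP request already (steps 205-206).

ACCEPT = "accept"
DROP_NO_INTERFACE = "drop: no logical interface for user link"   # step 208 reached from step 206
DROP_SESSION_LIMIT = "drop: IP session limit reached"            # step 208 reached from step 207


@dataclass
class LogicalInterface:
    name: str
    max_ip_sessions: int                                   # step 203: preset upper limit
    sessions: Dict[str, str] = field(default_factory=dict)  # MAC -> IP: the user access entries (step 209)

    @property
    def ip_sessions(self) -> int:
        """The count the BNG records (step 211), derived here from the entries themselves."""
        return len(self.sessions)


class SessionLimitingBNG:
    def __init__(self) -> None:
        self.interfaces: Dict[str, LogicalInterface] = {}   # user link identifier -> logical interface

    def create_logical_interface(self, circuit_id: str, max_ip_sessions: int) -> None:
        """Steps 201-203: create the logical interface and set its session limit."""
        self.interfaces[circuit_id] = LogicalInterface("user-line " + circuit_id, max_ip_sessions)

    def handle_access_request(self, circuit_id: str, mac: str, ip: str) -> str:
        """Steps 206-211 for one DHCP request whose user link identifier is circuit_id."""
        iface = self.interfaces.get(circuit_id)
        if iface is None:
            return DROP_NO_INTERFACE                       # step 206 fails
        if mac in iface.sessions:
            # Assumption: a renewal from a MAC that already holds a session is not a new session.
            iface.sessions[mac] = ip
            return ACCEPT
        if iface.ip_sessions >= iface.max_ip_sessions:     # step 207 fails
            return DROP_SESSION_LIMIT
        iface.sessions[mac] = ip                           # step 209 entry; count rises with it (step 211)
        return ACCEPT

    def release_session(self, circuit_id: str, mac: str) -> bool:
        """Assumed complement to step 211: free the session when the lease ends."""
        iface = self.interfaces.get(circuit_id)
        if iface is None or mac not in iface.sessions:
            return False
        del iface.sessions[mac]
        return True


if __name__ == "__main__":
    bng = SessionLimitingBNG()
    link = "dslam1-atm-0-3/7"                              # constructed user link identifier
    bng.create_logical_interface(link, max_ip_sessions=2)  # e.g. set-top box + VoIP terminal
    for mac in ("00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"):
        print(mac, bng.handle_access_request(link, mac, "192.0.2.10"))
    # third device is dropped: the user link already holds its two permitted IP sessions
```

Because the limit is enforced per logical interface, it bounds what one user link can consume even when every request carries a valid identifier; the release path exists so that the count tracks live sessions rather than growing monotonically.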

After the user has accessed the BNG device, further security control can be applied to the accessing user. For example:

1) When bandwidth control is to be applied to user X, the BNG can also configure bandwidth parameters for the created logical interface; the bandwidth parameters specifically include an uplink bandwidth parameter and a downlink bandwidth parameter.

After user X has successfully accessed the BNG, user X sends data packets carrying information such as the user's MAC address and IP address. The BNG looks up the user access table by the user MAC address and IP address carried in the received data packet, finds the corresponding logical interface, and applies bandwidth control to the data packet according to the uplink bandwidth parameter configured on that logical interface. When a device providing a service in the network (such as an ASP) sends a data packet to user X through the BNG, the BNG looks up the user access table by the user MAC address carried in the data packet, finds the corresponding logical interface, and applies bandwidth control to the data packet sent to user X according to the downlink bandwidth parameter configured on that logical interface.

2) When access control is to be applied to user X, that is, traffic control, an access control policy can also be configured on the BNG logical interface with commands such as traffic-policy.

After user X has successfully accessed the BNG, user X sends data packets carrying information such as the user's MAC address and IP address. The BNG looks up the user access table by the user MAC address and IP address carried in the received data packet, finds the logical interface corresponding to user X, and applies traffic control to the data packets sent by user X according to the access control policy configured on that logical interface. When a device providing a service in the network (such as an ASP) sends a data packet to user X through the BNG, the BNG looks up the user access table by user X's MAC address carried in the data packet and finds the logical interface corresponding to user X; the next hop of the data packet is the logical interface corresponding to user X on the BNG device, and traffic control is applied to the data packets sent to user X through the BNG according to the access control policy configured on that logical interface.

3) When user X requests, through IGMP (Internet Group Management Protocol), to join a multicast group, the BNG can further configure a multicast control policy on the logical interface, that is, a multicast control list.

After user X has successfully accessed the BNG, user X sends an IGMP request message carrying the user MAC address. After receiving the IGMP request message from user X, the BNG looks up the user access table by the MAC address, finds the logical interface corresponding to user X, and judges from the multicast control list configured on that logical interface whether user X is allowed to join the multicast group. If so, the BNG allows user X to join the multicast group, processes user X's IGMP request and delivers the multicast data flow; otherwise, it discards user X's IGMP request.

本发明实施例提供的方法通过在BNG设备上配置逻辑接口,在多业务的模式下能够唯一识别出用户链路,从而实现通过在逻辑接口上配置的安全控制策略,根据用户链路标识信息对单个用户链路实施接入控制、带宽控制、流量控制以及组播控制等安全控制。The method provided by the embodiment of the present invention can uniquely identify the user link in the multi-service mode by configuring the logical interface on the BNG device, so as to implement the security control strategy configured on the logical interface, according to the identification information of the user link. A single user link implements security controls such as access control, bandwidth control, flow control, and multicast control.

Embodiment 3

Referring to Figure 5, this embodiment provides a method for user access security control with the following steps:

Step 301: The BNG obtains the user link identifier.

Step 302: Based on the obtained user link identifier, the BNG creates a corresponding logical link identifier for it.

This embodiment is described taking a logical interface as the logical link identifier.

Step 303: The BNG configures different user types on the logical interface by means of different keywords. A reference command line is:

[BNG]terminal-type voip dhcp-option-60 include VoIP

Step 304: User X initiates an access request through DHCP, i.e. sends a DHCP access request message.

For example, the DHCP access request sent by user X carries the keyword VoIP-ISP-1, indicating that user X is a VoIP terminal of ISP-1.

Steps 303 and 304 thus have the BNG and the user each define the keyword for a given user type.

Step 305: The DSLAM receives the DHCP access request sent by user X, inserts the user link identifier into it, and forwards the request with the user link identifier inserted to the BNG.

Step 306: The BNG receives the DHCP access request carrying the user link identifier from the DSLAM and checks, based on the user link identifier carried in it, whether a corresponding logical interface can be found. If so, go to step 307; otherwise go to step 308.

Step 307: The BNG checks whether the keyword carried in user X's DHCP access request matches the keyword configured on that logical interface. If so, go to step 309; otherwise go to step 308.

Step 308: The BNG discards the received access request, denies user X access, and the procedure ends.

Step 309: The BNG creates a user access table entry bound to the logical interface, saving user X's information, and returns a DHCP response carrying the user link identifier to the DSLAM.

Step 310: The DSLAM receives the DHCP response returned by the BNG, removes the user link identifier carried in it, and forwards the response without the user link identifier to user X.

Step 311: When DHCP negotiation completes, user X has accessed the BNG, and the procedure ends.
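The admission procedure of steps 301 to 311, together with the session threshold of Embodiment 2, modelled end to end as an added Python example (not code from the patent or from Huawei). The user link identifier is carried as DHCP option 82 sub-option 1 (Agent Circuit ID) and the user type keyword as option 60, which are the real option numbers the command line above refers to; the access table layout, the substring semantics of `include`, the `demo()` sample values and the handling of a request with no option 82 at all are assumptions made for the example.

```python
# Added example (not the patent's code): DHCP admission flow of steps 301-311,
# with the per-interface session threshold of Embodiment 2 folded in.
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

OPT_MSG_TYPE = 53       # DHCP message type (1 = DISCOVER, 2 = OFFER)
OPT_VENDOR_CLASS = 60   # vendor class identifier: carries the user type keyword
OPT_RELAY_AGENT = 82    # relay agent information, inserted by the DSLAM
SUB_CIRCUIT_ID = 1      # option 82 sub-option: agent circuit ID = user link identifier
OPT_END = 255


def parse_options(raw: bytes) -> Dict[int, bytes]:
    """Parse a DHCP option (or option 82 sub-option) TLV list into {code: value}."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(raw):
        code = raw[i]
        if code == OPT_END:
            break
        if code == 0:                       # pad option has no length byte
            i += 1
            continue
        length = raw[i + 1]
        opts[code] = raw[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def build_options(opts: Dict[int, bytes]) -> bytes:
    """Serialise {code: value} into a TLV list terminated by option 255."""
    out = bytearray()
    for code, value in opts.items():
        out += bytes([code, len(value)]) + value
    out.append(OPT_END)
    return bytes(out)


# DSLAM (access device): step 305 inserts the identifier, step 310 strips it.
def dslam_insert_link_id(request: bytes, link_id: bytes) -> bytes:
    opts = parse_options(request)
    opts[OPT_RELAY_AGENT] = bytes([SUB_CIRCUIT_ID, len(link_id)]) + link_id
    return build_options(opts)


def dslam_strip_link_id(response: bytes) -> bytes:
    opts = parse_options(response)
    opts.pop(OPT_RELAY_AGENT, None)
    return build_options(opts)


@dataclass
class LogicalInterface:
    keyword: Optional[bytes]    # from 'terminal-type ... dhcp-option-60 include <kw>'; None = any
    max_sessions: int           # session threshold (Embodiment 2); assumed to be per interface
    sessions: int = 0


@dataclass
class BNG:
    interfaces: Dict[bytes, LogicalInterface]          # user link id -> logical interface (step 302)
    access_table: Dict[str, Tuple[str, bytes]] = field(default_factory=dict)  # MAC -> (IP, link id)

    def admit(self, mac: str, ip: str, request: bytes) -> Tuple[Optional[bytes], str]:
        """Steps 306-309. Returns (response, reason); a None response means 'discard' (step 308)."""
        opts = parse_options(request)
        relay = opts.get(OPT_RELAY_AGENT, b"")
        link_id = parse_options(relay).get(SUB_CIRCUIT_ID)
        if link_id is None:                                 # assumed: no identifier, no admission
            return None, "no user link identifier"
        iface = self.interfaces.get(link_id)
        if iface is None:                                   # step 306 -> 308
            return None, "no logical interface"
        if iface.keyword is not None and iface.keyword not in opts.get(OPT_VENDOR_CLASS, b""):
            return None, "user type mismatch"               # step 307 -> 308 ('include' = substring, assumed)
        if iface.sessions >= iface.max_sessions:
            return None, "session limit reached"
        iface.sessions += 1
        self.access_table[mac] = (ip, link_id)              # step 309: entry bound to the interface
        # The OFFER carries option 82 back unchanged so the DSLAM can strip it (steps 309-310).
        return build_options({OPT_MSG_TYPE: b"\x02", OPT_RELAY_AGENT: relay}), "admitted"


def demo() -> Dict[str, str]:
    """Constructed sample exchange (not from the patent): one VoIP-only link with threshold 1."""
    link = b"dslam1 atm 2/7"
    bng = BNG(interfaces={link: LogicalInterface(keyword=b"VoIP", max_sessions=1)})
    voip = build_options({OPT_MSG_TYPE: b"\x01", OPT_VENDOR_CLASS: b"VoIP-ISP-1"})
    hsi = build_options({OPT_MSG_TYPE: b"\x01", OPT_VENDOR_CLASS: b"HSI-ISP-1"})
    return {
        "voip": bng.admit("00:11:22:33:44:55", "10.0.0.2", dslam_insert_link_id(voip, link))[1],
        "second": bng.admit("00:11:22:33:44:66", "10.0.0.3", dslam_insert_link_id(voip, link))[1],
        "hsi": bng.admit("00:11:22:33:44:77", "10.0.0.4", dslam_insert_link_id(hsi, link))[1],
        "other_link": bng.admit("00:11:22:33:44:88", "10.0.0.5", dslam_insert_link_id(voip, b"dslam9 atm 0/0"))[1],
        "no_option_82": bng.admit("00:11:22:33:44:99", "10.0.0.6", voip)[1],
    }
```

The point a practitioner should take from the model is that the whole scheme rests on the BNG trusting option 82 only from the DSLAM: the identifier is inserted by the access device, not the subscriber, so a request that arrives without it, or with one the DSLAM did not add, must not be admitted, which is why `admit()` rejects the no-option-82 case rather than falling back to a default interface.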

Once a user has accessed the BNG, further security controls can be applied to that user. For example:

1) When bandwidth control is required for user X, the BNG can additionally configure bandwidth parameters on the created logical interface; these consist of an uplink bandwidth parameter and a downlink bandwidth parameter.

After user X has accessed the BNG, user X sends data packets carrying the user's MAC address and IP address. The BNG looks up the user access table by the MAC address and IP address carried in the received packet, finds the corresponding logical interface, and polices the packet according to the uplink bandwidth parameter configured on that interface. When a device providing services in the network (such as an ASP) sends data packets to user X through the BNG, the BNG looks up the user access table by the user MAC address carried in the packet, finds the corresponding logical interface, and polices the packets sent to user X according to the downlink bandwidth parameter configured on that interface.

2) When access control is required for user X, that is, when flow control is to be performed, an access control policy can additionally be configured on the BNG logical interface using commands such as traffic-policy.

After user X has accessed the BNG, user X sends data packets carrying the user's MAC address and IP address. The BNG looks up the user access table by the MAC address and IP address carried in the received packet, finds the logical interface corresponding to user X, and applies flow control to the packets sent by user X according to the access control policy configured on that interface. When a device providing services in the network (such as an ASP) sends data packets to user X through the BNG, the BNG looks up the user access table by user X's MAC address carried in the packet and finds the logical interface corresponding to user X; the next hop of the packet is that logical interface on the BNG, and the packets sent to user X through the BNG are flow-controlled according to the access control policy configured on it.

3) When user X sends an IGMP (Internet Group Management Protocol) on-demand request, i.e. wants to join a multicast group, the BNG can additionally configure a multicast control policy on the logical interface, that is, a multicast control list.

After user X has accessed the BNG, user X sends an IGMP request carrying the user's MAC address. On receiving it, the BNG looks up the user access table by the MAC address, finds the logical interface corresponding to user X, and decides from the multicast control list configured on that interface whether user X may join the multicast group. If so, the BNG admits user X to the group, processes the IGMP request and delivers the multicast data stream; otherwise it discards user X's IGMP request.
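The three post-admission controls above (bandwidth, access control, multicast control list), as an added Python example that is not the patent's or Huawei's code. It keeps the lookups the text specifies, MAC plus IP for upstream packets, MAC only for downstream packets and IGMP joins, and hangs the policies off the logical interface found in the user access table. The token-bucket policer, the ACL rule format, applying one ACL to the remote address in both directions, dropping packets that match no access table entry, and the contents of `sample_bng()` are all assumptions made for the example.

```python
# Added example (not the patent's code): per-logical-interface policy
# enforcement keyed off the user access table written at admission.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set


@dataclass
class TokenBucket:
    """Single-rate policer: rate in bytes per second, burst in bytes (assumed model)."""
    rate: float
    burst: float
    tokens: float = field(init=False)
    last: float = 0.0

    def __post_init__(self) -> None:
        self.tokens = self.burst

    def allow(self, size: int, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if size > self.tokens:
            return False
        self.tokens -= size
        return True


@dataclass
class AclRule:
    action: str                   # "permit" or "deny"
    net: str                      # remote prefix: destination upstream, source downstream
    port: Optional[int] = None    # remote port, None = any

    def matches(self, ip: str, port: int) -> bool:
        return ip_address(ip) in ip_network(self.net) and (self.port is None or self.port == port)


def acl_verdict(acl: List[AclRule], ip: str, port: int) -> str:
    """First matching rule wins; an empty or non-matching ACL permits (assumed default)."""
    for rule in acl:
        if rule.matches(ip, port):
            return rule.action
    return "permit"


@dataclass
class InterfacePolicy:
    """Controls configured on one logical interface: 1) bandwidth, 2) ACL, 3) multicast list."""
    up: TokenBucket
    down: TokenBucket
    acl: List[AclRule] = field(default_factory=list)
    multicast_allow: Set[str] = field(default_factory=set)


@dataclass
class AccessEntry:
    ip: str
    link_id: str


@dataclass
class BNG:
    access_table: Dict[str, AccessEntry]      # MAC -> (IP, user link id), written at admission
    policies: Dict[str, InterfacePolicy]      # user link id -> logical interface policy

    def upstream(self, src_mac: str, src_ip: str, dst_ip: str, dport: int, size: int, now: float) -> str:
        entry = self.access_table.get(src_mac)
        if entry is None or entry.ip != src_ip:      # MAC+IP lookup also rejects a spoofed source IP
            return "drop: no access entry"
        pol = self.policies[entry.link_id]
        if acl_verdict(pol.acl, dst_ip, dport) == "deny":
            return "drop: acl"
        if not pol.up.allow(size, now):
            return "drop: uplink rate"
        return "forward"

    def downstream(self, dst_mac: str, src_ip: str, sport: int, size: int, now: float) -> str:
        entry = self.access_table.get(dst_mac)       # downstream lookup is by MAC only
        if entry is None:
            return "drop: no access entry"
        pol = self.policies[entry.link_id]
        if acl_verdict(pol.acl, src_ip, sport) == "deny":
            return "drop: acl"
        if not pol.down.allow(size, now):
            return "drop: downlink rate"
        return "forward"

    def igmp_join(self, src_mac: str, group: str) -> str:
        entry = self.access_table.get(src_mac)
        if entry is None:
            return "drop: no access entry"
        if group not in self.policies[entry.link_id].multicast_allow:
            return "drop: group not in multicast control list"
        return "join"


def sample_bng() -> BNG:
    """Constructed sample (not from the patent): one admitted user on a policed, filtered link."""
    pol = InterfacePolicy(
        up=TokenBucket(rate=1000, burst=1500), down=TokenBucket(rate=1000, burst=1500),
        acl=[AclRule("deny", "192.168.0.0/16"), AclRule("permit", "0.0.0.0/0")],
        multicast_allow={"239.1.1.1"})
    return BNG(access_table={"00:11:22:33:44:55": AccessEntry("10.0.0.2", "dslam1 atm 2/7")},
               policies={"dslam1 atm 2/7": pol})
```

Keying the upstream lookup on both MAC and IP, as the text specifies, is what turns the access table into an anti-spoofing binding: a subscriber that forges another customer's source IP finds no entry and is dropped before any policy is consulted.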

By configuring logical interfaces on the BNG, the method of this embodiment uniquely identifies each user link in multi-service mode, so that security controls such as access control, bandwidth control, flow control and multicast control can be applied to an individual user link, according to its user link identifier, through the security control policies configured on the logical interface.

Creating a logical interface in the above embodiments is only one way of implementation; any access control, flow control, bandwidth control, multicast control or similar security control implemented on a BNG or similar device on the basis of a logical link identifier falls within the protection scope of the present invention.

Embodiment 4

Referring to Figure 6, this embodiment provides a system for user access security control, comprising:

a user node, configured to send an access request message;

an access device, configured to receive the access request message sent by the user node, insert a user link identifier into it, and send the access request message with the user link identifier inserted;

a control device, configured to receive the access request message with the inserted user link identifier from the access device, parse it to obtain the user link identifier, and determine from the user link identifier whether the access request message satisfies a preset access condition; if so, it allows the user node corresponding to the user link identifier to access.

In one form, the control device comprises:

a receiving module, configured to receive the access request message sent by the access device;

a parsing module, configured to parse the access request message received by the receiving module to obtain the user link identifier;

a judging module, configured to determine, from the user link identifier obtained by the parsing module, whether a logical link identifier corresponding to the user link identifier can be found;

a processing module, configured to allow the user node corresponding to the user link identifier to access when the judging module finds that the corresponding logical link identifier exists.

In another form, the control device comprises:

a receiving module, configured to receive the access request message sent by the access device;

a parsing module, configured to parse the access request message received by the receiving module to obtain the user link identifier;

a lookup module, configured to look up the logical link identifier corresponding to the user link identifier obtained by the parsing module;

a judging module, configured to determine whether the number of user sessions already accessed on the logical link identifier found by the lookup module has reached a preset threshold;

a processing module, configured to allow the user node corresponding to the user link identifier to access when the judging module finds that the number of accessed user sessions has not reached the preset threshold, and to increment that number by 1.

In a further form, the control device comprises:

a receiving module, configured to receive the access request message sent by the access device;

a parsing module, configured to parse the access request message received by the receiving module to obtain the user link identifier;

a lookup module, configured to look up the logical link identifier corresponding to the user link identifier obtained by the parsing module;

a judging module, configured to determine whether the user type carried in the access request message is consistent with the user type preset on the logical link identifier found by the lookup module;

a processing module, configured to allow the user node corresponding to the user link identifier to access when the judging module finds that the user type carried in the access request message is consistent with the user type preset on the logical link identifier found by the lookup module.

By configuring logical link identifiers on the control device, the system of this embodiment uniquely identifies each user link in multi-service mode, so that security control policies such as access control, bandwidth control, flow control and multicast control can be applied to an individual user link, according to its user link identifier, through the security control policy associated with the preconfigured logical link identifier.

Embodiment 5

Referring to Figure 7, this embodiment provides an access device comprising:

a receiving module, configured to receive an access request message sent by a user node;

an identifier insertion module, configured to insert a user link identifier into the access request message received by the receiving module;

a sending module, configured to send the access request message after the identifier insertion module has inserted the user link identifier.

The access device of this embodiment can receive an access request message sent by a user node, insert a user link identifier into it, and send the message with the user link identifier inserted. The device may also insert other information, such as the user type, into the received access request message.

Embodiment 6

Referring to Figure 8, this embodiment provides a control device comprising:

a receiving module, configured to receive an access request message sent by an access device, the access request message carrying a user link identifier;

a parsing module, configured to parse the access request message received by the receiving module to obtain the user link identifier;

a processing module, configured to determine, from the user link identifier obtained by the parsing module, whether the access request message satisfies a preset access condition, and if so, to allow the user corresponding to the user link identifier to access.

In one form, the processing module comprises:

a judging unit, configured to determine, from the user link identifier obtained by the parsing module, whether a logical link identifier corresponding to the user link identifier can be found;

a processing unit, configured to allow the user corresponding to the user link identifier to access when the judging unit finds that the corresponding logical link identifier exists.

In another form, the processing module comprises:

a lookup unit, configured to look up the logical link identifier corresponding to the user link identifier obtained by the parsing module;

a judging unit, configured to determine whether the number of user sessions already accessed on the logical link identifier found by the lookup unit has reached a preset threshold;

a processing unit, configured to allow the user corresponding to the user link identifier to access when the judging unit finds that the number of accessed user sessions has not reached the preset threshold, and to increment that number by 1.

In a further form, the processing module comprises:

a lookup unit, configured to look up the logical link identifier corresponding to the user link identifier obtained by the parsing module;

a judging unit, configured to determine whether the user type carried in the access request message is consistent with the user type preset on the logical link identifier found by the lookup unit;

a processing unit, configured to allow the user corresponding to the user link identifier to access when the judging unit finds that the user type carried in the access request message is consistent with the user type preset on the logical link identifier found by the lookup unit.

After a user has accessed the control device, further security control can be applied to the user; in that case the control device further comprises:

a recording module, configured, when the processing module allows the user corresponding to the user link identifier to access, to record the user's media access control (MAC) address, IP address, user link identifier and logical link identifier in a user access table according to the access request message;

a configuration module, configured to configure a control policy for the logical link identifier recorded in the user access table by the recording module;

a first control module, configured, when a data packet sent by the user is received, to look up the corresponding logical link identifier in the recording module's user access table by the MAC address and IP address carried in the packet, and to control the packet according to the control policy corresponding to the logical link identifier found;

a second control module, configured, when a data packet addressed to the user is received, to look up the corresponding logical link identifier in the recording module by the MAC address carried in that packet, and to control the packet sent to the user according to the control policy corresponding to the logical link identifier found.

The control policy configured by the configuration module may be an access control policy and/or a bandwidth control policy, with flow control and/or bandwidth control of data packets performed accordingly. This embodiment does not restrict the type of control policy the configuration module configures.

When user X sends an IGMP on-demand request and wants to join a multicast group, the control device further comprises:

a recording module, configured, when the processing module allows the user corresponding to the user link identifier to access, to record the user's MAC address, IP address, user link identifier and logical link identifier in a user access table according to the access request message;

a configuration module, configured to configure a multicast control policy for the logical link identifier recorded by the recording module;

a multicast control module, configured, when an Internet Group Management Protocol message is received in which the user requests to join a multicast group, to look up the corresponding logical link identifier in the recording module's user access table by the MAC address carried in the message, and to decide from the multicast control policy corresponding to the logical link identifier found whether the user may join the multicast group; if so, the user is allowed to join.

By configuring logical link identifiers on the control device, this embodiment uniquely identifies each user link in multi-service mode, so that security control policies such as access control, bandwidth control, flow control and multicast control can be applied to an individual user link, according to its user link identifier, through the security control policy associated with the preconfigured logical link identifier.

The technical solutions of the above embodiments, by configuring logical link identifiers on a BNG or similar control device, uniquely identify each user link in multi-service mode, so that security control policies such as access control, bandwidth control, flow control and multicast control can be applied to an individual user link, according to its user link identifier, through the security control policy associated with the preconfigured logical link identifier.

Some of the steps in the embodiments may be implemented in software, and the corresponding program may be stored on a readable storage medium such as an optical disc or a hard disk.

The foregoing are merely preferred embodiments of the present invention and are not intended to limit it; any modification, equivalent substitution or improvement made within the spirit and principles of the present invention shall fall within its protection scope.

Claims (18)

1. A method for user access security control, characterized in that the method comprises:
receiving an access request message, the access request message carrying a user link identifier;
parsing the access request message to obtain the user link identifier;
determining, according to the user link identifier, whether the access request message satisfies a preset access condition;
and if so, allowing the user corresponding to the user link identifier to access.
2. The method for user access security control according to claim 1, characterized in that the step of determining, according to the user link identifier, whether the access request message satisfies a preset access condition comprises:
determining whether a logical link identifier (LLID) corresponding to the user link identifier can be found;
and if so, the preset access condition is satisfied.
3. The method for user access security control according to claim 1, characterized in that the step of determining, according to the user link identifier, whether the access request message satisfies a preset access condition comprises:
looking up the LLID corresponding to the user link identifier;
checking whether the number of user sessions already accessed on the LLID has reached a preset threshold, and if not, the preset access condition is satisfied;
correspondingly, after the step of allowing the user corresponding to the user link identifier to access, the method further comprises:
incrementing the number of accessed user sessions by 1.
4. The method for user access security control according to claim 1, characterized in that the access request message further carries a user type;
correspondingly, the step of determining, according to the user link identifier, whether the access request message satisfies a preset access condition comprises:
looking up the LLID corresponding to the user link identifier;
determining whether the user type carried in the access request message is consistent with the user type preset for the LLID, and if so, the preset access condition is satisfied.
5. The method for user access security control according to claim 1, characterized in that, after the step of allowing the user corresponding to the user link identifier to access, the method further comprises:
recording the user's media access control address, IP address, user link identifier and LLID in a user access table according to the access request message, and configuring a control policy for the user corresponding to the LLID;
when a data packet sent by the user is received, looking up the corresponding LLID in the user access table by the media access control address and IP address carried in the data packet, and controlling the data packet according to the control policy corresponding to the LLID found;
when a data packet addressed to the user is received, looking up the corresponding LLID in the user access table by the media access control address carried in the data packet addressed to the user, and controlling the data packet addressed to the user according to the control policy corresponding to the LLID found.
6. The method for user access security control according to claim 5, characterized in that the control policy is specifically:
an access control policy and/or a bandwidth control policy.
7. The method for user access security control according to claim 1, characterized in that, after the step of allowing the user corresponding to the user link identifier to access, the method further comprises:
recording the user's media access control address, IP address, user link identifier and LLID in a user access table according to the access request message, and configuring a multicast control policy for the user corresponding to the LLID;
when an Internet Group Management Protocol message sent by the user requesting to join a multicast group is received, looking up the corresponding LLID in the user access table by the media access control address carried in the message, and determining, according to the multicast control policy corresponding to the LLID found, whether the user is allowed to join the multicast group; if so, allowing the user to join the multicast group.
8. A system for user access security control, characterized in that the system comprises:
a user node, configured to send an access request message;
an access device, configured to receive the access request message sent by the user node, insert a user link identifier into that access request message, and send the access request message carrying the inserted user link identifier;
a control device, configured to receive the access request message carrying the inserted user link identifier sent by the access device, parse it to obtain the user link identifier, judge according to the user link identifier whether the access request message satisfies a preset access condition, and if so, permit access by the user node corresponding to the user link identifier.
9. The system for user access security control according to claim 8, characterized in that the control device comprises:
a receiving module, configured to receive the access request message sent by the access device;
a parsing module, configured to parse the access request message received by the receiving module to obtain the user link identifier;
a judging module, configured to judge, according to the user link identifier obtained by the parsing module, whether an LLID corresponding to the user link identifier can be found;
a processing module, configured to permit access by the user node corresponding to the user link identifier when the judging module determines that the LLID corresponding to the user link identifier can be found.
10. The system for user access security control according to claim 8, characterized in that the control device comprises:
a receiving module, configured to receive the access request message sent by the access device;
a parsing module, configured to parse the access request message received by the receiving module to obtain the user link identifier;
a lookup module, configured to look up the LLID corresponding to the user link identifier obtained by the parsing module;
a judging module, configured to judge whether the number of user sessions already accessed on the LLID found by the lookup module has reached a preset threshold;
a processing module, configured to permit access by the user node corresponding to the user link identifier when the judging module determines that the number of user sessions already accessed has not reached the preset threshold, and to increase the number of user sessions already accessed by 1.
11. The system for user access security control according to claim 8, characterized in that the control device comprises:
a receiving module, configured to receive the access request message sent by the access device;
a parsing module, configured to parse the access request message received by the receiving module to obtain the user link identifier;
a lookup module, configured to look up the LLID corresponding to the user link identifier obtained by the parsing module;
a judging module, configured to judge whether the user type carried in the access request message is consistent with the user type preset on the LLID found by the lookup module;
a processing module, configured to permit access by the user node corresponding to the user link identifier when the judging module determines that the user type carried in the access request message is consistent with the user type preset on the LLID found by the lookup module.
12. An access device, characterized in that the device comprises:
a receiving module, configured to receive an access request message sent by a user node;
an identifier insertion module, configured to insert a user link identifier into the access request message received by the receiving module;
a sending module, configured to send the access request message after the identifier insertion module has inserted the user link identifier.
13. A control device, characterized in that the device comprises:
a receiving module, configured to receive an access request message sent by an access device, the access request message carrying a user link identifier;
a parsing module, configured to parse the access request message received by the receiving module to obtain the user link identifier;
a processing module, configured to judge, according to the user link identifier obtained by the parsing module, whether the access request message satisfies a preset access condition, and if so, permit access by the user corresponding to the user link identifier.
14. The control device according to claim 13, characterized in that the processing module comprises:
a judging unit, configured to judge, according to the user link identifier obtained by the parsing module, whether an LLID corresponding to the user link identifier can be found;
a processing unit, configured to permit access by the user corresponding to the user link identifier when the judging unit determines that the LLID corresponding to the user link identifier can be found.
15. The control device according to claim 13, characterized in that the processing module comprises:
a lookup unit, configured to look up the LLID corresponding to the user link identifier obtained by the parsing module;
a judging unit, configured to judge whether the number of user sessions already accessed on the LLID found by the lookup unit has reached a preset threshold;
a processing unit, configured to permit access by the user corresponding to the user link identifier when the judging unit determines that the number of user sessions already accessed has not reached the preset threshold, and to increase the number of user sessions already accessed by 1.
16. The control device according to claim 13, characterized in that the processing module comprises:
a lookup unit, configured to look up the LLID corresponding to the user link identifier obtained by the parsing module;
a judging unit, configured to judge whether the user type carried in the access request message is consistent with the user type preset on the LLID found by the lookup unit;
a processing unit, configured to permit access by the user corresponding to the user link identifier when the judging unit determines that the user type carried in the access request message is consistent with the user type preset on the LLID found by the lookup unit.
17. The control device according to claim 13, characterized in that the device further comprises:
a recording module, configured to record the user's media access control (MAC) address, IP address, user link identifier and LLID from the access request message in a user access table when the processing module permits access by the user corresponding to the user link identifier;
a configuration module, configured to configure a control policy for the LLID recorded by the recording module in the user access table;
a first control module, configured to, when a data message sent by the user is received, look up the corresponding LLID in the user access table of the recording module according to the MAC address and IP address carried in the data message, and control the data message according to the control policy corresponding to the found LLID;
a second control module, configured to, when a data message destined to the user is received, look up in the recording module the LLID corresponding to the MAC address carried in the data message destined to the user, and control the data message destined to the user according to the control policy corresponding to the found LLID.
18. The control device according to claim 13, characterized in that the device further comprises:
a recording module, configured to record the user's MAC address, IP address, user link identifier and LLID from the access request message in a user access table when the processing module permits access by the user corresponding to the user link identifier;
a configuration module, configured to configure a multicast control policy for the LLID recorded by the recording module;
a multicast control module, configured to, when an Internet Group Management Protocol (IGMP) message sent by the user to request joining a multicast group is received, look up the corresponding LLID in the user access table of the recording module according to the MAC address carried in the IGMP message, judge, according to the multicast control policy corresponding to the found LLID, whether the user is permitted to join the multicast group, and if so, permit the user to join the multicast group.
CN2007101951023A 2007-11-28 2007-11-28 A method, system and device for user access security control Expired - Fee Related CN101188614B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN2007101951023A CN101188614B (en) 2007-11-28 2007-11-28 A method, system and device for user access security control
PCT/CN2008/072243 WO2009067871A1 (en) 2007-11-28 2008-09-02 Method, system and device for user access security control

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2007101951023A CN101188614B (en) 2007-11-28 2007-11-28 A method, system and device for user access security control

Publications (2)

Publication Number Publication Date
CN101188614A true CN101188614A (en) 2008-05-28
CN101188614B CN101188614B (en) 2011-01-19

Family

ID=39480803

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2007101951023A Expired - Fee Related CN101188614B (en) 2007-11-28 2007-11-28 A method, system and device for user access security control

Country Status (2)

Country Link
CN (1) CN101188614B (en)
WO (1) WO2009067871A1 (en)

Cited By (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2009067871A1 (en) * 2007-11-28 2009-06-04 Huawei Technologies Co., Ltd. Method, system and device for user access security control
CN101902743A (en) * 2010-08-02 2010-12-01 中兴通讯股份有限公司 Terminal safety control method and device
CN102164075A (en) * 2011-03-18 2011-08-24 杭州华三通信技术有限公司 Internet protocol video monitoring method and access layer switchboard
CN102413009A (en) * 2011-11-17 2012-04-11 盛科网络(苏州)有限公司 Interface extension method and device for network equipment test
WO2012048603A1 (en) * 2010-10-15 2012-04-19 华为技术有限公司 Method and device for use in pcp marking and user identification
CN103780513A (en) * 2012-10-24 2014-05-07 中兴通讯股份有限公司 Response method and system based on BNG pool, and related device
CN103905236A (en) * 2012-12-28 2014-07-02 中国移动通信集团福建有限公司 Terminal positioning method, system and device
CN104202219A (en) * 2014-09-17 2014-12-10 上海斐讯数据通信技术有限公司 Multi-service wan connection binding testing method and system
CN104363111A (en) * 2014-10-29 2015-02-18 中国建设银行股份有限公司 Third-party system access control method and device
CN104426686A (en) * 2013-08-22 2015-03-18 中国电信股份有限公司 Broadband access gateway user access method and apparatus, and broadband access gateway
CN104506349A (en) * 2014-12-18 2015-04-08 易联众信息技术股份有限公司 Service platform and service management method thereof
CN105635068A (en) * 2014-11-04 2016-06-01 阿里巴巴集团控股有限公司 Method and apparatus for controlling business security
CN106357483A (en) * 2015-07-17 2017-01-25 华为技术有限公司 Message transmission method, access node, access controller and access system
WO2017012443A3 (en) * 2015-07-17 2017-03-23 华为技术有限公司 Message transmission method, access node, access controller and access system
CN110297211A (en) * 2019-06-12 2019-10-01 Oppo(重庆)智能科技有限公司 A kind of localization method and electronic equipment
CN112565031A (en) * 2020-11-30 2021-03-26 福州汇思博信息技术有限公司 Parameter configuration method and terminal for PPP connection
CN114389828A (en) * 2020-10-19 2022-04-22 南京中兴软件有限责任公司 Communication control method, electronic device and storage medium

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1553674A (en) * 2003-05-26 2004-12-08 广东省电信有限公司科学技术研究院 Method for wideband connection server to obtain port numbers of its uers
CN100352203C (en) * 2003-09-04 2007-11-28 华为技术有限公司 Method for controlling wide band network user to access network
US7797745B2 (en) * 2004-12-22 2010-09-14 Electronics And Telecommunications Research Institute MAC security entity for link security entity and transmitting and receiving method therefor
CN101188614B (en) * 2007-11-28 2011-01-19 华为技术有限公司 A method, system and device for user access security control

Cited By (30)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2009067871A1 (en) * 2007-11-28 2009-06-04 Huawei Technologies Co., Ltd. Method, system and device for user access security control
CN101902743A (en) * 2010-08-02 2010-12-01 中兴通讯股份有限公司 Terminal safety control method and device
CN101902743B (en) * 2010-08-02 2015-05-13 中兴通讯股份有限公司 Terminal safety control method and device
CN102457478B (en) * 2010-10-15 2015-04-29 华为技术有限公司 Method and equipment for marking primary control program (PCP) and identifying user
WO2012048603A1 (en) * 2010-10-15 2012-04-19 华为技术有限公司 Method and device for use in pcp marking and user identification
CN102457478A (en) * 2010-10-15 2012-05-16 华为技术有限公司 Method and equipment for marking PCP and identifying user
CN102164075A (en) * 2011-03-18 2011-08-24 杭州华三通信技术有限公司 Internet protocol video monitoring method and access layer switchboard
CN102413009A (en) * 2011-11-17 2012-04-11 盛科网络(苏州)有限公司 Interface extension method and device for network equipment test
CN102413009B (en) * 2011-11-17 2014-04-02 盛科网络(苏州)有限公司 Interface expanding method and device for network equipment test
CN103780513A (en) * 2012-10-24 2014-05-07 中兴通讯股份有限公司 Response method and system based on BNG pool, and related device
CN103780513B (en) * 2012-10-24 2018-08-10 中兴通讯股份有限公司 A kind of response method, system and relevant device based on the ponds BNG
CN103905236A (en) * 2012-12-28 2014-07-02 中国移动通信集团福建有限公司 Terminal positioning method, system and device
CN104426686B (en) * 2013-08-22 2018-06-08 中国电信股份有限公司 Broad access network gate user access method, device and broad access network gate
CN104426686A (en) * 2013-08-22 2015-03-18 中国电信股份有限公司 Broadband access gateway user access method and apparatus, and broadband access gateway
CN104202219A (en) * 2014-09-17 2014-12-10 上海斐讯数据通信技术有限公司 Multi-service wan connection binding testing method and system
CN104363111B (en) * 2014-10-29 2019-05-17 中国建设银行股份有限公司 A kind of control method and equipment of third party system access
CN104363111A (en) * 2014-10-29 2015-02-18 中国建设银行股份有限公司 Third-party system access control method and device
CN105635068A (en) * 2014-11-04 2016-06-01 阿里巴巴集团控股有限公司 Method and apparatus for controlling business security
CN105635068B (en) * 2014-11-04 2019-06-04 阿里巴巴集团控股有限公司 A kind of method and device carrying out service security control
CN104506349A (en) * 2014-12-18 2015-04-08 易联众信息技术股份有限公司 Service platform and service management method thereof
WO2017012443A3 (en) * 2015-07-17 2017-03-23 华为技术有限公司 Message transmission method, access node, access controller and access system
CN106357483A (en) * 2015-07-17 2017-01-25 华为技术有限公司 Message transmission method, access node, access controller and access system
CN113225238A (en) * 2015-07-17 2021-08-06 华为技术有限公司 Message transmission method, access node, access controller and access system
US11178073B2 (en) 2015-07-17 2021-11-16 Huawei Technologies Co., Ltd. Message transmission method, access node, access controller, and access system
CN113225238B (en) * 2015-07-17 2022-08-26 华为技术有限公司 Message transmission method, access node, access controller and access system
US11902183B2 (en) 2015-07-17 2024-02-13 Huawei Technologies Co., Ltd. Message transmission method, access node, access controller, and access system
CN110297211A (en) * 2019-06-12 2019-10-01 Oppo(重庆)智能科技有限公司 A kind of localization method and electronic equipment
CN114389828A (en) * 2020-10-19 2022-04-22 南京中兴软件有限责任公司 Communication control method, electronic device and storage medium
WO2022083446A1 (en) * 2020-10-19 2022-04-28 中兴通讯股份有限公司 Communication control method, electronic device, and storage medium
CN112565031A (en) * 2020-11-30 2021-03-26 福州汇思博信息技术有限公司 Parameter configuration method and terminal for PPP connection

Also Published As

Publication number Publication date
WO2009067871A1 (en) 2009-06-04
CN101188614B (en) 2011-01-19

Similar Documents

Publication Publication Date Title
CN101188614B (en) A method, system and device for user access security control
CN102726069B (en) The dynamic Service group of dialogue-based attribute
CN102088391B (en) Processing method, equipment and system for Internet protocol version 6 (IPv6) message
US8908687B2 (en) Method for transmitting policy information between network equipment
US7746799B2 (en) Controlling data link layer elements with network layer elements
AU2010255430B2 (en) Dynamically configuring attributes of a parent circuit on a network element
CA2538613C (en) A method for identifying user position
US8681779B2 (en) Triple play subscriber and policy management system and method of providing same
EP3937433A1 (en) Point-to-multipoint functionality in a bridged network
US7801123B2 (en) Method and system configured for facilitating residential broadband service
US8854974B2 (en) Methods, systems, and computer readable media for deep packet inspection (DPI)-enabled traffic management for xDSL networks
CN101663862B (en) Edge router and method for dynamic learning of an end device MAC address
WO2007124679A1 (en) Method and system of network communication
US20060245435A1 (en) Scalable system and method for DSL subscriber traffic over an Ethernet network
WO2012130142A1 (en) Method, system, and access device for user service access
EP2014058A2 (en) Associating hosts with subscriber and service based requirements
WO2008058477A1 (en) Location information management method, apparatus and system
WO2014153860A1 (en) Network access method, gateway and system
Cisco Cisco IOS Command Reference Master Index Release 12.1
CN101030877B (en) A Method of Realizing Multicast Service by Point-to-Point Protocol
CN100550901C (en) The method of obtaining broadband user access port information for broadwide access server
Reddy Building MPLS-based broadband access VPNs
De Smedt et al. D TF3. 2–DETAILED DESCRIPTION OF RESIDENTIAL GATEWAY AND ADVANCED FEATURES
Torkko Feasibility of replacing multiple ADSL connections with Multi-Dwelling Access

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20110119