
CN101426029A - Method for identifying customer by network and system thereof - Google Patents

Info

Publication number: CN101426029A
Authority: CN (China)
Prior art keywords: user, identity, domain, network, identifier
Legal status: Pending (the status is Google's assumption, not a legal conclusion)
Application number: CNA200710166425XA
Other languages: Chinese (zh)
Inventors: 季新生, 刘彩霞
Current assignee: PLA Information Engineering University
Original assignee: PLA Information Engineering University
Application filed by PLA Information Engineering University

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method for identifying users in a network, comprising the steps of: dividing the network into different network domains; replacing the real identity with a cover identity as the user's identity identifier in the network; defining and using user address identifiers separately in preset different network domains; and mapping the cover identity to the separately defined user address identifiers in the servers and user terminal devices of the different network domains. The invention also discloses a system for identifying users in a network. With the invention, a user's data packet in transit never carries the user's real identity information and real address information at the same time, no binding between the user's real identity and address identifier exists in the access domain or the service domain, and the user is identified by a cover identity, which prevents the leakage of user location information that a leaked real identity would otherwise cause.

Description

Method and system for identifying users in a network

Technical field

The present invention relates to the field of network communication technology, and in particular to a method and system for identifying users in a network.

Background

At present there are two approaches to identifying users in network data communication. In the first, the user's identity identifier and address identifier are one and the same; for example, an IP address identifies both the user's identity and the user's address in the network. In the second, the identity function and the address function are separated; for example, the IP address serves only as the user's address identifier, while a number or a Uniform Resource Identifier (URI) identifies the user's identity in the network.

With the first approach, the user's IP address is usually fixed and follows global addressing rules. This way of identifying users has exposed many problems in current network operation. First, user security: once the IP address assigned to a user leaks, the user's identity and location in the network are exposed, so the user may be tracked, have information stolen, or be subjected to targeted attacks and harassment. Second, mobility support: users expect the network to provide comprehensive services at any time, in any place and of any kind, and this demand will be even more pronounced in future converged networks. But because the original TCP/IP protocol suite was designed for hosts at fixed locations, the IP address was given the dual role of identifying both identity and location; this coupling of functions cannot support dynamic binding of a host's IP address and therefore cannot solve the problem of host mobility.

With the second approach, although the identity identifier and the address identifier are functionally decoupled, the network's communication mechanisms mean that the two identifiers are usually used, stored and transmitted together, so a network entity or end user can easily obtain the identity and address of a particular user from the network, as shown in Figures 1 to 4. Figure 1 shows the bundled use of user identity identifier and address identifier in the network: for addressing during communication, and for functions such as billing and authentication, the communication mechanism requires a data packet to carry both the user's identity information and address information in transit. Figure 2 shows the bound storage of user identity identifiers and address identifiers in the network. Referring to Figure 3, to support user mobility the network requires the terminal to report location changes periodically or in real time, and the user information database in the network maintains the mapping from identity identifier to address identifier for network entities or other users to query. Referring to Figure 4, in an all-IP network architecture based on the separation of control and bearer, during call-control signalling each party first obtains the other party's address identifier from the other party's identity identifier (here, the identifier the user uses for communication) and then begins sending service data.

Moreover, since the user must complete the binding of identity identifier and address identifier in the network through a registration process, and since one party to a communication knows the other party's identity identifier, that party can also easily obtain the other party's corresponding address identifier from the network. Because the user's address identifier also follows a global naming rule, leakage of the address identifier means leakage of the user's location in the network. The second approach therefore likewise leaks important and sensitive user information such as the user's real identity and current location.

At present there is no method of identifying users in a network that can guarantee the security of the user's real identity and current location in network communication.

Summary of the invention

In view of this, the problem solved by the present invention is to provide a method and system for identifying users in a network that effectively prevents leakage of user identity information and location information and protects both.

To this end, the present invention provides a method for identifying users in a network, comprising the following steps:

dividing the network into different network domains;

replacing the real identity with a cover identity as the user's identity identifier in the network;

defining and using user address identifiers separately in preset different network domains;

mapping the cover identity to the separately defined user address identifiers in the servers and user terminal devices of the different network domains.

Preferably, dividing the network into different network domains is specifically:

dividing the network, from the user's perspective, into an access domain, a service domain and a home domain.

Preferably, the preset different network domains are the access domain and the service domain; the user address identifier is defined in the access domain as the access domain identifier and in the service domain as the service domain identifier.

Preferably, mapping the cover identity to the separately defined user address identifiers in the servers and user terminal devices of the different network domains is specifically:

maintaining, in the user terminal device, the mapping between the user's cover identity and the user's real identity;

maintaining, in the access domain server, the mapping between the user's access domain identifier and the user's cover identity;

maintaining, in the service domain server, the mappings between the user's service domain identifier and access domain identifier and between the service domain identifier and the cover identity.

Preferably, the method further comprises the steps of:

storing, in the user terminal device, the user's home domain server address and access domain server address;

storing, in the access domain server, the user's current service domain server address;

storing, in the service domain server, the user's home domain server address.

Preferably, the home domain server address in the user terminal device is assigned statically before the user joins the network, or is updated dynamically during use.

Preferably, the access domain server address in the user terminal device is obtained when the user terminal device first accesses the network.

Preferably, the service domain server address in the access domain and the home domain server address in the service domain are obtained after the user prepares to use the network and completes the access authentication process.

In addition, the present invention provides a network identification system, comprising:

a user terminal device, for maintaining the mapping between the user's cover identity and real identity and for storing the user's home domain server address and access domain server address;

an access domain server, for maintaining the mapping between the user's access domain identifier and cover identity and for storing the address of the user's current service domain server;

a service domain server, for maintaining the mappings between the user's service domain identifier and access domain identifier and between the service domain identifier and cover identity, and for storing the user's home domain server address;

a home domain server, for maintaining the mappings between the user's real identity and cover identity and between the real identity and the current service domain identifier.

Compared with the prior art, the present invention has the following advantages:

To prevent leakage of user information, with the present invention a user's data packet in transit never carries the user's real identity information and real address information at the same time, and no binding between the user's real identity and address identifier exists in the access domain or the service domain. Further, because the user's location is easy to track on the network access side, the exchange between the user terminal device and the access domain server identifies the user by the cover identity, which prevents the leakage of user location information that a leaked real identity would otherwise cause.

Brief description of the drawings

Figure 1 is a schematic diagram of the bundled use of user identity identifiers and address identifiers in the network;

Figure 2 is a schematic diagram of the bound storage of user identity identifiers and address identifiers in the network;

Figure 3 is a schematic diagram of a network entity obtaining an address identifier from a user identity identifier;

Figure 4 is a schematic diagram of a network entity obtaining an address identifier from a user identity identifier in an all-IP network architecture based on the separation of control and bearer;

Figure 5 is a flowchart of the method for identifying users in a network provided by the present invention;

Figure 6 is a schematic diagram of the network structure defined by the present invention;

Figure 7 is a schematic diagram of the use of the different identifiers when a user terminal device authenticates with the network's home domain;

Figure 8 is a schematic diagram of the alternating use of the user's different identifiers during a location update in which the user's access domain changes and the service domain remains unchanged;

Figure 9 is a schematic diagram of the alternating use of the user's different identifiers during a location update in which both user A's access domain and service domain change;

Figure 10 is a diagram of the delivery of data packets when user A and user B communicate in the network;

Figure 11 is a schematic structural diagram of a system for identifying users in a network provided by the present invention.

Detailed description

To enable those skilled in the art to better understand the present invention, its technical solution is described below in conjunction with specific embodiments.

The present invention provides a method for identifying users in a network. Referring to Figure 5, the method comprises the following steps:

Step S501: divide the network into different network domains.

The present invention divides the network into different network domains from the user's perspective. For example, the network may be divided into an access domain, a service domain and a home domain, as shown in Figure 6.

The access domain contains an access domain server connected to the network access points within a certain range. The service domain contains a service domain server responsible for mobility management of the users covered by the current service domain network, control of the communication process, information forwarding and so on. The home domain is located where the user's subscription is held and contains a home domain server that manages the subscription information of its home users, their mobility management, control of the communication process, information forwarding and so on.

Step S502: replace the real identity with a cover identity as the user's identity identifier in the network.

The order of steps S501 and S502 may be adjusted according to the actual situation.

The present invention stores the user's real identity as subscription information in the home domain server; according to the user's needs it may also be stored in the user terminal device.

To prevent the user's real identity from leaking while the user accesses the network and communicates, the present invention assigns a cover identity to users with security requirements; the cover identity replaces the user's real identity and is used when the user accesses the network and communicates.

The present invention may store the binding or mapping between the user's real identity and cover identity in the home domain server, so that the user's home domain server assigns the user's cover identity. The assignment may be static or dynamic; the present invention does not restrict the specific way the cover identity is assigned.

Step S503: define and use the user address identifier separately in the preset different network domains.

In the present invention the preset different network domains are the access domain and the service domain. For example, as shown in Figure 6, the user address identifier is defined and used separately in the access domain and the service domain, as the access domain address identifier (hereinafter the access domain identifier) and the service domain address identifier (hereinafter the service domain identifier) respectively. The access domain identifier is used for data packet communication within the access domain and the service domain identifier for data packet communication within the service domain, such as addressing and routing.

The present invention does not restrict how the access domain identifier and service domain identifier are assigned or what information the two address identifiers implicitly carry; the two identifiers may be assigned statically before the user terminal device accesses the network or dynamically in real time at access.

Step S504: map the cover identity to the separately defined user address identifiers in the servers and user terminal devices of the different network domains.

As shown in Figure 6, the user terminal device maintains the mapping between the user's cover identity and real identity; in addition, it needs to store the user's home domain server address and access domain server address.

The access domain server maintains the mapping between the user's access domain identifier and cover identity, and also needs to store the user's current service domain server address.

The service domain server maintains the mappings between the user's service domain identifier and access domain identifier and between the service domain identifier and cover identity, and also needs to store the user's home domain server address.

The home domain server maintains the mappings between the user's real identity and cover identity and between the real identity and the current service domain identifier.

As can be seen from the above, in the present invention no binding or mapping between the cover identity and the user's real identity exists in any network device other than the user terminal device and the home domain server. Therefore, with the cover identity serving as the user's identity identifier in the network, even a leaked cover identity does not lead to leakage of the user's real identity, which prevents the leakage of the user terminal device's location that a leaked real identity would cause.

To prevent leakage of user information, the present invention ensures that a user's data packet in transit never carries the user's real identity information and real address information at the same time, and that no binding between the user's real identity and address identifier exists in the access domain or the service domain. Further, because the user's location is easy to track on the network access side, the exchange between the user terminal device and the access domain server identifies the user by the cover identity, which prevents the leakage of user location information that a leaked real identity would otherwise cause.

Likewise, in the network domain of the communication peer, the cover identity may also be used to identify that peer user, to prevent leakage of that user's location information (including service domain location and access domain location).

Depending on the user's information security needs, the cover identity and separately defined address identifiers of the present invention may be used in the authentication process when the user terminal device accesses the network (see Figure 7), in the location update process, i.e. when the user moves (see Figures 8 and 9), and in the communication process (see Figure 10); of course, the present invention does not restrict the occasions on which the cover identity and separately defined address identifiers are used.

Figure 7 shows the use of the different identifiers when a user terminal device authenticates with the network's home domain. As shown, user A sends an authentication request packet to home domain server A; the packet carries the user's cover identity and the home domain server address. The packet is addressed and routed through the network according to the home domain server address and reaches user A's home domain server A701. Because home domain server A701 stores the user's real identity bound to the cover identity, it replaces the user's cover identity in the authentication request packet with the user's real identity, so that the real identity serves as the user identifier, and forwards the authentication request packet to user A's authentication server A702, which completes the authentication of user A.

It should be noted that in the present invention the user's authentication server A702 and home domain server A701 may be separate devices or may be integrated.

The present invention does not restrict the specific functions and implementation of the various servers in the network. Authentication of the user by the access domain or the service domain proceeds similarly, in each case by the same identifier mapping and replacement mechanism.

Figures 8 and 9 show the alternating use of the user's different identifiers during a location update (movement). Figure 8 shows the location update when the user's access domain changes and the service domain remains unchanged; Figure 9 shows the location update when both user A's access domain and service domain change.

In Figure 8 the location update request packet completes the binding and mapping of the user's different identifiers in the new access domain server 801 and the service domain server 803. The user clear request packet clears the binding and mapping of the user's identifiers in the previous access domain server 802. As in the user access authentication of Figure 7, the location update request packet sent by user A carries user A's cover identity; on reaching new access domain server A801, the server replaces user A's cover identity with the new access domain identifier A; on reaching service domain server A803, that server sends a user clear request packet, carrying the old access domain identifier A, to old access domain server A802.

In Figure 9 the location update request packet completes the binding and mapping of the user's different identifiers in the new access domain server 801, the new service domain server 901 and home domain server A701. The user clear request packet clears the binding and mapping of the user's different identifiers in the previous access domain server 802 and the previous service domain server 902. As shown in Figure 9, the location update request packet sent by user A carries the user's cover identity A; on reaching the new access domain server 801, the cover identity is replaced with the new access domain identifier A; on reaching new service domain server A901, the new access domain identifier is replaced with the new service domain identifier A. Likewise, the user clear request packet sent by home domain server A701 carries user A's old service domain identifier.

Figure 10 shows, during communication, the delivery of data packets through the access domains, service domains and home domains of the two communicating users.

As a communication packet passes through the different network domains, the corresponding address identifier is used for addressing, routing and identifying the user, and in the home domain the user's service domain address identifier is exchanged for the user's real identity. Figure 10 takes user A sending a data packet to user B as the example; the process is as follows:

步骤S1001:用户A将数据包中的“发送方用户标识”填写A的掩护身份标识,“接收方用户标识”填写用户B的真实身份标识,用户A将数据包发送给对应的接入域服务器A。Step S1001: User A fills in the "sender user ID" in the data packet with the cover ID of A, and the "receiver user ID" with the real ID of user B, and user A sends the data packet to the corresponding access domain server a.

步骤S1002:接入域服务器A将数据包中用户A的掩护身份标识替换为用户A的接入域标识,并将数据包转送给服务域服务器A。Step S1002: Access domain server A replaces user A's cover ID in the data packet with user A's access domain identifier, and forwards the data packet to service domain server A.

步骤S1003:服务器服务域A将数据包中用户A的接入域标识替换为用户A的服务域标识,并将数据包转发给归属域服务器A。Step S1003: Server service domain A replaces user A's access domain identifier in the data packet with user A's service domain identifier, and forwards the data packet to home domain server A.

步骤S1004:归属域服务器A将包含用户A和B的真实身份标识的数据包转发给归属域服务器B。Step S1004: The home domain server A forwards the data packet containing the real identities of users A and B to the home domain server B.

该步骤包括三个子步骤:This step includes three substeps:

步骤S1004a:归属域服务器A向解析服务器发送用户B的归属域请求消息,这里的解析服务器可以根据用户的真实身份标识解析出该用户对应的归属域服务器。Step S1004a: the home domain server A sends the home domain request message of the user B to the resolution server, where the resolution server can resolve the home domain server corresponding to the user according to the real identity of the user.

步骤S1004b:根据用户B的真实身份标识,解析服务器返回用户B的归属域请求响应,该归属域请求响应包含用户B的归属域服务器B的地址。Step S1004b: According to the real identity of user B, the resolution server returns the home domain request response of user B, and the home domain request response includes the address of user B's home domain server B.

Step S1004c: Home domain server A replaces user A's service domain identifier in the packet with user A's real identity and forwards the packet to home domain server B.

Step S1005: Home domain server B replaces B's real identity in the packet with B's service domain identifier and forwards the packet to service domain server B.

Step S1006: Service domain server B replaces B's service domain identifier in the packet with B's access domain identifier and forwards the packet to access domain server B.

Step S1007: Access domain server B replaces B's access domain identifier in the packet with B's cover identity and delivers the packet to user B.

The user access authentication process described above shows that, because the mapping between a user's real identity and cover identity is stored in the home domain server and the authentication server authenticates the user against the real identity stored there, the user terminal device must know the address of its home domain server in advance, so that the authentication request packet can be addressed to that server and the mapping it holds between the user's real identity and cover identity can be used.

The communication process above also shows that the user's current access domain server must store the address of the user's current service domain server, and that the service domain server must store the address of the user's home domain server.

The home domain server address held by the user terminal device may be assigned permanently before the user joins the network, or updated dynamically during later use. The access domain server address held by the terminal may be obtained automatically when the user first connects to the network. The service domain server address held in the access domain and the home domain server address held in the service domain may be obtained once the user is about to use the network and has completed the access authentication process.

The present invention does not restrict the procedure or method by which the addresses of the servers in the different domains are obtained.

Referring to Figure 11, based on the method for identifying users in a network described above, the present invention also provides a network identification system comprising:

a user terminal device 1101, which maintains the mapping between the user's cover identity and real identity and stores the addresses of the user's home domain server and access domain server;

an access domain server 1102, which maintains the mapping between the user's access domain identifier and cover identity and stores the address of the user's current service domain server;

a service domain server 1103, which maintains the mappings between the user's service domain identifier and access domain identifier and between the service domain identifier and cover identity, and stores the address of the user's home domain server;

a home domain server 1104, which maintains the mappings between the user's real identity and cover identity and between the real identity and the user's current service domain identifier.
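The forwarding steps S1001 to S1007 and the mapping tables of devices 1101 to 1104 can be exercised together in one short model. The block below is example code written for this page, not code from the patent or its applicant: the identifier values (real-A, cover-A, acc-A, svc-A and their B counterparts), the server names (accessA, serviceA, homeA, homeB, serviceB, accessB) and the function names are constructed assumptions. `send` rewrites the sender and receiver fields hop by hop as in figure 10 and records what each hop sees; `linkable` joins the tables of a chosen set of compromised servers and reports whether an adversary holding them could connect two identifiers, which is the check behind the abstract's statement that no access domain or service domain server binds a user's real identity to that user's address identifier.

```python
"""Model of the hop-by-hop identifier rewriting of steps S1001-S1007 and of the
mapping tables held by devices 1101-1104. Example code written for this page,
not part of the patent; all identifiers and server names are constructed."""
from collections import deque
from dataclasses import dataclass


@dataclass
class Packet:
    sender: str    # "sender user identifier" field
    receiver: str  # "receiver user identifier" field
    payload: str


@dataclass
class Server:
    name: str
    # (kind_from, kind_to) -> {identifier: identifier}. Only the bindings the
    # text assigns to this class of server are loaded (see build_network).
    maps: dict

    def rewrite(self, ident, kind_from, kind_to):
        return self.maps[(kind_from, kind_to)][ident]


def build_network():
    # Constructed identifiers for users A and B.
    users = {
        "A": {"real": "real-A", "cover": "cover-A", "access": "acc-A", "service": "svc-A"},
        "B": {"real": "real-B", "cover": "cover-B", "access": "acc-B", "service": "svc-B"},
    }

    def binding(u, k1, k2):  # one bidirectional binding held by a single server
        return {(k1, k2): {users[u][k1]: users[u][k2]},
                (k2, k1): {users[u][k2]: users[u][k1]}}

    servers = {}
    for u in users:
        # Access domain server (1102): access domain identifier <-> cover identity.
        servers[f"access{u}"] = Server(f"access{u}", binding(u, "cover", "access"))
        # Service domain server (1103): service <-> access, service <-> cover.
        servers[f"service{u}"] = Server(
            f"service{u}", {**binding(u, "access", "service"), **binding(u, "cover", "service")})
        # Home domain server (1104): real <-> cover, real <-> current service.
        servers[f"home{u}"] = Server(
            f"home{u}", {**binding(u, "real", "cover"), **binding(u, "real", "service")})
    # Resolution server of S1004a/S1004b: real identity -> home domain server.
    resolution = {users[u]["real"]: f"home{u}" for u in users}
    return users, servers, resolution


def send(users, servers, resolution, src, dst, payload):
    """Walk a packet from src to dst as in figure 10; return, for each hop, the
    (hop, sender field, receiver field) the packet arrives with."""
    pkt = Packet(users[src]["cover"], users[dst]["real"], payload)                      # S1001
    trace = [(f"access{src}", pkt.sender, pkt.receiver)]
    pkt.sender = servers[f"access{src}"].rewrite(pkt.sender, "cover", "access")         # S1002
    trace.append((f"service{src}", pkt.sender, pkt.receiver))
    pkt.sender = servers[f"service{src}"].rewrite(pkt.sender, "access", "service")      # S1003
    trace.append((f"home{src}", pkt.sender, pkt.receiver))
    peer_home = resolution[pkt.receiver]                                                # S1004a/b
    pkt.sender = servers[f"home{src}"].rewrite(pkt.sender, "service", "real")           # S1004c
    trace.append((peer_home, pkt.sender, pkt.receiver))
    pkt.receiver = servers[peer_home].rewrite(pkt.receiver, "real", "service")          # S1005
    trace.append((f"service{dst}", pkt.sender, pkt.receiver))
    pkt.receiver = servers[f"service{dst}"].rewrite(pkt.receiver, "service", "access")  # S1006
    trace.append((f"access{dst}", pkt.sender, pkt.receiver))
    pkt.receiver = servers[f"access{dst}"].rewrite(pkt.receiver, "access", "cover")     # S1007
    trace.append((dst, pkt.sender, pkt.receiver))
    return trace


def hops_carrying(trace, ident):
    """Hops at which the packet still carries `ident` in either header field."""
    return [hop for hop, s, r in trace if ident in (s, r)]


def linkable(servers, compromised, a, b):
    """Can an adversary holding the tables of the `compromised` servers connect
    identifier a to identifier b by joining those tables?"""
    adj = {}
    for name in compromised:
        for table in servers[name].maps.values():
            for x, y in table.items():
                adj.setdefault(x, set()).add(y)
                adj.setdefault(y, set()).add(x)
    seen, todo = {a}, deque([a])
    while todo:
        x = todo.popleft()
        if x == b:
            return True
        for y in adj.get(x, ()):
            if y not in seen:
                seen.add(y)
                todo.append(y)
    return False


if __name__ == "__main__":
    users, servers, resolution = build_network()
    for hop, s, r in send(users, servers, resolution, "A", "B", "hello"):
        print(f"{hop:9s} sender={s:8s} receiver={r}")
    print("access+service servers link real-A to acc-A:",
          linkable(servers, {"accessA", "serviceA"}, "real-A", "acc-A"))
    print("home+service servers link real-A to acc-A:  ",
          linkable(servers, {"homeA", "serviceA"}, "real-A", "acc-A"))
```

Running the block prints the seven hops of figure 10. The trace also makes a caveat visible that the steps state but do not call out: A's real identity is written into the sender field at home domain server A (S1004c) and is never replaced again, so it crosses B's home, service and access domains and is delivered to B. What the scheme protects is the binding between a user's real identity and that user's own address identifiers, not the presence of the real identity on the wire. `linkable` shows the same property from the server side: an adversary holding access domain server A and service domain server A together cannot connect real-A to acc-A, while one that also holds home domain server A can, because only the home domain binds the real identity to the current service domain identifier.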

The above describes only preferred embodiments of the present invention and is not intended to limit it. Those of ordinary skill in the art may make various modifications without departing from the principles of the invention; any such modification, equivalent substitution or improvement falls within the scope of protection of the present invention.

Claims (9)

1. A method for identifying users in a network, comprising the following steps: dividing the network into different domains; using a cover identity in place of the real identity as the user's identity in the network; defining and using user address identifiers separately in preset different domains; and mapping the cover identity and the separately defined user address identifiers in the servers and user terminal devices of the different domains.

2. The method of claim 1, wherein dividing the network into different domains consists of dividing the network, from the user's perspective, into an access domain, a service domain and a home domain.

3. The method of claim 2, wherein the preset different domains are the access domain and the service domain, and the user address identifier is defined as an access domain identifier in the access domain and as a service domain identifier in the service domain.

4. The method of claim 3, wherein mapping the cover identity and the separately defined user address identifiers in the servers and user terminal devices of the different domains consists of: maintaining in the user terminal device the mapping between the user's cover identity and real identity; maintaining in the access domain server the mapping between the user's access domain identifier and cover identity; and maintaining in the service domain server the mappings between the user's service domain identifier and access domain identifier and between the service domain identifier and cover identity.

5. The method of claim 4, further comprising: storing in the user terminal device the addresses of the user's home domain server and access domain server; storing in the access domain server the address of the user's current service domain server; and storing in the service domain server the address of the user's home domain server.

6. The method of claim 5, wherein the home domain server address in the user terminal device is assigned permanently before the user joins the network, or is updated dynamically during use.

7. The method of claim 5, wherein the access domain server address in the user terminal device is obtained when the user terminal device first connects to the network.

8. The method of claim 5, wherein the service domain server address in the access domain and the home domain server address in the service domain are obtained after the user is about to use the network and has completed the access authentication process.

9. A network identification system, comprising: a user terminal device, which maintains the mapping between the user's cover identity and real identity and stores the addresses of the user's home domain server and access domain server; an access domain server, which maintains the mapping between the user's access domain identifier and cover identity and stores the address of the user's current service domain server; a service domain server, which maintains the mappings between the user's service domain identifier and access domain identifier and between the service domain identifier and cover identity, and stores the address of the user's home domain server; and a home domain server, which maintains the mappings between the user's real identity and cover identity and between the real identity and the current service domain identifier.
CNA200710166425XA 2007-10-31 2007-10-31 Method for identifying customer by network and system thereof Pending CN101426029A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNA200710166425XA CN101426029A (en) 2007-10-31 2007-10-31 Method for identifying customer by network and system thereof

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNA200710166425XA CN101426029A (en) 2007-10-31 2007-10-31 Method for identifying customer by network and system thereof

Publications (1)

Publication Number Publication Date
CN101426029A true CN101426029A (en) 2009-05-06

Family

ID=40616357

Family Applications (1)

Application Number Title Priority Date Filing Date
CNA200710166425XA Pending CN101426029A (en) 2007-10-31 2007-10-31 Method for identifying customer by network and system thereof

Country Status (1)

Country Link
CN (1) CN101426029A (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102202285A (en) * 2010-03-24 2011-09-28 华为终端有限公司 Management method of converged personal network, apparatus and system thereof
CN102202285B (en) * 2010-03-24 2014-01-22 华为终端有限公司 Management method of converged personal network, apparatus and system thereof
CN107205173A (en) * 2017-06-26 2017-09-26 武汉斗鱼网络科技有限公司 A kind of method and apparatus of barrage interaction in network direct broadcasting
CN107205173B (en) * 2017-06-26 2020-07-31 武汉斗鱼网络科技有限公司 Live webcast interaction method and device
CN107770183A (en) * 2017-10-30 2018-03-06 新华三信息安全技术有限公司 A kind of data transmission method and device
CN107770183B (en) * 2017-10-30 2020-11-20 新华三信息安全技术有限公司 Data transmission method and device
CN114944918A (en) * 2022-05-09 2022-08-26 令牌云(上海)科技有限公司 Privacy and safety data transmission method and device

Similar Documents

Publication Publication Date Title
US8559448B2 (en) Method and apparatus for communication of data packets between local networks
US8929360B2 (en) Systems, methods, media, and means for hiding network topology
CN102045314B (en) The method of anonymous communication, register method, information transceiving method and system
US20180343236A1 (en) Identity and Metadata Based Firewalls in Identity Enabled Networks
US8554946B2 (en) NAT traversal method and apparatus
CN109981633B (en) Method, apparatus and computer-readable storage medium for accessing server
US20190007275A1 (en) Identifier-Based Resolution of Identities
US20120191754A1 (en) Locating Subscription Data in a Multi-Tenant Network
WO2015169044A1 (en) Session binding method, device and system in roaming scenario
CN102255916A (en) Access authentication method, device, server and system
CN102045350A (en) Apparatus and method for integrated signal processing for ip-based convergence network
US20200084633A1 (en) Method for establishing a secure connection
BRPI0622025A2 (en) policy control architecture, policy independent, policy user, and business policy controllers, methods on a user terminal of launching the service on a first source network and launching that service on a second network, and , Methods on an Independent Identity Provider, User Policy Controller, Business Policy Controller, Service Policy Controller and Network Policy Controller
CN101426029A (en) Method for identifying customer by network and system thereof
CN104253798A (en) Network security monitoring method and system
CN100442920C (en) Method for user accessing information in next generation network
CN102238148B (en) identity management method and system
CN104301450B (en) The method and device of addressing
CN1972225B (en) Method for interacting user information between different sub-systems in next generation network
JP2014505387A (en) ID / locator separation network monitoring method and system
CN102655475B (en) Mobile communication switching method, device and system
CN103138953B (en) The method for group sending of Multimedia Message and group sending system
US11196666B2 (en) Receiver directed anonymization of identifier flows in identity enabled networks
JP5169859B2 (en) Network system, network terminal address selection method, network terminal address selection device
US20090154422A1 (en) Method of providing seamless qos guarantees in internet protocol (ip) network when ip-based mobility service is provided

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Open date: 20090506