CN102917071B - A kind of tunnel connection request distribution method and device - Google Patents

Info

Publication number: CN102917071B
Authority: CN (China)
Prior art keywords: message, connection request, user, lns, request message
Legal status: Active (status as listed by Google Patents, not a legal conclusion)
Application number: CN201210428576.9A
Other languages: Chinese (zh)
Other versions: CN102917071A (en)
Inventors: 王军, 周迪
Current Assignee: Zhejiang Uniview Technologies Co Ltd (as listed by Google Patents)
Original Assignee: Zhejiang Uniview Technologies Co Ltd
Priority date: 2012-10-31 (as listed by Google Patents, not a legal conclusion)
Filing date: 2012-10-31
Publication date: 2016-06-08

Events:
  • Application filed by Zhejiang Uniview Technologies Co Ltd
  • Priority to CN201210428576.9A
  • Publication of CN102917071A
  • Application granted
  • Publication of CN102917071B
  • Legal status: Active
  • Anticipated expiration

Landscapes

  • Computer And Data Communications (AREA)

Abstract

The present invention provides a tunnel connection request distribution method, applied in a NAT gateway to dispatch L2TP connection requests from users outside the NAT gateway. The method: determine, according to a predetermined policy, whether an L2TP connection request message from a user needs to be authenticated locally; if so, process it locally, otherwise return an authentication failure message to the user. When an authentication failure message is received, save the session feature of that message in a session table. When a subsequent request message is received, obtain its session feature and look up whether the front-end session table has a corresponding entry; if it does, forward the message to the LNS server behind the NAT; if not, process the L2TP connection request message locally. The business network served by the LNS server is different from the local business network. The invention can, while following existing standard protocols, intelligently identify the destination LNS server that the user intends to connect to.

Description

A kind of tunnel connection request distribution method and device
Technical field
The present invention relates to the field of data communications, and in particular to a tunnel connection request distribution method and device for an intranet.
Background technology
With the standardization and easy extensibility of network technology, and especially the development of IP technology, IP-based intelligent video surveillance has developed rapidly, and IP surveillance has become the mainstream of surveillance today. For reasons of security and cost, most surveillance networks are deployed on private networks. Many mobile or public-network users use a decoding client (such as a VC) to access surveillance resources located on the private network (such as a live stream on an encoder EC); they may dial in by L2TP and access the enterprise private network through a tunnel, which is the typical application scenario of Fig. 1. For the related technique of traversing the surveillance network's NAT through a tunnel, reference may be made to related applications previously filed by the applicant.
To save networking investment and to simplify network operation and management, the video surveillance network and the enterprise office data network are usually merged into one. Referring to Fig. 2, the NAT router at the enterprise network egress provides the LNS service, so that users on the external network can access enterprise data by L2TP dial-up. At the same time, the enterprise intranet also has an LNS device dedicated to the video surveillance service. In such a scenario, correct handling is needed so that an external-network user who wants to access the surveillance service dials into the surveillance LNS server on the intranet, while a user who wants to access other enterprise data dials into the LNS server of the enterprise network.
One obvious approach is to modify port numbers. For example, a user who needs to dial into the enterprise network could dial port 1701, and a user who needs to dial into the surveillance service could dial port 1801, so that users distinguish the different business networks they want to access by port number. However, the IETF (Internet Engineering Task Force) specifies in the RFC 2661 standard document that the L2TP destination port number can only be 1701; making the above change would mean losing compatibility with the standard and would require a private modification of the protocol, which is unfavourable for large-scale commercial application.
Summary of the invention
In view of this, the present invention provides a tunnel connection request distribution device, applied in a NAT gateway to dispatch L2TP connection requests from users outside the NAT gateway, where the device includes:
an LNS service unit, for determining according to a predetermined policy whether an L2TP connection request message from a user needs to be authenticated locally; if so, processing the request message, otherwise returning an authentication failure message to the user;
a front-end matching unit, for saving the session feature of an authentication failure message returned by the LNS service unit in a front-end session table when such a message is received, and, when an L2TP connection request message from a user is received, obtaining the session feature of that message and looking up whether the front-end session table has a corresponding entry; if it does, forwarding the L2TP connection request message to the LNS server in the NAT gateway's internal network; if not, sending the L2TP connection request message to the LNS service unit;
where the LNS service unit and the LNS server serve different business networks.
The present invention also provides a tunnel connection request distribution method, applied in a NAT gateway to dispatch L2TP connection requests from users outside the NAT gateway, characterised in that the method comprises the following steps:
Step A: determine, according to a predetermined policy, whether an L2TP connection request message from a user needs to be authenticated locally; if so, process the request message locally, otherwise return an authentication failure message to the user;
Step B: when the authentication failure message returned by step A is received, save the session feature of that message in a front-end session table; when an L2TP connection request message from a user is received, obtain the session feature of that message and look up whether the front-end session table has a corresponding entry; if it does, forward the L2TP connection request message to the LNS server in the NAT gateway's internal network; if not, return to step A and process the L2TP connection request message locally; where the business network served by the LNS server is different from the local business network.
The present invention can follow existing standard protocols and, without changing the user terminal software, intelligently identify the destination LNS server that the user intends to connect to, completing the user's tunnel connection to different business networks without excessive manual intervention by the user.
Accompanying drawing explanation
Fig. 1 is a typical video surveillance networking diagram of the prior art.
Fig. 2 is a typical networking diagram with two LNS servers.
Fig. 3 is the logical block diagram of the tunnel connection request distribution device in one embodiment of the present invention.
Fig. 4 is the processing flowchart of one embodiment of the present invention.
Detailed description of the invention
The present invention adds special processing in the authentication phase of the L2TP connection request so that, while basically preserving the user experience, the user's L2TP connection request is intelligently recognised and distributed to the LNS server in front of the appropriate business network for processing. Preferred embodiments of the present invention are described in detail below with reference to the drawings.
Referring to Fig. 2, Fig. 3 and Fig. 4, the present invention provides a tunnel connection request distribution device. In a preferred embodiment the invention is implemented as a computer program, and the device runs in the NAT gateway and includes a front-end matching unit and an LNS service unit. The processing flow by which this device, running in the NAT gateway, cooperates with the existing functions of the NAT gateway to achieve the above purpose is described below.
Step 101: after receiving an L2TP connection request message, the NAT gateway sends it up to the front-end matching unit for processing.
After the NAT gateway receives a message, a protocol message needs to be sent up to the software layer for processing, and different protocol messages are delivered to different functional units (that is, protocol stacks). In the prior art, an L2TP connection request message is processed by the LNS service unit integrated inside the NAT gateway, which acts as the LNS server, and the message is delivered directly to the LNS service unit. The present invention breaks this flow: the L2TP connection request message is first sent up to the front-end matching unit for processing.
Step 102: the front-end matching unit extracts the session feature of the L2TP connection request message and looks up whether the front-end session table has a corresponding entry; if so, go to step 103, otherwise go to step 104.
Step 103: the front-end matching unit forwards the L2TP connection request message to the intranet LNS server; go to step 108, where the LNS server processes it.
Step 104: the front-end matching unit submits the L2TP connection request message to the local LNS service unit; go to step 105, where the LNS service unit processes it.
Step 105: the LNS service unit first determines whether the L2TP connection request message satisfies the predetermined policy; if not, it returns an authentication failure message and processing goes to step 106; if so, go to step 107.
Step 106: in the reverse direction of the session, when the front-end matching unit receives the authentication failure message returned by the LNS service unit, it extracts the session feature of that authentication failure message and saves it in the front-end session table.
Step 107: the LNS service unit authenticates the user name and password in the L2TP connection request message; if authentication fails, it returns an authentication failure message; if it succeeds, it returns an authentication success message and establishes an L2TP tunnel connection with the user.
Step 108: the LNS server authenticates the user name and password in the L2TP connection request message; if authentication fails, it returns an authentication failure message; if it succeeds, it returns an authentication success message and establishes an L2TP tunnel connection with the user.
A message's session feature can take many forms and can be built from a combination of features at various layers. The present invention uses the most common one, the five-tuple, as the example. The five-tuple of a message consists of the source IP address, destination IP address, source port, destination port and protocol type. In the present invention, a hit in the front-end session table means that a message with the same session feature was previously processed by the LNS service unit in step 107 and that the result was an authentication failure or a mismatch with the predetermined policy; the front-end matching unit therefore needs to forward this message to the intranet LNS server for processing. It should be noted that the front-end session table is only a logical concept, defined by its function; it need not be an independent table and may well be merged into the various existing session tables.
In the present invention, the LNS service unit can also be understood as an LNS server in the logical sense, differing from the intranet LNS server only in the business network it serves. In the preferred embodiment, the LNS service unit serves non-video-surveillance business networks, such as various office service networks, while the intranet LNS server serves the video surveillance business network. The present invention needs to distinguish the intention of the user's L2TP connection request and intelligently determine which LNS server the user's connection request is meant for. This determination is made by the LNS service unit.
When the LNS service unit receives an L2TP connection request message, it does not immediately process the request as the protocol requires, but first determines according to the predetermined policy whether the message should be processed locally. In the preferred embodiment, the predetermined policy decides based on the business network mark carried in the message; for example, the user name in the message may take the form user@domain, and the LNS service unit can determine the user's intention from the business network mark in the domain. Suppose the user name has the form "user@office service network", that is, it contains the exemplary mark "office service network"; this business network mark indicates that the user wants to connect to the local LNS service unit, because the business network served by the LNS service unit is the local business network (the office service network in this example), so the LNS service unit continues processing as the protocol requires. Suppose instead the user name is "user@video surveillance service network"; its business network mark indicates that the user wants to connect to the intranet LNS server, and the LNS service unit can then return an authentication failure message. The authentication failure message passes through the front-end matching unit, which in step 106 adds the five-tuple of the authentication failure message to the front-end session table; the meaning of this action is that this user's connection request was once rejected.
After the user terminal receives the authentication failure message, it will in many cases initiate the L2TP connection request again (for example, the user has configured an automatic retransmission policy locally). When the resent L2TP connection request message reaches the front-end matching unit, it naturally hits the front-end session table in step 102 and is then forwarded to the intranet LNS server of the video surveillance business network for processing. The logic is summarised as follows: if a user wants to connect to the LNS server of the video surveillance business network, the LNS service unit will necessarily refuse, the session feature of the corresponding message is added to the front-end session table, the reconnection hits the session table, and the new L2TP connection request is correctly forwarded to the LNS server for processing. By returning one failure and having the user reconnect, the present invention ensures that the resent L2TP connection request necessarily matches a session entry and is correctly forwarded to the LNS server. A user who originally intended to connect to the LNS service unit will of course never experience this failure handling.
The above describes a relatively ideal situation, that is, the processing that applies in most cases. However, there is a special case that still needs to be considered. Suppose a user originally intended to send the connection request to the LNS server, but the L2TP connection request message carries no business network mark (for example, the user name is simply "user", with no "domain"). The LNS service unit will obviously regard this as matching the predetermined policy and continue processing. If the user name and password carried in the user's message are correct, the L2TP connection request was indeed meant for the local unit, an authentication success message can be returned, and the user's intention was in fact to access the office service network. If, however, the user name or password carried in the message is wrong, there are two cases: first, the user intended to connect to the LNS service unit but made a mistake entering the user name or password; second, the user intended to connect to the LNS server, and the user name and password certainly fail authentication at the LNS service unit.
In both cases the LNS service unit returns an authentication failure message. In the second case, after the front-end matching unit processes it, the user reconnects to the LNS server it wished to connect to, the user name and password were not mistyped, and authentication naturally succeeds. In the first case, however, even if the user corrects the user name and password in the resent L2TP connection request message, the front-end matching unit will, according to the session feature added to the session table earlier, forward the automatically resent L2TP connection request message to the LNS server, and the LNS server will certainly find the user's user name and password wrong, because the user name and password combinations kept by the LNS server and by the LNS service unit are usually different. So in the first case, no matter what the user does, the resent L2TP connection request message is always forwarded to the LNS server for processing and the result is always an authentication failure.
To avoid the problem caused by this special case, the front-end matching unit, in addition to forwarding when the session table is hit (a hit indicates that the user previously received an authentication failure message), also needs to delete the entry that was hit. This avoids the user in the first case above continually requesting a connection and continually failing; the premise, of course, is that the user is able to correct the user name and password combination in a subsequent reconnection request. The present invention can follow existing standard protocols and, without changing the user terminal software, intelligently identify the destination LNS server that the user intends to connect to, completing the user's tunnel connection to different business networks without excessive manual intervention by the user.
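The following Python simulation is an added illustration, not code from the patent: it models the flow of steps 101 to 108, the session-table record of step 106 and the deletion of the hit entry (claim 3), including the mistyped-password case described above. The business network names, the "user@domain" form of the mark, the LNS names and the user databases are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed business-network names; the patent only distinguishes the gateway's
# local (office) network from the intranet video-surveillance network.
LOCAL_NET = "office"  # served by the LNS service unit inside the NAT gateway

Result = Tuple[str, str]  # ("AUTH_OK" | "AUTH_FAIL", name of the LNS that answered)


@dataclass(frozen=True)
class FiveTuple:
    """Session feature used by the front-end matching unit (the patent's five-tuple)."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str


@dataclass(frozen=True)
class L2TPRequest:
    key: FiveTuple
    username: str
    password: str


def network_mark(username: str) -> Optional[str]:
    """Business-network mark carried as 'user@domain' (assumed form); None if absent."""
    return username.rsplit("@", 1)[1] if "@" in username else None


class LNS:
    """A plain LNS: authenticates user name and password (steps 107 / 108)."""

    def __init__(self, name: str, credentials: Dict[str, str]) -> None:
        self.name = name
        self.credentials = credentials  # constructed user database

    def authenticate(self, req: L2TPRequest) -> Result:
        ok = self.credentials.get(req.username) == req.password
        return ("AUTH_OK" if ok else "AUTH_FAIL", self.name)


class LNSServiceUnit(LNS):
    """LNS integrated in the NAT gateway; applies the predetermined policy first (step 105)."""

    def handle(self, req: L2TPRequest) -> Result:
        mark = network_mark(req.username)
        if mark is not None and mark != LOCAL_NET:
            # Marked for another business network: refuse without checking the password.
            return ("AUTH_FAIL", self.name)
        return self.authenticate(req)


class FrontMatchingUnit:
    """Sees every L2TP connection request before the local LNS (steps 101-104 and 106)."""

    def __init__(self, local: LNSServiceUnit, intranet: LNS) -> None:
        self.local = local
        self.intranet = intranet
        self.session_table: Set[FiveTuple] = set()  # the front-end session table

    def on_request(self, req: L2TPRequest) -> Result:
        if req.key in self.session_table:
            # Step 103: this five-tuple was refused locally before, so forward to the
            # intranet LNS.  The hit entry is deleted (claim 3) so that a user who merely
            # mistyped a local password is not forwarded to the intranet LNS forever.
            self.session_table.discard(req.key)
            return self.intranet.authenticate(req)  # stands in for forwarding + step 108
        result = self.local.handle(req)  # step 104
        if result[0] == "AUTH_FAIL":
            # Step 106: record the session feature of the failure seen on the reverse path.
            self.session_table.add(req.key)
        return result


def build_gateway() -> FrontMatchingUnit:
    """Constructed topology: one gateway LNS service unit and one intranet video LNS."""
    local = LNSServiceUnit("gateway-lns", {"alice@office": "pw-a", "carol": "pw-c"})
    intranet = LNS("intranet-video-lns", {"bob@video": "pw-b"})
    return FrontMatchingUnit(local, intranet)


def dial(gw: FrontMatchingUnit, key: FiveTuple, user: str, pw: str, attempts: int = 1) -> List[Result]:
    """Send the same request `attempts` times, as a client's automatic redial would."""
    return [gw.on_request(L2TPRequest(key, user, pw)) for _ in range(attempts)]
```

The simulation assumes the client's redial reuses the same five-tuple (in particular the same source port), which is what makes the session-table hit possible; a client that changes its source port on each attempt would never be matched.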
The foregoing are only preferred embodiments of the present invention and are not intended to limit it; any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.

Claims (8)

1. A tunnel connection request distribution device, applied in a NAT gateway to dispatch L2TP connection requests from users outside the NAT gateway, characterised in that the device includes:
an LNS service unit, for determining according to a predetermined policy whether an L2TP connection request message from a user needs to be authenticated locally; if so, processing the request message, otherwise returning an authentication failure message to the user;
a front-end matching unit, for saving the session feature of an authentication failure message returned by the LNS service unit in a front-end session table when such a message is received, and, when an L2TP connection request message from a user is received, obtaining the session feature of that message and looking up whether the front-end session table has a corresponding entry; if it does, forwarding the L2TP connection request message to the LNS server in the NAT gateway's internal network and deleting the entry that was hit; if not, sending the L2TP connection request message to the LNS service unit;
wherein the LNS server serves the video surveillance business network and the LNS service unit serves a non-video-surveillance business network.
2. The device of claim 1, characterised in that the predetermined policy includes: if the authentication message carries the mark of the business network corresponding to the LNS service unit, process the authentication request; otherwise return an authentication failure message to the user.
3. The device of claim 1, characterised in that the front-end matching unit is further used, when it determines that the front-end session table contains an entry corresponding to the session feature of the message, to delete that corresponding entry.
4. The device of claim 1, characterised in that the session feature is the five-tuple of the message.
5. A tunnel connection request distribution method, applied in a NAT gateway to dispatch L2TP connection requests from users outside the NAT gateway, characterised in that the method comprises the following steps:
Step A: determine, according to a predetermined policy, whether an L2TP connection request message from a user needs to be authenticated locally; if so, process the request message locally, otherwise return an authentication failure message to the user;
Step B: when the authentication failure message returned by step A is received, save the session feature of that message in a front-end session table; when an L2TP connection request message from a user is received, obtain the session feature of that message and look up whether the front-end session table has a corresponding entry; if it does, forward the L2TP connection request message to the LNS server in the NAT gateway's internal network and delete the entry that was hit; if not, return to step A and process the L2TP connection request message locally;
wherein the LNS server serves the video surveillance business network and the local business network is a non-video-surveillance business network.
6. The method of claim 5, characterised in that the predetermined policy includes: if the authentication message carries the mark of the local business network, process the authentication request; otherwise return an authentication failure message to the user.
7. The method of claim 5, characterised in that step B further includes:
when it is determined that the front-end session table contains an entry corresponding to the session feature of the message, deleting that corresponding entry.
8. The method of claim 5, characterised in that the session feature is the five-tuple of the message.
Application CN201210428576.9A, priority date 2012-10-31, filing date 2012-10-31, "A kind of tunnel connection request distribution method and device", Active, CN102917071B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210428576.9A CN102917071B (en) 2012-10-31 2012-10-31 A kind of tunnel connection request distribution method and device

Publications (2)

Publication Number Publication Date
CN102917071A (en) 2013-02-06
CN102917071B (en) 2016-06-08

Family

ID=47615301

Country Status (1)

Country Link
CN (1) CN102917071B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111600832B (en) * 2019-07-25 2022-09-30 新华三技术有限公司 Message processing method and device

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1374537B1 (en) * 2001-03-27 2010-01-20 Ericsson AB Tunneling through access networks
CN102546350A (en) * 2012-02-10 2012-07-04 浙江宇视科技有限公司 Method and device for saving WAN (wide area network) bandwidth in IP (internet protocol) monitoring system
CN102546657A (en) * 2012-02-10 2012-07-04 浙江宇视科技有限公司 Methods for passing through and assisting in passing through network isolation equipment in Internet protocol (IP) monitoring system, and node
CN102571524A (en) * 2012-02-10 2012-07-11 浙江宇视科技有限公司 Method for traversing and assisting to transverse network isolation equipment in IP (Internet Protocol) monitoring system and node

Also Published As

Publication number Publication date
CN102917071A (en) 2013-02-06

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant