WO2019237683A1 - Protocol packet, and method for managing virtual client terminal device - Google Patents
- Publication number: WO2019237683A1 (PCT application PCT/CN2018/119058)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- vcpe
- message
- authentication
- network controller
- protocol
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/04—Network management architectures or arrangements
- H04L41/08—Configuration management of networks or network elements
- H04L41/0803—Configuration setting
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/06—Notations for structuring of protocol data, e.g. abstract syntax notation one [ASN.1]
Definitions
- The present invention relates to the field of communication technologies, and in particular to a protocol message and a method for managing a virtual client terminal device.
- FIG. 1 shows a live-network deployment of virtual customer premise equipment (VCPE), comprising a service orchestrator, a network controller and the VCPEs, each of which connects several users.
- The service orchestrator issues and manages service policies and manages the network controllers centrally; the network controller brings VCPEs online and handles management tasks such as identity authentication.
- VCPE is the most compelling business model in Software Defined Wide Area Network (SD-WAN) solutions: it lets network operators extend their services to the customer's egress and frees users, especially small and medium-sized enterprises, from tedious network management, a typical win-win model.
- The purpose of the present invention is to provide a protocol message and a method for managing a virtual client terminal device.
- The UUID of the VCPE is used as the unique identifier by which the network controller remotely manages the VCPE.
- The present invention provides a protocol message for communication between a network controller and a virtual client terminal device (VCPE):
- The payload part of the protocol message has a common header, and the common header includes a field for indicating the universally unique identifier (UUID) of the VCPE; the UUID is generated when the VCPE is first started.
- The common header is a type length value (TLV) structure including a protocol version number, a message type, a total message length and an authentication encryption field.
- The message types include an authentication request, an authentication response, a heartbeat and a node information report.
- The message types further include a service port announcement and a session close.
- The service port announcement message includes an IP type, the IP address of the network controller and service port information, and is used to notify the VCPE to actively initiate a control connection to the network controller.
- The authentication encryption field includes an authentication type and the corresponding password information.
- The authentication type includes simple password authentication and MD5 authentication.
- The password information is a plaintext password or all zeros.
- The common header further includes a reserved field for custom functions.
- The custom functions include alarm reporting and automatic topology discovery.
- The protocol message is a TCP message or a UDP message.
- The present invention also provides a method for managing a virtual client terminal device using the foregoing protocol message, which includes:
- The network controller performs user identity verification according to the user authentication request sent by the VCPE; after authentication passes, it forwards the service configuration information delivered by the service orchestrator to the VCPE.
- The user authentication request and the service configuration message are both carried by protocol messages bearing the UUID of the VCPE.
- Based on the message type, the protocol messages include an authentication request message, an authentication response message, a heartbeat message and a node information report message;
- When the VCPE is started for the first time, and when the IP address of the VCPE changes, an authentication request message carrying the user authentication request is sent to the network controller; the user authentication request includes a user name, a password and the IP address of the VCPE;
- The network controller extracts the user authentication request, performs authentication, and returns an authentication response message carrying the authentication result.
- The protocol message further includes a service port announcement message, which includes an IP type, the IP address of the network controller and service port information, and is used to notify the VCPE to actively initiate a control connection to the network controller;
- When the network controller receives the authentication request message sent by the VCPE, it compares the IP address of the VCPE with the source IP address of the protocol message, and if they are not consistent, sends the service port announcement message to the VCPE.
- Security authentication of VCPE devices is a key measure of product maturity. Because VCPE deployment is dispersed and open, identity authentication of the VCPE is a key issue for service security; a sound authentication scheme greatly improves the availability of VCPE and prevents the entire service network from being paralysed.
- FIG. 1 is a schematic diagram of a VCPE live-network deployment.
- FIG. 2 is a schematic structural diagram of a protocol message according to the first embodiment of the present invention.
- FIG. 3 is a schematic diagram of a common header of a protocol message according to the first embodiment of the present invention.
- FIG. 6 is a flowchart of online management of a VCPE in a third embodiment of the present invention.
- FIG. 7 is a network controller protocol state machine according to a third embodiment of the present invention.
- FIG. 8 is a flowchart of establishing a command line channel under NAT traversal according to a sixth embodiment of the present invention.
- The present invention provides a protocol message for communication between a network controller and a virtual client terminal device (VCPE).
- The payload part of the protocol message has a common header, and the common header includes a field indicating the universally unique identifier (UUID) of the VCPE.
- The UUID is generated when the VCPE is first started and is stored in the VCPE configuration file as the unique identifier of the VCPE.
- Tools such as uuidgen can be used to generate the UUID.
- Because a VCPE is essentially a software function entity, remote management by the network controller needs something like the serial number of a physical device as the unique identifier of the VCPE; the UUID of the VCPE plays that role and is the basis for bringing the VCPE online and for subsequent service configuration management.
- On this basis, a complete set of VCPE management protocol messages is defined, so that large-scale deployment of VCPE is achieved quickly and reliably, with the advantages of low cost, good scalability, strong adaptability, and ease of implementation and deployment.
- A first embodiment of the present invention provides a protocol message.
- The protocol message includes a message header and a payload part; the payload part has a common header followed by protocol data.
- The format of the common header is shown in FIG. 3.
- The common header is a type length value (TLV) structure. It includes the protocol version number (Version), the message type (Type), the total message length (Length) and a field for the universally unique identifier (UUID) of the VCPE, which is generated when the VCPE is first started.
- The common header also includes an authentication encryption field, consisting of an authentication type (Auth Type) and the corresponding password information (Authentication).
- The authentication type includes simple password authentication and MD5 authentication; the password information is a plaintext password or all zeros.
- The common header also includes a Reserved field for custom functions, such as alarm reporting and automatic topology discovery.
- Field definitions of the common header:
- Version: protocol version number, customizable, 1 byte.
- UUID: 16 bytes, the unique identifier of the VCPE.
- Auth Type: 0 means no authentication, 1 means simple password authentication, and 2 means Message Digest Algorithm 5 (MD5) authentication.
- Authentication: for simple password authentication the password is carried in plaintext; the field is all zeros for no authentication and for MD5 authentication.
- When Auth Type is 2 (MD5 authentication), an extra 16-byte MD5 check field is appended after the protocol data of the message.
- Because the payload of the protocol message has a common header in TLV format, it scales well and can meet later needs for diversification.
- The second embodiment of the present invention provides a protocol message in which the message type Type is defined as shown in FIG. 5.
- The contents shown in FIG. 5 are all protocol data, distinguished by the Type value as follows:
- Authentication request (Type 1) includes the user name length (UserName Len), user name (UserName), password length (Password Len), password (Password), VCPE IP address length (IP Len) and VCPE IP address (My IP).
- Authentication response (Type 2) includes an authentication result (Result) and a reserved field (Reserved); it is sent by the network controller to the VCPE in response to the VCPE's user authentication request.
- The Result field is 0 or 1 depending on the outcome of the authentication; when re-authentication is required, the Result field is filled with 2.
- Heartbeat (connection keep-alive, Type 3) includes a magic number (Magic number), which is used to check heartbeat messages and can also serve as a reserved field for extensions.
- Node information report (Type 4) includes a sub type, a sub length and a sub value.
- Service port announcement (Type 5) is used by the network controller to notify the VCPE to actively initiate a control connection to the network controller; it includes the IP type (IP Type), the length of the network controller's IP address (IP Len), the network controller's IP address (IP) and the service port information.
- The service port information includes a port type (Port Type), a port length (Port Len) and a port number (Port).
- Session close (Type 6) includes a close flag (Close) and a reserved word (Reserve).
- Close is 1 byte and the reserved word is 7 bytes, kept for other functional extensions.
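The common header of the first embodiment and the Type 1 body of the second can be exercised in code. The following is an added example written for this page, not code from the patent or its applicant: it packs and parses the common header and the authentication request, checks the Length field against the datagram, and verifies both authentication modes. Field sizes the page does not state (Type, Length, Authentication, Reserved, and the length prefixes inside the Type 1 body) and the way the MD5 check field is computed are assumptions, marked as such in the code; the sample UUID is constructed.

```python
"""Codec for the common header and the Type 1 authentication request body.

Added example for this page, not code from the patent or its applicant.
Sizes stated on the page: Version 1 byte, UUID 16 bytes, AuthType 1 byte, MD5
check field 16 bytes.  ASSUMED: Type 1 byte, Length 2 bytes, Authentication
16 bytes, Reserved 4 bytes, 1-byte length prefixes in the Type 1 body, and the
keyed-MD5 construction below (the page only says a 16-byte MD5 check field
follows the protocol data when AuthType is 2).
"""
import hashlib
import hmac
import struct
import uuid as uuidlib

HEADER_FMT = "!BBH16sB16s4s"              # Version, Type, Length, UUID, AuthType, Authentication, Reserved
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 41 bytes with the assumed sizes
VERSION = 1
TYPE_AUTH_REQUEST, TYPE_AUTH_RESPONSE, TYPE_HEARTBEAT, TYPE_NODE_INFO, TYPE_SERVICE_PORT, TYPE_SESSION_CLOSE = 1, 2, 3, 4, 5, 6
AUTH_NONE, AUTH_SIMPLE, AUTH_MD5 = 0, 1, 2
DIGEST_LEN = 16
EXAMPLE_UUID = uuidlib.UUID("12345678-1234-5678-1234-567812345678")  # constructed sample


def _md5_check(message_without_trailer, secret):
    # ASSUMED construction, keyed MD5 in the style of OSPFv2/RIPv2: digest of the
    # header (Authentication all zeros) plus protocol data, followed by the secret.
    return hashlib.md5(message_without_trailer + secret).digest()


def build_message(msg_type, vcpe_uuid, protocol_data, auth_type=AUTH_NONE, secret=b""):
    """Common header + protocol data, plus the MD5 check field when AuthType is 2."""
    if auth_type == AUTH_SIMPLE:
        if not 0 < len(secret) <= 16:
            raise ValueError("simple password must be 1..16 bytes")
        auth_field = secret.ljust(16, b"\0")   # plaintext password on the wire
    else:
        auth_field = bytes(16)                 # all zeros for no auth and for MD5
    total = HEADER_LEN + len(protocol_data) + (DIGEST_LEN if auth_type == AUTH_MD5 else 0)
    header = struct.pack(HEADER_FMT, VERSION, msg_type, total, vcpe_uuid.bytes,
                         auth_type, auth_field, bytes(4))
    message = header + protocol_data
    if auth_type == AUTH_MD5:
        message += _md5_check(message, secret)
    return message


def parse_message(data, secret=b""):
    """Check version, Length and authentication; raise ValueError on any inconsistency."""
    if len(data) < HEADER_LEN:
        raise ValueError("shorter than the common header")
    version, msg_type, total, raw_uuid, auth_type, auth_field, _reserved = struct.unpack(
        HEADER_FMT, data[:HEADER_LEN])
    if version != VERSION:
        raise ValueError("unsupported version %d" % version)
    if total != len(data):                     # Length must cover the whole datagram
        raise ValueError("Length %d != datagram length %d" % (total, len(data)))
    body = data[HEADER_LEN:]
    if auth_type == AUTH_SIMPLE:
        if not hmac.compare_digest(auth_field.rstrip(b"\0"), secret):
            raise ValueError("password mismatch")
    elif auth_type == AUTH_MD5:
        if len(body) < DIGEST_LEN:
            raise ValueError("MD5 check field missing")
        body, received = body[:-DIGEST_LEN], body[-DIGEST_LEN:]
        if not hmac.compare_digest(received, _md5_check(data[:-DIGEST_LEN], secret)):
            raise ValueError("MD5 check failed")
    elif auth_type != AUTH_NONE:
        raise ValueError("unknown AuthType %d" % auth_type)
    return {"type": msg_type, "uuid": uuidlib.UUID(bytes=raw_uuid),
            "auth_type": auth_type, "data": body}


def accepts(data, secret=b""):
    """True if a receiver would process the datagram instead of dropping it."""
    try:
        parse_message(data, secret)
        return True
    except ValueError:
        return False


def build_auth_request(username, password, my_ip):
    """Type 1 protocol data: UserName, Password and My IP, each length-prefixed."""
    out = b""
    for field in (username.encode(), password.encode(), my_ip.encode()):
        if len(field) > 255:
            raise ValueError("field longer than a 1-byte length allows")
        out += struct.pack("!B", len(field)) + field
    return out


def parse_auth_request(body):
    """Inverse of build_auth_request; rejects length prefixes that run past the body."""
    values, pos = [], 0
    for _ in range(3):
        if pos >= len(body):
            raise ValueError("truncated authentication request")
        n = body[pos]
        chunk = body[pos + 1:pos + 1 + n]
        if len(chunk) != n:
            raise ValueError("length prefix runs past end of data")
        values.append(chunk.decode())
        pos += 1 + n
    if pos != len(body):
        raise ValueError("trailing bytes after My IP")
    return dict(zip(("username", "password", "my_ip"), values))
```

Two points follow directly from the format as the page defines it. With Auth Type 1 the password sits byte-for-byte in the Authentication field of every datagram, and with Auth Type 1 the Type 1 body carries the user password in the clear as well; the 16-byte check field of Auth Type 2 lets a receiver reject datagrams from parties without the shared secret, but it provides no confidentiality, which is why the third embodiment separately mentions data encryption "if necessary". The Length check before any field is trusted is the one that stops a short or padded datagram from being parsed past its end.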
- The protocol message is a Transmission Control Protocol (TCP) message or a User Datagram Protocol (UDP) message.
- The packet header of a protocol packet includes an IP header and a TCP or UDP header.
- The definition of the common header does not mandate TCP or UDP as the bearer protocol; however, considering the resource consumption of TCP itself and the need to maximise the management capacity of the network controller, UDP is preferred. Practice has shown that carrying the authentication protocol defined above over UDP gives a short development cycle and low resource consumption.
- The VCPE supports an IPv4/IPv6 dual stack and can be deployed in both IPv4 and IPv6 networks.
- A third embodiment of the present invention provides a method for managing a virtual client terminal device using the protocol message of the second embodiment, which includes:
- The network controller verifies the user identity according to the user authentication request sent by the VCPE; after authentication passes, it forwards the service configuration information delivered by the service orchestrator to the VCPE. Both the user authentication request and the service configuration message are carried by protocol messages bearing the VCPE's UUID.
- The protocol messages include authentication request messages, authentication response messages, heartbeat messages and node information report messages.
- When the VCPE is started for the first time, it sends an authentication request message carrying the user authentication request to the network controller; the user authentication request includes the user name, the password and the IP address of the VCPE.
- The network controller extracts the user authentication request, performs authentication and returns an authentication response message carrying the authentication result.
- Each VCPE corresponds to one user account on the authentication server; the authentication server and the network controller can be integrated or separate.
- The network controller interacts with the authentication, authorization and accounting (AAA) server using the Remote Authentication Dial In User Service (RADIUS) or Terminal Access Controller Access Control System (TACACS) protocol, which meets the needs of large-scale commercial use.
- S1: the administrator assigns a user name, a password and a location code to the VCPE to be brought online and stores them in the authentication server database.
- S2: the administrator notifies the device user of the user name, password and location code by email or text message.
- S3: the provisioning staff write the user name, password and location code into the VCPE configuration file, either directly or through the web client.
- The location code is a unique number assigned by the network controller to each VCPE across the whole network; it can be used to obtain the geographic location of the VCPE.
- S4: the VCPE generates a UUID when it is first started and saves it in its configuration file. The VCPE communicates with the controller through an IP address obtained by Dynamic Host Configuration Protocol (DHCP) or assigned statically, and sends the user name, password, location code and local management IP address to the network controller in a private authentication message, performing data encryption or an integrity check if necessary.
- S5: the network controller extracts the user name, password, UUID and location information from the VCPE authentication request message and sends them to the authentication server; the authentication server verifies the user identity against its local database and returns the authentication result to the controller.
- S6: the network controller receives the authentication result returned by the authentication server. If authentication succeeds, the VCPE is legitimate and its information is reported to the orchestrator; if authentication fails, the VCPE authentication request is discarded and recorded in the log.
- S7: the service orchestrator issues service configuration data for the authenticated VCPE through the interface.
- S8: the network controller, using the UUID as the identifier, converts the configuration issued by the service orchestrator into the device protocol and delivers it to each VCPE instance.
- FIG. 7 (network controller protocol state machine): on receiving the VCPE authentication request message, the controller sends an authentication request to the AAA server. If the AAA server rejects the authentication, the result is returned and the controller waits for another authentication attempt. In the authorized state (Authorized), the AAA server has passed the authentication, topology information is obtained, and the protocol messages are processed.
- The fourth embodiment of the present invention provides a method for managing a virtual client terminal device which, based on the third embodiment, re-authenticates a VCPE that has been migrated.
- The fifth embodiment of the present invention provides a method for managing a virtual client terminal device which, based on the third embodiment, lets the network controller actively request the VCPE to re-authenticate: the network controller sends an authentication response message (Type 2) to the VCPE with the Result field filled with 2, indicating that re-authentication is required.
- The fourth and fifth embodiments solve the re-authentication problem of VCPE migration: in practical NFV applications, software migration is the most common requirement.
- These embodiments reliably re-authenticate the VCPE when it migrates or its IP address changes, and re-authentication can be initiated either by the VCPE or by the network controller, further improving the availability and management efficiency of VCPE.
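The controller side of steps S5, S6 and S8, the FIG. 7 state machine and the two re-authentication embodiments fit together as follows. This is an added example for this page, not the patent's code: the authentication server is replaced by an in-memory account table standing in for the RADIUS/TACACS back end, the VCPE record is keyed by UUID as S8 requires, and configuration is released only to a VCPE in the authorized state. That Result 0 means success and 1 means failure is an assumption made here; the page itself fixes only Result 2 as "re-authentication required". The account and UUID are constructed sample data.

```python
"""Controller side of steps S5, S6 and S8, the FIG. 7 states, and the
re-authentication of the fourth and fifth embodiments.

Added example for this page, not the patent's code. The authentication server
is an in-memory account table standing in for the RADIUS/TACACS back end.
ASSUMED: Result 0 = success, 1 = failure (the page fixes only Result 2 =
re-authentication required).
"""
import hmac
import logging
import uuid

RESULT_OK, RESULT_FAIL, RESULT_REAUTH = 0, 1, 2
INIT, AUTH_PENDING, AUTHORIZED = "init", "auth_pending", "authorized"
log = logging.getLogger("controller")

# Constructed sample data: the account the administrator provisions in S1 and
# the UUID the VCPE generated at first start (S4).
EXAMPLE_ACCOUNTS = {"cpe-0001": ("s3cret", "LOC-0042")}   # username -> (password, location code)
EXAMPLE_UUID = uuid.UUID("12345678-1234-5678-1234-567812345678")


class AAAServer:
    """Stand-in for the authentication server and its local database (S1, S5)."""

    def __init__(self, accounts):
        self._accounts = accounts

    def authenticate(self, username, password, location_code):
        rec = self._accounts.get(username)
        if rec is None:
            return False
        pw_ok = hmac.compare_digest(rec[0].encode(), password.encode())
        return pw_ok and rec[1] == location_code


class NetworkController:
    """One record per VCPE, keyed by UUID (S8), carrying the FIG. 7 state."""

    def __init__(self, aaa):
        self.aaa = aaa
        self.vcpes = {}   # uuid.UUID -> {"state", "username", "ip", "location"}

    def state(self, vcpe_uuid):
        return self.vcpes.get(vcpe_uuid, {"state": INIT})["state"]

    def on_auth_request(self, vcpe_uuid, req):
        """S5/S6: `req` is the parsed Type 1 body plus the location code sent in S4.
        Returns the Result value to put in the Type 2 response."""
        rec = self.vcpes.setdefault(vcpe_uuid, {"state": INIT})
        rec["state"] = AUTH_PENDING
        if not self.aaa.authenticate(req["username"], req["password"], req["location"]):
            rec["state"] = INIT             # wait for another attempt
            log.warning("auth failed uuid=%s user=%s src=%s",
                        vcpe_uuid, req["username"], req["my_ip"])
            return RESULT_FAIL              # S6: request discarded and logged
        # A later success for a known UUID from a new IP is the migration case of
        # the fourth embodiment: the old binding is replaced only after AAA passes.
        rec.update(state=AUTHORIZED, username=req["username"],
                   ip=req["my_ip"], location=req["location"])
        return RESULT_OK

    def deliver_config(self, vcpe_uuid, config):
        """S8: configuration is addressed by UUID and released only in the
        AUTHORIZED state. Returns the device message, or None if refused."""
        rec = self.vcpes.get(vcpe_uuid)
        if rec is None or rec["state"] != AUTHORIZED:
            log.warning("refusing configuration for unauthorized uuid=%s", vcpe_uuid)
            return None
        return {"uuid": str(vcpe_uuid), "target_ip": rec["ip"], "config": config}

    def request_reauth(self, vcpe_uuid):
        """Fifth embodiment: controller-initiated re-authentication. The VCPE
        drops out of AUTHORIZED immediately and must pass on_auth_request again."""
        rec = self.vcpes.setdefault(vcpe_uuid, {"state": INIT})
        rec["state"] = INIT
        return RESULT_REAUTH                # Result field of the Type 2 message to send
```

The state is the thing that gates configuration delivery: a failed attempt, a controller-initiated re-authentication or a migration all leave the record in a state where S8 refuses to send anything until AAA has passed the VCPE again, and the UUID rather than the IP address is what the record is keyed by, so the migration case rebinds the address without creating a second identity.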
- The sixth embodiment of the present invention provides a method for managing a virtual client terminal device which, based on the third embodiment, solves the NAT traversal problem and includes:
- When the network controller receives the authentication request message from the VCPE, it compares the IP address of the VCPE with the source IP address of the protocol message; if they differ, it sends a service port announcement message to the VCPE.
- Specifically, when the controller receives the authentication request message, it compares the management IP in the payload part of the message with the source IP of the message. If the two do not match, the VCPE is behind a NAT gateway and the network controller cannot actively initiate a control connection to it. The network controller then starts a listening server on a randomly chosen port and notifies the VCPE of the port information through this message; after receiving it, the VCPE initiates a control connection to the designated port of the network controller. As the message structure shows, IPv4/IPv6 and TCP/UDP compatibility have been fully considered.
- The VCPE includes a UDP authentication module and a command line interface (CLI).
- S201: the UDP authentication module sends an authentication request message to the network controller.
- S202: the network controller compares the source IP of the UDP header with the VCPE IP field in the payload of the authentication request message. If they differ, the VCPE is behind a NAT gateway; the network controller dynamically allocates a TCP port number, starts a server on it, and notifies the VCPE by sending a Type 5 service port announcement message.
- S203: the UDP authentication module initiates a connection to the service port of the network controller.
- S204: the UDP authentication module dynamically establishes a TCP connection to the command line interface (CLI).
- S205: the network controller sends command line data over the established TCP connection.
- S206: the UDP authentication module transparently forwards the command line data to the CLI.
- S208: the UDP authentication module transparently forwards the returned data to the network controller.
- S209: after the network controller has finished sending the command line, it sends a Type 6 session close message to the UDP authentication module.
- S210: the UDP authentication module closes the connection.
- The UDP authentication module thus acts as a proxy for the control connection.
- In live-network deployment scenarios, many small and medium-sized enterprises have no public address at their egress; they sit behind the operator's NAT gateway and obtain a private address dynamically.
- The control connection to a VCPE is generally initiated by the controller: the VCPE usually acts as the server of a remote terminal protocol, Telnet or Secure Shell (SSH), and the network controller connects actively as the client.
- Behind NAT, the network controller cannot actively initiate a control connection to the VCPE.
- This embodiment enables the VCPE to actively initiate the control connection, effectively solving this particular problem in putting VCPE into practice.
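The NAT detection of S202 and the Type 5 announcement that follows it, as an added example for this page (not the patent's code). The controller compares the UDP source address with the My IP field the VCPE reported in its Type 1 payload, opens a listener on an OS-assigned port only when they differ, and encodes the announcement; the VCPE side decodes it and decides where to open the control connection. The encodings of the Type 5 body (IP Type 4 or 6, one-byte lengths, Port Type as the IP protocol number, a two-byte port) are assumptions, as is the extra check that the announced address is the controller the VCPE authenticated to, which the page does not describe. The listener allocation is injectable so the flow can be run without sockets; all addresses are constructed documentation ranges.

```python
"""NAT detection and the Type 5 service port announcement (sixth embodiment,
S201-S203).

Added example for this page, not the patent's code. ASSUMED encodings of the
Type 5 body: IP Type 1 byte (4 or 6), IP Len 1 byte, IP 4 or 16 bytes, Port
Type 1 byte (taken as the IP protocol number: 6 = TCP, 17 = UDP), Port Len
1 byte, Port 2 bytes.
"""
import ipaddress
import socket
import struct

IP_V4, IP_V6 = 4, 6
PORT_TCP, PORT_UDP = 6, 17


def behind_nat(datagram_src_ip, my_ip):
    """S202: NAT is inferred when the UDP source address differs from the
    management IP the VCPE put in its Type 1 payload (My IP)."""
    return ipaddress.ip_address(datagram_src_ip) != ipaddress.ip_address(my_ip)


def build_service_port_announcement(controller_ip, port, port_type=PORT_TCP):
    """Type 5 body: IP Type, IP Len, IP, Port Type, Port Len, Port."""
    addr = ipaddress.ip_address(controller_ip)
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    ip_type = IP_V4 if addr.version == 4 else IP_V6
    return (struct.pack("!BB", ip_type, len(addr.packed)) + addr.packed
            + struct.pack("!BBH", port_type, 2, port))


def parse_service_port_announcement(body):
    """Strict inverse: lengths must match the declared IP type, no trailing bytes."""
    if len(body) < 2:
        raise ValueError("truncated")
    ip_type, ip_len = struct.unpack("!BB", body[:2])
    if (ip_type, ip_len) not in ((IP_V4, 4), (IP_V6, 16)):
        raise ValueError("IP Type/Len mismatch")
    if len(body) != 2 + ip_len + 4:
        raise ValueError("unexpected body length")
    packed = body[2:2 + ip_len]
    port_type, port_len, port = struct.unpack("!BBH", body[2 + ip_len:])
    if port_len != 2:
        raise ValueError("bad Port Len")
    return {"ip": str(ipaddress.ip_address(packed)), "port": port, "port_type": port_type}


def open_tcp_listener(controller_ip):
    """Real allocator: bind port 0 so the OS picks a free port (the 'random port')."""
    family = socket.AF_INET if ipaddress.ip_address(controller_ip).version == 4 else socket.AF_INET6
    srv = socket.socket(family, socket.SOCK_STREAM)
    srv.bind((controller_ip, 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def fixed_port_allocator(port):
    """Allocator that opens no socket; lets the flow be exercised offline."""
    return lambda controller_ip: (None, port)


def controller_on_auth_request(datagram_src_ip, my_ip, controller_ip, allocate=open_tcp_listener):
    """Controller side of S202. Returns (listener, Type 5 body) when the VCPE is
    behind NAT, otherwise (None, None) because the controller can connect directly."""
    if not behind_nat(datagram_src_ip, my_ip):
        return None, None
    listener, port = allocate(controller_ip)
    return listener, build_service_port_announcement(controller_ip, port)


def vcpe_connect_target(announcement_body, expected_controller_ip):
    """S203 on the VCPE: where the UDP authentication module should open the
    control connection, or None if the announcement is to be ignored. The check
    against the controller the VCPE authenticated to is an addition here, not a
    step the page describes."""
    try:
        ann = parse_service_port_announcement(announcement_body)
    except ValueError:
        return None
    if ann["port_type"] != PORT_TCP:
        return None
    if ipaddress.ip_address(ann["ip"]) != ipaddress.ip_address(expected_controller_ip):
        return None
    return ann["ip"], ann["port"]
```

With the default allocator the controller really binds port 0 and announces whatever port the OS returned, which is the "randomly chosen port" of the text; the announcement is then the only thing telling the VCPE where to connect, which is why the VCPE-side check that the announced address belongs to the controller it just authenticated to is worth having even though the page does not list it.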
Abstract
Disclosed are a protocol packet, and a method for managing a virtual client terminal device, which are used for communication between a network controller and the virtual client terminal device VCPE, and relate to the technical field of communications. A payload part of the protocol packet has a common header, wherein the common header comprises a field for indicating a universally unique identifier (UUID) of the VCPE, and the UUID is generated when the VCPE is started for the first time. In the present invention, the UUID of the VCPE serves as a unique identifier for the network controller to remotely manage the VCPE and is a basis for online and later service configuration management of the VCPE, such that large-scale deployment of the VCPE can be quickly and reliably realized.
Description
The present invention relates to the field of communication technologies, and in particular to a protocol message and a method for managing a virtual client terminal device.
Driven by Software Defined Networking (SDN) and Network Function Virtualization (NFV), the communications industry is moving to the cloud. Decoupling the hardware and software of traditional communication equipment and applying SDN ideas to achieve centralized management and service provisioning can greatly reduce network operators' operation and maintenance costs while extracting the maximum added value from the network. FIG. 1 shows a live-network deployment of virtual customer premise equipment (VCPE): a service orchestrator, a network controller and the VCPEs, each of which connects several users. The service orchestrator issues and manages service policies and manages the network controllers centrally; the network controller brings VCPEs online and handles management tasks such as identity authentication. VCPE is the most compelling business model in Software Defined Wide Area Network (SD-WAN) solutions: it lets network operators extend their services to the customer's egress and frees users, especially small and medium-sized enterprises, from tedious network management, a typical win-win model. However, because users are geographically dispersed, how to achieve remote management and service provisioning for VCPE at large scale is a key problem that must be solved before VCPE can be put to practical use.
Summary of the Invention
针对现有技术中存在的缺陷,本发明的目的在于提供一种协议报 文以及虚拟客户终端设备的管理方法,采用VCPE的UUID作为网络控制器对VCPE进行远程管理的唯一标识,成为VCPE上线以及后期业务配置管理的依据,从而快速、可靠地实现VCPE的大规模部署。In view of the shortcomings in the prior art, the purpose of the present invention is to provide a method for managing protocol packets and virtual client terminals. The UUID of the VCPE is used as the unique identifier for remote management of the VCPE by the network controller. The basis for later service configuration management, so as to quickly and reliably realize the large-scale deployment of VCPE.
本发明提供一种协议报文,用于网络控制器与虚拟客户终端设备VCPE之间的通信:The present invention provides a protocol message for communication between a network controller and a virtual client terminal device VCPE:
所述协议报文的净荷部分具有公共头部,所述公共头部包括用于指示所述VCPE的通用唯一识别码UUID的字段,所述UUID是所述VCPE首次启动时生成的。The payload part of the protocol message has a common header, and the common header includes a field for indicating a universal unique identifier UUID of the VCPE, and the UUID is generated when the VCPE is first started.
在上述技术方案的基础上,所述公共头部为类型长度值TLV,包括协议版本号、消息类型、消息总长度和认证加密字段。On the basis of the above technical solution, the common header is a type length value TLV, including a protocol version number, a message type, a total message length, and an authentication encryption field.
在上述技术方案的基础上,所述消息类型包括认证请求、认证应答、心跳和节点信息上报。On the basis of the above technical solution, the message types include an authentication request, an authentication response, a heartbeat, and reporting of node information.
在上述技术方案的基础上,所述消息类型还包括服务端口通告和会话关闭,服务端口通告报文包括IP类型、网络控制器的IP地址和服务端口信息,用于通知所述VCPE向网络控制器主动发起控制连接。Based on the above technical solution, the message type further includes a service port announcement and a session close. The service port announcement message includes an IP type, an IP address of a network controller, and service port information, and is used to notify the VCPE to the network control The controller actively initiates a control connection.
在上述技术方案的基础上,所述认证加密字段包括认证类型和对应的密码信息,所述认证类型包括简单密码认证和MD5认证,所述密码信息为明文密码或者全0。Based on the above technical solution, the authentication encryption field includes an authentication type and corresponding password information, the authentication type includes simple password authentication and MD5 authentication, and the password information is a plain text password or all 0s.
在上述技术方案的基础上,所述公共头部还包括保留字段,用于自定义功能,自定义功能包括告警上报和拓扑自动发现。Based on the above technical solution, the common header further includes a reserved field for a custom function, and the custom function includes alarm reporting and automatic topology discovery.
在上述技术方案的基础上,所述协议报文为TCP报文或者UDP报文。Based on the above technical solution, the protocol message is a TCP message or a UDP message.
本发明还提供一种使用上述协议报文的虚拟客户终端设备的管理方法,其包括:The present invention also provides a method for managing a virtual client terminal device using the foregoing protocol message, which includes:
网络控制器根据所述VCPE发出的用户认证请求进行用户身份校验,认证通过后,将业务编排器下发的业务配置信息转发给所述VCPE,其中,所述用户认证请求和业务配置消息均由所述VCPE的UUID的协议报文承载。The network controller performs user identity verification according to the user authentication request sent by the VCPE. After the authentication is passed, the service configuration information delivered by the service orchestrator is forwarded to the VCPE. The user authentication request and the service configuration message are both It is carried by a protocol message of the UUID of the VCPE.
在上述技术方案的基础上,所述公共头部为类型长度值TLV,包括协议版本号、消息类型、消息总长度和认证加密字段,基于所述消息类型,所述协议报文包括认证请求报文、认证应答报文、心跳报文和节点信息上报报文;On the basis of the above technical solution, the common header is a type length value TLV, including a protocol version number, a message type, a total message length, and an authentication encryption field. Based on the message type, the protocol message includes an authentication request message. Message, authentication response message, heartbeat message, and node information report message;
当所述VCPE首次启动以及所述VCPE的IP地址发生变化时,向网络控制器发出带有所述用户认证请求的认证请求报文,所述用户认证请求包括用户名、密码和所述VCPE的IP地址;When the VCPE is started for the first time and the IP address of the VCPE is changed, an authentication request message with the user authentication request is sent to a network controller, where the user authentication request includes a user name, a password, and the VCPE IP address
网络控制器提取所述用户认证请求并进行认证,以及返回带有认证结果的认证应答报文。The network controller extracts the user authentication request and performs authentication, and returns an authentication response message with an authentication result.
在上述技术方案的基础上,所述协议报文还包括服务端口通告报文,服务端口通告报文包括IP类型、网络控制器的IP地址和服务端口信息,用于通知所述VCPE向网络控制器主动发起控制连接;Based on the above technical solution, the protocol message further includes a service port announcement message, and the service port announcement message includes an IP type, an IP address of the network controller, and service port information, and is used to notify the VCPE to the network control Controller initiates a control connection actively;
当网络控制器收到所述VCPE发出的所述认证请求报文时,对比所述VCPE的IP地址以及所述协议报文的源IP地址,如果不一致,则向所述VCPE发出所述服务端口通告报文。When the network controller receives the authentication request message sent by the VCPE, it compares the IP address of the VCPE and the source IP address of the protocol message, and if it is not consistent, sends the service port to the VCPE. Notification message.
Compared with the prior art, the advantages of the present invention are as follows:
(1) On-boarding management of VCPE devices: since a VCPE is essentially a software function entity, remote management of the VCPE by the network controller requires a unique identifier analogous to a physical device serial number; the UUID of the VCPE serves this role as the basis for bringing the VCPE online and for later service configuration management. On this basis a complete set of VCPE management protocol messages is defined, so that large-scale deployment of VCPEs can be achieved quickly and reliably, with the advantages of low cost, good scalability, strong adaptability, and ease of implementation and deployment.
(2) Identity authentication of VCPE devices: device security authentication of the VCPE is a key measure of product maturity. Because VCPE deployments are dispersed and open, authenticating the identity of a VCPE is a critical issue for service security; a sound authentication scheme greatly improves the availability of the VCPE and prevents the entire service network from being paralysed.
(3) Re-authentication after VCPE migration: in practical NFV applications, software migration is the most common requirement. The embodiments of the present invention can reliably re-authenticate a VCPE when it migrates or its IP address changes, and re-authentication can be initiated either by the VCPE or by the network controller, further improving the availability and management efficiency of the VCPE.
(4) NAT traversal: in live-network deployment scenarios, many small and medium-sized enterprises have no public address at their egress but sit behind the operator's NAT gateway, and their private addresses are obtained dynamically. The embodiments of the present invention allow the VCPE to actively initiate the control connection, which effectively solves this particular problem encountered when putting VCPEs into practical use.
Figure 1 is a schematic diagram of a VCPE live-network deployment;
Figure 2 is a schematic diagram of the structure of the protocol message according to the first embodiment of the present invention;
Figure 3 is a schematic diagram of the common header of the protocol message according to the first embodiment of the present invention;
Figure 4 shows the message types of the protocol message according to the first embodiment of the present invention;
Figure 5 shows the protocol data corresponding to each message type of the protocol message according to the second embodiment of the present invention;
Figure 6 is a flowchart of VCPE on-boarding management in the third embodiment of the present invention;
Figure 7 is the network controller protocol state machine according to the third embodiment of the present invention;
Figure 8 is a flowchart of command line channel establishment under NAT traversal according to the sixth embodiment of the present invention.
The present invention is described in further detail below with reference to the drawings and specific embodiments.
The present invention provides a protocol message for communication between a network controller and a virtual client terminal device (VCPE). The payload part of the protocol message has a common header, and the common header includes a field indicating the universally unique identifier (UUID) of the VCPE. The UUID is generated when the VCPE starts for the first time and is stored in the VCPE's configuration file as the unique identifier of the VCPE; it can be generated with a tool such as uuidgen.exe.
Since a VCPE is essentially a software function entity, remote management of the VCPE by the network controller requires a unique identifier analogous to a physical device serial number; the UUID of the VCPE is used for this purpose, as the basis for bringing the VCPE online and for later service configuration management. On this basis a complete set of VCPE management protocol messages is defined, so that large-scale deployment of VCPEs can be achieved quickly and reliably, with the advantages of low cost, good scalability, strong adaptability, and ease of implementation and deployment.
Referring to Figure 2, the first embodiment of the present invention provides a protocol message that includes a message header and a payload part, where the payload part has a common header and protocol data. The format of the common header is shown in Figure 3: the common header is a type-length-value (TLV) structure and includes a protocol version number (Version), a message type (Type), a total message length (Length), and a field indicating the universally unique identifier (UUID) of the VCPE, the UUID being generated when the VCPE starts for the first time.
The common header also includes an authentication/encryption field consisting of an authentication type (Auth Type) and the corresponding password information (Authentication). The authentication types include simple password authentication and MD5 authentication; the password information is either a plaintext password or all zeros.
The common header also includes a reserved field (Reserved) for custom functions, which include alarm reporting and automatic topology discovery.
Referring to Figure 3, the fields are described as follows:
(1) Protocol version number (Version): customizable, 1 byte;
(2) Message type (Type): 1 byte. The defined message types are shown in Figure 4 and include authentication request (Type 1), authentication response (Type 2), heartbeat (connection keepalive, Type 3), node information report (Type 4), service port announcement (Type 5) and session close (Type 6). Further types can be added as needed;
(3) Total message length (Length): the length of the message, which comprises this common header and the data part;
(4) UUID: 16 bytes, the unique identifier of the VCPE;
(5) Reserved field (Reserved): 3 bytes, kept for future extension;
(6) Authentication type (Auth Type): 0 means no authentication, 1 means simple password authentication, and 2 means Message Digest Algorithm 5 (MD5) authentication;
(7) Password information (Authentication): carries the plaintext password for simple password authentication, and is all zeros for no authentication or for MD5 authentication;
When Auth Type is 2, indicating MD5 authentication, an additional 16-byte MD5 check field is appended at the end of the protocol data of the message.
As can be seen from the above description, the payload part of the protocol message has a common header in TLV format, so it is readily extensible and can meet diverse future needs.
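The following is an added example, not code from the patent: it packs and parses the common header described above and verifies the optional MD5 trailer on the receiving side. The page gives the widths of Version, Type, UUID and Reserved; the 2-byte Length, 1-byte Auth Type, 16-byte Authentication field, the field order, and the keying of the MD5 trailer (digest over header, protocol data and a shared secret) are assumptions.

```python
"""Added example: VCPE common header pack/parse with MD5 trailer check."""
import hashlib
import hmac
import struct
import uuid

# Message types and authentication types as listed in the description above.
TYPE_AUTH_REQUEST, TYPE_AUTH_RESPONSE, TYPE_HEARTBEAT = 1, 2, 3
TYPE_NODE_INFO, TYPE_SERVICE_PORT, TYPE_SESSION_CLOSE = 4, 5, 6
AUTH_NONE, AUTH_SIMPLE, AUTH_MD5 = 0, 1, 2

# Assumed layout: Version(1) Type(1) Length(2) UUID(16) Reserved(3)
# AuthType(1) Authentication(16). Only the 1/1/16/3-byte widths are from the page.
HEADER_FMT = "!BBH16s3sB16s"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 40 bytes under these assumptions
AUTH_FIELD_LEN = 16
MD5_TRAILER_LEN = 16


def _md5_trailer(header: bytes, data: bytes, secret: bytes) -> bytes:
    # Assumed keying: MD5 over the header (Authentication all zeros for MD5),
    # the protocol data, and a shared secret known to controller and VCPE.
    return hashlib.md5(header + data + secret).digest()


def pack_message(version, msg_type, vcpe_uuid, data, auth_type=AUTH_NONE,
                 password=b"", secret=b""):
    """Build common header + protocol data [+ 16-byte MD5 trailer]."""
    if auth_type == AUTH_SIMPLE:
        if not 0 < len(password) <= AUTH_FIELD_LEN:
            raise ValueError("password must fit the Authentication field")
        auth_field = password.ljust(AUTH_FIELD_LEN, b"\0")
    else:
        auth_field = bytes(AUTH_FIELD_LEN)  # all zeros for none / MD5
    trailer_len = MD5_TRAILER_LEN if auth_type == AUTH_MD5 else 0
    # Assumption: Length covers header, data and trailer (whole datagram).
    total = HEADER_LEN + len(data) + trailer_len
    header = struct.pack(HEADER_FMT, version, msg_type, total, vcpe_uuid.bytes,
                         b"\0\0\0", auth_type, auth_field)
    trailer = _md5_trailer(header, data, secret) if auth_type == AUTH_MD5 else b""
    return header + data + trailer


def parse_message(raw, expected_password=None, secret=b""):
    """Validate a received datagram; raise ValueError on any inconsistency."""
    if len(raw) < HEADER_LEN:
        raise ValueError("truncated header")
    (version, msg_type, total, uuid_bytes, _reserved,
     auth_type, auth_field) = struct.unpack(HEADER_FMT, raw[:HEADER_LEN])
    # Reject padding/truncation before looking at any authentication data.
    if total != len(raw):
        raise ValueError("Length field does not match datagram size")
    if auth_type == AUTH_MD5:
        if len(raw) < HEADER_LEN + MD5_TRAILER_LEN:
            raise ValueError("missing MD5 trailer")
        data, trailer = raw[HEADER_LEN:-MD5_TRAILER_LEN], raw[-MD5_TRAILER_LEN:]
        expected = _md5_trailer(raw[:HEADER_LEN], data, secret)
        if not hmac.compare_digest(expected, trailer):  # constant-time compare
            raise ValueError("MD5 check failed")
    elif auth_type == AUTH_SIMPLE:
        data = raw[HEADER_LEN:]
        if expected_password is None or not hmac.compare_digest(
                auth_field, expected_password.ljust(AUTH_FIELD_LEN, b"\0")):
            raise ValueError("simple password check failed")
    elif auth_type == AUTH_NONE:
        data = raw[HEADER_LEN:]
    else:
        raise ValueError("unknown Auth Type %d" % auth_type)
    return {"version": version, "type": msg_type,
            "uuid": uuid.UUID(bytes=uuid_bytes),
            "auth_type": auth_type, "data": data}
```

MD5 with an appended secret gives only weak integrity; a deployment would normally replace the trailer with an HMAC over a modern hash.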
The second embodiment of the present invention provides a protocol message in which, on the basis of the first embodiment, the message type Type is defined specifically as shown in Figure 5. Everything described in Figure 5 is protocol data, distinguished by the Type value in the common header, as follows:
The authentication request (Type 1) includes the user name length (UserName Len), the user name (UserName), the password length (Password Len), the password (Password), the length of the VCPE's IP address (IP Len) and the VCPE's IP address (My IP).
The authentication response (Type 2) includes the authentication result (Result) and reserved bytes (Reserved). It is sent by the network controller to the VCPE in reply to the VCPE's user authentication request: the Result field is 0 when authentication succeeds, 1 when authentication fails, and 2 when re-authentication is required.
The heartbeat (connection keepalive, Type 3) includes a magic number, which is used to validate heartbeat messages and can also serve as a reserved field for extensions.
The node information report (Type 4) includes a sub-type (Sub Type), a sub-length (Sub Length) and a sub-value (Sub Value).
The service port announcement (Type 5) is used by the network controller to instruct the VCPE to actively initiate a control connection to the network controller. It includes the IP type (IP Type), the length of the network controller's IP address (IP Len), the network controller's IP address (IP) and service port information, where the service port information consists of the port type (Port Type), the port length (Port Len) and the port number (Port).
IP Type = 1 denotes IPv4 and IP Type = 2 denotes IPv6; Port Type = 1 denotes TCP and Port Type = 2 denotes UDP.
The session close (Type 6) includes a close-connection field (Close) of 1 byte and a reserved field (Reserve) of 7 bytes for other function extensions.
The protocol message is a Transmission Control Protocol (TCP) message or a User Datagram Protocol (UDP) message. As shown in Figure 2, the message header of the protocol message comprises an IP header and a TCP/UDP header. The definition of the common header does not mandate whether the bearer protocol is TCP or UDP, but considering the resource consumption of TCP itself and the need to maximise the management capacity of the network controller, UDP is preferred; practice has shown that carrying the authentication protocol defined above over UDP yields a short development cycle and low resource consumption.
The VCPE supports an IPv4/IPv6 dual stack and can be deployed in IPv4 and IPv6 networks.
Identity authentication of VCPE devices: device security authentication of the VCPE is a key measure of product maturity. Because VCPE deployments are dispersed and open, authenticating the identity of a VCPE is a critical issue for service security; a sound authentication scheme greatly improves the availability of the VCPE and prevents the entire service network from being paralysed.
The third embodiment of the present invention provides a method for managing a virtual client terminal device using the protocol message of the second embodiment, which includes:
The network controller verifies the user's identity according to the user authentication request sent by the VCPE; after authentication succeeds, it forwards the service configuration information delivered by the service orchestrator to the VCPE, where both the user authentication request and the service configuration message are carried by protocol messages bearing the UUID of the VCPE.
Based on the message type, the protocol messages include an authentication request message, an authentication response message, a heartbeat message and a node information report message.
When the VCPE starts for the first time, it sends an authentication request message carrying a user authentication request to the network controller; the user authentication request includes the user name, the password and the IP address of the VCPE.
The network controller extracts the user authentication request, performs authentication, and returns an authentication response message carrying the authentication result.
The VCPE on-boarding management flow is shown in Figure 6. Each VCPE can be treated as one instance. The authentication server and the network controller may be integrated or functionally separated. To increase the scale of the network that the network controller can manage, it is preferable to use an independent authentication, authorization and accounting (AAA) server as the authentication server, with the network controller interacting with it via the Remote Authentication Dial In User Service (RADIUS) or Terminal Access Controller Access Control System (TACACS) protocol, which meets the needs of large-scale commercial use.
S1: The administrator assigns a user name, a password and a location code to the VCPE that is about to be provisioned and stores them in the authentication server database;
S2: The administrator informs the provisioning staff of the user name, password, location code and related information by e-mail or text message;
S3: The provisioning staff write the user name, password, location code and related information into the VCPE configuration file, either directly or through the web client. The location code is a unique number assigned by the network controller to each VCPE across the whole network, from which the VCPE's geographic location can be obtained;
S4: The VCPE generates a UUID on first start-up and saves it in its configuration file. The VCPE reaches the controller using an IP address obtained via the Dynamic Host Configuration Protocol (DHCP) or statically assigned, and sends the user name, password, location code, local management IP address and related information to the network controller in a private authentication message, applying data encryption or integrity checking where necessary.
S5: The network controller extracts the user name, password, UUID and location information from the VCPE's authentication request message and sends them to the authentication server, which verifies the user's identity against its local database and returns the authentication result to the controller;
S6: The network controller receives the authentication result from the authentication server. If authentication succeeds, the VCPE is legitimate and its information is reported to the orchestrator; if authentication fails, the VCPE's authentication request is discarded and the event is recorded in the log;
S7: The service orchestrator delivers service configuration data to the authenticated VCPE through its interface;
S8: The network controller, using the UUID as the identifier, converts the configuration delivered by the service orchestrator into the device protocol and delivers it to each VCPE instance.
During VCPE authentication, the network controller's protocol state machine is shown in Figure 7.
Initial state (Init): the network controller receives the VCPE's authentication request message and sends an authentication request to the AAA server.
Unauthenticated state (Unauthorized): AAA server authentication has failed; the result is returned and the controller waits for another authentication attempt.
Authenticated state (Authorized): AAA server authentication has passed; the controller obtains topology information and performs session keepalive.
When the session times out, the state transitions from Authorized to Unauthorized; when authentication times out, it transitions from Unauthorized to Init.
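The following is an added example, not the patent's own code: the per-VCPE state machine of Figure 7 as a network controller might keep it, covering the on-boarding steps S4 to S6 and the two timeout transitions. The timeout lengths, the handling of a heartbeat from an unauthenticated VCPE, and the use of Result = 2 on session timeout (the controller-initiated re-authentication of the fifth embodiment) are assumptions.

```python
"""Added example: network controller protocol state machine per VCPE (Figure 7)."""
import enum


class State(enum.Enum):
    INIT = "Init"
    UNAUTHORIZED = "Unauthorized"
    AUTHORIZED = "Authorized"


# Result field values of the Type 2 authentication response, from the page.
RESULT_OK, RESULT_FAIL, RESULT_REAUTH = 0, 1, 2


class VcpeSession:
    """State kept by the controller for one VCPE, keyed by its UUID."""

    # Timeout lengths are assumed; the page names the timeouts but not values.
    def __init__(self, vcpe_uuid, session_timeout=90.0, auth_timeout=30.0):
        self.uuid = vcpe_uuid
        self.state = State.INIT
        self.session_timeout = session_timeout
        self.auth_timeout = auth_timeout
        self.deadline = None       # time at which the current state expires
        self.aaa_pending = False   # request forwarded to AAA, verdict awaited

    def on_auth_request(self, now):
        """Type 1 received (S4): enter Init and forward to the AAA server (S5).
        Accepted in any state, so a migrated VCPE can re-authenticate."""
        self.state = State.INIT
        self.aaa_pending = True
        self.deadline = None       # the page defines no timeout for Init
        return "send_to_aaa"

    def on_aaa_result(self, ok, now):
        """AAA verdict (S6). Returns the Result value for the Type 2 response,
        or None when no request is pending (stale or unsolicited verdict)."""
        if not self.aaa_pending:
            return None
        self.aaa_pending = False
        if ok:
            self.state = State.AUTHORIZED
            self.deadline = now + self.session_timeout
            return RESULT_OK
        self.state = State.UNAUTHORIZED     # request discarded and logged
        self.deadline = now + self.auth_timeout
        return RESULT_FAIL

    def on_heartbeat(self, now):
        """Type 3 keepalive: extends the session only for an Authorized VCPE;
        a heartbeat from any other state is dropped (assumed policy)."""
        if self.state is State.AUTHORIZED:
            self.deadline = now + self.session_timeout
            return True
        return False

    def tick(self, now):
        """Apply the timeout transitions of Figure 7. Returns a Result value to
        send in a Type 2 response (re-authentication demand), else None."""
        if self.deadline is None or now < self.deadline:
            return None
        if self.state is State.AUTHORIZED:
            self.state = State.UNAUTHORIZED   # session timeout
            self.deadline = now + self.auth_timeout
            return RESULT_REAUTH              # controller asks VCPE to re-auth
        if self.state is State.UNAUTHORIZED:
            self.state = State.INIT           # authentication timeout
            self.deadline = None
            self.aaa_pending = False
        return None
```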
The embodiments of the present invention implement identity authentication of VCPE devices: device security authentication of the VCPE is a key measure of product maturity. Because VCPE deployments are dispersed and open, authenticating the identity of a VCPE is a critical issue for service security; a sound authentication scheme greatly improves the availability of the VCPE and prevents the entire service network from being paralysed.
The fourth embodiment of the present invention provides a method for managing a virtual client terminal device which, on the basis of the third embodiment, re-authenticates a migrated VCPE and specifically includes:
when the IP address of the VCPE changes, the process of Figure 6 above is repeated: the VCPE re-sends an authentication request message carrying the user authentication request to the network controller, and the network controller extracts the user authentication request, performs authentication, and returns an authentication response message carrying the authentication result.
The fifth embodiment of the present invention provides a method for managing a virtual client terminal device which, on the basis of the third embodiment, allows the network controller to actively require the VCPE to re-authenticate, and specifically includes: the network controller sends an authentication response message to the VCPE whose message type is authentication response (Type 2) and whose Result field is set to 2, indicating that re-authentication is required.
The fourth and fifth embodiments of the present invention solve the re-authentication problem of VCPE migration: in practical NFV applications, software migration is the most common requirement. The embodiments of the present invention can reliably re-authenticate a VCPE when it migrates or its IP address changes, and re-authentication can be initiated either by the VCPE or by the network controller, further improving the availability and management efficiency of the VCPE.
The sixth embodiment of the present invention provides a method for managing a virtual client terminal device which, on the basis of the third embodiment, solves the NAT traversal problem and includes:
when the network controller receives the authentication request message sent by the VCPE, it compares the IP address of the VCPE with the source IP address of the protocol message, and if they differ, it sends a service port announcement message to the VCPE.
As follows from the description of the Type 1 message above, when the controller receives an authentication request message it compares the management IP carried in the message payload with the source IP of the message. If the two IPs differ, the VCPE is behind a NAT gateway and the network controller cannot actively initiate a control connection. In that case the network controller opens a random port as a listening server and announces the port information to the VCPE in this message; on receiving it, the VCPE can actively initiate a control connection to the designated port of the network controller. The structure of the message shows that compatibility with IPv4 and IPv6 and with TCP/UDP has been fully taken into account.
Referring to Figure 8, the VCPE comprises a UDP authentication module and a command line interface (CLI). When a command line channel is established under NAT traversal, the interaction between the network controller, the authentication module and the CLI proceeds as follows:
S201: The UDP authentication module sends an authentication request message to the network controller.
S202: Based on the authentication request message, the network controller compares the source IP of the UDP header with the VCPE IP field in the payload. If they differ, the VCPE is behind a NAT gateway; the network controller dynamically allocates a TCP port number, starts a server on it, and sends a Type 5 service port announcement message to inform the VCPE.
S203: The UDP authentication module actively initiates a connection to the service port of the network controller.
S204: The UDP authentication module dynamically establishes a TCP connection to the CLI.
S205: The network controller sends command line data over the established TCP connection.
S206: The UDP authentication module passes the command line data through to the CLI.
S207: The CLI returns data.
S208: The UDP authentication module passes the returned data through to the network controller.
S209: When the network controller has finished sending command line data, it sends a Type 6 close-connection message to the UDP authentication module.
S210: The UDP authentication module closes the connection.
As the figure shows, in the NAT traversal scenario the UDP authentication module in effect acts as a proxy for the control connection.
In live-network deployment scenarios, many small and medium-sized enterprises have no public address at their egress but sit behind the operator's NAT gateway, and their private addresses are obtained dynamically. The control connection to a VCPE is generally initiated by the controller: in the typical command line configuration channel, the VCPE acts as the Telnet/Secure Shell (SSH) server and the network controller actively connects to the VCPE as the client. When the VCPE is behind a NAT gateway, however, the network controller cannot initiate the control connection to the VCPE. The embodiments of the present invention allow the VCPE to actively initiate the control connection, which effectively solves this particular problem encountered when putting VCPEs into practical use.
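The following is an added example, not the patent's own code, for the NAT check of the sixth embodiment and step S202 above: it parses the Type 1 protocol data, compares My IP with the datagram's source address, and builds (and, on the VCPE side, parses) the Type 5 service port announcement. The 1-byte Len fields, binary (4- or 16-byte) IP encoding, 2-byte Port and the `alloc_port` callback are assumptions; the common header is handled separately and omitted here.

```python
"""Added example: NAT detection and Type 5 announcement on the controller side."""
import ipaddress
import struct

# Values from the page: IP Type and Port Type encodings.
IP_TYPE_V4, IP_TYPE_V6 = 1, 2
PORT_TYPE_TCP, PORT_TYPE_UDP = 1, 2


def _take(buf, off, n):
    """Slice n bytes at off, refusing to read past the end of the buffer."""
    if off + n > len(buf):
        raise ValueError("protocol data truncated")
    return buf[off:off + n], off + n


def build_auth_request(username, password, my_ip):
    """Type 1 protocol data: (Len, value) for UserName, Password, My IP."""
    parts = []
    for value in (username.encode("utf-8"), password,
                  ipaddress.ip_address(my_ip).packed):
        if not 0 < len(value) <= 255:
            raise ValueError("field must fit a 1-byte Len")
        parts.append(bytes([len(value)]) + value)
    return b"".join(parts)


def parse_auth_request(data):
    """Parse Type 1 protocol data; rejects truncation and trailing bytes."""
    off, out = 0, {}
    for name in ("username", "password", "my_ip"):
        ln, off = _take(data, off, 1)
        out[name], off = _take(data, off, ln[0])
    if off != len(data):
        raise ValueError("trailing bytes after My IP")
    if len(out["my_ip"]) not in (4, 16):
        raise ValueError("My IP must be 4 (IPv4) or 16 (IPv6) bytes")
    out["my_ip"] = ipaddress.ip_address(out["my_ip"])
    out["username"] = out["username"].decode("utf-8")
    # password stays bytes: it is forwarded to the AAA server, never logged
    return out


def build_service_port_announcement(ctrl_ip, port, port_type=PORT_TYPE_TCP):
    """Type 5 protocol data: IP Type, IP Len, IP, Port Type, Port Len, Port."""
    ip = ipaddress.ip_address(ctrl_ip)
    ip_type = IP_TYPE_V4 if ip.version == 4 else IP_TYPE_V6
    if not 0 < port < 65536 or port_type not in (PORT_TYPE_TCP, PORT_TYPE_UDP):
        raise ValueError("bad port or port type")
    return (struct.pack("!BB", ip_type, len(ip.packed)) + ip.packed
            + struct.pack("!BBH", port_type, 2, port))


def parse_service_port_announcement(data):
    """VCPE side: decode Type 5 and cross-check IP Type against IP Len."""
    hdr, off = _take(data, 0, 2)
    ip_type, ip_len = struct.unpack("!BB", hdr)
    expected_len = {IP_TYPE_V4: 4, IP_TYPE_V6: 16}.get(ip_type)
    if expected_len is None or ip_len != expected_len:
        raise ValueError("IP Type / IP Len mismatch")
    ip_bytes, off = _take(data, off, ip_len)
    tail, off = _take(data, off, 4)
    port_type, port_len, port = struct.unpack("!BBH", tail)
    if port_len != 2 or port_type not in (PORT_TYPE_TCP, PORT_TYPE_UDP):
        raise ValueError("bad port encoding")
    if off != len(data):
        raise ValueError("trailing bytes after Port")
    return {"ip": ipaddress.ip_address(ip_bytes), "port": port,
            "port_type": port_type}


def handle_auth_request(data, source_ip, ctrl_ip, alloc_port):
    """S202: compare My IP with the UDP source address. Returns the parsed
    request and a Type 5 announcement when the VCPE is behind NAT, else None.
    alloc_port is an assumed callback that opens a listening port."""
    req = parse_auth_request(data)
    if req["my_ip"] == ipaddress.ip_address(source_ip):
        return req, None            # reachable directly; controller connects
    port = alloc_port()             # controller starts its server (Figure 8)
    return req, build_service_port_announcement(ctrl_ip, port)
```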
The present invention is not limited to the above embodiments. Those of ordinary skill in the art can make various improvements and refinements without departing from the principle of the present invention, and such improvements and refinements are also considered to fall within the scope of protection of the present invention. Matters not described in detail in this specification belong to the prior art known to those skilled in the art.
Claims (10)
- A protocol message for communication between a network controller and a virtual client terminal device (VCPE), characterized in that: the payload part of the protocol message has a common header, the common header includes a field for indicating the universally unique identifier (UUID) of the VCPE, and the UUID is generated when the VCPE starts for the first time.
- The protocol message according to claim 1, characterized in that: the common header is a type-length-value (TLV) structure including a protocol version number, a message type, a total message length and an authentication/encryption field.
- The protocol message according to claim 2, characterized in that: the message types include authentication request, authentication response, heartbeat and node information report.
- The protocol message according to claim 2, characterized in that: the message types further include service port announcement and session close, and the service port announcement message includes an IP type, the IP address of the network controller and service port information, and is used to instruct the VCPE to actively initiate a control connection to the network controller.
- The protocol message according to claim 2, characterized in that: the authentication/encryption field includes an authentication type and corresponding password information, the authentication type includes simple password authentication and MD5 authentication, and the password information is a plaintext password or all zeros.
- The protocol message according to claim 1, characterized in that: the common header further includes a reserved field for custom functions, and the custom functions include alarm reporting and automatic topology discovery.
- The protocol message according to claim 1, characterized in that: the protocol message is a TCP message or a UDP message.
- A method for managing a virtual client terminal device using the protocol message according to any one of claims 1 to 7, characterized in that it includes: the network controller verifies the user's identity according to the user authentication request sent by the VCPE; after authentication succeeds, it forwards the service configuration information delivered by the service orchestrator to the VCPE, where both the user authentication request and the service configuration message are carried by protocol messages bearing the UUID of the VCPE.
- The method for managing a virtual client terminal device according to claim 8, characterized in that: the common header is a type-length-value (TLV) structure including a protocol version number, a message type, a total message length and an authentication/encryption field, and based on the message type the protocol messages include an authentication request message, an authentication response message, a heartbeat message and a node information report message; when the VCPE starts for the first time, and whenever the IP address of the VCPE changes, it sends an authentication request message carrying the user authentication request to the network controller, where the user authentication request includes a user name, a password and the IP address of the VCPE; and the network controller extracts the user authentication request, performs authentication, and returns an authentication response message carrying the authentication result.
- The method for managing a virtual client terminal device according to claim 9, characterized in that: the protocol messages further include a service port announcement message, which includes an IP type, the IP address of the network controller and service port information, and is used to instruct the VCPE to actively initiate a control connection to the network controller; when the network controller receives the authentication request message sent by the VCPE, it compares the IP address of the VCPE with the source IP address of the protocol message, and if they differ, it sends the service port announcement message to the VCPE.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810614712.0A CN108964985B (en) | 2018-06-14 | 2018-06-14 | Method for managing virtual client terminal equipment using protocol message |
CN201810614712.0 | 2018-06-14 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2019237683A1 true WO2019237683A1 (en) | 2019-12-19 |
Family
ID=64488982
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2018/119058 WO2019237683A1 (en) | 2018-06-14 | 2018-12-04 | Protocol packet, and method for managing virtual client terminal device |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN108964985B (en) |
WO (1) | WO2019237683A1 (en) |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11129023B2 (en) * | 2019-06-06 | 2021-09-21 | Cisco Technology, Inc. | Systems and methods for distributing SD-WAN policies |
CN110611658B (en) * | 2019-08-20 | 2020-10-09 | 烽火通信科技股份有限公司 | SD-WAN-based equipment authentication method and system |
CN113163414B (en) * | 2020-01-22 | 2023-09-22 | 大唐移动通信设备有限公司 | Information processing method and near-real-time radio access network controller |
CN113448744B (en) * | 2020-03-26 | 2023-08-01 | 大唐移动通信设备有限公司 | Application program selection method and device |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105681055A (en) * | 2014-11-18 | 2016-06-15 | 中兴通讯股份有限公司 | Access method, device and system of shared file server |
CN105959188A (en) * | 2016-06-07 | 2016-09-21 | 华为技术有限公司 | Method and device for controlling user terminal to be online |
CN106533883A (en) * | 2016-11-16 | 2017-03-22 | 中国联合网络通信集团有限公司 | Network private line establishment method, apparatus and system |
WO2017107963A1 (en) * | 2015-12-25 | 2017-06-29 | 北京奇虎科技有限公司 | Message sending and receiving method and apparatus |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105391568B (en) * | 2014-09-05 | 2019-07-23 | 华为技术有限公司 | A kind of implementation method, the device and system of software defined network SDN |
US9578008B2 (en) * | 2015-05-11 | 2017-02-21 | Intel Corporation | Technologies for secure bootstrapping of virtual network functions |
US10339317B2 (en) * | 2015-12-18 | 2019-07-02 | Intel Corporation | Computing devices |
US9948606B2 (en) * | 2015-12-25 | 2018-04-17 | Kn Group, Ghq | Enhancing privacy and security on a SDN network using SDN flow based forwarding control |
- 2018
- 2018-06-14 CN CN201810614712.0A patent/CN108964985B/en active Active
- 2018-12-04 WO PCT/CN2018/119058 patent/WO2019237683A1/en active Application Filing
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105681055A (en) * | 2014-11-18 | 2016-06-15 | 中兴通讯股份有限公司 | Access method, device and system of shared file server |
WO2017107963A1 (en) * | 2015-12-25 | 2017-06-29 | 北京奇虎科技有限公司 | Message sending and receiving method and apparatus |
CN105959188A (en) * | 2016-06-07 | 2016-09-21 | 华为技术有限公司 | Method and device for controlling user terminal to be online |
CN106533883A (en) * | 2016-11-16 | 2017-03-22 | 中国联合网络通信集团有限公司 | Network private line establishment method, apparatus and system |
Also Published As
Publication number | Publication date |
---|---|
CN108964985A (en) | 2018-12-07 |
CN108964985B (en) | 2020-07-28 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2019237683A1 (en) | | Protocol packet, and method for managing virtual client terminal device |
CN101471936B (en) | | Method, device and system for establishing IP conversation |
CN101212374A (en) | | Method and system for realizing remote access to campus network resources |
CN104780069B (en) | | A kind of key-course towards SDN and data Layer communication port self-configuration method and its system |
JP3831364B2 (en) | | Communication system and security policy distribution method in the communication system |
CN102271134B (en) | | Method and system for configuring network configuration information, client and authentication server |
CN101217482A (en) | | A method for issuing policies through NAT and a communication device |
WO2009082889A1 (en) | | A method for internet key exchange negotiation and device, system thereof |
CN101420455A (en) | | Systems and/or methods for streaming reverse http gateway, and network including the same |
CN102255918A (en) | | DHCP (Dynamic Host Configuration Protocol) Option 82 based user accessing authority control method |
CN107483558A (en) | | A cloud platform for AP configuration management and wireless terminal access control method |
CN109005179A (en) | | Network security tunnel establishing method based on port controlling |
CN115499177B (en) | | Cloud desktop access method, zero trust gateway, cloud desktop client and server |
CN106209522A (en) | | Token networking construction method based on token protocol |
CN108848145A (en) | | Pass through the method, system and distal end network management of WEB proxy access equipment near-end network management |
US20020178356A1 (en) | | Method for setting up secure connections |
CN106878161A (en) | | Method and system for resolving domain name system requests |
CN103944716A (en) | | User authentication method and device |
CN107277058A (en) | | A kind of interface authentication method and system based on BFD agreements |
JP2001036561A (en) | | Tcp/ip network system |
CN101599834A (en) | | An authentication deployment method and a management device |
US20090271852A1 (en) | | System and Method for Distributing Enduring Credentials in an Untrusted Network Environment |
CN104780229A (en) | | Method, system and cloud system for setting cloud server IP address through cloud terminal |
CN102447710A (en) | | Method and system for controlling access right of user |
CN100556027C (en) | | A kind of address renewing method of IKE Network Based |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 18922241; Country of ref document: EP; Kind code of ref document: A1 |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 18922241; Country of ref document: EP; Kind code of ref document: A1 |