NAT security and access control method, apparatus, device and storage medium
Cross-reference to related applications
This application is based on and claims priority to Chinese patent application No. 201911002736.1, filed on October 21, 2019, the entire content of which is incorporated herein by reference.
Technical field
This application relates to the field of network communications, and in particular to a NAT (Network Address Translation) security and access control method, apparatus, device and storage medium.
Background
Telecom operators require the Layer 2 network access devices of equipment vendors to support the MPNAT (Multi-Protocol Network Address Translation) function. With NAT processing, central-office devices can remotely manage user-side devices in a variety of ways. For example, the central-office device can log in to the user-side device over Telnet to manage its configuration file, and the user-side device can download the latest software version or configuration file from the central-office device.
In the related art, when an access device receives access messages (for example, various protocol control messages) sent by a user-side device, it performs no security check on them and directly applies NAT processing, generating one configuration entry and two forwarding entries: one software forwarding entry and one hardware forwarding entry. The software entry is used for NAT translation of control-link packets, and the hardware entry for NAT translation of data-link packets. This approach has two problems. First, it is a security risk in itself. Second, because the hardware and software entry resources of the access device are limited, a sustained stream of illegal access messages from a user-side device occupies a large share of the access device's forwarding entry resources until they are exhausted. The consequences are not only that the bandwidth of legitimate users is squeezed and the MPNAT function of the access device fails, so that the central-office device can no longer manage user-side devices; in more serious cases, private-network users may maliciously damage the system files of the central-office device, creating an even more serious security risk for it.
Summary of the invention
Embodiments of this application provide a NAT security and access control method, apparatus, device and storage medium.
An embodiment of this application provides a network address translation (NAT) security control method, including: receiving a protocol access message sent by a user-side device that carries information to be authenticated; performing security authentication on the protocol access message according to the information to be authenticated; and, when the security authentication passes, performing NAT processing on the protocol access message.
An embodiment of this application further provides an access control method, including: generating a protocol access message that includes information to be authenticated; and sending the protocol access message to an access device that supports the NAT function.
An embodiment of this application further provides an access control apparatus, including: a message generation module configured to generate a protocol access message that includes information to be authenticated; and a message sending module configured to send the protocol access message to an access device that supports the NAT function.
An embodiment of this application further provides an access device that supports the NAT function and includes a first processor, a first memory and a first communication bus; the first communication bus is used to connect the first processor and the first memory; and the first processor is configured to execute a first computer program stored in the first memory to implement the steps of the NAT security control method described above.
An embodiment of this application further provides a user-side device that includes a second processor, a second memory and a second communication bus; the second communication bus is used to connect the second processor and the second memory; and the second processor is configured to execute a second computer program stored in the second memory to implement the steps of the access control method described above.
An embodiment of this application further provides a computer-readable storage medium that stores a first computer program executable by a first processor to implement the steps of the NAT security control method described above; or that stores a second computer program executable by a second processor to implement the steps of the access control method described above.
Other features of this application and their corresponding beneficial effects are described in the later parts of the specification, and it should be understood that at least some of the beneficial effects will become apparent from the description in this specification.
Description of the drawings
FIG. 1 is a schematic flowchart of the NAT security control method of Embodiment 1 of this application;
FIG. 2 is a schematic flowchart of the security authentication of a protocol access message in Embodiment 1 of this application;
FIG. 3 is a schematic flowchart of the security authentication in Embodiment 1 of this application;
FIG. 4 is a schematic flowchart of the authentication of authentication content in Embodiment 1 of this application;
FIG. 5 is a schematic flowchart of sending a protocol access message in Embodiment 1 of this application;
FIG. 6 is a schematic structural diagram of the NAT security control apparatus of Embodiment 2 of this application;
FIG. 7 is a schematic structural diagram of the access control apparatus of Embodiment 2 of this application;
FIG. 8 is a schematic diagram of the networking structure of Embodiment 2 of this application;
FIG. 9 is a schematic flowchart of the security authentication in Embodiment 2 of this application;
FIG. 10 is a schematic structural diagram of the access device of Embodiment 3 of this application;
FIG. 11 is a schematic structural diagram of the user-side device of Embodiment 3 of this application.
Detailed description
To make the objectives, technical solutions and advantages of this application clearer, the embodiments of this application are described in further detail below through specific implementations in conjunction with the accompanying drawings. It should be understood that the specific embodiments described here are only used to explain this application and are not intended to limit it.
Embodiment 1:
In the related art, the access device directly performs NAT processing on received protocol access messages without any security check, which both allows the resources of the access device to be occupied maliciously and creates a security risk for the access device and the central-office device. To address this, the present embodiment provides a NAT security control method. When a user-side device sends a protocol access message, the message includes information to be authenticated. After the access device receives the protocol access message from the user-side device, it authenticates the message according to the information to be authenticated that the message carries, and performs NAT processing on the message only when the authentication passes. This ensures that only protocol access messages sent by user-side devices with a legitimate identity are processed normally, which saves the software and hardware entry resources of the access device and also ensures the security of the access device and the central-office device.
For ease of understanding, this embodiment is described below using the NAT security control method shown in FIG. 1 as an example. Referring to FIG. 1, the method includes:
S101: Receive a protocol access message sent by a user-side device that carries information to be authenticated.
It should be understood that the user-side device in this embodiment may be any user-side device connected under an access device that supports the NAT function. For example, the user-side device may be, but is not limited to, a GPON (Gigabit-Capable Passive Optical Network) ONU (Optical Network Unit), an EPON (Ethernet Passive Optical Network) ONU, a ZXDSL 9806H (a small-capacity full-service access platform tailored for FTTx application scenarios, FTTx being the general term for the various optical fiber communication networks, where x denotes the destination of the fiber line), or an MDU (Multi-Tenant Unit).
It should be understood that the access device in this embodiment may be any of various access devices that support the NAT function, for example an OLT (Optical Line Terminal) or any switch that supports the NAT function.
In this embodiment, the protocol access messages sent by the user-side device may include, but are not limited to, various protocol control messages, for example FTP (File Transfer Protocol) control messages.
In this embodiment, the information to be authenticated included in the protocol access message sent by the user-side device may be authentication information pre-configured for that user-side device, or authentication information that the user-side device generates according to a preset authentication information generation rule. The specific way the authentication information is obtained can be set flexibly according to the application scenario.
S102: Perform security authentication on the received protocol access message according to the information to be authenticated that it carries.
In this embodiment, after receiving the protocol access message sent by the user-side device, the access device extracts the information to be authenticated from the message and then performs security authentication according to the configured authentication rules. It should be understood that the authentication rules in this embodiment can also be set flexibly according to specific needs.
S103: When the security authentication passes, perform NAT processing on the received protocol access message.
In this embodiment, after the received protocol access message passes security authentication, the access device performs normal NAT processing on it, generating one configuration entry and two forwarding entries: one software forwarding entry and one hardware forwarding entry. The software entry is used for NAT translation of control-link packets, and the hardware entry for NAT translation of data-link packets. Any of the various NAT processing methods may be used for the NAT processing itself, which is not described further here.
In some examples of this embodiment, when the security authentication fails, the access device may discard the received protocol access message, defer its processing to an idle period, or prompt the user and then handle the message according to the instruction the user issues. In some examples of this embodiment, the access device may also mark the received protocol access message with an alarm or perform alarm processing on it.
As stated above, in this embodiment the information to be authenticated included in the protocol access message sent by the user-side device may be authentication information pre-configured for that user-side device, or authentication information that the user-side device generates according to a preset authentication information generation rule. For ease of understanding, several example cases are described below.
In some examples of this embodiment, a first authentication information generation algorithm may be configured on the user-side device. When sending a protocol access message, the user-side device generates first authentication information according to this algorithm and carries it in the message. On the access device side, a second authentication information generation algorithm corresponding to the first one may be configured; the access device generates second authentication information according to it and determines whether the first authentication information matches the second. If so, the authentication passes; otherwise, it fails.
In other examples of this embodiment, an authentication key may be pre-configured directly on the user-side device and the access device as the authentication information. Different user-side devices may be configured with the same authentication key or with different ones. When the access device receives a protocol access message from the user-side device, it extracts the authentication key directly from the message and matches it against the corresponding key held on its own side; if the match succeeds, the authentication passes, otherwise it fails. It should be understood that the authentication key in this embodiment can also be set flexibly, as long as the purpose of security authentication is achieved. In this example, the security authentication of the protocol access message according to the information to be authenticated is shown in FIG. 2 and includes:
S201: Obtain the authentication information pre-configured for the user-side device.
S202: Determine whether the information to be authenticated extracted from the protocol access message matches the authentication information pre-configured for the user-side device.
In other examples of this embodiment, to further improve the flexibility and reliability of security authentication, at least two security authentication methods may be defined so that the security authentication method can be configured flexibly for each user-side device. During security authentication, the security authentication method is matched first, and the subsequent security authentication continues only when the methods match; that is, multi-level and multiple authentication methods may be used for security authentication. In this example the authentication information includes the security authentication method, and the security authentication includes the authentication-method matching process shown in FIG. 3:
S301: Obtain the security authentication method from the authentication information pre-configured for the user-side device.
S302: Determine whether the security authentication method in the information to be authenticated extracted from the protocol access message matches the authentication method in the authentication information pre-configured for the user-side device. The subsequent security authentication process is performed only when the security authentication methods match.
In this example, in addition to the security authentication method, the security authentication information may also include the authentication content corresponding to each security authentication method. In some application scenarios, different security authentication methods may correspond to different security authentication levels, so a corresponding security authentication method (that is, a corresponding security authentication level) can be configured for each user-side device according to the applicable security level rules. When authenticating a protocol access message sent by the user-side device, after the security authentication method has been matched through the process shown in FIG. 3, the authentication content corresponding to that security authentication method is authenticated. This authentication process is shown in FIG. 4 and includes:
S401: Obtain the authentication content corresponding to the security authentication method from the authentication information pre-configured for the user-side device.
S402: Determine the content to be authenticated that corresponds to the security authentication method in the information to be authenticated extracted from the protocol access message.
S403: Determine whether the content to be authenticated matches the authentication content pre-configured for the user-side device.
It should be understood that in some application scenarios of this embodiment, the order in which the authentication-method matching process of FIG. 3 and the authentication-content matching process of FIG. 4 are executed is not strictly limited. For example, the process of FIG. 3 may be executed first and the process of FIG. 4 executed once it passes; or the process of FIG. 4 may be executed first and the process of FIG. 3 executed once it passes; or the processes of FIG. 3 and FIG. 4 may be executed in parallel. Authentication is determined to be successful only when both the process of FIG. 3 and the process of FIG. 4 pass.
It should be understood that in this embodiment the authentication method pre-configured for the user-side device and the authentication content corresponding to that method may be, but are not limited to, any of those shown in Table 1 below. The user-side device may be configured by the access device issuing corresponding configuration instructions to it, by another device issuing corresponding configuration information to the access device and the user-side device simultaneously, or by configuration personnel. When the access device configures the user-side device by issuing configuration instructions, it may do so during the registration of the user-side device or flexibly at any other time.
Table 1
It should be understood that the identification information of the user-side device in Table 1 above may include any identification information that characterizes the identity of the user-side device; for example, it may include, but is not limited to, at least one of the SN (Serial Number) of the user-side device and the MAC (Media Access Control) address of the user-side device. The identification information of the access device in Table 1 may likewise include any identification information that characterizes the identity of the access device; for example, it may include, but is not limited to, the MAC address of the access device.
In Table 1 above, the identification information of the network slice to which the user-side device belongs may also include any information capable of identifying a network slice, such as, but not limited to, a network slice number.
In Table 1 above, the way the access device generates the pass key it allocates to a user-side device can be set flexibly, and different user-side devices may be allocated the same pass key or different pass keys, as required.
In addition, it should be understood that the seven authentication methods illustrated in Table 1 of this embodiment can be chosen flexibly, for example according to the current networking environment and the specific type of user-side device, and only a subset of the authentication methods in Table 1 need be selected. For example, in some application scenarios, authentication methods 1 to 6 of Table 1 may be configured; in others, authentication methods 1 to 3 of Table 1 may be configured; and so on.
In some examples of this embodiment, when the protocol access message carries VLAN (Virtual Local Area Network) information, the access device may, after receiving the protocol access message and before performing security authentication on it, further:
Determine whether the VLAN carried in the protocol access message belongs to the management VLAN of the NAT function. Only if it does is security authentication performed on the protocol access message; otherwise, the protocol access message is determined to be an illegal protocol access message. The VLAN check further improves the flexibility and security of the security authentication, thereby further saving the software and hardware entry resources of the access device and improving the security of the access device and the central-office device.
Correspondingly, the process by which the user-side device sends a protocol access message to the access device is shown in FIG. 5 and includes:
S501: Generate a protocol access message that includes information to be authenticated; the way the information to be authenticated is obtained is as analysed above and is not repeated here.
S502: Send the generated protocol access message to the access device that supports the NAT function.
With the NAT security control method provided in this embodiment, only user-side devices that have passed security authentication (that is, that have a legitimate identity) can access the central-office device, and unauthorized private-network users (that is, those that failed authentication) cannot. This both saves the software and hardware entry resources of the access device and ensures the security of the central-office device.
实施例二:Embodiment two:
本实施例提供了一种NAT安全控制装置,其可设置于各种支持NAT功能的接入设备内,请参见图6所示,该NAT安全控制装置包括:This embodiment provides a NAT security control device, which can be installed in various access devices that support the NAT function. As shown in FIG. 6, the NAT security control device includes:
报文接收模块601,用于接收用户侧设备发送的携带了待认证信息的协议访问报文;The message receiving module 601 is configured to receive a protocol access message carrying information to be authenticated sent by a user-side device;
NAT安全控制模块602,用于根据接收到的协议访问报文中的待认证信息,对该协议访问报文进行安全认证,在安全认证通过时,对协议访问报文进行NAT处理。具体的认证控制过程请参见上述实施例所示,在此不再赘述。The NAT security control module 602 is configured to perform security authentication on the protocol access message according to the information to be authenticated in the received protocol access message, and perform NAT processing on the protocol access message when the security authentication is passed. For the specific authentication control process, please refer to the above-mentioned embodiment, which will not be repeated here.
应当理解的是,上述报文接收模块601和NAT安全控制模块602的功能可通过但不限于NAT安全控制装置所在的接入设备的第一处理器实现。It should be understood that the functions of the message receiving module 601 and the NAT security control module 602 described above can be implemented by, but not limited to, the first processor of the access device where the NAT security control apparatus is located.
本实施例提供了一种访问控制装置,其可设置于各种用户侧设备内,请参见图7所示,该访问控制装置包括:This embodiment provides an access control device, which can be installed in various user-side devices. As shown in FIG. 7, the access control device includes:
报文生成模块701,用于生成协议访问报文,协议访问报文中包括待认证信息;具体生成过程请参见上述实施例所示,在此不再赘述。The message generating module 701 is configured to generate a protocol access message, and the protocol access message includes information to be authenticated; for the specific generation process, please refer to the above-mentioned embodiment, which will not be repeated here.
报文发送模块702,用于将报文生成模块701生成的协议访问报文发给支持NAT功能的接入设备。The message sending module 702 is configured to send the protocol access message generated by the message generating module 701 to the access device supporting the NAT function.
应当理解的是,上述报文生成模块701和报文发送模块702的功能可通过但不限于访问控制装置所在的用户侧设备的第二处理器实现。It should be understood that the functions of the message generating module 701 and the message sending module 702 described above can be implemented by, but not limited to, the second processor of the user-side device where the access control apparatus is located.
For ease of understanding, this embodiment is described below with a specific networking example. In this networking example, the Layer 2 access device is an OLT (supporting network slicing), the user-side device is an ONU attached under a PON (Passive Optical Network) port of the OLT, and the uplink port of the OLT is connected to the public network. In this networking example:
Planning of the authentication methods supported by the access device OLT: authentication method 1, based on the user-side device product serial number SN, the user-side device MAC address and the access device MAC address; authentication method 2, based on the configurable, changeable items of the user-side device, namely the management IP address and the network slice number; authentication method 3, based on a pass key assigned by the access device; two-factor authentication method 4, combining authentication method 1 with authentication method 2; two-factor authentication method 5, combining authentication method 1 with authentication method 3; and two-factor authentication method 6, combining authentication method 2 with authentication method 3;
Pre-configuration of the authentication method: the access device OLT can receive an instruction according to the networking environment and determine the authentication method of a user-side device; the access device OLT can configure the authentication method of the user-side device by command and at the same time synchronize the authentication method and authentication content to the corresponding user-side device in real time. The access device OLT also updates the authentication database maintained on its own side, which contains the authentication method and authentication content of each user-side device;
When the user-side device initiates a connection, the protocol control message (one example of a protocol access message) is lifted to the main control CPU of the access device OLT for processing. The NAT service parses the content of the protocol message, locates the options field of the TCP header, parses out the authentication method and authentication content carried in the message, and performs authentication. Protocol control messages that fail authentication are discarded; for protocol control messages that pass authentication, software and hardware forwarding entries are generated so that normal NAT translation can proceed.
A specific networking mode of the access device OLT (supporting network slicing) is described below in this embodiment. Refer to FIG. 8. In this example, the FTP protocol, one of several control protocols, is used as the example for description.
In this example, an ONU terminal device is registered on a PON port of a GPON line card; the MAC address of the ONU is 74-85-7e-af-66-54 and its serial number SN is 09C62BD. The PON port is assigned to network slice 1, and the network slice number of the ONU is inherited from the PON port on which it is registered, so the network slice number of the ONU is 1; the MAC address of the access device OLT is 00-d0-d0-02-06-02.
Mandatory configuration items for deploying the NAT function: first, configure the remote management IP address of the ONU as 172.1.1.10; second, create the Layer 3 VLAN interface vlan100 and use VLAN 100 as the management VLAN of the NAT function; finally, configure the IP address of the vlan100 interface as 172.1.1.1, so that the two IP addresses belong to the same network segment.
Planning of the six authentication methods of the access device: authentication method 1, based on the user-side device product serial number SN, MAC address and access device MAC address; authentication method 2, based on the variable configuration items of the user-side device, namely the management IP address and network slice number; authentication method 3, based on the pass assigned by the access device; two-factor authentication method 4 (authentication method 1 & authentication method 2); two-factor authentication method 5 (authentication method 1 & authentication method 3); and two-factor authentication method 6 (authentication method 2 & authentication method 3);
Assignment of an authentication method to the user-side device: whether authentication is performed, and at what level, can be decided by the access device OLT. This is a configurable item, and the access device OLT can decide it according to the complexity of the actual networking environment (for example, according to an instruction issued by the configuring operator). The access device OLT then notifies the user-side device of the authentication method and authentication content, and the user-side device parses and stores them locally. At the same time the access device OLT updates the locally maintained authentication database. The authentication database may consist of several tables indexed by authentication method. In this example six authentication methods are used, so six database tables can be set up, one per authentication method.
Application scenario one:
Assume that authentication method 1 is pre-configured for the user-side device ONU. The access device OLT informs the user-side device of authentication method 1 and the corresponding authentication content, so that when the user-side device initiates an FTP connection, the first 4-byte word of the options field of the TCP header of the FTP message encapsulates authentication method 1, the 2nd to 4th 4-byte words (three words) encapsulate the MAC address of the user-side device itself and the MAC address of the next hop, and the 5th and 6th 4-byte words (two words) encapsulate the serial number SN of the user-side device itself. The access device OLT updates the authentication method 1 database table maintained on its own side; an example is shown in Table 2 below. When the user-side device initiates an FTP connection, a SYN (Synchronize Sequence Numbers) message of a TCP connection is generated. The microcode driver of the access device OLT parses the SYN message, finds that it carries VLAN 100, and since VLAN 100 is the management VLAN of network slice 1, lifts the message to the main control CPU of the access device OLT. The NAT service of the access device OLT parses the protocol message and finds the authentication method and authentication content filled in the options field of the TCP header. It confirms that the carried authentication method 1 is consistent with the specified authentication method 1, and by searching the database finds that the encapsulated MAC address 74-85-7e-af-66-54 and product serial number 09C62BD exist in the database table and that the next-hop MAC address is that of the access device, so the protocol message passes authentication. The FTP control message then undergoes NAT translation, generating one configuration entry and two forwarding entries, one of which is a software forwarding entry and the other a hardware forwarding entry. The software entry is used for NAT translation of FTP control link messages, and the hardware entry for NAT translation of FTP data link messages. Once the forwarding entries are established, the FTP connection between the central office device and the user-side device works normally;
In this application scenario, the user-side device usually has several PCs connected to it. Assume that a private-network PC with MAC address 54-65-85-62-46-00 and IP address 172.1.1.20 initiates an FTP connection, generating the SYN message of a TCP connection. This control message passes transparently through the user-side device and is sent to the main control CPU of the access device for processing. The NAT service parses the options field of the TCP header and finds that it carries no authentication method, or that the carried authentication method is inconsistent with the one in the database; authentication therefore fails and the FTP connection is judged to be illegal. The message is discarded and no configuration entry or forwarding entries are generated, so the FTP connection fails. Attacks by illegal protocol access messages are thus avoided.
Table 2

Authentication method | User-side device MAC address | User-side device SN
Authentication method 1 | 74-85-7e-af-66-54 | 09C62BD
Authentication method 1 | 74-85-8c-7f-00-69 | 09C6278
Authentication method 1 | 74-85-e6-06-98-82 | 09C65DE
Authentication method 1 | 74-85-e6-56-08-72 | 09D5230
... | ... | ...
Application scenario two:
Assume that authentication method 2 is pre-configured for the user-side device ONU. The access device OLT notifies the user-side device of authentication method 2, so that when the user-side device initiates an FTP connection, the first 4-byte word of the options field of the TCP header of the control message encapsulates authentication method 2, the second byte encapsulates the network slice number, and the third 4-byte word encapsulates the management IP address. The access device OLT updates the locally maintained database table for authentication method 2, shown in Table 3 below. After the user-side device ONU initiates an FTP connection normally, the microcode driver of the access device OLT lifts the protocol message to the main control CPU of the access device OLT for processing. The NAT service of the access device OLT parses the protocol message, finds the authentication method and authentication content filled in the options field of the TCP header, and confirms that the carried authentication method is consistent with authentication method 2 specified by the configuration. By searching the authentication method 2 database it finds that the encapsulated network slice number is 1 and that the management IP address 172.1.1.10 exists in the database table, so the protocol message passes authentication. If the network slice number parsed from the message is 2, the message fails authentication even though the management IP address is 172.1.1.10.
Table 3

Authentication method | Network slice number | Management IP address
Authentication method 2 | 1 | 172.1.1.10
Authentication method 2 | 2 | 192.168.0.6
Authentication method 2 | 2 | 15.1.1.100
Authentication method 2 | 0 | 168.5.6.20
... | ... | ...
Application scenario three:
Assume that authentication method 3 is pre-configured for the user-side device ONU. The access device OLT notifies the user-side device of authentication method 3 and of the pass (a character string), so that when the user-side device initiates an FTP connection, the first 4-byte word of the options field of the TCP header of the FTP message encapsulates authentication method 3, followed by the pass. The access device updates the locally maintained database table corresponding to authentication method 3, shown in Table 4 below. After the user-side device ONU initiates an FTP connection, the microcode driver of the access device OLT lifts the protocol message to the main control CPU of the access device OLT for processing. The NAT service of the access device OLT parses the protocol message, finds the authentication method and authentication content filled in the options field of the TCP header, and confirms that the carried authentication method is consistent with authentication method 3 specified by the configuration. By searching the authentication method 3 database it finds that the encapsulated pass matches the "Hello World" in the database, so the protocol message passes authentication. If the pass is "What's your name", no such key exists in the database and the message fails authentication.
Table 4

Authentication method | Pass key
Authentication method 3 | Hello World
Authentication method 3 | This is Chain
Authentication method 3 | Today is Sunday
Authentication method 3 | It is a sunny day
... | ...
Application scenario four:
Assume that authentication method 6 is pre-configured for the user-side device ONU. The access device OLT notifies the user-side device of authentication method 6, so that when the user-side device initiates an FTP connection, the first 4-byte word of the options field of the TCP header of the FTP message encapsulates authentication method 6, the second 4-byte word encapsulates the network slice number, the third 4-byte word encapsulates the management IP address, and the following bytes encapsulate the pass. The access device OLT updates the locally maintained database table corresponding to authentication method 6, shown in Table 5. After the user-side device ONU initiates an FTP connection, the microcode driver of the access device OLT lifts the protocol message to the main control CPU of the access device OLT for processing; the NAT service of the access device OLT parses the protocol message, finds the authentication method and authentication content filled in the options field of the TCP header, and confirms that the carried authentication method is consistent with authentication method 6 specified by the configuration. By searching the authentication method 6 database it finds that the encapsulated network slice number is 1, the management IP address is 172.1.1.10 and the pass is "Hello World", which matches the first record in the database, so the protocol message passes authentication. If the pass is "What's your name", or the network slice number is not 1, or the network slice number and the pass exist but the management IP address is 10.10.16.23, which does not exist in the database, then message authentication fails in every case.
Table 5

Authentication method | Network slice number | Management IP address | Pass key
Authentication method 6 | 1 | 172.1.1.10 | Hello World
Authentication method 6 | 2 | 192.168.0.6 | This is Chain
Authentication method 6 | 2 | 15.1.1.100 | Today is Sunday
Authentication method 6 | 0 | 168.5.6.20 | It is a sunny day
... | ... | ... | ...
In the example scenarios of this embodiment described above, one processing flow of the access device is shown in FIG. 9 and includes:
S901: the PON port of the access device OLT receives an FTP protocol message.
S902: the line card of the access device OLT receives the packet.
S903: determine whether the VLAN in the received message is a hit, that is, whether it belongs to the management VLAN of the NAT function; if not, go to S904; if so, go to S905.
S904: discard the received message.
S905: deliver the message to the main control CPU of the access device OLT.
S906: the main control CPU invokes the NAT service module of the NAT function to perform security authentication.
S907: determine whether the security authentication passes; if not, go to S904; otherwise, go to S908.
S908: generate the forwarding entries.
In this embodiment, the authentication contents of authentication methods 1 to 6 differ as follows:
Authentication method 1: authenticates the MAC address and the product serial number SN;
Authentication method 2: authenticates the network slice number and the management IP address;
Authentication method 3: authenticates the pass key;
Authentication method 4: authenticates the MAC address, product serial number SN, network slice number and management IP address;
Authentication method 5: authenticates the MAC address, product serial number SN and pass key;
Authentication method 6: authenticates the network slice number, management IP address and pass key.
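The following Python model is an added example, not the applicant's implementation; it walks through application scenarios one to four, the flow of FIG. 9 (S903 to S908) and the per-method contents listed above: the ONU packs the method id and its content into the TCP option payload, and the OLT checks the VLAN, parses the option, looks the content up in the table for that method, and only then allows forwarding entries. The byte layout (4-byte method id, 6-byte MACs, SN zero-padded to 8 bytes, 4-byte slice number and IP, pass key as the trailing bytes), the handling of the raw option payload without TCP kind/length framing, and the table records taken from Tables 2 to 5 are assumptions.

```python
import ipaddress
import struct

OLT_MAC = "00-d0-d0-02-06-02"   # access device MAC from the networking example
MGMT_VLAN = 100                 # management VLAN of the NAT function (network slice 1)

# Content fields each authentication method carries, in wire order (assumed layout).
FIELD_ORDER = {
    1: ("mac", "sn"), 2: ("slice", "mgmt_ip"), 3: ("pass_key",),
    4: ("mac", "sn", "slice", "mgmt_ip"), 5: ("mac", "sn", "pass_key"),
    6: ("slice", "mgmt_ip", "pass_key"),
}

# Per-method authentication tables on the OLT, constructed from Tables 2 to 5.
AUTH_DB = {
    1: {("74-85-7e-af-66-54", "09C62BD"), ("74-85-8c-7f-00-69", "09C6278"),
        ("74-85-e6-06-98-82", "09C65DE"), ("74-85-e6-56-08-72", "09D5230")},
    2: {(1, "172.1.1.10"), (2, "192.168.0.6"), (2, "15.1.1.100"), (0, "168.5.6.20")},
    3: {("Hello World",), ("This is Chain",), ("Today is Sunday",), ("It is a sunny day",)},
    6: {(1, "172.1.1.10", "Hello World"), (2, "192.168.0.6", "This is Chain"),
        (2, "15.1.1.100", "Today is Sunday"), (0, "168.5.6.20", "It is a sunny day")},
}

def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split("-"))

def mac_str(raw):
    return "-".join(f"{x:02x}" for x in raw)

def build_option(method, **f):
    """ONU side: pack the method id and its authentication content (assumed layout:
    4-byte method id; own and next-hop MAC, 6 bytes each; SN padded to 8 bytes;
    4-byte slice number; 4-byte management IP; pass key as the trailing bytes)."""
    out = struct.pack("!I", method)
    if "mac" in FIELD_ORDER[method]:
        out += mac_bytes(f["mac"]) + mac_bytes(f["next_hop"])
        out += f["sn"].encode().ljust(8, b"\0")
    if "slice" in FIELD_ORDER[method]:
        out += struct.pack("!I", f["slice"]) + ipaddress.IPv4Address(f["mgmt_ip"]).packed
    if "pass_key" in FIELD_ORDER[method]:
        out += f["pass_key"].encode()
    return out

def parse_option(blob):
    """OLT side: unpack the option according to the method id in its first 4 bytes.
    Raises ValueError when the option is absent, truncated or of unknown method."""
    pos = 0
    def take(n):
        nonlocal pos
        if len(blob) < pos + n:
            raise ValueError("authentication option missing or truncated")
        pos += n
        return blob[pos - n:pos]
    method = struct.unpack("!I", take(4))[0]
    if method not in FIELD_ORDER:
        raise ValueError(f"unknown authentication method {method}")
    fields = {"method": method}
    if "mac" in FIELD_ORDER[method]:
        fields["mac"] = mac_str(take(6))
        fields["next_hop"] = mac_str(take(6))
        fields["sn"] = take(8).rstrip(b"\0").decode()
    if "slice" in FIELD_ORDER[method]:
        fields["slice"] = struct.unpack("!I", take(4))[0]
        fields["mgmt_ip"] = str(ipaddress.IPv4Address(take(4)))
    if "pass_key" in FIELD_ORDER[method]:
        fields["pass_key"] = blob[pos:].decode(errors="replace")
    return fields

def authenticate(fields, configured_method, olt_mac=OLT_MAC):
    """Return (ok, reason): the carried method must be the one pre-configured for this
    ONU, the next hop must be the access device, and the content must match a record."""
    m = fields["method"]
    if m != configured_method:
        return False, f"carried method {m} differs from configured method {configured_method}"
    if "next_hop" in fields and fields["next_hop"] != olt_mac:
        return False, "next-hop MAC is not the access device"
    key = tuple(fields[k] for k in FIELD_ORDER[m])
    if key not in AUTH_DB.get(m, set()):
        return False, "no matching record in the authentication database"
    return True, "authenticated"

def handle_control_packet(vlan, option_blob, configured_method):
    """Steps S903 to S908 for one control-connection SYN: VLAN hit check, then
    security authentication; only an authenticated message gets NAT entries."""
    if vlan != MGMT_VLAN:
        return "discard: VLAN is not the management VLAN of the NAT function"
    try:
        fields = parse_option(option_blob)
    except ValueError as err:
        return f"discard: {err}"
    ok, reason = authenticate(fields, configured_method)
    if not ok:
        return f"discard: {reason}"
    return "accept: software and hardware forwarding entries created"
```

The private-network PC of scenario one corresponds to calling `handle_control_packet(100, b"", 1)`, which is discarded before any table lookup because the option is absent.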
For ease of understanding, an application scenario without security authentication is described below for comparison. In this scenario, a private-network user deliberately sets the IP address of a PC to the management IP address of the user-side device ONU. When the private-network PC then starts an FTP service, the ONU passes such actions through transparently; if, in the same period, the private-network PC initiates multiple FTP connections through multiple FTP clients, a large amount of forwarding entry resources is consumed. Once the forwarding entry resources are exhausted, the FTP traffic keeps occupying a large share of the network bandwidth, disrupting normal message processing and causing packet loss. In more serious cases the NAT function of the OLT fails and the central office device can no longer manage user-side devices through the OLT; in the most serious case, private-network users can maliciously damage the system files of the central office device. The security control method provided by this embodiment ensures the normal operation of the NAT function of the OLT and also greatly improves the security of the access device and the central office device.
Embodiment three:
This embodiment also provides an access device with a NAT function. As shown in FIG. 10, it includes a first processor 1001, a first memory 1002 and a first communication bus 1003;
the first communication bus 1003 is used to implement the communication connection between the first processor 1001 and the first memory 1002;
in one example, the first processor 1001 can be used to execute a first computer program stored in the first memory 1002 to implement the steps of the NAT security control method in the above embodiments.
This embodiment also provides a user-side device. As shown in FIG. 11, it includes a second processor 1001, a second memory 1002 and a second communication bus 1003;
the second communication bus 1003 is used to implement the communication connection between the second processor 1001 and the second memory 1002;
in one example, the second processor 1001 can be used to execute a second computer program stored in the second memory 1002 to implement the steps of the access control method in the above embodiments.
This embodiment also provides a computer-readable storage medium, which includes volatile or non-volatile, removable or non-removable media implemented in any method or technology for storing information (such as computer-readable instructions, data structures, computer program modules or other data). Computer-readable storage media include, but are not limited to, RAM (Random Access Memory), ROM (Read-Only Memory), EEPROM (Electrically Erasable Programmable Read-Only Memory), flash memory or other memory technology, CD-ROM (Compact Disc Read-Only Memory), digital versatile disc (DVD) or other optical disc storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to store the desired information and can be accessed by a computer.
In one example, the computer-readable storage medium of this embodiment can be used to store a first computer program, which can be executed by the first processor to implement the steps of the NAT security control method in the above embodiments.
In another example, the computer-readable storage medium of this embodiment can be used to store a second computer program, which can be executed by the second processor to implement the steps of the access control method in the above embodiments.
This embodiment also provides a first computer program (or first computer software). The first computer program can be distributed on a computer-readable medium and executed by a computing device to implement at least one step of the NAT security control method shown in the above embodiments; and in some cases, at least one step shown or described can be performed in an order different from that described in the above embodiments.
This embodiment also provides a second computer program (or second computer software). The second computer program can be distributed on a computer-readable medium and executed by a computing device to implement at least one step of the access control method shown in the above embodiments; and in some cases, at least one step shown or described can be performed in an order different from that described in the above embodiments.
This embodiment also provides a computer program product, including a computer-readable device on which any of the computer programs shown above is stored. In this embodiment, the computer-readable device may include the computer-readable storage medium shown above.
It can be seen that those skilled in the art should understand that all or some of the steps of the methods disclosed above, and the functional modules/units of the systems and apparatuses, can be implemented as software (which can be realized by computer program code executable by a computing device), firmware, hardware, or an appropriate combination thereof. In a hardware implementation, the division between functional modules/units mentioned in the above description does not necessarily correspond to the division of physical components; for example, one physical component may have several functions, or one function or step may be performed by several physical components in cooperation. Some or all of the physical components can be implemented as software executed by a processor such as a central processing unit, a digital signal processor or a microprocessor, or as hardware, or as an integrated circuit such as an application-specific integrated circuit.
In addition, as is well known to those of ordinary skill in the art, communication media usually contain computer-readable instructions, data structures, computer program modules or other data in a modulated data signal such as a carrier wave or other transmission mechanism, and may include any information delivery medium. Therefore, this application is not limited to any specific combination of hardware and software.
The above content is a further detailed description of the embodiments of this application in combination with specific implementations, and the specific implementation of this application cannot be considered limited to these descriptions. For those of ordinary skill in the technical field to which this application belongs, a number of simple deductions or substitutions can be made without departing from the concept of this application, and they should all be regarded as falling within the scope of protection of this application.