CN100418315C - Method for verifying messages
- Publication number: CN100418315C (application CNB2005100027607A / CN200510002760A)
- Authority: CN (China)
- Legal status: Expired - Fee Related (status as assumed by Google; not a legal conclusion)
Abstract
The present invention discloses a method for verifying messages, used by a convergence-layer device to verify the messages exchanged between an access-layer device and a backbone-layer device. The method comprises the following steps: the convergence-layer device copies the first authenticator carried in the Authenticator field of a request message sent by the access-layer device into the Proxy-State field of that request message and then sends the request message to the backbone-layer device; the convergence-layer device extracts and caches the second authenticator carried in the Authenticator field of the response message returned by the backbone-layer device; it copies the first authenticator carried in the Proxy-State field of the response message into the Authenticator field of the response message; it applies a transform operation to the processed response message to obtain a third authenticator; and it judges whether the third authenticator is consistent with the cached second authenticator. If so, the response message passes verification; otherwise it fails. The present invention reduces the running resources consumed by the device and thereby improves the running performance of the device.
Description
Technical field
The present invention relates to the field of data communication technology, and in particular to a method for verifying messages.
Background technology
With the rapid development of Internet technology, the networking structure of network systems has become increasingly complex. Fig. 1 is a topological diagram of the basic networking structure of an existing network system. The existing network system is essentially a three-layer network architecture formed by an access layer 1, a convergence layer 2 and a backbone layer 3. The backbone layer 3 contains relatively few network nodes, generally backbone-layer devices such as service servers. The main task of the convergence layer 2 is to connect the large number of access-layer devices 11 in the access layer 1 to the corresponding backbone-layer devices in the backbone layer 3 over several Gigabit Ethernet links, so that the number of Gigabit Ethernet ports required at the backbone layer 3 is reduced and the cost of networking is lowered. The convergence-layer device 21 in the convergence layer 2 may be a high-layer switch or a gateway device performing various protocol conversion functions; while it exchanges various communication information with the server 31 in the backbone layer 3, it also exchanges information with the access-layer devices 11 in the access layer 1. The access layer 1 generally refers to the network functional layer responsible for connecting to each user terminal (user terminal 1 ... user terminal N in the figure) and for providing each user terminal with network access; the access-layer device 11 may be a Layer 2 switch or a Layer 3 switch. As shown in Fig. 1, when a user at a user terminal accesses the server 31 in the backbone layer 3, the user's various request messages and the various response messages returned by the server 31 all need to be forwarded or proxied by the access-layer device 11 in the access layer 1 and the convergence-layer device 21 in the convergence layer 2.
At present, the convergence-layer device 21 in the convergence layer 2 (for example a charging gateway) generally creates and maintains a local information table in order to keep the authenticator (Authenticator) carried in each message sent by the access-layer devices 11, and then uses the authenticators kept in this local information table to verify the authentication messages exchanged between the access-layer device 11 in the access layer 1 and the server 31 in the backbone layer 3. The verification process is briefly as follows:
After receiving an authentication request message sent by the access-layer device 11, the convergence-layer device 21 extracts the authenticator (Authenticator 0) carried in the authentication request message;
A mapping is established between the extracted authenticator Authenticator 0 and the session ID 1 assigned to the user for this access to the server 31 (a session ID is a read-only value that uniquely identifies the client's current access to the server);
A number of such mappings form the local information table maintained in the convergence-layer device 21; the table may take the following form:
(table of Authenticator / session ID mappings; its rows are not reproduced on the page)
The local information table is stored in the convergence-layer device 21, and the authentication request message sent by the access-layer device 11 is forwarded to the server 31 in the backbone layer 3;
The server 31 performs a Message-Digest Algorithm 5 (MD5) computation on the received authentication request message to obtain the authenticator Authenticator 0', encapsulates Authenticator 0' in an authentication response message and returns it to the convergence-layer device 21;
After receiving the authentication response message returned by the server 31, the convergence-layer device 21 looks up the local information table using the session ID 1 contained in the authentication response message to obtain the corresponding authenticator Authenticator 0;
The authenticator Authenticator 0' carried in the authentication response message is replaced with the Authenticator 0 found in the table, and an MD5 computation is performed on the authentication response message after the replacement to obtain the authenticator Authenticator 0'';
Authenticator 0'' is compared with the original Authenticator 0' that was replaced (the comparison is performed bit by bit between Authenticator 0'' and Authenticator 0'; the values of corresponding bits must be identical). If they are consistent, the authentication response message is regarded as legitimate and is returned to the corresponding access-layer device 11; otherwise it is regarded as illegitimate and is discarded. This completes the verification by the convergence-layer device 21 of the authentication response message returned by the server 31.
It can be seen from the above process that, in the prior art, the convergence-layer device must maintain a local information table in order to verify the authentication response messages returned by the backbone-layer device. This table resembles a small database: whenever an authentication request message sent by an access-layer device on behalf of a user carries authenticator information, the convergence-layer device must add, delete or modify the corresponding authenticator entry in the table so that the table is usable at all times. This maintenance process is rather complex and also consumes the system running resources of the convergence-layer device, which lowers the processing speed and the reliability of the convergence-layer device.
Moreover, in the prior art, once the convergence-layer device has verified the authentication response message returned by the backbone-layer device, it no longer verifies the other types of messages sent by the access-layer device (such as accounting request messages). The verification of the legitimacy of the messages exchanged between the access-layer device and the backbone-layer device is therefore rather weak, and the information exchange between them carries a security risk.
Summary of the invention
The technical problem to be solved by the present invention is to provide a method for verifying messages that is simple to implement and reduces the consumption of device running resources, thereby improving the running performance of the device.
To solve the above problem, the present invention proposes a method for verifying messages, used by a convergence-layer device to verify the RADIUS messages exchanged between an access-layer device and a backbone-layer device, comprising the steps of:
the convergence-layer device copying the first authenticator carried in the Authenticator field of a request message sent by the access-layer device into the Proxy-State field of the request message and then sending the request message to the backbone-layer device;
the convergence-layer device extracting and caching the second authenticator carried in the Authenticator field of the response message returned by the backbone-layer device; and
copying the first authenticator carried in the Proxy-State field of the response message into the Authenticator field of the response message, and applying a transform operation to the processed response message to obtain a third authenticator;
judging whether the third authenticator is consistent with the cached second authenticator; if so, the response message passes verification, otherwise it fails.
After the response message passes verification, the method further comprises the steps of:
deleting the Proxy-State field of the response message; and
replacing the third authenticator filled in the Authenticator field of the response message with the first authenticator carried in the Proxy-State field;
applying the transform operation to the processed response message to obtain a fourth authenticator; and
returning the response message whose Authenticator field carries the fourth authenticator to the access-layer device.
The above transform operation uses the MD5 algorithm.
When the response message fails verification, the method further comprises the step of discarding the response message.
The request message is an authentication request message, and the response message is an authentication response message.
After the authentication response message passes verification, the method further comprises the steps of:
the convergence-layer device extracting and caching the fifth authenticator carried in the Authenticator field of an accounting request message sent by the access-layer device; and
clearing to zero the bytes occupied by the fifth authenticator in the accounting request message; and
applying the transform operation to the processed accounting request message to obtain a sixth authenticator;
judging whether the sixth authenticator is consistent with the cached fifth authenticator; if so, the accounting request message passes verification, otherwise it fails.
After the accounting request message passes verification, the method further comprises the steps of:
filling the cached fifth authenticator into the Proxy-State field of the accounting request message; and
clearing the Authenticator field of the accounting request message to zero; and
applying the transform operation to the processed accounting request message to obtain a seventh authenticator;
sending the accounting request message whose Authenticator field carries the seventh authenticator to the backbone-layer device;
deleting the Proxy-State field of the accounting response message returned by the backbone-layer device; and
replacing the seventh authenticator filled in the Authenticator field of the accounting response message with the fifth authenticator carried in the Proxy-State field;
applying the transform operation to the processed accounting response message to obtain an eighth authenticator; and
returning the accounting response message whose Authenticator field carries the eighth authenticator to the access-layer device.
When the accounting request message fails verification, the method further comprises the step of discarding the accounting request message.
The above transform operation uses the MD5 algorithm. The access-layer device is a network access server; the convergence-layer device is a charging gateway; the backbone-layer device is a Remote Authentication Dial In User Service (RADIUS) server.
In the method of the present invention, the authenticator carried in the Authenticator field of the request message is copied into the Proxy-State field of the request message instead of being stored in a local information table in the convergence-layer device. The response message returned by the backbone-layer device can therefore be verified on the basis of the authenticator carried in the Proxy-State field of the request message, and the convergence-layer device no longer needs to spend running resources on maintaining a local information table. The verification process is thus simple and practical, the device running resources previously consumed by maintaining the table are freed, and the running performance of the device is improved.
In addition, after the authentication request message and the authentication response message have been verified, the method of the present invention further verifies messages of other types, such as accounting request messages. This strengthens the verification that the convergence-layer device performs on the messages exchanged between the access-layer device and the backbone-layer device, and improves the security of the information exchange between them.
Description of drawings
Fig. 1 is a topological diagram of the basic networking structure of an existing network system;
Fig. 2 is a flow chart of the main implementation principle of the method for verifying messages of the present invention;
Fig. 3 is a schematic diagram of the standard format of the Proxy-State field in a RADIUS message;
Fig. 4 is a schematic diagram of the format of the authentication request message sent by the access-layer device and of the authentication request message forwarded to the backbone-layer device after processing by the convergence-layer device, in the method of the present invention;
Fig. 5 is a schematic diagram of the format of the authentication response message returned by the backbone-layer device and of the authentication response message returned to the access-layer device after processing by the convergence-layer device, in the method of the present invention;
Fig. 6 is a flow chart of the main process by which, in the method of the present invention, the accounting request message is verified and processed and the accounting response message is processed after the authentication response message has passed verification;
Fig. 7 is a schematic diagram of the format of the accounting request message sent by the access-layer device and of the accounting request message forwarded to the backbone-layer device after processing by the convergence-layer device, in the method of the present invention;
Fig. 8 is a schematic diagram of the format of the accounting response message returned by the backbone-layer device and of the accounting response message returned to the access-layer device after processing by the convergence-layer device, in the method of the present invention;
Fig. 9 is a network topology diagram of a campus network that uses the method of the present invention to verify the authentication request messages and authentication response messages of campus users.
Embodiment
The design idea of the present invention is that the convergence-layer device copies the authenticator carried in the Authenticator field of the request message sent by the access-layer device into the Proxy-State field of that request message before forwarding it to the backbone-layer device. Because the backbone-layer device does not change the Proxy-State field of a request message sent by the convergence-layer device in any way, but encapsulates it unchanged in the response message returned to the convergence-layer device, the convergence-layer device can verify the response message using the authenticator carried in the Proxy-State field of the response message. This avoids maintaining a local information table in the convergence-layer device and improves its running performance.
The preferred embodiments of the method for verifying messages of the present invention are explained in detail below with reference to the drawings. Refer first to Fig. 2, which is a flow chart of the main implementation principle of the method; the main process is as follows:
Step S10: the convergence-layer device copies the first authenticator (Authenticator 1) carried in the Authenticator field of the request message sent by the access-layer device into the Proxy-State field of the request message, and then forwards the request message to the backbone-layer device;
Step S20: the convergence-layer device extracts the second authenticator (Authenticator 2) carried in the Authenticator field of the response message returned by the backbone-layer device, and caches the extracted Authenticator 2;
Step S30: the convergence-layer device copies the first authenticator (Authenticator 1) carried in the Proxy-State field of the response message into the Authenticator field of the response message;
Step S40: a transform operation is applied to the response message processed in step S30 to obtain a third authenticator (Authenticator 3); the transform operation may be, but is not limited to, the Message-Digest Algorithm 5 (MD5);
Step S50: the convergence-layer device judges whether the third authenticator (Authenticator 3) calculated in step S40 is consistent with the second authenticator (Authenticator 2) cached in step S20; if so, step S60 is executed, otherwise step S100 is executed;
Step S60: the convergence-layer device deletes the Proxy-State field of the response message;
Step S70: the third authenticator (Authenticator 3) filled in the Authenticator field of the response message is replaced with the first authenticator (Authenticator 1) carried in the Proxy-State field;
Step S80: the convergence-layer device applies the transform operation to the response message processed in step S70 to obtain a fourth authenticator (Authenticator 4); here too the transform operation may be, but is not limited to, the MD5 algorithm;
Step S90: the convergence-layer device returns the response message whose Authenticator field carries the fourth authenticator (Authenticator 4) obtained in step S80 to the access-layer device;
Step S100: the convergence-layer device discards the response message.
The request message described above may be an authentication request message (Access-Request), and the response message may be an authentication response message (Access-Accept/Reject).
Refer to Fig. 3, which is a schematic diagram of the standard format of the Proxy-State field in a Remote Authentication Dial In User Service (RADIUS) message. The Proxy-State field is a standard attribute of RADIUS messages (see RFC 2865 and RFC 2866) and follows the standard TLV (Type-Length-Value) format. In the figure, Type denotes the type field; Length denotes the length field, which identifies the length of the whole Proxy-State field; Authenticator is the field into which the present invention adds the authenticator. Other content may follow the Authenticator field; its presence does not affect the design idea or the implementation of the present invention.
Refer to Fig. 4, which is a schematic diagram of the format of the authentication request message sent by the access-layer device and of the authentication request message forwarded to the backbone-layer device after processing by the convergence-layer device. Fig. 4(a) shows the format of the authentication request message that the convergence-layer device receives from the access-layer device; in this message the authenticator Authenticator 1 carried in the Authenticator field is a 16-byte random number. After receiving the authentication request message, the convergence-layer device copies this 16-byte random number Authenticator 1 into the Proxy-State field, where it forms the value of the Proxy-State field of the authentication request message. The Type value of the Proxy-State field is fixed at 33 (as specified in RFC 2865), and the value Length' is the length of Authenticator 1 plus the number of bytes occupied by the Type field plus the number of bytes occupied by the Length' field. The Proxy-State field is appended at the end of the authentication request message. Finally, the length of the whole authentication request message is changed to Length + Length', and the authentication request message processed in this way is sent to the backbone-layer device; its format is shown in Fig. 4(b).
The Proxy-State field of the authentication request message may also carry other content; carrying such content does not affect the implementation of the present invention.
Refer to Fig. 5, which is a schematic diagram of the format of the authentication response message returned by the backbone-layer device and of the authentication response message returned to the access-layer device after processing by the convergence-layer device. In this figure:
Fig. 5(a) shows the format of the authentication response message that the backbone-layer device returns to the convergence-layer device. Because the backbone-layer device does not change the Proxy-State field of the authentication request message sent by the convergence-layer device in any way, but encapsulates it unchanged in the authentication response message returned to the convergence-layer device, the authenticator carried in the Proxy-State field of the authentication response message received by the convergence-layer device is still the Authenticator 1 described above.
The Authenticator 2 carried in the Authenticator field of the authentication response message returned by the backbone-layer device is the authenticator computed with the MD5 algorithm after the backbone-layer device has performed some processing on the authentication response message (such as adding attributes like Tunnel_Private_Group_ID). After receiving the authentication response message shown in Fig. 5(a), the convergence-layer device performs the following processing:
1) extracts the authenticator Authenticator 2 carried in the Authenticator field of the authentication response message and caches it in a temporary variable in the program;
2) copies the Authenticator 1 carried in the Proxy-State field of the authentication response message into the Authenticator field of the message, i.e. replaces Authenticator 2 with Authenticator 1;
3) performs an MD5 computation on the authentication response message processed in 2) to obtain the authenticator Authenticator 3, and fills it into the Authenticator field of the authentication response message, giving the message format shown in Fig. 5(b);
4) compares the Authenticator 2 cached in 1) with the Authenticator 3 computed in 3) to see whether they are completely identical. If they are, the authentication response message has not been tampered with in transit and the processing below continues; otherwise the authentication response message may have been tampered with in transit and is discarded;
5) deletes the Proxy-State field of the authentication response message (i.e. the field formed by Type, Length' and Authenticator 1), and changes the length of the whole authentication response message to Length - Length';
6) replaces the Authenticator 3 carried in the Authenticator field of the authentication response message shown in (b) with the Authenticator 1 carried in the deleted Proxy-State field, then performs the MD5 computation on the processed authentication response message to obtain Authenticator 4, and fills the computed Authenticator 4 into the Authenticator field of the authentication response message; the format of the authentication response message after this processing is shown in Fig. 5(c);
7) returns the authentication response message processed in 6) to the access-layer device.
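The exchange in steps S10 to S100 and items 1) to 7) above, as an added example that is not code from the patent. It assumes the RFC 2865 packet layout (Code, Identifier, Length, 16-byte Authenticator, TLV attributes), that the "transform operation" is the RFC 2865 MD5 over the packet followed by a shared secret (one secret per hop; the page does not discuss secrets), that the gateway is the only proxy and therefore owns the single Proxy-State attribute, and uses constructed attribute values (User-Name, Session-Timeout) and secrets. The step numbers in the comments refer to the text above.

```python
# Added example (not code from the patent): a convergence-layer RADIUS proxy that
# verifies an Access-Accept with the request authenticator carried in Proxy-State.
# Assumptions beyond the page: RFC 2865 layout and MD5-with-shared-secret transform,
# a single proxy hop, and constructed attribute values and secrets.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
PROXY_STATE = 33  # attribute type fixed by RFC 2865, as the text notes
HEADER_LEN = 20   # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def encode(code, ident, authenticator, attrs):
    """Serialise a packet; Length always covers header plus attributes."""
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs)) + authenticator + attrs


def decode(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < HEADER_LEN:
        raise ValueError("bad Length")
    return code, ident, pkt[4:20], pkt[20:]


def radius_md5(code, ident, authenticator, attrs, secret):
    """The transform operation: MD5 over the packet with the given Authenticator field, then the secret."""
    return hashlib.md5(encode(code, ident, authenticator, attrs) + secret).digest()


def attr(t, value):
    """One TLV attribute: Type, Length (counts the two header bytes), Value."""
    return bytes([t, 2 + len(value)]) + value


def split_proxy_state(attrs):
    """Walk the TLVs; return (attributes without Proxy-State, Proxy-State value or None)."""
    rest, value, i = b"", None, 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError("malformed attribute")
        t, length = attrs[i], attrs[i + 1]
        if t == PROXY_STATE:
            value = attrs[i + 2:i + length]
        else:
            rest += attrs[i:i + length]
        i += length
    return rest, value


def nas_access_request(ident, attrs):
    """Access-layer device: Authenticator 1 is a fresh 16-byte random number."""
    auth1 = os.urandom(16)
    return encode(ACCESS_REQUEST, ident, auth1, attrs), auth1


def gateway_forward_request(req):
    """Step S10: append Proxy-State carrying Authenticator 1; Length grows by Length' = 16 + 1 + 1."""
    code, ident, auth1, attrs = decode(req)
    return encode(code, ident, auth1, attrs + attr(PROXY_STATE, auth1))


def server_accept(req, secret, extra_attrs):
    """Backbone server: echoes Proxy-State unchanged; Authenticator 2 = MD5 with the request authenticator."""
    _, ident, req_auth, attrs = decode(req)
    _, proxy_state = split_proxy_state(attrs)
    resp_attrs = extra_attrs + (attr(PROXY_STATE, proxy_state) if proxy_state is not None else b"")
    auth2 = radius_md5(ACCESS_ACCEPT, ident, req_auth, resp_attrs, secret)
    return encode(ACCESS_ACCEPT, ident, auth2, resp_attrs)


def gateway_verify_and_relay(resp, secret_server, secret_nas):
    """Items 1) to 7): returns the packet for the access-layer device, or None when it must be discarded."""
    code, ident, auth2, attrs = decode(resp)                       # 1) cache Authenticator 2
    others, auth1 = split_proxy_state(attrs)                        # 2) Authenticator 1 from Proxy-State
    if auth1 is None or len(auth1) != 16:
        return None
    auth3 = radius_md5(code, ident, auth1, attrs, secret_server)   # 3) Authenticator 3
    if not hmac.compare_digest(auth3, auth2):                       # 4) compare (constant time)
        return None
    # 5) Proxy-State removed, so Length shrinks by Length'; 6) recompute with Authenticator 1
    auth4 = radius_md5(code, ident, auth1, others, secret_nas)
    return encode(code, ident, auth4, others)                       # 7) relay to the access-layer device


def nas_verify(resp, auth1, secret):
    """Access-layer device checks Authenticator 4 against the Authenticator 1 it generated."""
    code, ident, auth4, attrs = decode(resp)
    return hmac.compare_digest(radius_md5(code, ident, auth1, attrs, secret), auth4)


def demo():
    """Constructed run: one honest exchange, then the same response altered in transit."""
    secret_nas, secret_server = b"nas-side-secret", b"server-side-secret"      # constructed
    req, auth1 = nas_access_request(7, attr(1, b"user1"))                      # User-Name, constructed
    resp = server_accept(gateway_forward_request(req), secret_server,
                         attr(27, struct.pack("!I", 3600)))                    # Session-Timeout, constructed
    relayed = gateway_verify_and_relay(resp, secret_server, secret_nas)
    honest_ok = relayed is not None and nas_verify(relayed, auth1, secret_nas)
    tampered = bytearray(resp)
    tampered[22] ^= 0xFF                      # flip a byte of Session-Timeout after the server computed Authenticator 2
    tampered_dropped = gateway_verify_and_relay(bytes(tampered), secret_server, secret_nas) is None
    return honest_ok, tampered_dropped


if __name__ == "__main__":
    print(demo())
```

The comparison in 4) is written with `hmac.compare_digest` rather than a plain bit-by-bit loop so that the time taken does not depend on where the first differing byte is; the patent's comparison rule (every corresponding bit identical) is unchanged. Note that the gateway needs no per-session state at all: everything it needs to check the response travels inside the response.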
Simultaneously, the method that the present invention carries out verification to message also proposes convergence-level equipment again authentication request packet and authentication response message are carried out verification and pass through after, the processing mode that will further carry out verification also to charging request message (AccountingRequest).See also Fig. 6, this figure is after the present invention carries out message the authentication response message checking being passed through in the method for verification again, the main implementation procedure flow chart that the charging request message is carried out verification and handles and the charging response message is handled; Its main implementation procedure is as follows:
Step S110, the 5th of the authentication Digital Domain carrying the authenticates word (Authenticator 5) in the charging request message that convergence-level equipment extraction access layer equipment is sent, and the Authenticator 5 that extracts is carried out buffer memory;
Step S120 carries out whole zero clearings to Authenticator 5 shared byte locations in this charging request message and handles;
Charging request message after step S130, convergence-level equipment handle step S120 carries out transform operation to obtain the 6th authentication word Authenticator 6; Wherein the transform operation here can adopt but be not limited to md5-challenge (MD5, Message-Digest Algorithm 5);
Whether the Authenticator 5 of buffer memory is consistent among the step S140, the Authenticator 6 that is tried to achieve among the convergence-level equipment determining step S130 and step S110, if, execution in step S150; Otherwise execution in step S230;
It should be noted that when the access layer device generates the accounting request message, the Authenticator field of the generated message is in a cleared state, i.e. no authentication word has been filled in. To guarantee the security of the accounting request message in transit, the access layer device must apply the MD5 algorithm to the generated accounting request message, which yields an authentication word: this is the fifth authentication word, Authenticator 5, mentioned above. The access layer device then encapsulates the computed Authenticator 5 in the Authenticator field of the generated accounting request message and sends the message to the convergence-layer device. On receiving the accounting request message, the convergence-layer device extracts Authenticator 5 carried in its Authenticator field and caches it, then clears the Authenticator field of the message to zero. The message so processed is identical to the accounting request message as originally generated by the access layer device before any authentication word was encapsulated, so applying the same MD5 computation to it yields an authentication word, the sixth authentication word Authenticator 6 mentioned above. If the accounting request message was not attacked while being transmitted from the access layer device to the convergence-layer device, Authenticator 6 computed by the convergence-layer device is obviously identical to Authenticator 5 computed by the access layer device. The comparison in the step above, i.e. determining whether Authenticator 5 and Authenticator 6 are consistent, therefore confirms whether the accounting request message is legitimate and whether it was attacked in transit.
Step S150: the convergence-layer device fills Authenticator 5 cached in step S110 into the Proxy-State field of the accounting request message;
Step S160: the Authenticator field of the accounting request message is cleared entirely to zero again;
Step S170: the convergence-layer device applies the transform operation to the accounting request message so processed to obtain the seventh authentication word, Authenticator 7; here too the transform operation may be, but is not limited to, the MD5 algorithm;
Step S180: the convergence-layer device sends the accounting request message, whose Authenticator field now carries Authenticator 7 obtained in step S170, to the backbone layer device;
Because the backbone layer device performs no processing on the Proxy-State field of the accounting request message sent by the convergence-layer device, it can encapsulate the Proxy-State field in the accounting response message (Accounting-Response) it returns to the convergence-layer device; however, because the convergence-layer device does not store in advance the authentication word Authenticator 7 that the Authenticator field of the accounting request message carried before the backbone layer device processed it, the convergence-layer device cannot verify the accounting response message;
Step S190: the convergence-layer device deletes the Proxy-State field of the accounting response message returned by the backbone layer device;
Step S200: the authentication word filled in the Authenticator field of the accounting response message (the value the backbone layer device derived from Authenticator 7) is replaced with Authenticator 5 carried in the deleted Proxy-State field;
Step S210: the transform operation is applied to the accounting response message so processed to obtain the eighth authentication word, Authenticator 8; here too the transform operation may be, but is not limited to, the MD5 algorithm;
Step S220: finally, the convergence-layer device returns the accounting response message, whose Authenticator field carries Authenticator 8 obtained in step S210, to the access layer device;
Step S230: the convergence-layer device discards the accounting request message.
See Fig. 7, which shows, for the message verification method of the present invention, the format of the accounting request message sent by the access layer device and the format of the accounting request message forwarded to the backbone layer device after processing by the convergence-layer device. Here:
The accounting request message the convergence-layer device receives from the access layer device is shown in Fig. 7 (a). In this message, Authenticator 5 is the authentication word the access layer device computed over the accounting request message with the MD5 algorithm; it is a 16-byte digest, computed as follows:
First, the Authenticator field of the accounting request message is cleared entirely to zero (i.e. filled with 16 bytes of 0); the MD5 algorithm is then applied to the processed accounting request message to obtain Authenticator 5, which is placed in the Authenticator field. After receiving this accounting request message, the convergence-layer device performs the following processing:
1) extract the authentication word Authenticator 5 carried in the Authenticator field of the accounting request message sent by the access layer device, and buffer the extracted Authenticator 5 in a temporary variable in the program;
2) clear to zero all 16 byte positions occupied by Authenticator 5 in the accounting request message, then compute MD5 over the processed accounting request message to obtain the authentication word Authenticator 6;
3) compare whether Authenticator 5 buffered in 1) and Authenticator 6 computed in 2) are completely identical; if they are, continue with the processing below; otherwise discard the accounting request message directly;
4) fill Authenticator 5 buffered in 1) into the Proxy-State field of the accounting request message; this Proxy-State field is carried at the end of the accounting request message;
5) change the length value of the whole accounting request message to Length + Length' (Length' being the length of the appended Proxy-State field);
6) clear the Authenticator field of the accounting request message processed in 5) entirely to zero once more, and compute MD5 over the message so processed to obtain the authentication word Authenticator 7;
7) send the accounting request message processed as above to the backbone layer device (the format of the accounting request message sent to the backbone layer device after processing by the convergence-layer device is shown in Fig. 7 (b)).
See Fig. 8, which shows, for the message verification method of the present invention, the format of the accounting response message returned by the backbone layer device and the format of the accounting response message returned to the access layer device after processing by the convergence-layer device. Here:
The format of the accounting response message the convergence-layer device receives from the backbone layer device is shown in Fig. 8 (a). The convergence-layer device's processing of the accounting response message differs from its processing of the authentication response message described above in that it does not verify the legitimacy of the accounting response message: the convergence-layer device does not know the authentication word Authenticator 7 that the Authenticator field of the accounting request message carried before the backbone layer device computed the accounting response message with the MD5 algorithm, so it cannot perform a correct verification.
After receiving the accounting response message, the convergence-layer device does the following:
1) extract Authenticator 5 from the Proxy-State field of the received accounting response message, and replace the authentication word carried in the Authenticator field of the accounting response message (the value derived from Authenticator 7) with the extracted Authenticator 5;
2) delete the Proxy-State field of the accounting response message, and change the length value of the whole accounting response message to Length - Length';
3) compute MD5 over the accounting response message so processed to obtain the authentication word Authenticator 8, and fill the computed Authenticator 8 into the Authenticator field of the accounting response message;
4) return the accounting response message whose Authenticator field now carries Authenticator 8 to the access layer device (the format of the accounting response message returned to the access layer device after processing by the convergence-layer device is shown in Fig. 8 (b)).
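The two proxy procedures described above, Authenticators 1 to 4 for the authentication exchange and Authenticators 5 to 8 for the accounting exchange of Figs. 6 to 8, in working form. This is an added example and not code from the patent or its assignee: a minimal RADIUS packet encoder and parser, the convergence-layer (proxy) processing in both directions, a backbone-layer (server) stub that echoes Proxy-State, and the access-layer check of the returned response. The packet layout, attribute type 33 for Proxy-State and the shared-secret handling are taken from RFC 2865/2866 rather than from the page. In particular, the page's transform operation is a bare MD5 over the message, whereas the RFCs append the shared secret to the hashed data; without the secret any on-path party can recompute a valid authenticator, so detection is limited to accidental corruption. The secret is therefore a parameter (pass b"" to reproduce the page's computation literally). The user name, the nonce standing in for the random request authenticator, and all packets are constructed here.

```python
"""Stateless RADIUS proxy authenticator handling, after the scheme described on this page."""
import hashlib
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5
PROXY_STATE = 33          # RFC 2865 attribute type of Proxy-State (assumption: not stated on the page)
ZERO16 = bytes(16)

def build(code, ident, authenticator, attrs):
    """Code(1) Identifier(1) Length(2) Authenticator(16) followed by Type/Length/Value attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse(pkt):
    """Return (code, identifier, authenticator, [(type, value), ...])."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, i = [], 20
    while i < length:
        t, l = pkt[i], pkt[i + 1]
        attrs.append((t, pkt[i + 2:i + l]))
        i += l
    return code, ident, pkt[4:20], attrs

def set_auth(pkt, auth):
    return pkt[:4] + auth + pkt[20:]

def transform(pkt, secret):
    """The page's transform operation: MD5 over the whole message. ASSUMPTION: the shared
    secret is appended as RFC 2865/2866 require; pass b"" to follow the page literally."""
    return hashlib.md5(pkt + secret).digest()

def proxy_forward(req, secret):
    """Convergence-layer device, request direction (claim 1; steps S110 to S180)."""
    code, ident, auth, attrs = parse(req)
    if code == ACCOUNTING_REQUEST:
        # Authenticator 5 was computed with a zeroed field; S120/S130 recompute it as Authenticator 6
        if transform(set_auth(req, ZERO16), secret) != auth:
            return None                                   # S230: discard
    attrs.append((PROXY_STATE, auth))                     # stash the original word; Length grows by Length'
    if code == ACCOUNTING_REQUEST:
        fwd = build(code, ident, ZERO16, attrs)           # S160: clear the field again
        return set_auth(fwd, transform(fwd, secret))      # S170: Authenticator 7
    return build(code, ident, auth, attrs)                # Access-Request keeps Authenticator 1

def server_respond(req, resp_code, secret):
    """Backbone-layer device: the response Authenticator is MD5 over the response carrying the
    request's Authenticator in its field; Proxy-State is echoed back unchanged."""
    _, ident, req_auth, attrs = parse(req)
    resp = build(resp_code, ident, req_auth, [a for a in attrs if a[0] == PROXY_STATE])
    return set_auth(resp, transform(resp, secret))

def proxy_return(resp, secret):
    """Convergence-layer device, response direction (claim 2; steps S190 to S220)."""
    code, ident, auth2, attrs = parse(resp)
    ours = [i for i, a in enumerate(attrs) if a[0] == PROXY_STATE]
    if not ours:
        return None
    auth1 = attrs.pop(ours[-1])[1]                        # the Proxy-State we appended is the last one
    if code == ACCESS_ACCEPT:
        # Authenticator 3: MD5 with Authenticator 1 restored must equal the cached Authenticator 2
        if transform(set_auth(resp, auth1), secret) != auth2:
            return None
    # An Accounting-Response is not checked here: as the page notes, Authenticator 7 was not kept.
    out = build(code, ident, auth1, attrs)                # Proxy-State gone; Length shrinks by Length'
    return set_auth(out, transform(out, secret))          # Authenticator 4 / Authenticator 8

def nas_check(resp, req_auth, secret):
    """Access-layer device verifies the returned response against the authenticator it sent."""
    return transform(set_auth(resp, req_auth), secret) == parse(resp)[2]

def run_flows(secret=b"s3cret"):
    """Constructed exchange: one Access-Request and one Accounting-Request through the proxy."""
    user = [(1, b"alice")]                                # User-Name
    auth1 = hashlib.md5(b"constructed nonce").digest()    # stands in for the NAS's random Authenticator 1
    fwd_acc = proxy_forward(build(ACCESS_REQUEST, 7, auth1, user), secret)
    srv_acc = server_respond(fwd_acc, ACCESS_ACCEPT, secret)
    acc_resp = proxy_return(srv_acc, secret)

    acct = build(ACCOUNTING_REQUEST, 8, ZERO16, user + [(40, b"\x00\x00\x00\x01")])  # Acct-Status-Type Start
    auth5 = transform(acct, secret)
    acct = set_auth(acct, auth5)
    fwd_acct = proxy_forward(acct, secret)
    acct_resp = proxy_return(server_respond(fwd_acct, ACCOUNTING_RESPONSE, secret), secret)

    tampered_req = acct[:-1] + bytes([acct[-1] ^ 1])      # one byte flipped in transit
    forged_resp = set_auth(srv_acc, ZERO16)               # response whose Authenticator does not match
    return {
        "access_ok": nas_check(acc_resp, auth1, secret),
        "acct_ok": nas_check(acct_resp, auth5, secret),
        "fwd_has_proxy_state": any(t == PROXY_STATE for t, _ in parse(fwd_acct)[3]),
        "nas_sees_proxy_state": any(t == PROXY_STATE for t, _ in parse(acct_resp)[3]),
        "tampered_request_dropped": proxy_forward(tampered_req, secret) is None,
        "forged_response_dropped": proxy_return(forged_resp, secret) is None,
    }

if __name__ == "__main__":
    print(run_flows())
```

run_flows() returns the outcome of each check: the forwarded accounting request carries the Proxy-State attribute while the response handed back to the access layer does not, both returned responses verify against the authenticator the access layer originally sent, the request with a flipped byte is dropped at the proxy (step S230), and an Access-Accept whose authenticator does not match is dropped before being forwarded. Note that the proxy keeps no per-request table at all; everything it needs to rebuild the response comes back inside Proxy-State, which is the point of the scheme.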
In the message verification method of the present invention, the access layer device mentioned above may be a network access server (NAS, Network Access Server); the convergence-layer device may be an accounting gateway; and the backbone layer device may be a Remote Authentication Dial In User Service (RADIUS) server.
The practical performance of the message verification method of the present invention is described in further detail below with a concrete application example. See Fig. 9, a network topology diagram of a campus network in which the method of the present invention is used to verify the authentication request messages and authentication response messages of campus users. Campus networks today are no longer satisfied with the original time-based or simple volume-based charging and instead charge by service traffic (service traffic being the network traffic a user accesses, in both the inbound and outbound directions). When the traffic charging system for this campus network was designed, the characteristics of the network built to implement traffic charging were taken into account and intelligent charging was implemented in conjunction with each functional device of the network.
Because switches today all support port traffic mirroring (port mirroring means that the traffic entering or leaving a port A of the switch can be obtained on another port B of the switch, called the mirror port of port A) and forward at wire speed (wire-speed forwarding means that the interface throughput of an Ethernet switch or router reaches 100%), inbound or outbound traffic can be mirrored out at line rate. This mirroring feature therefore gives a good view of inbound and outbound network traffic; using a high-performance network processing device, the inbound and outbound traffic is processed and collected, and traffic-based charging is then implemented in a distributed processing mode.
In the network structure shown in Fig. 9, campus users authenticate to the RADIUS server 300 by IEEE 802.1x, and the topology shows that the accounting gateway 200 plays the role of RADIUS proxy in the whole network. The software design of the accounting gateway 200 therefore needs to combine the following two functions:
1) connected to the core switch through a gigabit port, it quickly accounts the messages mirrored by the core switch by user traffic, which includes looking up the user table and accumulating the user's inbound and outbound traffic;
2) connected to the RADIUS server 300 through the internal network, it establishes a connection to the RADIUS server 300 (generally over UDP), exchanges messages with it, and sends the user's traffic information to the RADIUS server 300 using the RADIUS protocol.
While the system runs, the accounting gateway 200 must continuously receive, process and forward the authentication request messages, accounting request messages and so on sent by the core switch, and at the same time continuously receive, process and forward the authentication response messages, accounting response messages and so on sent by the RADIUS server 300. To collect, analyse and monitor the traffic mirrored by the core switch, and to distribute effectively and reliably the various request and response messages sent by the core switch and the RADIUS server 300, the necessary authentication word (Authenticator) information and the like can be added to the Proxy-State field of the RADIUS protocol messages. The accounting gateway 200 then verifies the various request and response messages by recognising the Authenticator information added to the Proxy-State field of the RADIUS messages. This avoids the complexity that maintaining a local information table would bring to the accounting gateway 200, correspondingly reduces the implementation complexity of the accounting gateway 200, guarantees the validity and reliability of all kinds of messages in transit, and improves the running performance of the accounting gateway 200.
The above is only a preferred embodiment of the present invention. It should be pointed out that those skilled in the art can make further improvements and modifications without departing from the principle of the invention, and such improvements and modifications should also be regarded as falling within the scope of protection of the present invention.
Claims (10)
1. A message verification method, used by a convergence-layer device to verify RADIUS messages exchanged between an access layer device and a backbone layer device, characterised in that it comprises the steps of:
the convergence-layer device copies the first authentication word carried in the Authenticator field of the request message sent by the access layer device into the Proxy-State field of the request message and sends the request message to the backbone layer device;
the convergence-layer device extracts and caches the second authentication word carried in the Authenticator field of the response message returned by the backbone layer device; and
copies the first authentication word carried in the Proxy-State field of the response message into the Authenticator field of the response message; and
applies a transform operation to the processed response message to obtain a third authentication word;
judges whether the third authentication word is consistent with the cached second authentication word; if so, the response message passes verification; otherwise it does not.
2. The message verification method of claim 1, characterised in that, after the response message passes verification, it further comprises the steps of:
deleting the Proxy-State field of the response message; and
replacing the third authentication word filled in the Authenticator field of the response message with the first authentication word carried in the Proxy-State field;
applying the transform operation to the processed response message to obtain a fourth authentication word; and
returning the response message whose Authenticator field carries the fourth authentication word to the access layer device.
3. The message verification method of claim 1, characterised in that it further comprises the step of discarding the response message when the response message fails verification.
4. The message verification method of claim 1, 2 or 3, characterised in that the request message is an authentication request message and the response message is an authentication response message.
5. The message verification method of claim 4, characterised in that, after the authentication response message passes verification, it further comprises the steps of:
the convergence-layer device extracts and caches the fifth authentication word carried in the Authenticator field of the accounting request message sent by the access layer device; and
clears to zero the byte positions occupied by the fifth authentication word in the accounting request message; and
applies the transform operation to the processed accounting request message to obtain a sixth authentication word;
judges whether the sixth authentication word is consistent with the cached fifth authentication word; if so, the accounting request message passes verification; otherwise it does not.
6. The message verification method of claim 5, characterised in that, after the accounting request message passes verification, it further comprises the steps of:
filling the cached fifth authentication word into the Proxy-State field of the accounting request message; and
clearing the Authenticator field of the accounting request message to zero; and
applying the transform operation to the processed accounting request message to obtain a seventh authentication word;
sending the accounting request message whose Authenticator field carries the seventh authentication word to the backbone layer device;
and deleting the Proxy-State field of the accounting response message returned by the backbone layer device; and
replacing the seventh authentication word filled in the Authenticator field of the accounting response message with the fifth authentication word carried in the Proxy-State field;
applying the transform operation to the processed accounting response message to obtain an eighth authentication word; and
returning the accounting response message whose Authenticator field carries the eighth authentication word to the access layer device.
7. The message verification method of claim 5, characterised in that it further comprises the step of discarding the accounting request message when the accounting request message fails verification.
8. The message verification method of claim 1 or 2, characterised in that the transform operation uses the MD5 message-digest algorithm.
9. The message verification method of claim 5 or 6, characterised in that the transform operation uses the MD5 message-digest algorithm.
10. The message verification method of claim 1, characterised in that the access layer device is a network access server, the convergence-layer device is an accounting gateway, and the backbone layer device is a Remote Authentication Dial In User Service server.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNB2005100027607A CN100418315C (en) | 2005-01-26 | 2005-01-26 | The method of verifying the message |
Publications (2)
Publication Number | Publication Date |
---|---|
CN1725679A CN1725679A (en) | 2006-01-25 |
CN100418315C true CN100418315C (en) | 2008-09-10 |
Family
ID=35924935
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CNB2005100027607A Expired - Fee Related CN100418315C (en) | 2005-01-26 | 2005-01-26 | The method of verifying the message |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN100418315C (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10341221B2 (en) | 2015-02-26 | 2019-07-02 | Cisco Technology, Inc. | Traffic engineering for bit indexed explicit replication |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20030051140A1 (en) * | 2001-09-13 | 2003-03-13 | Buddhikot Milind M. | Scheme for authentication and dynamic key exchange |
KR20030040619A (en) * | 2001-11-15 | 2003-05-23 | 엘지전자 주식회사 | Method of Identifying Account Session of RADIUS Server in Mobile Telephone Packet Data Network |
US20040073793A1 (en) * | 2002-10-10 | 2004-04-15 | Kabushiki Kaisha Toshiba | Network system, information processing device, repeater, and method of building network system |
US6771665B1 (en) * | 2000-08-31 | 2004-08-03 | Cisco Technology, Inc. | Matching of RADIUS request and response packets during high traffic volume |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| C14 | Grant of patent or utility model | |
| GR01 | Patent grant | |
| CP03 | Change of name, title or address | Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466; Patentee after: NEW H3C TECHNOLOGIES Co.,Ltd. Address before: 310053 Hangzhou hi-tech Industrial Development Zone, Zhejiang province science and Technology Industrial Park, No. 310 and No. six road, HUAWEI, Hangzhou production base; Patentee before: HANGZHOU H3C TECHNOLOGIES Co.,Ltd. |
| CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20080910 |