
WO2009082910A1 - Method and device for network configuration of a user terminal - Google Patents

Method and device for network configuration of a user terminal

Info

Publication number
WO2009082910A1
Authority
WO
WIPO (PCT)
Prior art keywords
user terminal
configuration
server
address
network
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/CN2008/073466
Other languages
English (en)
Chinese (zh)
Inventor
Chuan Li
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2007-12-25
Filing date
2008-12-11
Publication date
2009-07-09
Application filed by Huawei Technologies Co Ltd
Publication of WO2009082910A1
Anticipated expiration
Ceased (current legal status)

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00: Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/08: Configuration management of networks or network elements
    • H04L 41/0803: Configuration setting
    • H04L 41/0806: Configuration setting for initial configuration or provisioning, e.g. plug-and-play

Definitions

  • Network configuration of user terminals using the OMA framework can be divided into two processes: an initial configuration process and a reconfiguration process.
  • In the prior-art initial configuration process, the authentication, authorization and accounting (AAA) server informs the OMA DM (Open Mobile Alliance Device Management) server that the user terminal has accessed the network, and the OMA DM server initiates the network configuration of the user terminal; in the reconfiguration process, the AAA server provides the user terminal's related information to the OMA DM server, and the OMA DM server initiates network configuration of the user terminal according to that information.
  • OMA DM: Open Mobile Alliance Device Management
  • In the prior art the AAA server and the OMA DM server belong to different subnets: the AAA server sits in the service processing domain and the OMA DM server in the operation and maintenance domain, and the two devices are separately networked. For the prior-art scheme to work, communication between the two devices must therefore be enabled across the two isolated subnets.
  • ASN-GW: Access Service Network Gateway
  • NAT: Network Address Translation
  • A method for network configuration of a user terminal is applied in a WiMAX (Worldwide Interoperability for Microwave Access) network and includes the following steps:
  • A user terminal accessing a WiMAX network, comprising:
  • a tunnel creation unit configured to establish a secure transport layer protocol (TLS) tunnel between the user terminal and the configuration server;
  • In the method and device for network configuration of a user terminal, the user terminal actively initiates establishment of a TLS tunnel to the configuration server according to the IP address of the configuration server, and obtains the configuration data through that tunnel. This overcomes the prior-art problem that configuration data actively pushed by the configuration server cannot pass through a firewall or a NAT device, so that the configuration server cannot perform network configuration on the user terminal, and it ensures the communication security between the user terminal and the configuration server.
  • FIG. 3 is a timing diagram of establishing a TLS tunnel between an MS/SS and an OMA DM server in the method for network configuration of a user terminal according to an embodiment of the present invention;
  • FIG. 4 is a timing diagram of the OMA DM server performing network configuration of the MS/SS in the method shown in FIG. 2 according to an embodiment of the present invention;
  • Step 102: Acquire configuration data through the established TLS tunnel, and configure the parameters of the MS/SS according to the acquired configuration data.
  • The network configuration of the MS/SS in step 101 can be of two types: initial configuration, performed when the MS/SS enters the network for the first time; and reconfiguration, i.e. updating the network configuration of an MS/SS that has already accessed the network. They are described separately below:
  • Step 201: The MS/SS and the BS negotiate air interface parameters, so that the MS/SS and the BS can communicate normally.
  • When the MS/SS loses its network configuration data because of a network abnormality, it may likewise set the service type field in its identity to indicate that network configuration is needed. After receiving the MS/SS identity information, the AAA server authenticates the MS/SS using EAP-TLS (Extensible Authentication Protocol - Transport Layer Security) or EAP-TTLS (Extensible Authentication Protocol - Tunneled Transport Layer Security).
  • EAP-TLS: Extensible Authentication Protocol - Transport Layer Security
  • EAP-TTLS: Extensible Authentication Protocol - Tunneled Transport Layer Security
  • Step 203: After the AAA server successfully authenticates the MS/SS, it may determine from the service type field in the MS/SS identity that the MS/SS needs network configuration; the AAA server may also determine by itself whether the MS/SS needs network configuration. When the AAA server sends the authentication success message to the MS/SS, the message carries an instruction for the ASN-GW to start the pre-configuration process for the MS/SS;
  • The authentication success message also carries a message instructing the ASN-GW to enable the hotline function for the MS/SS. The hotline function causes the ASN-GW to block all service data of the user terminal other than the traffic of the network configuration process;
  • The steps of establishing the TLS tunnel between the MS/SS and the OMA DM server mainly consist of mutual authentication between the MS/SS and the OMA DM server, with the MS/SS initiating the process according to the IP address of the OMA DM server. The specific steps are:
  • Step 301: The MS/SS sends a ClientHello message to the OMA DM server, indicating that the TLS handshake starts. The ClientHello message requests the OMA DM server to negotiate TLS security services; it carries the protocol version number, a random number, the session ID, the supported cipher suites, the compression methods, and so on.
  • Step 306: The OMA DM server sends a ServerHelloDone message to notify the MS/SS that the server's part of the negotiation is complete. The ServerHelloDone message carries no information of its own; the MS/SS proceeds to the subsequent messages only after successfully receiving it;
  • ServerHelloDone: server negotiation complete
  • Step 307: The MS/SS verifies the digital certificate of the OMA DM server against the CA certificate, that is, checks whether the OMA DM server is legitimate, and the OMA DM server authenticates the TLS key by means of the RSA algorithm;
  • Step 308: The MS/SS sends its own digital certificate, issued by the same trusted CA, to the OMA DM server in a Certificate message;
  • Step 309: If the RSA public key is relatively long and cannot be placed in the Certificate message of step 308, the MS/SS delivers it to the OMA DM server in a ClientKeyExchange message. (Note that in standard TLS, RFC 5246, the ClientKeyExchange message carries the premaster secret encrypted under the server's RSA public key, not the client's public key; the client's public key is always carried inside its certificate.)
  • ClientKeyExchange: client key exchange message
  • Step 314: The OMA DM server sends a Finished message to the MS/SS, which checks whether the TLS negotiation options activated in step 313 are valid.
  • A TLS tunnel can thus be established between the MS/SS and the OMA DM server by the steps shown in FIG. 3.
  • Step 404: After the MS/SS authentication has been performed, the MS/SS executes the network configuration instructions issued by the OMA DM server and returns the execution result to the OMA DM server.
  • Because the MS/SS communicates directly with the OMA DM server, the network layout between the AAA server and the configuration server does not have to be considered when networking, which makes networking more flexible and reduces its cost; and because the configuration data between the MS/SS and the OMA DM server is transmitted through the TLS tunnel, communication security between the MS/SS and the OMA DM server is guaranteed;
  • The authentication process used in the embodiment is the same as the existing authentication process of the WiMAX network, which reduces network maintenance and allocation work; the pre-configuration data traffic is counted separately, so that the charging method of the WiMAX network is more reasonable.
  • Step 501: Determine whether the MS/SS needs to update its network configuration.
  • Not only may the OMA DM server determine whether the MS/SS needs to update its network configuration; the MS/SS may also determine this itself, according to the user terminal network configuration update time sent by the AAA server, the DHCP server or the ASN-GW.
  • Since the MS/SS can directly obtain the time for updating its network configuration (and detect when that time expires), this saves the OMA DM server from having to determine whether the MS/SS needs an update and from sending it a request-to-update message, thereby saving network resources.
  • The present invention solves the prior-art problem that, when a firewall or a NAT device is present, configuration data sent by the configuration server cannot pass through it, so that the configuration server cannot perform network configuration on the user terminal.
  • Embodiments provide a user terminal and a configuration server. The present invention is described in detail below with reference to the accompanying drawings and embodiments.
  • the user terminal is an MS/SS
  • the configuration server is an OMA DM server
  • the configuration server performs network configuration on the user terminal through the WiMAX network.
  • the MS/SS includes:
  • The obtaining unit 601 is configured to obtain the IP address of the OMA DM server. The IP address can be obtained from the authentication success message sent by the AAA server, or, when the MS/SS requests an IP address from the DHCP server, from the OMA DM server IP address information that the DHCP server or the ASN-GW adds in the Option field of the DHCP message.
  • The obtaining unit 601 is further configured to acquire the time for updating the network configuration of the user terminal. This time can be obtained from the authentication success message sent by the AAA server, or, when the MS/SS requests an IP address from the DHCP server, from the update time information that the DHCP server or the ASN-GW adds in the Option field of the DHCP message.
  • Because the MS/SS can detect by itself whether it needs to update its network configuration, it can initiate the update in time. Compared with the OMA DM server sending a request-to-update message and the MS/SS initiating the update only after receiving it, this saves network resources and speeds up the update of the MS/SS network configuration.
  • A tunnel creation unit 603, configured to establish a TLS tunnel between the MS/SS and the OMA DM server according to the IP address;
  • The configuration unit 605 is configured to obtain the configuration data through the established TLS tunnel and to configure the parameters of the user terminal according to the obtained configuration data.
  • The specific configuration process is shown in FIG. 4 and is not described again here.
  • The configuration data sending unit 608 is configured to send configuration data to the MS/SS through the TLS tunnel; the specific configuration process is shown in FIG. 4 and is not described again here.
  • In the user terminal and the configuration server provided by the embodiment of the present invention, the user terminal actively initiates establishment of a TLS tunnel according to the IP address of the configuration server, and the configuration data is transmitted through that tunnel; this overcomes the prior-art problem that configuration data sent by the configuration server cannot pass through a firewall or a NAT device.
  • The method and apparatus for network configuration of a user terminal provided by the present invention can be applied to a WiMAX network, where the MS/SS is configured through the framework provided by the OMA.
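An added example (not from the patent or from Huawei) of the DHCP side of the obtaining unit described above: parsing the Option field that carries the configuration server's IP address and the update time, and the terminal-side check of whether the update time has expired. The patent does not say which option codes or encodings are used, so the codes 224 and 225 (taken from the site-specific range of RFC 3942), the 4-byte IPv4 address, the 32-bit big-endian seconds value and the sample option bytes are all constructed assumptions. The parser validates every length byte before slicing, because a DHCP message is attacker-controllable on the link. Note also that DHCP options are not authenticated: a spoofed server address is only harmless because the terminal later verifies the configuration server's certificate against the CA before trusting anything it sends.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
	"time"
)

// Hypothetical option codes: the patent only says the server IP and the update time travel
// in a DHCP option, so these numbers are assumptions from the site-specific range (RFC 3942).
const (
	optConfigServerIP = 224
	optConfigUpdate   = 225
	optPad, optEnd    = 0, 255
)

// ProvisionHint is what the terminal learns from DHCP: where to dial, and when to re-pull.
type ProvisionHint struct {
	ServerIP    net.IP
	UpdateAfter time.Duration
}

// SampleOptions is a constructed option list: option 53 (message type = ACK), 224 = 10.1.2.3,
// 225 = 3600 seconds, then the end marker.
var SampleOptions = []byte{53, 1, 5, 224, 4, 10, 1, 2, 3, 225, 4, 0, 0, 0x0e, 0x10, 255}

// parseOptions walks the RFC 2132 TLV option list, refusing truncated entries instead of
// reading past the buffer. It keeps the first copy of each option code.
func parseOptions(b []byte) (map[byte][]byte, error) {
	opts := map[byte][]byte{}
	for i := 0; i < len(b); {
		code := b[i]
		switch code {
		case optPad:
			i++
			continue
		case optEnd:
			return opts, nil
		}
		if i+1 >= len(b) {
			return nil, errors.New("option missing length byte")
		}
		n := int(b[i+1])
		if i+2+n > len(b) {
			return nil, fmt.Errorf("option %d: length %d runs past end of buffer", code, n)
		}
		if _, dup := opts[code]; !dup {
			opts[code] = b[i+2 : i+2+n]
		}
		i += 2 + n
	}
	return nil, errors.New("option list not terminated")
}

// hintFromOptions extracts the two assumed options and validates their sizes and values.
func hintFromOptions(opts map[byte][]byte) (ProvisionHint, error) {
	ip, ok := opts[optConfigServerIP]
	if !ok || len(ip) != 4 {
		return ProvisionHint{}, errors.New("configuration server option absent or not an IPv4 address")
	}
	secs, ok := opts[optConfigUpdate]
	if !ok || len(secs) != 4 {
		return ProvisionHint{}, errors.New("update-time option absent or malformed")
	}
	d := time.Duration(binary.BigEndian.Uint32(secs)) * time.Second
	if d == 0 {
		return ProvisionHint{}, errors.New("update interval must be positive")
	}
	return ProvisionHint{ServerIP: net.IP(ip), UpdateAfter: d}, nil
}

// ParseHint is the entry point: raw DHCP options in, validated hint out.
func ParseHint(b []byte) (ProvisionHint, error) {
	opts, err := parseOptions(b)
	if err != nil {
		return ProvisionHint{}, err
	}
	return hintFromOptions(opts)
}

// NeedsUpdate is the terminal-side check the patent describes: once the update time has
// passed, the terminal itself opens the tunnel instead of waiting to be told.
func NeedsUpdate(last time.Time, h ProvisionHint, now time.Time) bool {
	return !now.Before(last.Add(h.UpdateAfter))
}

func main() {
	fmt.Println(ParseHint(SampleOptions))
	// Truncated: the option claims 4 bytes but only 2 follow, so parsing must fail, not overrun.
	fmt.Println(ParseHint([]byte{224, 4, 10, 1}))
}
```

The parser deliberately returns an error for an unterminated list rather than silently accepting what it has read: a message that lost its end marker may also have lost the option you care about.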
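Worked example of the client-initiated tunnel described in steps 301-314 and in the firewall/NAT discussion above. This is added illustration code, not code from the patent or from Huawei: the patent specifies RSA-based TLS with certificates from a common CA, while this Go program uses a throwaway ECDSA CA generated at run time, a JSON configuration payload, the names operator-ca, omadm.example and ms-ss-0001, the sample values 10.0.0.53 and 3600, and a loopback listener in place of the real OMA DM server; all of these are assumptions. The terminal side (fetchConfig) dials the server address it learned out of band, verifies the server certificate against the operator CA and presents its own certificate; the server side (serveOnce) never opens a connection toward the terminal, requires and verifies the client certificate, and only then writes the configuration. The second run in Provision shows the failure mode the mutual authentication guards against: a terminal holding a certificate from an unrelated CA gets no configuration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Config is a hypothetical payload; the patent does not fix the format, so JSON stands in.
type Config struct {
	DNS            []string `json:"dns"`
	UpdateInterval int      `json:"update_interval_s"`
}

// issueCert makes a P-256 certificate, self-signed (a CA) when parent is nil, else signed by parent/parentKey.
func issueCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // cannot fail with rand.Reader
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")}, // SAN checked by the client on loopback
	}
	if parent == nil {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, err := x509.ParseCertificate(der) // a CreateCertificate failure shows up here as nil DER
	if err != nil {
		panic(err) // throwaway demo key material, so no recovery path
	}
	return cert, key
}

// serveOnce is the configuration-server (OMA DM) role: it never dials the terminal, it answers
// the one connection the terminal opens, and only after a client certificate chaining to the CA.
func serveOnce(ln net.Listener, srv tls.Certificate, ca *x509.CertPool, cfg Config) {
	raw, err := ln.Accept()
	if err != nil {
		return
	}
	conn := tls.Server(raw, &tls.Config{Certificates: []tls.Certificate{srv}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: ca, MinVersion: tls.VersionTLS12})
	defer conn.Close()
	if err := conn.Handshake(); err != nil {
		return // untrusted terminal: the handshake fails and no configuration is ever sent
	}
	json.NewEncoder(conn).Encode(cfg)
}

// fetchConfig is the MS/SS role: dial the server IP learned out of band (AAA success message or
// DHCP option), verify its certificate against the operator CA, present our own certificate, then
// read the configuration through the tunnel we opened, so nothing has to traverse NAT inbound.
func fetchConfig(addr string, cli tls.Certificate, ca *x509.CertPool) (Config, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{Certificates: []tls.Certificate{cli}, RootCAs: ca, MinVersion: tls.VersionTLS12})
	if err != nil {
		return Config{}, err
	}
	defer conn.Close()
	var cfg Config
	if err := json.NewDecoder(conn).Decode(&cfg); err != nil {
		return Config{}, fmt.Errorf("no configuration received: %w", err) // TLS 1.3 reports a rejected client cert here
	}
	return cfg, nil
}

// Provision runs one complete exchange on loopback; with trustedTerminal == false the terminal's certificate comes from an unrelated CA.
func Provision(trustedTerminal bool) (Config, error) {
	caCert, caKey := issueCert("operator-ca", true, nil, nil)
	srvCert, srvKey := issueCert("omadm.example", false, caCert, caKey)
	signer, signerKey := caCert, caKey
	if !trustedTerminal {
		signer, signerKey = issueCert("rogue-ca", true, nil, nil)
	}
	cliCert, cliKey := issueCert("ms-ss-0001", false, signer, signerKey)
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return Config{}, err
	}
	defer ln.Close()
	go serveOnce(ln, tls.Certificate{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}, pool, Config{DNS: []string{"10.0.0.53"}, UpdateInterval: 3600}) // constructed sample data
	return fetchConfig(ln.Addr().String(), tls.Certificate{Certificate: [][]byte{cliCert.Raw}, PrivateKey: cliKey}, pool)
}

func main() {
	fmt.Println(Provision(true))
	_, err := Provision(false)
	fmt.Println("untrusted terminal rejected:", err != nil)
}
```

The server's trust decision is the ClientCAs pool plus RequireAndVerifyClientCert; the client's is RootCAs plus the IP SAN match on the dialed address. Neither side ever sets InsecureSkipVerify, which is the setting that would silently turn the "secure" tunnel of the patent into an unauthenticated one.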

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

This invention relates to a network configuration method for a user terminal, the user terminal being applied in a Worldwide Interoperability for Microwave Access (WiMAX) network. The method comprises: acquiring an IP address of a configuration server and establishing a transport layer security (TLS) tunnel between the user terminal and the configuration server on the basis of the IP address (101); acquiring configuration data through the established TLS tunnel, and configuring parameters of the user terminal on the basis of the acquired configuration data (102).
PCT/CN2008/073466 2007-12-25 2008-12-11 Method and device for network configuration of a user terminal Ceased WO2009082910A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN2007103015846A CN101197721B (zh) 2007-12-25 2007-12-25 Method and apparatus for network configuration of a user terminal
CN200710301584.6 2007-12-25

Publications (1)

Publication Number Publication Date
WO2009082910A1 (fr) 2009-07-09

Family

ID=39547885

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2008/073466 Ceased WO2009082910A1 (fr) 2007-12-25 2008-12-11 Method and device for network configuration of a user terminal

Country Status (2)

Country Link
CN (1) CN101197721B (fr)
WO (1) WO2009082910A1 (fr)

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101197721B (zh) * 2007-12-25 2010-07-07 Huawei Technologies Co Ltd Method and apparatus for network configuration of a user terminal
CN101351046B (zh) * 2008-08-29 2014-02-19 Huawei Device Co Ltd Terminal device software component activation method, terminal device and device management server
CN101631331B (zh) * 2009-08-10 2012-11-21 Huawei Technologies Co Ltd Terminal management method and device
CN101998378A (zh) * 2009-08-24 2011-03-30 ZTE Corp Method and system for providing multiple network services in a WiMAX system
CN101790155A (zh) * 2009-12-30 2010-07-28 ZTE Corp Method, apparatus and system for updating a mobile terminal security algorithm
EP4007328B1 (fr) 2016-07-06 2025-01-01 Huawei Technologies Co., Ltd. Network connection configuration method and apparatus
DE102017214071A1 (de) * 2017-08-11 2019-02-14 Robert Bosch Gmbh Method and device for charging an electric vehicle
CN113507498B (zh) * 2021-06-02 2025-01-24 Inspur Software Co Ltd Government service hall device data exchange method and system
CN119966597B (zh) * 2023-11-09 2025-11-04 China United Network Communications Group Co Ltd Public network protection method, apparatus, device and storage medium

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7096273B1 (en) * 2001-04-25 2006-08-22 Cisco Technology, Inc. DHCP over mobile IP
CN101197721A (zh) * 2007-12-25 2008-06-11 Huawei Technologies Co Ltd Method and apparatus for network configuration of a user terminal

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100596229C (zh) * 2006-03-08 2010-03-24 Huawei Technologies Co Ltd Method for notifying the target network address binding result, and mobile user terminal
CN101043706B (zh) * 2006-03-23 2011-03-09 Huawei Technologies Co Ltd Method for a terminal entering idle mode and performing network re-entry

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7096273B1 (en) * 2001-04-25 2006-08-22 Cisco Technology, Inc. DHCP over mobile IP
CN101197721A (zh) * 2007-12-25 2008-06-11 Huawei Technologies Co Ltd Method and apparatus for network configuration of a user terminal

Also Published As

Publication number Publication date
CN101197721A (zh) 2008-06-11
CN101197721B (zh) 2010-07-07

Similar Documents

Publication Publication Date Title
US12439358B2 (en) Determination of trust relationship of non-3GPP access networks in 5GC
CN101616410B (zh) Access method and system for a cellular mobile communication network
EP1330073B1 (fr) Method and device for controlling the access of a wireless terminal to a communication network
CN108063689B (zh) Secure online sign-up and provisioning of Wi-Fi hotspots using a device management protocol
US8266681B2 (en) System and method for automatic network logon over a wireless network
US9450951B2 (en) Secure over-the-air provisioning solution for handheld and desktop devices and services
RU2556468C2 (ru) Terminal access authentication method and customer premises equipment
JP5934364B2 (ja) Mobile device and method for secure online sign-up and provisioning for Wi-Fi hotspots using SOAP-XML technology
WO2009082910A1 (fr) Method and device for network configuration of a user terminal
US20180198786A1 (en) Associating layer 2 and layer 3 sessions for access control
US20200137056A1 (en) Client device re-authentication
CN114097261B (zh) Dynamic allocation of network slice-specific credentials
WO2019017837A1 (fr) Network security management method and apparatus
WO2009000206A1 (fr) Method and system for access control of a home node B
US10284562B2 (en) Device authentication to capillary gateway
US20180310172A1 (en) Method And Apparatus For Extensible Authentication Protocol
WO2014176964A1 (fr) Communication management method and communication system
US20250279901A1 (en) Communication method and communication apparatus
CN101621433B (zh) Configuration method, apparatus and system for an access device
WO2023011158A1 (fr) Certificate management method and apparatus
EP4124084B1 (fr) Access control method and communication device
CN1652535B (zh) Network layer address management method
WO2025026183A1 (fr) Communication method and communication apparatus
TW201709694A (zh) Home base station and IP configuration method
JPWO2023007135A5 (fr)

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 08866380; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 08866380; Country of ref document: EP; Kind code of ref document: A1)