CN105681268B - Data transferring method and device - Google Patents

Info

Publication number
CN105681268B
Authority
CN
China
Prior art keywords
access
user equipment
area network
lgw
address
Legal status
Active
Application number
CN201410677400.6A
Other languages
Chinese (zh)
Other versions
CN105681268A
Inventor
李锐
钟小武
廖俊锋
Current Assignee
Nanjing ZTE New Software Co Ltd
Original Assignee
Nanjing ZTE New Software Co Ltd
Related PCT application
PCT/CN2015/079517 (published as WO2016078375A1)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The present invention discloses a data transmission method and device. The method includes: a local area network gateway (LGW) assigns an IP address to a user equipment according to the user equipment's authentication information, and stores the correspondence between that IP address, the area network the IP address is allowed to access, and the manner of establishing a secure connection with the access network gateway of that area network; the LGW then transmits data between the user equipment and the area network corresponding to its IP address through a secure tunnel, where the secure tunnel is established according to the stored manner of establishing the secure connection. The invention solves the problem that the related art does not consider different users accessing different area networks: different users access different area networks according to the IP addresses assigned to them.

Description

Data transmission method and device

Technical field

The present invention relates to the field of communications, and in particular to a data transmission method and device.

Background

LTE introduced the concept of the heterogeneous network (HN), from which several new technologies have evolved, and 3GPP (3rd Generation Partnership Project) has studied them specifically. Examples are local service switching, namely Local IP Access (LIPA), and traffic offload, namely Selected IP Traffic Offload (SIPTO). These switch local or low-value data traffic directly and offload it to the Internet instead of sending it back to the core network for forwarding, which avoids the impact of large volumes of low-value traffic on the core network.

LIPA was proposed on the basis of the Home eNodeB (HeNB) network. Its core idea is to offload the communication data of the local network directly at the HeNB, which reduces the load on, and the transmission cost of, the core network. LIPA can be developed further into the concept of an area network: a local wireless network deployed in a limited area, whose users can access local area-network resources after authentication and can also access Internet resources. Access to the local network requires no billing, or is billed separately, and a user can access the enterprise intranet without changing terminals, needing only to switch to a different Access Point Name (APN).

User equipment (UE) is based on standard IP data, and once a mobile user has accessed the local area network its permissions need to be strictly limited. For example, if several companies share one HeNB, users of company A must never be able to access company B's network, and likewise company B's employees must not access company A's network. Within a single company, ordinary employees must not be able to access sensitive departments such as finance; only highly authorised users may. For temporary visitors, the resources they can reach should be restricted as far as possible while still meeting their basic needs.

The inventors found that the wired network inside an area is complex to build and requires isolating internal users by dividing them into different area networks, for example into different Virtual Local Area Networks (VLANs). However, the related art does not consider the problem of different users accessing different area networks.

Summary of the invention

The present invention provides a data transmission method and device so as to at least solve the problem that the related art does not consider different users accessing different area networks.

According to one aspect of the present invention, a data transmission method is provided, including: a local area network gateway (LGW) assigns an IP address to the user equipment according to received configuration information, and stores the correspondence between the IP address, the area network that the IP address is allowed to access, and the manner of establishing a secure connection with the access network gateway of that area network; the LGW transmits data through a secure tunnel between the user equipment and the area network corresponding to the user equipment's IP address, where the secure tunnel is established according to the manner of establishing the secure connection.

Further, before the LGW stores the correspondence, the method also includes: the LGW forwards the authentication information used to authenticate the user equipment to an authentication server; the LGW receives the configuration information returned by the authentication server, where the returned information includes the access IP address assigned to the user equipment, the area network that the IP address is allowed to access, and the manner of establishing a secure connection with the access network gateway of that area network.

Further, before the LGW forwards the authentication information to the authentication server, the method also includes: the LGW receives the authentication information from the core network, where the authentication information is entered after the user equipment selects the area network access point name.

Further, the manner of establishing a connection with the access network gateway of the area network includes at least one of: IPSec, SSL, TLS.

Further, the method also includes: the LGW receives a notification that the user equipment is out of service range; the LGW deletes the correspondence.

According to another aspect of the present invention, a data transmission device is provided, applied to a local area network gateway (LGW), including: an allocation module, configured to assign an IP address to the user equipment according to received configuration information and to store the correspondence between the IP address, the area network that the IP address is allowed to access, and the manner of establishing a secure connection with the access network gateway of that area network; and a data transmission module, configured to transmit data through a secure tunnel between the user equipment and the area network corresponding to the user equipment's IP address, where the secure tunnel is established according to the manner of establishing the secure connection.

Further, the device also includes: a forwarding module, configured to forward the configuration used to authenticate the user equipment to an authentication server; and a first receiving module, configured to receive the information returned by the authentication server, where the returned information includes the access IP address assigned to the user equipment, the area network that the IP address is allowed to access, and the manner of establishing a secure connection with the access network gateway of that area network.

Further, the device also includes: a second receiving module, configured to receive the authentication information from the core network, where the authentication information is entered after the user equipment selects the area network access point name.

Further, the manner of establishing a connection with the access network gateway of the area network includes at least one of: IPSec, SSL, TLS.

Further, the device also includes: a third receiving module, configured to receive a notification that the user equipment is out of service range; and a deletion module, configured to delete the correspondence.

Through the present invention, a local area network gateway (LGW) assigns an IP address to the user equipment according to received configuration information and stores the correspondence between the IP address, the area network that the IP address is allowed to access, and the manner of establishing a secure connection with the access network gateway of that area network; the LGW transmits data through a secure tunnel between the user equipment and the area network corresponding to the user equipment's IP address, where the secure tunnel is established according to the manner of establishing the secure connection. This solves the problem that the related art does not consider different users accessing different area networks: different users access different area networks according to their assigned IP addresses.

Brief description of the drawings

The drawings described here provide a further understanding of the present invention and form part of this application; the illustrative embodiments of the present invention and their descriptions serve to explain the invention and do not unduly limit it. In the drawings:

Fig. 1 is a flowchart of a data transmission method according to an embodiment of the present invention;

Fig. 2 is a block diagram of a data transmission device according to an embodiment of the present invention;

Fig. 3 is a first block diagram of a data transmission device according to a preferred embodiment of the present invention;

Fig. 4 is a second block diagram of a data transmission device according to a preferred embodiment of the present invention;

Fig. 5 is a third block diagram of a data transmission device according to a preferred embodiment of the present invention;

Fig. 6 is a schematic diagram of area network networking according to an embodiment of the present invention;

Fig. 7 is a schematic diagram of a UE accessing an area network according to an embodiment of the present invention.

Detailed description

The present invention is described in detail below with reference to the drawings and in conjunction with embodiments. It should be noted that, where there is no conflict, the embodiments in this application and the features in the embodiments may be combined with one another.

This embodiment provides a data transmission method. Fig. 1 is a flowchart of a data transmission method according to an embodiment of the present invention; as shown in Fig. 1, the flow includes the following steps:

Step S102: the local area network gateway LGW assigns an IP address to the user equipment according to received configuration information, and stores the correspondence between the IP address, the area network that the IP address is allowed to access, and the manner of establishing a secure connection with the access network gateway of that area network;

Step S104: the LGW transmits data through a secure tunnel between the user equipment and the area network corresponding to the user equipment's IP address, where the secure tunnel is established according to the manner of establishing the secure connection.

Through the above steps, data is transmitted through a secure tunnel between the user equipment and the area network corresponding to its IP address, so the access rights of the user equipment can be controlled by the stored correspondence between the IP address, the area network that the IP address is allowed to access, and the manner of establishing a secure connection with that area network's access network gateway. This solves the problem that the related art does not consider different users accessing different area networks: different users access different area networks according to their assigned IP addresses.

For greater security, the configuration information may be sent only after authentication is complete. The user equipment can be authenticated in many ways; for example, in one optional implementation, before the LGW stores the correspondence, the LGW may forward the authentication information used to authenticate the user equipment to an authentication server and receive the configuration information returned by the authentication server, where the returned information includes the access IP address assigned to the user equipment, the area network that the IP address is allowed to access, and the manner of establishing a secure connection with the access network gateway of that area network.

Before the LGW forwards the authentication information to the authentication server, the LGW may also receive that authentication information from the core network, where the authentication information is entered after the user equipment selects the area network access point name.

There can be many ways of establishing a connection with the access network gateway of the area network; in one optional embodiment they include at least one of: IPSec, SSL, TLS.

In one optional embodiment, when the user equipment is out of service range, the LGW receives a notification that the user equipment is out of service range and deletes the correspondence, which releases resources and saves storage space.

An embodiment of the present invention also provides a data transmission device applied to a local area network gateway (LGW). The device implements the above embodiments and preferred implementations; what has already been described is not repeated. As used below, the term "module" may be a combination of software and/or hardware that realizes a predetermined function. Although the devices described in the following embodiments are preferably implemented in software, implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.

Fig. 2 is a block diagram of a data transmission device according to an embodiment of the present invention. As shown in Fig. 2, it includes an allocation module 22 and a data transmission module 24; each module is briefly described below.

Allocation module 22, configured to assign an IP address to the user equipment according to received configuration information and to store the correspondence between the IP address, the area network that the IP address is allowed to access, and the manner of establishing a secure connection with the access network gateway of that area network;

Data transmission module 24, configured to transmit data through a secure tunnel between the user equipment and the area network corresponding to the user equipment's IP address, where the secure tunnel is established according to the manner of establishing the secure connection.

Fig. 3 is a first block diagram of a data transmission device according to a preferred embodiment of the present invention. As shown in Fig. 3, the device also includes:

Forwarding module 32, configured to forward the authentication information used to authenticate the user equipment to an authentication server;

First receiving module 34, configured to receive the configuration information returned by the authentication server, where the returned information includes the access IP address assigned to the user equipment, the area network that the IP address is allowed to access, and the manner of establishing a secure connection with the access network gateway of that area network.

Fig. 4 is a second block diagram of a data transmission device according to a preferred embodiment of the present invention. As shown in Fig. 4, the device also includes:

Second receiving module 42, configured to receive the authentication information from the core network, where the authentication information is entered after the user equipment selects the area network access point name.

In one optional embodiment, the manner of establishing a connection with the access network gateway of the area network may be determined as at least one of: IPSec, SSL, TLS.

Fig. 5 is a third block diagram of a data transmission device according to a preferred embodiment of the present invention. As shown in Fig. 5, the device also includes:

Third receiving module 52, configured to receive a notification that the user equipment is out of service range;

Deletion module 54, configured to delete the correspondence.

The embodiments of the present invention are further described below in conjunction with optional embodiments.

LIPA introduces a network logical node called the Local Gateway (LGW). HeNB data is aggregated at the LGW and then offloaded. In practice the LGW and the HeNB may be the same physical entity or separate physical entities.

User access to the area network: the user selects the area network APN on the UE and enters a user name and password; the core network passes the area network's user authentication information to the LGW, and the LGW forwards it to the authentication server for authentication.

User authentication: the LGW is deployed inside the area network, and the authentication server the LGW contacts is also inside the area network. The LGW sends the UE's request data to the authentication server; the authentication protocol is generally the standard RADIUS protocol (but is not limited to RADIUS). The authentication information the LGW sends to the authentication server includes a unique identity (UE ID), generally the International Mobile Subscriber Identity (IMSI) of the Universal Subscriber Identity Module (USIM) or the mobile phone number, together with the user name and password with which the UE accesses the APN, and so on.

Access permission allocation: after receiving the authentication request, the authentication server returns the pre-planned information to the UE and the LGW: the user IP with which the user accesses the local network, the access gateway IP, the access permissions, the authentication method, the encryption algorithm, and so on.
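The LGW-to-authentication-server exchange described in the three paragraphs above, written out as an added example (not code from the patent or its assignee). The Access-Request/Access-Accept layout, the User-Password hiding and the Response Authenticator follow RFC 2865, since the text names RADIUS as the usual protocol; the shared secret, user database, addresses, and the use of a Reply-Message string to carry the planned gateway, method and cipher are constructed stand-ins, as is the small attribute parser. The security-relevant point it shows is that the LGW checks the Response Authenticator before trusting any returned access data, so a forged or altered Access-Accept is rejected.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, List, Tuple

# Constructed model of the LGW <-> authentication-server exchange. Packet layout,
# User-Password hiding and Response Authenticator follow RFC 2865; the shared
# secret, user database, addresses and the Reply-Message carrying the planned
# gateway/method/cipher are stand-ins for this example only.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, FRAMED_IP_ADDRESS, REPLY_MESSAGE = 1, 2, 8, 18  # RFC 2865 types
SECRET = b"constructed-shared-secret"   # shared between LGW and server (constructed)

# Constructed pre-planned entries on the authentication server:
# user name -> (password, user IP, planned gateway / method / cipher)
USER_DB = {
    "alice@companyA": ("s3cret", "10.10.1.5", b"gw=198.51.100.10;method=ipsec;cipher=aes-gcm"),
}

def encode_attrs(attrs: List[Tuple[int, bytes]]) -> bytes:
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data: bytes) -> List[Tuple[int, bytes]]:
    out, i = [], 0
    while i + 2 <= len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")  # reject rather than guess
        out.append((t, data[i + 2:i + length]))
        i += length
    return out

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def response_authenticator(code: int, ident: int, req_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(attrs)) + req_auth + attrs + secret).digest()

def lgw_build_request(ident: int, username: str, password: str, secret: bytes) -> Tuple[bytes, bytes]:
    """LGW side: wrap the credentials the UE entered for the APN in an Access-Request."""
    req_auth = os.urandom(16)
    attrs = encode_attrs([(USER_NAME, username.encode()),
                          (USER_PASSWORD, hide_password(password.encode(), secret, req_auth))])
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs), req_auth

def auth_server_handle(request: bytes, secret: bytes) -> bytes:
    """Server side: check the credentials and answer with the pre-planned access data."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth, fields = request[4:20], dict(decode_attrs(request[20:length]))
    entry = USER_DB.get(fields.get(USER_NAME, b"").decode(errors="replace"))
    password = reveal_password(fields.get(USER_PASSWORD, b""), secret, req_auth)
    if code != ACCESS_REQUEST or entry is None or not hmac.compare_digest(password, entry[0].encode()):
        return build_packet(ACCESS_REJECT, ident,
                            response_authenticator(ACCESS_REJECT, ident, req_auth, b"", secret), b"")
    attrs = encode_attrs([(FRAMED_IP_ADDRESS, bytes(int(o) for o in entry[1].split("."))),
                          (REPLY_MESSAGE, entry[2])])
    return build_packet(ACCESS_ACCEPT, ident,
                        response_authenticator(ACCESS_ACCEPT, ident, req_auth, attrs, secret), attrs)

def lgw_parse_response(response: bytes, req_auth: bytes, secret: bytes) -> Dict[str, str]:
    """LGW side: verify the Response Authenticator before trusting any attribute."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    resp_auth, attrs = response[4:20], response[20:length]
    if not hmac.compare_digest(response_authenticator(code, ident, req_auth, attrs, secret), resp_auth):
        raise ValueError("response authenticator mismatch: reply did not come from the server")
    if code != ACCESS_ACCEPT:
        return {"result": "reject"}
    fields = dict(decode_attrs(attrs))
    config = {"result": "accept", "user_ip": ".".join(str(b) for b in fields[FRAMED_IP_ADDRESS])}
    for kv in filter(None, fields.get(REPLY_MESSAGE, b"").decode().split(";")):
        key, _, value = kv.partition("=")
        config[key] = value
    return config

def run_exchange(username: str, password: str) -> Dict[str, str]:
    request, req_auth = lgw_build_request(7, username, password, SECRET)
    return lgw_parse_response(auth_server_handle(request, SECRET), req_auth, SECRET)

def tampered_reply_is_rejected() -> bool:
    """A reply altered in transit must fail the authenticator check on the LGW."""
    request, req_auth = lgw_build_request(8, "alice@companyA", "s3cret", SECRET)
    response = bytearray(auth_server_handle(request, SECRET))
    response[-1] ^= 0x01   # flip one bit inside the last attribute
    try:
        lgw_parse_response(bytes(response), req_auth, SECRET)
    except ValueError:
        return True
    return False
```

`run_exchange("alice@companyA", "s3cret")` returns the accepted user IP together with the planned gateway, method and cipher, while a wrong password or unknown user yields `{"result": "reject"}`. In a real deployment the planned gateway and method would be carried in vendor-specific attributes rather than a Reply-Message string, and the RADIUS exchange itself should run over a protected path (the text places both the LGW and the server inside the area network), since RFC 2865's MD5-based protections only cover the password field and reply integrity.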

Access gateway processing: the area network access gateway needs to filter incoming packets. For sensitive access areas, strong authentication and encryption are recommended, for example establishing an IP Security (IPSec) tunnel, or a Secure Sockets Layer/Transport Layer Security (SSL/TLS) connection, between the LGW and the access gateway. Inside the IPSec tunnel, only packets within a specific range (a specified range of IP addresses, protocols and ports) may access the area network; all other packets are dropped directly.
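The filtering step just described, as an added example that is not part of the patent: a default-deny allow-list applied at the access gateway to packets emerging from the tunnel, matched on source range, destination range, protocol and port range. The subnets, rules and sample packets are constructed for the example; the point is that anything the policy does not explicitly allow (another company's subnet, a port outside the planned set, a source outside the UE pool) is dropped.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed model of the access-gateway filtering described above. Packets
# decapsulated from the tunnel are matched against an allow-list of (source
# range, destination range, protocol, port range) rules; a packet matching no
# rule is dropped (default deny). Addresses, rules and packets are made up.

@dataclass(frozen=True)
class Packet:
    src: str                      # source IP (the UE address assigned by the LGW)
    dst: str                      # destination inside the area network
    proto: str                    # "tcp", "udp" or "icmp"
    dport: Optional[int] = None   # destination port; None for protocols without ports

@dataclass(frozen=True)
class AllowRule:
    src_net: str                  # CIDR range of UE addresses allowed to use this rule
    dst_net: str                  # CIDR range of permitted destinations
    proto: str
    ports: Optional[Tuple[int, int]] = None   # inclusive port range; None = any port

    def matches(self, pkt: Packet) -> bool:
        if pkt.proto != self.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src_net):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst_net):
            return False
        if self.ports is None:
            return True
        if pkt.dport is None:
            return False          # a port rule cannot match a portless packet
        lo, hi = self.ports
        return lo <= pkt.dport <= hi

class AccessGatewayFilter:
    """Default-deny packet filter applied at the area-network access gateway."""

    def __init__(self, rules: List[AllowRule]):
        self.rules = rules

    def decide(self, pkt: Packet) -> bool:
        """True if the packet may enter the area network, False if it is dropped."""
        return any(rule.matches(pkt) for rule in self.rules)

    def apply(self, pkts: List[Packet]) -> List[Tuple[Packet, str]]:
        return [(p, "forward" if self.decide(p) else "drop") for p in pkts]

# Constructed policy for a sensitive (finance) subnet: the UE pool 10.10.1.0/24
# may reach HTTPS (443) and DNS (53) in 192.168.20.0/24 and nothing else.
FINANCE_RULES = [
    AllowRule("10.10.1.0/24", "192.168.20.0/24", "tcp", (443, 443)),
    AllowRule("10.10.1.0/24", "192.168.20.0/24", "udp", (53, 53)),
]

# Constructed packets as they would look after decapsulation at the gateway.
SAMPLE_PACKETS = [
    Packet("10.10.1.5", "192.168.20.10", "tcp", 443),   # allowed: HTTPS to finance
    Packet("10.10.1.5", "192.168.20.10", "udp", 53),    # allowed: DNS
    Packet("10.10.1.5", "192.168.20.10", "tcp", 22),    # dropped: SSH is not in the policy
    Packet("10.10.2.9", "192.168.20.10", "tcp", 443),   # dropped: source outside the UE pool
    Packet("10.10.1.5", "192.168.30.10", "tcp", 443),   # dropped: destination is another area network
    Packet("10.10.1.5", "192.168.20.10", "icmp"),       # dropped: protocol not allowed
]

def run_demo() -> List[str]:
    """Verdict per sample packet, in order."""
    return [verdict for _, verdict in AccessGatewayFilter(FINANCE_RULES).apply(SAMPLE_PACKETS)]

if __name__ == "__main__":
    for pkt, verdict in AccessGatewayFilter(FINANCE_RULES).apply(SAMPLE_PACKETS):
        print(f"{verdict:8s} {pkt.src} -> {pkt.dst} {pkt.proto} {pkt.dport}")
```

Keeping the filter default-deny matters more than the individual rules: the tunnel only proves that the packet came from the LGW, not that the UE behind it is entitled to the destination, so the gateway's allow-list is what enforces the per-company and per-department isolation the text calls for.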

The UE accesses the local network: when the UE accesses the area network, the LGW, before forwarding data, first looks up the gateway IP, access permissions, authentication method, encryption algorithm and so on that correspond to the UE's access to the local network. If the method is IPSec, an IPSec tunnel is established between the LGW and the access gateway assigned by the authentication server; for other secure access methods (such as SSL/TLS), the LGW establishes the corresponding secure connection with the access gateway according to that protocol. For packets sent by the UE to the area network, the LGW encrypts them and sends them to the access gateway, which decrypts them and forwards them to the internal network. For packets from the area network to the UE, the access gateway encrypts them and forwards them to the LGW, which decrypts them and forwards them to the corresponding UE according to the UE's IP.

Resource release: when the UE hands over or leaves the base station, the LGW synchronously deletes the previously stored mapping table of UEs to secure tunnels.

In some large office buildings, each floor may house several smaller companies. Because their floor space is small, these companies share one base station (mostly femto-class small cells), so the indoor network deployment may be provided by a public party such as the property management company. A shared network provided by the property management company to several companies needs to isolate the access rights of the different companies: for example, employees of company A must not be able to access company B's network, and likewise employees of company B must not access company A's network.

When deploying the HeNB and LGW, the property management company may consider establishing secure tunnels between the LGW and the gateways of the different companies, so that users of each company access their own company intranet through a secure tunnel.

In a large enterprise with many departments, some public departments, such as publicity and advertising, may be accessed by every user, whereas departments such as finance must restrict access to certain privileged users. The LGW can negotiate rules with the access servers of the different departments: for example, public publicity material is accessed directly in plain text without encryption, while access to finance and other sensitive departments requires authenticated and encrypted handling between the LGW and the access gateway.

Fig. 6 is a schematic diagram of area network networking according to an embodiment of the present invention. As shown in Fig. 6, an area network is a local wireless network deployed in a limited area; it may be the network of a particular company or of a particular floor. Accessing the area network requires neither replacing the UE nor changing the base station's frequency band; only the APN used for access needs to be changed.

The area network requires the core network to support functions such as local switching. The area network authentication server is placed inside the area network, and the UE's access permissions, IP, access gateway, authentication method, encryption algorithm and so on are all assigned by that authentication server. It is recommended that different companies or different floors be isolated by using different access gateways.

Fig. 7 is a schematic diagram of a UE accessing an area network according to an embodiment of the present invention. As shown in Fig. 7, the UE selects the area network APN; after the user enters the authentication information, the core network passes the area network's user authentication information to the LGW, and the LGW forwards it to the authentication server for authentication.

用户接入认证包括以下步骤:User access authentication includes the following steps:

S702,LGW把认证数据发送给认证服务器,认证服务器认证用户信息,认证通过后,分配UE的接入IP、接入权限和认证方式,主要包括UE的用户IP、接入网关、认证方式、加密算法等信息;S702, the LGW sends the authentication data to the authentication server, and the authentication server authenticates the user information, and after the authentication is passed, allocates the UE's access IP, access authority and authentication method, mainly including the UE's user IP, access gateway, authentication method, and encryption algorithm and other information;

S704,LGW收到认证信息后,将用户IP分配给对应UE,保存对应UE的IP,按照认证服务器分配的认证方式、加密算法等与接入网关建立安全连接;S704. After receiving the authentication information, the LGW assigns the user IP to the corresponding UE, saves the IP of the corresponding UE, and establishes a secure connection with the access gateway according to the authentication method and encryption algorithm assigned by the authentication server;

S706,LGW接收到UE发送给区域网的数据,查询保存的UE和IP和安全隧道的对应关系,如果需要加密,则根据协商的秘钥将数据加密发送给接入网关,接入网关把报文解密,发送给内部网络;如果有区域网内部报文发送给UE,接入网关根据协商的秘钥加密报文,发送给LGW,LGW解密后根据IP转发给不同UE;S706. The LGW receives the data sent by the UE to the area network, and queries the stored correspondence between the UE, the IP, and the security tunnel. If encryption is required, the LGW encrypts the data and sends it to the access gateway according to the negotiated secret key, and the access gateway sends the data to the access gateway. The text is decrypted and sent to the internal network; if there is a local area network internal message sent to the UE, the access gateway encrypts the message according to the negotiated secret key and sends it to the LGW. After the LGW decrypts it, it forwards it to different UEs according to the IP;

S708: if data is exchanged between UEs under the same LGW, it is forwarded directly at the LGW without authentication or encryption processing. If the UE hands over, leaves the base station, loses power, etc., the base station, after detecting that the UE is out of the service range, notifies the LGW to delete the previously stored UE-to-IP correspondence and to tear down the pre-established tunnel connection;

S710: the UE accesses the local network.

The LGW in this optional embodiment needs to implement the following functions; note that these functions may be implemented by different modules.

Authentication function: the LGW needs to encapsulate the authentication information into a message to the authentication server, completing the authentication of UE access.

Secure connection function: the LGW needs to establish a secure connection with the access gateway to ensure reliable transmission of user data.

UE/IP/security tunnel mapping list: the LGW needs to save, for each UE accessing an area network, the mapping between that UE's IP and its security tunnel, send the UE's data over the negotiated security tunnel to the corresponding access gateway, and, when receiving a packet from the area network addressed to the UE, decrypt it and forward it to the corresponding UE.
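The LGW behaviour of steps S702 to S710 and the three LGW functions just listed, as an added Python model that is not the patent's code: the authentication server's result is an assumed AccessConfig record, and the Tunnel class stands in for the IPSec/SSL/TLS connection named in claim 3, using an HMAC-SHA256 keystream with an HMAC tag only to show sealing, tamper rejection and tunnel teardown.

```python
import hashlib, hmac, os
from dataclasses import dataclass

@dataclass
class AccessConfig:
    """Returned by the authentication server after login succeeds (S702)."""
    user_ip: str
    access_gateway: str   # gateway of the area network this IP may reach
    key: bytes            # tunnel key for that gateway; constructed for this example

class Tunnel:
    """Stand-in for the negotiated secure connection (S704); a real LGW uses IPSec/SSL/TLS
    (claim 3). An HMAC-SHA256 keystream plus HMAC tag only illustrates seal/open here."""
    def __init__(self, gateway, key):
        self.gateway, self.key, self.users = gateway, key, set()
    def _stream(self, n, nonce):
        out, i = b"", 0
        while len(out) < n:
            out += hmac.new(self.key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
            i += 1
        return out[:n]
    def seal(self, data, nonce=None):
        nonce = nonce or os.urandom(8)   # a nonce must never repeat under one key
        body = bytes(a ^ b for a, b in zip(data, self._stream(len(data), nonce)))
        tag = hmac.new(self.key, nonce + body, hashlib.sha256).digest()[:16]
        return nonce + body + tag
    def open(self, blob):
        nonce, body, tag = blob[:8], blob[8:-16], blob[-16:]
        expect = hmac.new(self.key, nonce + body, hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(tag, expect):
            raise ValueError("tunnel integrity check failed")   # drop the packet
        return bytes(a ^ b for a, b in zip(body, self._stream(len(body), nonce)))

class LGW:
    """Holds the UE / IP / security-tunnel mapping list and forwards by it."""
    def __init__(self):
        self.ue_ip, self.ip_ue, self.ip_tunnel, self.tunnels = {}, {}, {}, {}
    def on_auth_result(self, ue, cfg):            # S704: bind UE to IP and tunnel
        t = self.tunnels.setdefault(cfg.access_gateway, Tunnel(cfg.access_gateway, cfg.key))
        t.users.add(ue)
        self.ue_ip[ue], self.ip_ue[cfg.user_ip], self.ip_tunnel[cfg.user_ip] = cfg.user_ip, ue, t
    def uplink(self, ue, dst_ip, data):            # S706 / S708: uplink decision
        if ue not in self.ue_ip:                   # unauthenticated UE gets no path
            raise PermissionError(f"{ue} not authenticated")
        if dst_ip in self.ip_ue:                   # peer UE under this LGW: no tunnel
            return ("local", self.ip_ue[dst_ip], data)
        t = self.ip_tunnel[self.ue_ip[ue]]         # otherwise seal into the UE's tunnel
        return ("tunnel", t.gateway, t.seal(data))
    def downlink(self, gateway, blob, dst_ip):     # S706: open, then route by IP
        return (self.ip_ue[dst_ip], self.tunnels[gateway].open(blob))
    def ue_left(self, ue):                         # S708: UE out of service range
        ip = self.ue_ip.pop(ue)
        t, _ = self.ip_tunnel.pop(ip), self.ip_ue.pop(ip)
        t.users.discard(ue)
        if not t.users:                            # tear down tunnel once unused
            del self.tunnels[t.gateway]
```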

Obviously, those skilled in the art should understand that each module or step of the present invention described above can be implemented by a general-purpose computing device; they may be concentrated on a single computing device or distributed over a network formed by multiple computing devices. Optionally, they may be implemented in program code executable by a computing device, so that they can be stored in a storage device and executed by the computing device; in some cases the steps shown or described may be performed in an order different from that given here, or they may be fabricated as individual integrated circuit modules, or several of the modules or steps may be fabricated as a single integrated circuit module. As such, the present invention is not limited to any specific combination of hardware and software.

The above descriptions are only preferred embodiments of the present invention and are not intended to limit it; for those skilled in the art, the present invention may have various modifications and variations. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present invention shall be included within its protection scope.

Claims (8)

1. A data transmission method, comprising: a local area network gateway (LGW) allocating an IP address to a user equipment according to received configuration information, and saving the correspondence between the IP address, the area network that the IP address can access, and the manner of establishing a secure connection with the access network gateway of that area network; the LGW transmitting data through a security tunnel between the user equipment and the area network corresponding to the user equipment's IP address, wherein the security tunnel is established according to the manner of establishing the secure connection; wherein, before the LGW saves the correspondence, the method further comprises: the LGW forwarding authentication information used to authenticate the user equipment to an authentication server; and the LGW receiving the configuration information returned by the authentication server, wherein the returned information comprises the access IP address allocated to the user equipment, the area network that the IP address can access, and the manner of establishing a secure connection with the access network gateway of that area network.

2. The method according to claim 1, wherein before the LGW forwards the authentication information used to authenticate the user equipment to the authentication server, the method further comprises: the LGW receiving the authentication information from the core network, wherein the authentication information is input after the user equipment selects the area network access point name.

3. The method according to any one of claims 1 to 2, wherein the manner of establishing a connection with the access network gateway of the area network comprises at least one of: IPSec, SSL, TLS.

4. The method according to any one of claims 1 to 2, further comprising: the LGW receiving a notification that the user equipment is out of service range; and the LGW deleting the correspondence.

5. A data transmission device, applied to a local area network gateway (LGW), comprising: an allocation module, configured to allocate an IP address to a user equipment according to received configuration information, and to save the correspondence between the IP address, the area network that the IP address can access, and the manner of establishing a secure connection with the access network gateway of that area network; a data transmission module, configured to transmit data through a security tunnel between the user equipment and the area network corresponding to the user equipment's IP address, wherein the security tunnel is established according to the manner of establishing the secure connection; wherein the device further comprises: a forwarding module, configured to forward authentication information used to authenticate the user equipment to an authentication server; and a first receiving module, configured to receive the configuration information returned by the authentication server, wherein the returned information comprises the access IP address allocated to the user equipment, the area network that the IP address can access, and the manner of establishing a secure connection with the access network gateway of that area network.

6. The device according to claim 5, further comprising: a second receiving module, configured to receive the authentication information from the core network, wherein the authentication information is input after the user equipment selects the area network access point name.

7. The device according to any one of claims 5 to 6, wherein the manner of establishing a connection with the access network gateway of the area network comprises at least one of: IPSec, SSL, TLS.

8. The device according to any one of claims 5 to 6, further comprising: a third receiving module, configured to receive a notification that the user equipment is out of service range; and a deletion module, configured to delete the correspondence.
CN201410677400.6A 2014-11-21 2014-11-21 Data transferring method and device Active CN105681268B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201410677400.6A CN105681268B (en) 2014-11-21 2014-11-21 Data transferring method and device
PCT/CN2015/079517 WO2016078375A1 (en) 2014-11-21 2015-05-21 Data transmission method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410677400.6A CN105681268B (en) 2014-11-21 2014-11-21 Data transferring method and device

Publications (2)

Publication Number Publication Date
CN105681268A CN105681268A (en) 2016-06-15
CN105681268B true CN105681268B (en) 2019-09-24

Family

ID=56013215

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410677400.6A Active CN105681268B (en) 2014-11-21 2014-11-21 Data transferring method and device

Country Status (2)

Country Link
CN (1) CN105681268B (en)
WO (1) WO2016078375A1 (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108076162B (en) * 2016-11-18 2021-07-16 中兴通讯股份有限公司 A kind of mobile terminal networking method and device
CN106792688A (en) * 2016-12-15 2017-05-31 中磊电子(苏州)有限公司 For the method for network traffics route
CN106982427B (en) * 2017-04-14 2020-08-18 北京佰才邦技术有限公司 Connection establishment method and device
CN116015733B (en) * 2022-12-03 2026-04-10 公安部第三研究所 An access control system and method based on authentication and resource access management
CN116055220B (en) * 2023-03-20 2023-08-01 睿至科技集团有限公司 Internet of things terminal safety protection management and control method and system

Citations (5)

Publication number Priority date Publication date Assignee Title
CN101483606A (en) * 2009-02-26 2009-07-15 中国网络通信集团公司 Internal data switch control method for home gateway and home gateway therefor
CN102098237A (en) * 2011-01-27 2011-06-15 大唐移动通信设备有限公司 Gateway equipment, method for using gateway equipment and information transmission method and equipment
WO2011053040A3 (en) * 2009-11-02 2011-10-27 Lg Electronics Inc. Nat traversal for local ip access
CN102256329A (en) * 2010-05-19 2011-11-23 中兴通讯股份有限公司 Path selection method and device
CN102396250A (en) * 2009-04-17 2012-03-28 松下电器产业株式会社 Apparatus for management of local ip access in segmented mobile communication system

Family Cites Families (5)

Publication number Priority date Publication date Assignee Title
CN101286919B (en) * 2007-04-11 2010-11-10 杭州华三通信技术有限公司 Method and device for implementing inter-access between virtual private networks by conversion of network addresses
CN101448264A (en) * 2008-12-22 2009-06-03 杭州华三通信技术有限公司 Access control method and system of access subscribers
CN102056141B (en) * 2009-11-04 2013-11-06 中兴通讯股份有限公司 System and method for realizing local access
CN102457931B (en) * 2010-10-22 2016-06-29 中兴通讯股份有限公司 A kind of data route control method and system
CN102833682B (en) * 2011-06-14 2018-04-27 中兴通讯股份有限公司 Information acquisition method, apparatus and system

Patent Citations (5)

Publication number Priority date Publication date Assignee Title
CN101483606A (en) * 2009-02-26 2009-07-15 中国网络通信集团公司 Internal data switch control method for home gateway and home gateway therefor
CN102396250A (en) * 2009-04-17 2012-03-28 松下电器产业株式会社 Apparatus for management of local ip access in segmented mobile communication system
WO2011053040A3 (en) * 2009-11-02 2011-10-27 Lg Electronics Inc. Nat traversal for local ip access
CN102256329A (en) * 2010-05-19 2011-11-23 中兴通讯股份有限公司 Path selection method and device
CN102098237A (en) * 2011-01-27 2011-06-15 大唐移动通信设备有限公司 Gateway equipment, method for using gateway equipment and information transmission method and equipment

Also Published As

Publication number Publication date
WO2016078375A1 (en) 2016-05-26
CN105681268A (en) 2016-06-15

Similar Documents

Publication Publication Date Title
US11963242B2 (en) Communication method and apparatus
CN101321383B (en) Communication system and method, household base station gateway and home subscriber server
CN110087236B (en) Protocol for establishing a secure communication session with an anonymous host over a wireless network
KR102332020B1 (en) Communication method and communication device
US11617075B2 (en) Terminal information transfer method and relevant products
KR102769532B1 (en) Method, device and system for generating and managing application keys in a communication network for encrypted communication with service applications
CN111869182B (en) Method for authenticating equipment, communication system, communication equipment
US8914520B2 (en) System and method for providing enterprise integration in a network environment
TW201703556A (en) Network security architecture
CN114205925B (en) Control devices and storage media
KR101936662B1 (en) Access node device for forwarding data packets
JP2006502647A (en) Method and system for establishing a connection through an access network
CN111818516A (en) Authentication method, device and equipment
JP2011024065A (en) Cryptographic communication system and gateway device
CN107615732A (en) Session is received to virtual network service
CN105681268B (en) Data transferring method and device
CN109788474A (en) A kind of method and device of message protection
US20120257565A1 (en) Mobile network traffic management
CN112105016A (en) System and method for wireless network access protection and security architecture
CN106231605A (en) For dynamic creation and the method for deletion vWLAN in shared fixed access network
WO2017167249A1 (en) Private network access method, device and system
CN116233953A (en) Data transmission method, device, equipment and storage medium
US20250227465A1 (en) Communication method and communication apparatus
CN111147273A (en) A method for realizing data security and related equipment
US20160337859A1 (en) System, methods and apparatuses for providing network access security control

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20190717

Address after: 210012 Nanjing, Yuhuatai District, South Street, Bauhinia Road, No. 68

Applicant after: Nanjing Zhongxing Software Co., Ltd.

Address before: 518057 Nanshan District science and technology, Guangdong Province, South Road, No. 55, No.

Applicant before: ZTE Corporation

GR01 Patent grant