WO2018050007A1 - Method and apparatus for accessing a local network by a user terminal, and computer storage medium - Google Patents
- Publication number: WO2018050007A1 (application PCT/CN2017/100636)
- Authority: WO, WIPO (PCT)
- Prior art keywords: user, local network, packet, access, subnet
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Ceased
Classifications
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION; H04L63/00—Network architectures or network communication protocols for network security; H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION; H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols; H04L9/40—Network security protocols
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION; H04L63/00—Network architectures or network communication protocols for network security; H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
Definitions
- the present disclosure relates to the field of communications technologies, and in particular, to a method and apparatus for accessing a local network by a user terminal and a computer storage medium.
- a private network (non-Internet) deployed near the carrier's mobile network base station is collectively referred to as a local network.
- the uplink packet sent by the user equipment (UE) to the mobile network passes through the LTE (Long Term Evolution) air interface, the mobile network base station eNB, the backhaul network (Backhaul) and the core network EPC, then enters the Internet (the backbone network and the metropolitan area network), enters the enterprise firewall from the Internet, is authenticated by the VPN gateway and finally accesses the server of the intranet.
- the downlink packet sent by the mobile network to the user terminal follows the opposite path.
- the user terminal therefore accesses the local network by entering the enterprise network from the public network, that is, the Internet; the access path passes through many nodes and the network delay is large.
- a method for a user terminal to access a local network comprising:
- the S1-U uplink packet is disassembled, the source IP address and the source port number in the user IP packet are converted into the device IP address and the mapped port number, the local network packet is re-encapsulated, and the local network packet is forwarded to the next hop address of the subnet where the destination address is located.
- a device for a user terminal to access a local network comprising:
- the local network packet identification module is configured to receive the user plane S1-U uplink packet, and identify and intercept the local network access packet in the S1-U uplink packet;
- a local network access processing module configured to determine the user type of the user terminal corresponding to the local network access message and verify the local network access privilege of the user terminal according to the user type and the destination address in the local network access message; if the verification passes, the S1-U uplink packet is disassembled, the source IP address and the source port number in the user IP packet are converted into the device IP address and the mapped port number, the local network packet is re-encapsulated, and the local network packet is forwarded to the next hop address of the subnet where the destination address is located.
- An apparatus for a user terminal to access a local network wherein the processor and the memory storing the processor-executable instructions perform the following operations when the instructions are executed by the processor:
- the S1-U uplink packet is disassembled, the source IP address and the source port number in the user IP packet are converted into the device IP address and the mapped port number, the local network packet is re-encapsulated, and the local network packet is forwarded to the next hop address of the subnet where the destination address is located.
- a computer storage medium having stored therein one or more programs executable by a computer, the one or more programs being executed by the computer to cause the computer to perform the method.
- in the method and device for accessing the local network by the user terminal, the S1-U uplink packet is received, the local network access packet in the S1-U uplink packet is identified and intercepted, and the intercepted local network access packet is not sent to the core network, so the number of access path nodes is reduced.
- the user type of the user terminal corresponding to the local network access message is determined, and the local network access authority of the user terminal is verified according to the user type and the destination address in the local network access message; if the verification passes, the S1-U uplink packet is disassembled, the source IP address and source port number in the user IP packet are translated into the device IP address and the mapped port number, the local network packet is re-encapsulated, and the local network packet is forwarded to the next hop address of the subnet where the destination address is located.
- only the local network access packets that pass the verification are forwarded, ensuring the security of the local network information, so that the user terminal can quickly and securely access the local network.
- FIG. 1 is an application environment diagram of a method for a user terminal to access a local network in an embodiment
- FIG. 2 is a diagram showing the internal structure of the server of FIG. 1 in an embodiment
- FIG. 3 is a flow chart of a method for a user terminal to access a local network in an embodiment
- FIG. 5 is a flow chart of local network access authority verification in an embodiment
- FIG. 6 is a flowchart of determining, according to an embodiment, whether a user access right meets the access right corresponding to a destination subnet type
- FIG. 7 is a flow chart of initiating a user type modification request in an embodiment
- FIG. 8 is a flow chart of modifying a user type according to a decision algorithm in an embodiment
- FIG. 9 is a timing diagram of querying a local network domain name by a user terminal in a specific embodiment
- FIG. 10 is a sequence diagram of an uplink packet of a user terminal accessing a local network DMZ subnet in a specific embodiment
- FIG. 11 is a sequence diagram of a user terminal accessing a local network DMZ downlink message in a specific embodiment
- FIG. 12 is a timing diagram of a local network DMZ visitor authorization in a specific embodiment
- FIG. 13 is a timing diagram of a user terminal accessing a local line message in a local network in a specific embodiment
- FIG. 14 is a timing diagram of a downlink message received by a user terminal in an intranet of a local network in a specific embodiment
- FIG. 15 is a timing diagram of a local network intranet authorization in a specific embodiment
- FIG. 16 is a structural block diagram of an apparatus for a user terminal to access a local network in an embodiment
- FIG. 17 is a structural block diagram of an apparatus for a user terminal to access a local network in another embodiment
- FIG. 18 is a structural block diagram of a local network access processing module in an embodiment
- FIG. 19 is a structural block diagram of an apparatus for accessing a local network by a user terminal in still another embodiment
- FIG. 20 is a structural block diagram of an apparatus for a user terminal to access a local network in still another embodiment
- FIG. 21 is a structural block diagram of a first verification unit in an embodiment
- FIG. 22 is a structural block diagram of a local network access processing module in an embodiment
- FIG. 23 is a structural block diagram of a local network access authorization module in an embodiment
- FIG. 24 is a structural block diagram of an apparatus for a user terminal to access a local network in still another embodiment
- FIG. 25 is a schematic diagram of the internal structure of a mobile network base station after a user equipment accesses a local network device in an embodiment
- FIG. 26 is a structural block diagram of a system for a user terminal to access a local network in an embodiment
- FIG. 27 is a schematic diagram showing the internal structure of a system in which a user terminal accesses a local network in an embodiment
- FIG. 28 is a schematic diagram showing the internal structure of a system in which a user terminal accesses a local network in another embodiment.
- the application environment includes a terminal 110, an eNodeB eNB 120, a server 130, an enterprise DMZ zone 140 and an enterprise intranet 150, wherein the enterprise DMZ zone 140 includes a VPN gateway 141, a reverse proxy server 142 and a firewall 143, and the enterprise intranet 150 includes a choke router (blocking router) 151, a public server 152 and an APP application server 153.
- the devices in the application environment may be increased or decreased according to the actual deployment.
- the terminal 110 is a device that can communicate using a mobile communication network, including but not limited to an intelligent terminal, a mobile communication industrial device, an Internet of Things (IoT) device, and the like.
- when the user terminal accesses the local network, it directly accesses the enterprise network after the user terminal authority verification on the mobile network base station side.
- the uplink packet and the downlink packet do not need to pass through the backhaul network Backhaul, the core network EPC and the Internet, so the local network can be accessed quickly and securely.
- the application environment can be applied to various scenarios, such as: intranet access for mobile office; wireless interconnection between industrial devices, where the industrial device data is enterprise private data, the amount of data is large, the real-time requirements are high, and the data is transmitted wirelessly to the enterprise network; wireless transmission from commercial premises such as large shopping malls to the network server of the mall, for example VR (Virtual Reality) and AR (Augmented Reality) promotion activities launched by merchants, which transmit large amounts of data with high real-time requirements wirelessly to the mall network server; and large-scale events or exhibitions where a large amount of video is wirelessly transmitted to the server in the venue.
- the internal structure of server 130 in FIG. 1 is as shown in FIG. 2, which includes a processor, storage medium, memory, and network interface connected by a system bus.
- the storage medium of the server 130 stores an operating system, a database and a device for the user terminal to access the local network; the database is used to store data such as a user record table, and the device is used to implement a method, applicable to the server 130, for a user terminal to access a local network.
- the processor of the server 130 is used to provide computing and control capabilities to support the operation of the entire server 130.
- the memory of the server 130 provides the running environment for the device, stored in the storage medium, for the user terminal to access the local network.
- the network interface of the server 130 is used to communicate with the base station eNB 120, the enterprise network, and the operator Backhaul through a network connection, such as receiving an uplink message sent by the base station eNB 120.
- Server 130 typically employs a high performance web server.
- a method for a user terminal to access a local network is provided, which is applied to the application environment, and includes the following steps:
- Step S110 Receive an uplink packet of the user plane S1-U, and identify and intercept the local network access packet in the uplink packet of the S1-U.
- when the terminal needs to access the local network, it sends an air interface packet encapsulating the user packet to the base station, where the source IP address of the user packet (the IP packet) is the UE PDN IP, that is, the IP address assigned to the user terminal UE by the mobile network after registration in the mobile network is completed.
- after receiving the air interface packet, the base station extracts the user packet and encapsulates it in an S1-U tunnel packet for transmission.
- the solution needs to obtain the source IP address as the user identifier, and identify different user terminals by using the source IP address.
- the mobile network base station and the core network use a tunnel to transmit user packets.
- the mobile network base station and the core network each assign a unique S1-U tunnel identifier TEID (Tunnel Endpoint Identifier) to each user terminal.
- the tunnel identifier assigned by the base station is called the mobile network base station tunnel identifier, and the tunnel identifier assigned by the core network is called the core network tunnel identifier.
- the downlink packets sent to the mobile network base station are packaged into S1-U (S1 User Plane) user plane packets carrying the mobile network base station TEID; the base station distinguishes different users by the mobile network base station tunnel identifier TEID, packages the user packet into an air interface message and sends it to the corresponding user terminal.
- the uplink packet sent by the mobile network base station eNB to the core network needs to be packaged into an S1-U packet carrying the core network tunnel identifier; the core network identifies the user according to the core network tunnel identifier and sends the packet to the Internet after processing.
- the local network access packet in the user plane S1-U uplink packet can be identified and intercepted by the local network packet identification module deployed on the base station or on the server. If the module is deployed in the base station, the local network access packet can be identified and intercepted before the base station sends the S1-U uplink packet, so that only the identified local network access packets are sent to the subsequent processing module, reducing the load on the subsequent processing modules. If the module is deployed in the server, the local network access packet is not sent to the core network by the server while it forwards the S1-U uplink packets to the core network.
- the local network access packet is a packet matching the local network access packet feature rule.
- the local network access packet feature list is configured to compare and analyze the user packets in the S1-U uplink packet one by one.
- in the configured local network access packet feature list, each record contains a subnet segment and the associated protocol number, port number, etc.; the protocol number and port number fields are optional.
- an example local network access packet feature list record is: "address: 10.1.0.0, subnet mask: 255.255.0.0, protocol number: 6, port number: 443"; in the description, the address 10.1.0.0 with subnet mask 255.255.0.0 is usually written as the subnet 10.1.0.0/16 instead.
- the destination address, protocol number and destination port number are extracted from the user packet in the S1-U uplink packet and compared with the local network access packet feature list; only a packet whose features match is a local network access packet. For example, if the user accesses the HTTPS service of hr.ttt.com.cn (IP address 10.1.2.1), the destination address 10.1.2.1 matches 10.1.0.0/16.
- the intercepted local network access messages are not sent to the core network, and only non-local network access messages are sent to the core network.
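To make the interception step concrete, the following is an added Python example, not code from the patent, that disassembles a constructed S1-U uplink packet and matches the inner user packet against a feature list like the one above. It assumes, as 3GPP S1-U does in practice, that the tunnel carries user packets as GTPv1-U G-PDU messages (an 8-byte header plus optional sequence/extension fields), which the page itself does not spell out; the second feature record, the TEID values and the UE address 100.64.0.5 are constructed sample values.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional

GTPU_G_PDU = 0xFF             # GTPv1-U message type carrying a user packet
IPPROTO_TCP, IPPROTO_UDP = 6, 17


@dataclass(frozen=True)
class FeatureRecord:
    """One record of the local network access packet feature list; protocol and port are optional."""
    subnet: ipaddress.IPv4Network
    protocol: Optional[int] = None
    port: Optional[int] = None

    def matches(self, dst_ip: str, protocol: int, dst_port: Optional[int]) -> bool:
        if ipaddress.ip_address(dst_ip) not in self.subnet:
            return False
        if self.protocol is not None and self.protocol != protocol:
            return False
        return self.port is None or self.port == dst_port


# Constructed feature list: the page's record (10.1.0.0/16, TCP, 443) plus a record
# with the optional protocol/port fields left empty.
FEATURE_LIST: List[FeatureRecord] = [
    FeatureRecord(ipaddress.ip_network("10.1.0.0/16"), IPPROTO_TCP, 443),
    FeatureRecord(ipaddress.ip_network("10.1.3.0/24")),
]


def parse_gtpu(frame: bytes):
    """Disassemble a GTPv1-U G-PDU: return (TEID, inner user IP packet)."""
    flags, msg_type, length, teid = struct.unpack("!BBHI", frame[:8])
    if flags >> 5 != 1 or msg_type != GTPU_G_PDU:
        raise ValueError("not a GTPv1-U G-PDU")
    offset = 8
    if flags & 0x07:          # S, PN or E flag: 4 optional bytes (seq, N-PDU, next ext type)
        next_ext = frame[11]
        offset = 12
        while next_ext != 0:  # extension headers: length in 4-byte units, last byte = next type
            ext_len = frame[offset] * 4
            next_ext = frame[offset + ext_len - 1]
            offset += ext_len
    return teid, frame[offset:8 + length]   # 'length' counts bytes after the 8-byte header


def parse_user_packet(ip_packet: bytes):
    """Extract (src_ip, dst_ip, protocol, src_port, dst_port) from the inner IPv4 packet."""
    ver_ihl = ip_packet[0]
    if ver_ihl >> 4 != 4:
        raise ValueError("only IPv4 user packets are handled in this example")
    ihl = (ver_ihl & 0x0F) * 4
    protocol = ip_packet[9]
    src_ip = str(ipaddress.IPv4Address(ip_packet[12:16]))
    dst_ip = str(ipaddress.IPv4Address(ip_packet[16:20]))
    src_port = dst_port = None
    if protocol in (IPPROTO_TCP, IPPROTO_UDP):   # ports sit at the same offsets in both headers
        src_port, dst_port = struct.unpack("!HH", ip_packet[ihl:ihl + 4])
    return src_ip, dst_ip, protocol, src_port, dst_port


def classify_uplink(frame: bytes, feature_list: List[FeatureRecord]) -> Optional[FeatureRecord]:
    """Return the matching record (local network access packet) or None (goes on to the core network)."""
    _teid, inner = parse_gtpu(frame)
    _src, dst_ip, protocol, _sport, dst_port = parse_user_packet(inner)
    for record in feature_list:
        if record.matches(dst_ip, protocol, dst_port):
            return record
    return None


def build_uplink(teid, src_ip, dst_ip, protocol, src_port, dst_port, with_seq=False) -> bytes:
    """Constructed test input: minimal IPv4 + transport header inside a GTP-U G-PDU."""
    l4 = struct.pack("!HH", src_port, dst_port) + bytes(16)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, protocol, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed) + l4
    if with_seq:   # S flag set: sequence number 1, N-PDU 0, no extension header
        return struct.pack("!BBHI", 0x32, GTPU_G_PDU, len(ip) + 4, teid) + b"\x00\x01\x00\x00" + ip
    return struct.pack("!BBHI", 0x30, GTPU_G_PDU, len(ip), teid) + ip


if __name__ == "__main__":
    hit = classify_uplink(build_uplink(0x1234, "100.64.0.5", "10.1.2.1", IPPROTO_TCP, 40000, 443), FEATURE_LIST)
    print("HTTPS to 10.1.2.1 intercepted:", hit is not None)
```

Only the destination side of the user packet decides interception, exactly as the feature list describes; the source address is extracted too because the later steps use it as the user identifier.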
- Step S120 Determine a user type of the user terminal corresponding to the local network access message, and verify the local network access right of the user terminal according to the user type and the destination address in the local network access message.
- different user types have different access rights.
- the types of specific user types and corresponding rights can be customized according to requirements.
- different types of user types can be set according to the division of the local network area.
- the user type of the user terminal can be determined according to the network segment where the user terminal is located; for example, a user terminal with a fixed IP address can be set as a high-privilege user, and different fixed rights are assigned to different user terminals.
- a user type can also be requested from the local network access authorization module; based on the authorization decision algorithm, the current network communication status parameters, the area of the local network being visited and the like, the module authorizes the user terminal a corresponding dynamic user type with different rights, updates the user type in real time according to the current network communication status, and can thereby control in real time the number of user terminals accessing the local network. The user type of the user terminal can also be obtained by looking up the user record table; if there is no user record corresponding to the user terminal in the user record table, an authorized user type must be requested from the local network access authorization module.
- the verification is passed only if the local network access right of the user terminal matches the permission required by the destination address in the local network access message accessed.
- the local network can be divided into different areas, such as the DMZ area (Demilitarized Zone, also known as the quarantine area) and the internal network. Access to different areas requires different access rights.
- the local network access authorization module may process the request according to the user type and adopt different authorization decision algorithms, so that different access rules are set for different areas according to the confidentiality of their content, which is flexible and convenient.
- before the authorization is decided, the user can be authenticated by the VPN gateway; only a user authenticated as an internal user can apply for a specific user type, which further ensures the security of the user type authorization.
- Step S130 If the verification succeeds, the S1-U uplink packet is disassembled, the source IP address and the source port number in the user IP packet are converted into the device IP address and the mapped port number, the local network packet is re-encapsulated, and the local network packet is forwarded to the next hop address of the subnet where the destination address is located.
- the source IP address and the source port number carried in the user packet are extracted and converted into the device IP address and the mapped port number.
- the IP address of the device is the IP address of the device in the local network.
- the number of device IP addresses can be set according to the number of network cards of the device. Each network card can also be configured with multiple device IP addresses.
- the source IP address assigned by the mobile network to the user terminal is uniformly converted into the device IP address to ensure the correct IP address transmitted in the local network.
- the source port number carried in the user packet also needs to be converted into a mapped port number: since user packets from different user terminals may carry the same source port number, the port number must be reassigned under the local network address so that each combination of device IP address + mapped port number is unique during transmission, thus ensuring the correctness of data transmission.
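The translation step above is a source NAT keyed on the UE PDN IP and source port. The following added Python example, written for this page and not taken from the patent, keeps the forward table (UE flow to device IP + mapped port), the reverse table needed to return downlink packets to the right user terminal, and allocates ports across several device IP addresses, as the text allows; the device addresses 10.1.250.1/10.1.250.2 and the port range are constructed values.

```python
from typing import Dict, List, Optional, Tuple

# Mobile-side flow key: (UE PDN IP, source port, IP protocol number)
Flow = Tuple[str, int, int]
# Local-network-side identity: (device IP, mapped port)
Mapping = Tuple[str, int]


class SourceTranslator:
    """Map (UE PDN IP, source port) to (device IP, mapped port) so that every device IP +
    mapped port combination in the local network is unique, and keep the reverse table."""

    def __init__(self, device_ips: List[str], port_range: Tuple[int, int] = (10000, 60000)):
        if not device_ips:
            raise ValueError("at least one device IP address is required")
        self.device_ips = list(device_ips)
        self.port_range = port_range
        self.forward: Dict[Flow, Mapping] = {}
        # (device_ip, mapped_port, protocol) -> flow; ports are independent per protocol
        self.reverse: Dict[Tuple[str, int, int], Flow] = {}
        self._next_port: Dict[Tuple[str, int], int] = {}   # (device_ip, protocol) -> next candidate

    def _allocate(self, protocol: int) -> Mapping:
        """Pick a free mapped port, moving on to the next device IP when one is exhausted."""
        lo, hi = self.port_range
        span = hi - lo
        for dev_ip in self.device_ips:
            start = self._next_port.get((dev_ip, protocol), lo)
            for i in range(span):
                port = lo + (start - lo + i) % span
                if (dev_ip, port, protocol) not in self.reverse:
                    self._next_port[(dev_ip, protocol)] = port + 1
                    return dev_ip, port
        raise RuntimeError("mapping table exhausted on every device IP address")

    def translate_uplink(self, ue_ip: str, src_port: int, protocol: int) -> Mapping:
        """Uplink: return the (device IP, mapped port) to write into the re-encapsulated packet."""
        flow = (ue_ip, src_port, protocol)
        mapping = self.forward.get(flow)
        if mapping is None:
            mapping = self._allocate(protocol)
            self.forward[flow] = mapping
            self.reverse[(mapping[0], mapping[1], protocol)] = flow
        return mapping

    def translate_downlink(self, device_ip: str, mapped_port: int, protocol: int) -> Optional[Flow]:
        """Downlink: recover the UE PDN IP and original port for a packet from the local network."""
        return self.reverse.get((device_ip, mapped_port, protocol))

    def release(self, ue_ip: str, src_port: int, protocol: int) -> None:
        """Free a mapping (e.g. when the flow ends) so its port can be reused."""
        mapping = self.forward.pop((ue_ip, src_port, protocol), None)
        if mapping is not None:
            del self.reverse[(mapping[0], mapping[1], protocol)]


if __name__ == "__main__":
    nat = SourceTranslator(["10.1.250.1", "10.1.250.2"])
    # two user terminals using the same source port must not collide in the local network
    print(nat.translate_uplink("100.64.0.5", 40000, 6), nat.translate_uplink("100.64.0.6", 40000, 6))
```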
- the access path of the user terminal 110 to the APP application server 153 is shown as route 160 in FIG. 1: it passes through the access path nodes base station eNB 120, server 130, VPN gateway 141, firewall 143 and choke router 151 to reach the APP application server 153, without passing through the backhaul network, the core network EPC or the Internet, so the number of access path nodes is greatly reduced, the network delay is reduced and the transmission rate is increased.
- by receiving the S1-U uplink packet, the local network access packet in the S1-U uplink packet is identified and intercepted, and the intercepted local network access packet is not sent to the core network, which reduces the number of access path nodes.
- the user type of the user terminal corresponding to the local network access packet is determined, and the local network access authority of the user terminal is verified according to the user type and the destination address in the local network access message; if the verification passes, the S1-U uplink packet is disassembled, the source IP address and the source port number of the user IP packet are translated into the device IP address and the mapped port number, and the local network packet is re-encapsulated and forwarded to the next hop address of the subnet where the destination address is located. Only the local network access packets that pass the verification are forwarded, ensuring the security of the local network information, so that the user terminal can quickly and securely access the local network.
- the method further includes:
- step S210 the S1-U uplink packet is received, and the domain name system DNS query message of the local network domain name in the S1-U uplink packet is identified and intercepted.
- the local network IP address corresponding to the local network server domain name (such as hr.ttt.com.cn) needs to be obtained first. If the IP address of the local network server to be accessed has been obtained in advance, for example for frequent access to a fixed local network server, the local network IP address can be pre-stored and carried directly in the local network access message that is sent. In general, however, the IP address corresponding to the local network domain name has to be obtained through a DNS query packet.
- the local network packet identification module deployed in the base station or the server can identify and intercept the DNS query message of the local network domain name in the S1-U uplink packet.
- the local network domain name query message is a standard DNS query message sent by the user terminal to the public network DNS server.
- the local network packet identification module analyzes the domain name in the DNS query packet and matches it against each domain name record in the configured local network domain name list to check whether the matching succeeds; if so, the packet is identified as a local network domain name query message.
- each record complies with the FQDN (Fully Qualified Domain Name) rule. If ttt.com.cn is a record in the local network domain name list and the domain name in the DNS query message is hr.ttt.com.cn or ims.ttt.com.cn, the matching is successful.
- Step S220 The DNS response packet carrying the local network IP address is configured according to the DNS query message of the local network domain name, and the DNS response packet is returned to the terminal, and the local network IP address is carried as the destination address in the local network access packet.
- the local network IP address corresponding to the domain name may be obtained from the local network domain name configuration information and a DNS query response message constructed, or the query may be forwarded to an external dedicated local network domain name DNS server to obtain the local network IP address corresponding to the domain name, after which the DNS query response message is constructed.
- the local network IP address corresponding to each local network domain name is configured in the local network domain name configuration information, such as hr.ttt.com.cn corresponding to the address 10.1.2.1 and ims.ttt.com.cn corresponding to the address 10.1.3.2.
- the lifetime of the domain name record, that is, the TTL (Time To Live), also needs to be configured.
- the DNS response packet is returned to the terminal, where the DNS response packet carries the local network domain name and the corresponding local network IP address; the terminal subsequently uses the local network IP address as the destination address when sending the local network access message corresponding to the local network domain name.
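Steps S210 and S220 together amount to a small DNS interceptor: suffix-match the queried name against the local network domain name list, look up the configured address and TTL, and answer the terminal directly. The following Python example is added here and is not the patent's own code; it uses the page's names and addresses (ttt.com.cn, hr.ttt.com.cn at 10.1.2.1, ims.ttt.com.cn at 10.1.3.2) and a constructed TTL of 300 seconds. It matches only on label boundaries, so a look-alike such as xttt.com.cn is not treated as local, and returns None for anything it should not answer (non-local names, non-A queries, or local names with no configured address, which the page says may instead be forwarded to the dedicated local network DNS server).

```python
import ipaddress
import struct
from typing import Dict, List, Optional, Tuple

# Constructed configuration: local network domain name list (FQDN rule) and
# local network domain name configuration: domain -> (local network IP, TTL seconds)
LOCAL_DOMAIN_LIST: List[str] = ["ttt.com.cn"]
LOCAL_DOMAIN_CONFIG: Dict[str, Tuple[str, int]] = {
    "hr.ttt.com.cn": ("10.1.2.1", 300),
    "ims.ttt.com.cn": ("10.1.3.2", 300),
}
DNS_TYPE_A, DNS_CLASS_IN = 1, 1


def is_local_domain(qname: str, domain_list: List[str] = LOCAL_DOMAIN_LIST) -> bool:
    """Match on label boundaries: hr.ttt.com.cn matches ttt.com.cn, xttt.com.cn does not."""
    name = qname.lower().rstrip(".")
    for entry in domain_list:
        d = entry.lower().rstrip(".")
        if name == d or name.endswith("." + d):
            return True
    return False


def parse_query(packet: bytes):
    """Return (transaction id, qname, qtype, qclass, raw question) of a standard DNS query."""
    tid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("expected a query with exactly one question")
    labels, pos = [], 12
    while True:
        ln = packet[pos]
        pos += 1
        if ln == 0:
            break
        if ln & 0xC0:
            raise ValueError("compressed names are not expected in a question")
        labels.append(packet[pos:pos + ln].decode("ascii"))
        pos += ln
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return tid, ".".join(labels), qtype, qclass, packet[12:pos + 4]


def build_response(query: bytes) -> Optional[bytes]:
    """Construct the DNS response carrying the local network IP, or None if the query is
    not a local network domain name query to be answered here."""
    tid, qname, qtype, qclass, question = parse_query(query)
    if not is_local_domain(qname) or qtype != DNS_TYPE_A or qclass != DNS_CLASS_IN:
        return None
    entry = LOCAL_DOMAIN_CONFIG.get(qname.lower())
    if entry is None:
        return None   # local name with no configured address: hand over to the dedicated DNS server
    ip, ttl = entry
    header = struct.pack("!HHHHHH", tid, 0x8180, 1, 1, 0, 0)   # standard response, RA set, no error
    answer = (struct.pack("!HHHIH", 0xC00C, DNS_TYPE_A, DNS_CLASS_IN, ttl, 4)   # name = pointer to question
              + ipaddress.IPv4Address(ip).packed)
    return header + question + answer


def build_query(tid: int, qname: str) -> bytes:
    """Constructed test input: a standard A query as the user terminal would send it."""
    q = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", tid, 0x0100, 1, 0, 0, 0) + q + struct.pack("!HH", DNS_TYPE_A, DNS_CLASS_IN)


def answer_ip(response: bytes) -> str:
    """Read the A record back out of a response produced by build_response."""
    return str(ipaddress.IPv4Address(response[-4:]))


def answer_ttl(response: bytes) -> int:
    return struct.unpack("!I", response[-10:-6])[0]


if __name__ == "__main__":
    r = build_response(build_query(0x1234, "hr.ttt.com.cn"))
    print("hr.ttt.com.cn ->", answer_ip(r), "TTL", answer_ttl(r))
```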
- step S120 includes:
- Step S121 Extract the user identifier carried in the local network access packet, determine the user type corresponding to the user identifier, and determine the subnet and subnet type where the destination address is located.
- the user identifier is the source IP address, and the user type can be obtained according to the correspondence between the source IP address and the user type.
- the correspondence between the source IP address and the user type may be pre-stored in the form of a table, a text, or the like, thereby obtaining a corresponding user type by looking up a table or checking a string.
- the corresponding subnet is determined according to the IP address segment where the destination address is located, and different subnets correspond to their respective subnet types.
- the subnet type can be classified according to the information security importance of the local network. For example, it is divided into a DMZ subnet and an intranet subnet.
- the intranet subnet needs higher access rights to access. Different subnet types have corresponding user types with access rights, and can customize the correspondence between subnet types and user types with access rights. By assigning different user types with different access rights for different subnet types, the flexible control of access rights is improved.
- step S122 it is determined whether the user access right corresponding to the user type meets the access authority corresponding to the subnet type of the destination address. If yes, the process proceeds to step S123.
- if the user access rights corresponding to the user type match the access rights corresponding to the subnet type of the destination address, the next step is entered; otherwise, the local network access packet is discarded.
- Step S123 Determine whether the subnet where the destination address is located is a subnet that is allowed to be accessed; if yes, the local network access authority passes the verification, otherwise the local network access authority fails the verification.
- to determine whether the subnet where the destination address is located is a subnet that is allowed to be accessed, a different subnet list may be assigned to each type of user in advance, and a table lookup determines whether the subnet where the destination address in the local network access packet is located is an allowed subnet. If yes, the local network access permission passes the verification; otherwise, it fails the verification.
- the guest authority and the subnet authority are double-verified, and the access rights of different user types are flexibly and conveniently controlled to ensure the security of local network access.
- the method further includes: if the user access right corresponding to the user type does not meet the access right corresponding to the subnet type of the destination address, updating the user type of the user terminal according to the authorization decision algorithm.
- a change of the user type may be requested from the local network access authorization module, which receives the user type change request.
- the user type of the user terminal is updated according to the user type change request and the authorization decision algorithm.
- different user type change requests may be generated according to the subnet type of the destination address and the current user type.
- different user type change requests may correspond to different authorization decision algorithms, and the decision of the authorization decision algorithm may be customized according to requirements: for example, according to the number of authorized persons and the current online number configured for different subnet types, the total traffic threshold and the current online traffic, and similar factors, it is determined whether to grant the user type change request and change to the corresponding user type.
- the user type with the access permission corresponding to the subnet type of the destination address can thus be applied for, achieving dynamic permission change.
- a user type that meets the access authority corresponding to the subnet type of the destination address can also be modified to an unprivileged user, so the access authority can be flexibly controlled according to the authorization decision algorithm.
- before the step of disassembling the S1-U uplink packet in step S130, the method further includes: determining, according to the current access state, whether to grant a forwarding permission for the local network access packet; if the local network access packet obtains the forwarding permission, the step of disassembling the S1-U uplink packet is performed, and if it does not obtain the forwarding permission, the local network access packet is discarded.
- the current access state includes information such as the uplink and downlink access rate limit, the access duration and the total access traffic of the user, and whether to grant a forwarding permission for the local network access message is determined according to the current access state. Only a packet that obtains a forwarding permission is forwarded, and different subnet types can correspond to different forwarding permission grant policies.
- the forwarding license further flexibly controls the access traffic, access duration, and the like of the local network.
- when a DMZ authorized guest user accesses the DMZ subnet, a guest forwarding permission is provided to the local network access processing module according to information such as the uplink and downlink access rate limit, the access duration and the total access traffic of the guest user.
- when an authorized intranet user accesses the intranet subnet, an authorized forwarding permission is provided to the local network access processing module according to the user's uplink and downlink access rate limit.
- when a controlled authorized user accesses the local network VPN gateway, a controlled forwarding permission is provided to the local network access processing module according to the uplink and downlink access rate limit, the access duration and the total access traffic of the controlled authorized user.
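The forwarding permission is a per-packet decision taken from the user's current access state. The following Python example is added here and is not the patent's code: it keeps one access state per user terminal and applies a policy per case (DMZ guest, intranet authorized user with only a rate limit, controlled VPN gateway user). The rate limit is rendered as a token bucket holding one second of bytes, and the policy numbers, the user addresses and the injectable clock are constructed values; the page names the three limit kinds but gives no figures.

```python
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class ForwardingPolicy:
    """Forwarding permission grant policy for one case; None means 'not limited'."""
    up_rate_bps: Optional[int]       # uplink access rate limit
    down_rate_bps: Optional[int]     # downlink access rate limit
    max_duration_s: Optional[int]    # access duration limit
    max_total_bytes: Optional[int]   # total access traffic limit


@dataclass
class AccessState:
    """Current access state of one user terminal (constructed bookkeeping)."""
    started_at: float
    last_refill: float
    up_tokens: float
    down_tokens: float
    total_bytes: int = 0


# Constructed policies for the three cases described on the page.
POLICIES: Dict[str, ForwardingPolicy] = {
    "dmz_guest": ForwardingPolicy(2_000_000, 8_000_000, 3600, 500_000_000),
    "intranet_authorized": ForwardingPolicy(20_000_000, 50_000_000, None, None),
    "vpn_controlled": ForwardingPolicy(1_000_000, 4_000_000, 1800, 100_000_000),
}


class ForwardingPermission:
    def __init__(self, policies: Dict[str, ForwardingPolicy] = POLICIES, clock=time.monotonic):
        self.policies = policies
        self.clock = clock          # injectable so the decision can be tested deterministically
        self.states: Dict[str, AccessState] = {}

    @staticmethod
    def _cap(rate_bps: Optional[int]) -> float:
        return 0.0 if rate_bps is None else rate_bps / 8.0    # bucket size: one second of bytes

    def _state(self, user_ip: str, policy: ForwardingPolicy, now: float) -> AccessState:
        st = self.states.get(user_ip)
        if st is None:
            st = AccessState(now, now, self._cap(policy.up_rate_bps), self._cap(policy.down_rate_bps))
            self.states[user_ip] = st
        return st

    def _refill(self, st: AccessState, policy: ForwardingPolicy, now: float) -> None:
        elapsed = max(0.0, now - st.last_refill)
        st.last_refill = now
        up_cap, down_cap = self._cap(policy.up_rate_bps), self._cap(policy.down_rate_bps)
        st.up_tokens = min(up_cap, st.up_tokens + up_cap * elapsed)
        st.down_tokens = min(down_cap, st.down_tokens + down_cap * elapsed)

    def permit(self, user_ip: str, policy_name: str, direction: str, size: int) -> bool:
        """Decide whether one packet of `size` bytes ('up' or 'down') may be forwarded."""
        policy = self.policies[policy_name]
        now = self.clock()
        st = self._state(user_ip, policy, now)
        if policy.max_duration_s is not None and now - st.started_at > policy.max_duration_s:
            return False                                      # access duration exhausted
        if policy.max_total_bytes is not None and st.total_bytes + size > policy.max_total_bytes:
            return False                                      # total access traffic exhausted
        self._refill(st, policy, now)
        rate = policy.up_rate_bps if direction == "up" else policy.down_rate_bps
        if rate is not None:                                  # rate limit applies in this direction
            tokens = st.up_tokens if direction == "up" else st.down_tokens
            if tokens < size:
                return False
            if direction == "up":
                st.up_tokens -= size
            else:
                st.down_tokens -= size
        st.total_bytes += size
        return True


if __name__ == "__main__":
    fp = ForwardingPermission()
    print("first guest packet forwarded:", fp.permit("100.64.0.5", "dmz_guest", "up", 1500))
```

A packet refused here is discarded before the disassembly step, which matches the order the text gives; the duration and traffic checks run first because they are cheap and final, and the bucket is only debited for packets that are actually forwarded.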
- the step of determining the user type of the user terminal corresponding to the local network access packet in step S120 includes: querying the user record table according to the user identifier carried in the local network access packet. If the user identifier is in the user record table, the user type recorded there is used; if it is not, the user type is non-privileged user.
- different user record tables may be generated per user type, each identified by a record table identifier. When a user type is updated, the user record table is updated synchronously. A user who obtained a privileged user type last time therefore gets the corresponding user record directly from the user record table on the next access, without re-applying, which speeds up obtaining the access right; only users without a privileged type need to apply.
- a valid time is associated with each user record in the user record table, and the record is deleted if the user does not access the local network within that valid time. In one embodiment, when the user's access right expires, a corresponding period is set for the user.
- step S122 includes at least one of the following steps:
- Step S122a If the subnet type of the destination address is a DMZ subnet, and the user type is a DMZ authorized guest user, it is determined that the user access right corresponding to the user type matches the access right corresponding to the subnet type of the destination address.
- the DMZ zone isolates the external network from the internal network and is protected by the external router and firewall.
- most devices deployed in the DMZ zone also have some resistance to attack and are known as bastion hosts.
- the internal network is protected by an internal router, the choke router (blocking router) in Figure 1, and the firewall.
- the internal network does not allow direct external access; only some bastion hosts in the DMZ zone are allowed to access it.
- external network users must be authenticated by the VPN gateway before they can access it.
- the VPN gateway can serve as a bastion host; it is usually deployed in the DMZ zone, or a carrier's VPN gateway can be leased. Users transit through the bastion host in the DMZ zone to reach the internal network.
- a reverse proxy server can also be deployed in the DMZ zone. Most public servers are deployed on the internal network; when a user accesses a public service, the DMZ reverse proxy accesses the public server deployed on the internal network on the user's behalf, which protects the public servers better.
- a DMZ authorized guest user is a user holding DMZ subnet access rights. When the subnet type of the destination address is a DMZ subnet and the user type is DMZ authorized guest user, the user access right corresponding to the user type meets the access right corresponding to the subnet type of the destination address.
- step S122b: if the subnet type of the destination address is an intranet subnet and the user type is a controlled authorized user, the user access right corresponding to the user type does not meet the access right corresponding to the subnet type of the destination address. The S1-U uplink packet is nevertheless disassembled, the source IP address and source port number of the user IP packet are converted into the device IP address and a mapped port number, and the local network packet is re-encapsulated and forwarded to the VPN gateway.
- a controlled authorized user is a user permitted to reach the local network VPN gateway. If the user type is controlled authorized user, the user must first apply to the VPN gateway for identity authentication before obtaining the internal user identity; meanwhile the S1-U uplink packet is disassembled, the source IP address and source port number in the user IP packet are converted into the device IP address and the mapped port number, and the local network packet is re-encapsulated and forwarded to the VPN gateway.
- Step S122c If the subnet type of the destination address is an intranet subnet and the user type is an authorized intranet user, it is determined that the user access right corresponding to the user type matches the access permission corresponding to the subnet type of the destination address.
- an authorized intranet user is a user holding access permission for the intranet subnet; only an internal user that has been granted authorization by the intranet authorization decision algorithm may access the intranet subnet of the local network.
- this solution does not limit the way users are authenticated inside the local network.
- the subnet type is divided into DMZ subnet and intranet subnet.
- the user type includes DMZ authorized guest user, controlled authorized user, and authorized intranet user. Whether the access right corresponding to the subnet type of the destination address is met is determined from the subnet type of the destination address together with the user type, which gives flexible access control for each subnet.
- the method further includes at least one of the following steps:
- Step S310: if the subnet type of the destination address is a DMZ subnet and the user type is not DMZ authorized guest user, a DMZ authorized guest user application is initiated.
- Step S320: if the subnet type of the destination address is an intranet subnet and the user identity is not yet known to be an internal user, a controlled authorized user application is initiated.
- a user who has not passed VPN authentication cannot have its identity confirmed and can only send its credentials to the VPN gateway for authentication, so only a controlled authorized user application can be initiated, not an authorized intranet user application.
- Step S330: if the subnet type of the destination address is an intranet subnet, the user identity is internal user, and the user type is controlled authorized user, an authorized intranet user application is initiated.
- a user can apply for intranet authorization only after the user has been identified as an internal user.
- the user type application request is thus determined by the subnet type of the destination address, the current user type, and the current user identity, so user type application requests are generated hierarchically.
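The uplink access decision, combining the record-table lookup with expiry (step S120), the first verification of user type against subnet type (steps S122a to S122c), the allowed-subnet second verification and the hierarchical application triggers (steps S310 to S330), as one added example. This is not the patent's code: the record layout, the idle-timeout refresh, the action names and the treatment of a guest whose destination is the intranet (handled as an unknown identity) are assumptions.

```python
"""Uplink access decision of the local network access processing module.
Added example, not the patent's code; table layout and action names are assumptions."""
import ipaddress
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

DMZ, INTRANET = "dmz", "intranet"
GUEST, CONTROLLED, INTRA, UNPRIVILEGED = (
    "dmz_authorized_guest", "controlled_authorized", "authorized_intranet", "unprivileged")


@dataclass
class UserRecord:
    user_type: str
    allowed_subnets: List[str] = field(default_factory=list)   # e.g. "192.168.10.0/24"
    valid_until: float = 0.0        # record is deleted when the user is idle past this time
    is_internal: bool = False       # identity learned via the VPN gateway / intranet authentication


class UserInfoManagement:
    """One record table per user type, keyed by the user identifier (UE IP in the mobile network)."""

    def __init__(self, clock=time.monotonic, idle_timeout: float = 3600.0):
        self.tables: Dict[str, Dict[str, UserRecord]] = {GUEST: {}, CONTROLLED: {}, INTRA: {}}
        self.clock, self.idle_timeout = clock, idle_timeout

    def lookup(self, user_id: str) -> Optional[UserRecord]:
        now = self.clock()
        for table in self.tables.values():
            rec = table.get(user_id)
            if rec is None:
                continue
            if now > rec.valid_until:           # valid time passed: delete the record
                del table[user_id]
                return None
            rec.valid_until = now + self.idle_timeout   # assumed: each access refreshes the valid time
            return rec
        return None

    def user_type(self, user_id: str) -> str:
        rec = self.lookup(user_id)
        return rec.user_type if rec else UNPRIVILEGED


class LocalNetworkAccessProcessing:
    def __init__(self, uim: UserInfoManagement, subnets: Dict[str, Tuple[str, str]], vpn_gateway: str):
        self.uim, self.vpn_gateway = uim, vpn_gateway
        # configured local network subnets and routing rules: network -> (subnet type, next hop)
        self.subnets = {ipaddress.ip_network(n): v for n, v in subnets.items()}

    def classify(self, dst_ip: str):
        addr = ipaddress.ip_address(dst_ip)
        for net, (stype, next_hop) in self.subnets.items():
            if addr in net:
                return net, stype, next_hop
        return None, None, None

    def decide(self, user_id: str, dst_ip: str) -> Tuple[str, Optional[str]]:
        """(action, argument): forward/next hop, forward_vpn/gateway, apply/user type, discard."""
        net, stype, next_hop = self.classify(dst_ip)
        if net is None:
            return ("discard", None)                        # not a local network subnet at all
        rec = self.uim.lookup(user_id)
        utype = rec.user_type if rec else UNPRIVILEGED
        if stype == DMZ:
            if utype != GUEST:
                return ("apply", GUEST)                     # S310
            return self._second_check(rec, net, next_hop)   # S122a, then allowed-subnet check
        if utype == INTRA:
            return self._second_check(rec, net, next_hop)   # S122c, then allowed-subnet check
        if utype == CONTROLLED:
            if rec.is_internal:
                return ("apply", INTRA)                     # S330
            return ("forward_vpn", self.vpn_gateway)        # S122b: controlled forwarding
        return ("apply", CONTROLLED)                        # S320: identity not yet known

    @staticmethod
    def _second_check(rec: UserRecord, net, next_hop) -> Tuple[str, Optional[str]]:
        if str(net) in rec.allowed_subnets:
            return ("forward", next_hop)
        return ("discard", None)                            # subnet not in this user's allowed list
```

Note that the decision is keyed on the UE's IP address inside the mobile network, which is the user identifier in the record table; the lookup therefore assumes the identification module has already matched the S1-U tunnel to that address, otherwise a second UE reusing the address would inherit the first one's authorization.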
- the step of updating the user type of the user terminal according to the authorization decision algorithm includes at least one of the following steps:
- Step S410: if a DMZ authorized guest user application is received, DMZ guest authorization is granted according to the DMZ guest authorization decision algorithm, DMZ guest authorization information is generated according to the configuration, and the user type of the user granted DMZ guest authorization is changed to DMZ authorized guest user.
- the DMZ guest authorization information may include a user identifier and the corresponding user type.
- the DMZ guest authorization information may be passed to the DMZ authorized guest user record table, which is updated by adding or changing the user record and setting its user type to DMZ authorized guest user.
- when the user record is updated, a guest user access control activation message is sent at the same time, carrying the activated policy and related information.
- uplink rate control and downlink rate control are mandatory policies; access duration and total access traffic are optional.
- Step S420: if a controlled authorized user application is received, controlled authorization is granted according to the controlled authorization decision algorithm, controlled authorization information is generated according to the configuration, and the user type of the user granted controlled authorization is changed to controlled authorized user.
- the controlled authorization information may include a user identifier and the corresponding user type.
- the controlled authorization information can be passed to the controlled authorized user record table, which is updated by adding or changing the user record and setting its user type to controlled authorized user.
- uplink rate control and downlink rate control are mandatory policies; access duration and total access traffic are optional.
- Step S430: if an authorized intranet user application is received, intranet authorization is granted according to the intranet authorization decision algorithm, intranet authorization information is generated according to the configuration, and the user type of the user granted intranet authorization is changed to authorized intranet user.
- the intranet authorization information may include a user identifier and the corresponding user type.
- the intranet authorization information can be passed to the intranet authorized user record table, which is updated by adding or changing the user record and setting its user type to authorized intranet user.
- the access control function for the authorized intranet user is activated, and the local network access control module stops the original controlled authorized user access control function for that user.
- the user record table is divided into a DMZ authorized guest user record table, a controlled authorized user record table, and an intranet authorized user record table, and the method further includes: modifying the user record in the record table of the corresponding type according to the update of the user type.
- the DMZ authorized guest user record table includes the user identifier, user mobile network base station information, and guest authorization information. The guest authorization information includes the list of allowed subnets with their next hop addresses, the user uplink access rate, the user downlink access rate, the user access duration, and the user's total access traffic quota.
- the controlled authorized user record table includes the user identifier, user mobile network base station information, and controlled authorization information. The controlled authorization information includes the user uplink access rate, the user downlink access rate, the user access duration, and the user's total access traffic quota.
- the intranet authorized user record table includes the user identifier, user mobile network base station information, and intranet authorization information. The intranet authorization information includes the list of allowed subnets with their next hop addresses, the user uplink access rate, the user downlink access rate, and similar information.
- the user record table records the user mobile network base station information, which includes the mobile network base station IP address and the mobile network base station tunnel identifier (TEID).
- the user identifier in the user record table is the IP address of the mobile terminal in the mobile network; the user mobile network base station information includes the IP address of the mobile network base station (eNB) and the base station tunnel identifier (TEID) of the user terminal, and the two are associated.
- the method further includes: receiving a local network downlink packet, restoring the device IP address and mapped port number carried in the local network downlink packet to the source IP address and source port number of the user terminal, encapsulating the result into an S1-U downlink packet according to the mobile network base station tunnel identifier of the user terminal, and sending it to the mobile network base station.
- the local network downlink packet is a response packet sent by the local network to the user terminal; it carries the device IP address and the mapped port number, which must be converted back to the source IP address and source port number of the user terminal.
- the method further includes:
- applying for the downlink forwarding permission of the corresponding type, where the application request carries the number of bytes to be forwarded. If the application succeeds, the local network downlink packet is disassembled, the device IP address and mapped port number it carries are obtained and converted into the user's source IP address and source port number, and the packet is re-encapsulated into an S1-U downlink packet and forwarded to the base station eNB. After receiving the S1-U downlink packet, the eNB converts it to an air interface packet and sends it to the user terminal. If the application fails, the local network downlink packet is discarded, which controls the downlink packets of the local network.
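The port address translation and S1-U re-encapsulation of the uplink path (step S130 and S122b) and the downlink restoration just described, as one added example that is not the patent's code. It assumes the outer eNB-to-device IP/UDP tunnel header has already been stripped, a GTP-U header without extension fields, IPv4/UDP user packets, and that the eNB's downlink TEID comes from the user record table (the TEID in an uplink GTP-U header identifies the core-network endpoint and cannot be reused for the downlink). The packets in the test are constructed.

```python
"""PAT and GTP-U (S1-U) re-encapsulation for uplink and downlink.
Added example, not the patent's code; see the stated assumptions."""
import ipaddress
import struct
from typing import Dict, Optional, Tuple

GTPU_FLAGS = 0x30   # version 1, protocol type GTP, no extension/sequence/N-PDU fields
GTPU_GPDU = 0xFF    # message type G-PDU: the payload is a user IP packet


def ip_checksum(hdr: bytes) -> int:
    if len(hdr) % 2:
        hdr += b"\0"
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_ipv4_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload  # UDP checksum 0 (optional on IPv4)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]   # fill header checksum
    return hdr + udp


def parse_ipv4_udp(pkt: bytes) -> Tuple[str, str, int, int, bytes]:
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 17:
        raise ValueError("example handles UDP only")
    src, dst = ipaddress.ip_address(pkt[12:16]), ipaddress.ip_address(pkt[16:20])
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return str(src), str(dst), sport, dport, pkt[ihl + 8:]


def build_gtpu(teid: int, inner: bytes) -> bytes:
    return struct.pack("!BBHI", GTPU_FLAGS, GTPU_GPDU, len(inner), teid) + inner


def parse_gtpu(s1u: bytes) -> Tuple[int, bytes]:
    flags, mtype, length, teid = struct.unpack("!BBHI", s1u[:8])
    if flags >> 5 != 1 or mtype != GTPU_GPDU or flags & 0x07:
        raise ValueError("unsupported GTP-U header")
    return teid, s1u[8:8 + length]


class PortAddressTranslator:
    """Local network access processing: (UE IP, port) <-> (device IP, mapped port)."""

    def __init__(self, device_ip: str, first_port: int = 40000):
        self.device_ip, self.next_port = device_ip, first_port
        self.fwd: Dict[Tuple[str, int], int] = {}              # (ue_ip, ue_port) -> mapped port
        self.rev: Dict[int, Tuple[str, int, str, int]] = {}    # mapped port -> (ue_ip, ue_port, enb_ip, enb_teid)

    def uplink(self, s1u: bytes, enb_ip: str, enb_teid: int, next_hop: str) -> Tuple[str, bytes]:
        _core_teid, inner = parse_gtpu(s1u)                    # uplink TEID belongs to the core side
        ue_ip, dst, sport, dport, payload = parse_ipv4_udp(inner)
        key = (ue_ip, sport)
        if key not in self.fwd:
            self.fwd[key] = self.next_port
            self.rev[self.next_port] = (ue_ip, sport, enb_ip, enb_teid)   # eNB info from the user record table
            self.next_port += 1
        return next_hop, build_ipv4_udp(self.device_ip, dst, self.fwd[key], dport, payload)

    def downlink(self, local_pkt: bytes) -> Optional[Tuple[str, bytes]]:
        src, dst, sport, dport, payload = parse_ipv4_udp(local_pkt)
        if dst != self.device_ip or dport not in self.rev:
            return None                                        # no mapping: discard
        ue_ip, ue_port, enb_ip, teid = self.rev[dport]
        return enb_ip, build_gtpu(teid, build_ipv4_udp(src, ue_ip, sport, ue_port, payload))
```

The reverse table here is keyed only by mapped port, so any local network host that learns the port can reach the UE through it; a deployment should also record the destination the UE contacted and accept downlink packets only from that (address, port) pair, and should age mappings out together with the user record.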
- before step S110, the method further includes: configuring each parameter and rule in advance.
- the configured parameters and rules include the local network access packet characteristics, local network domain name rules, local network subnets and routing rules, VPN gateway configuration, local network access control rules, and so on; a parameter configuration interface is provided for the other modules.
- the method for accessing the local network by the user terminal is implemented by newly added modules: a local network packet identification module, a local network domain name proxy module, a local network access processing module, a local network access control module, a local network access authorization module, and a user information management module.
- the timing diagram of the user terminal querying a local network domain name is shown in Figure 9.
- the local network domain name proxy module constructs a DNS query response, as follows:
- the UE sends an air interface packet carrying a user packet, that is, a DNS query message for the local network domain name, to the eNB.
- after receiving the user packet, the eNB sends it as an S1-U uplink packet, which reaches the local network packet identification module.
- the local network packet identification module analyzes the content of the S1-U packets packet by packet and identifies DNS query packets.
- the local network packet identification module identifies DNS query packets for local network domain names according to the configured local network domain name rules.
- the local network packet identification module forwards DNS query messages for local network domain names to the local network domain name proxy module; other DNS query messages continue to the core network.
- the local network domain name proxy module constructs a DNS query response packet carrying the local network IP address.
- the local network domain name proxy module obtains the user mobile network base station information from the user information management module.
- the local network domain name proxy module encapsulates the DNS query response packet into an S1-U packet and sends it to the eNB.
- the eNB receives the S1-U packet, extracts the user packet, that is, the DNS query response packet, and sends it to the UE.
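The domain-name proxy step of the sequence above, as an added example (not the patent's code): decide whether an intercepted DNS query matches a configured local network domain name rule and, if so, build the response carrying the local network IP address; anything else returns None and continues to the core network. The suffix-match rule format, the A-record-only handling and the query bytes in the test are assumptions.

```python
"""Local network domain name proxy. Added example, not the patent's code."""
import ipaddress
import struct
from typing import Dict, Optional, Tuple


def encode_name(name: str) -> bytes:
    out = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.rstrip(".").split("."))
    return out + b"\0"


def decode_name(msg: bytes, off: int) -> Tuple[str, int]:
    labels = []
    while True:
        n = msg[off]
        if n == 0:
            return ".".join(labels), off + 1
        if n & 0xC0:                                   # compression pointer: not expected in a question
            raise ValueError("compressed name in query")
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n


def build_query(txid: int, qname: str, qtype: int = 1) -> bytes:
    """Constructed UE query: standard query, RD set, one question, class IN."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", qtype, 1)


def parse_query(msg: bytes) -> Optional[Tuple[int, str, int, int, bytes]]:
    if len(msg) < 12:
        return None
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x8000 or qdcount != 1:             # responses and multi-question messages are not handled
        return None
    try:
        qname, off = decode_name(msg, 12)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    except (ValueError, IndexError, struct.error):
        return None
    return txid, qname, qtype, qclass, msg[12:off + 4]


class LocalNetworkDomainNameProxy:
    def __init__(self, rules: Dict[str, str]):
        # local network domain name rules: domain suffix -> local network IPv4 address
        self.rules = {k.lower().rstrip("."): v for k, v in rules.items()}

    def match(self, qname: str) -> Optional[str]:
        q = qname.lower().rstrip(".")
        for suffix, ip in self.rules.items():
            if q == suffix or q.endswith("." + suffix):
                return ip
        return None

    def handle(self, msg: bytes) -> Optional[bytes]:
        """Response bytes for a local network name, or None to let the query continue to the core network."""
        parsed = parse_query(msg)
        if parsed is None:
            return None
        txid, qname, qtype, qclass, question = parsed
        ip = self.match(qname)
        if ip is None or qtype != 1 or qclass != 1:   # only A/IN queries are answered locally
            return None
        header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA, NOERROR, one answer
        answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + ipaddress.ip_address(ip).packed  # name -> offset 12
        return header + question + answer
```

The proxy only sees cleartext DNS carried inside the S1-U tunnel; a UE that resolves over DoH or DoT never hits the domain name rule and will not obtain the local network address, and a query for a matching name with a non-A type is deliberately passed through unchanged rather than answered with an empty response.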
- the timing diagram in FIG. 10 of an uplink message of a user terminal accessing the local network DMZ subnet is described as follows:
- the UE sends a user uplink packet over the air interface.
- after receiving the user packet, the eNB sends it as an S1-U uplink packet.
- the local network packet identification module compares packets one by one against the configured local network access packet characteristics and identifies the local network access packet.
- the local network packet identification module forwards the local network access packet to the local network access processing module.
- the local network access processing module checks the destination subnet and identifies it as a DMZ subnet.
- the local network access processing module checks whether the user is in the DMZ authorized guest user record table.
- for a visitor who is not in the DMZ authorized guest user record table, the local network access processing module may initiate a DMZ authorized guest user application carrying the user identifier to the user information management module, to obtain DMZ guest authorization information.
- for a DMZ authorized guest user, the local network access processing module checks whether the subnet containing the destination address is in the list of allowed subnets; packets from unauthorized visitors or to unauthorized subnets are discarded directly.
- the local network access processing module requests a guest uplink forwarding permission from the local network access control module, carrying the number of bytes to be forwarded.
- the local network access processing module unpacks the packet, performs port address translation, and re-encapsulates the local network packet; if the forwarding permission is not obtained, the packet is discarded directly.
- the local network access processing module sends the encapsulated local network packet to the next hop address corresponding to the subnet containing the destination address.
- the local network DMZ server returns a response message to the UE; forwarding it also requires applying for a guest downlink forwarding permission.
- FIG. 11 is an example sequence diagram of the downlink message of a user terminal accessing the local network DMZ, described as follows:
- the local network access processing module receives a packet from the local network DMZ, that is, a user downlink packet.
- the local network access processing module requests a guest downlink forwarding permission from the local network access control module, carrying the number of bytes to be forwarded.
- the local network access processing module unpacks the packet, performs port address translation, and re-encapsulates it into an S1-U downlink user packet; if the forwarding permission is not obtained, the packet is discarded directly.
- the local network access processing module sends the encapsulated S1-U downlink user packet to the eNB.
- the eNB receives the S1-U packet and sends the user downlink packet to the UE over the air interface.
- the user terminal needs to apply for guest authorization.
- the application process can be triggered during the local network domain name response process or during the local network DMZ access process.
- the local network DMZ guest authorization timing diagram in FIG. 12 is described as follows:
- the user information management module initiates a DMZ authorized guest user application to the local network access authorization module.
- the local network access authorization module grants DMZ guest authorization according to the DMZ guest authorization decision algorithm and generates DMZ guest authorization information according to the configuration.
- the local network access authorization module returns a DMZ authorized guest user application response.
- the user information management module checks the authorization result, saves the DMZ guest authorization information, and adds it to the DMZ authorized guest user record table.
- the user information management module sends a DMZ authorized guest user access control message to the local network access control module, carrying the activated policy and related information; uplink rate control and downlink rate control are mandatory policies, and access duration and total access traffic are optional.
- a user terminal accessing the intranet subnet of the local network needs to perform intranet identity authentication.
- the specific intranet identity authentication process can be customized as required and is not limited by this solution.
- the local network access authorization module first grants controlled authorization, under which the packet is forwarded to the VPN gateway; this is called controlled forwarding, and the user is a controlled authorized user at this point.
- once the local network access authorization module learns that the user identity is an internal user, intranet authorization is granted according to the intranet authorization decision algorithm and the packet is allowed to be forwarded to the authorized subnet; this is called authorization forwarding, and the user is changed to an authorized intranet user at this point.
- the timing diagram of the uplink message of a user terminal accessing the intranet of the local network is shown in FIG. 13 and described as follows:
- the UE sends a user uplink message over the air interface.
- after receiving the user packet, the eNB sends it as an S1-U uplink packet.
- the local network packet identification module compares packets one by one against the configured local network access packet characteristics and identifies the local network access packet.
- the local network packet identification module forwards the local network access message to the local network access processing module.
- the local network access processing module checks the destination subnet and identifies it as an intranet subnet.
- the local network access processing module checks the controlled authorized user record table and the intranet authorized user record table.
- for a user not present in either record table, the local network access processing module sends a user type update request carrying the user identifier to the user information management module and obtains the user authorization information.
- the local network access processing module confirms whether the user type is controlled authorized user or authorized intranet user, so that the corresponding policy can be applied subsequently.
- the local network access processing module checks whether the subnet containing the destination address belongs to the authorized subnet list; if not, the packet is discarded directly, otherwise the next step is entered.
- for a controlled authorized user, the local network access processing module requests a controlled uplink forwarding permission from the local network access control module, carrying the number of bytes to be forwarded; for an authorized intranet user, it requests an authorized uplink forwarding permission, likewise carrying the number of bytes to be forwarded.
- the local network access processing module unpacks the packet, performs port address translation, and re-encapsulates the local network packet; if the forwarding permission is not obtained, the packet is discarded directly.
- the local network access processing module sends the encapsulated local network packet to the VPN gateway for a controlled authorized user, and to the next hop address corresponding to the subnet containing the destination address for an authorized intranet user.
- the local network intranet server or the VPN gateway returns a response packet to the UE; forwarding it also requires a downlink forwarding permission.
- the downlink processing differs slightly by user type. The downlink sequence of a user terminal accessing the intranet of the local network is shown in Figure 14 and described as follows:
- the local network access processing module receives a local network packet from the local network intranet or from the VPN gateway, that is, a user downlink packet.
- the local network access processing module checks whether the user record type is controlled authorized user or authorized intranet user.
- for a controlled authorized user, the local network access processing module requests a controlled downlink forwarding permission from the local network access control module, carrying the number of bytes to be forwarded; for an authorized intranet user, it requests an authorized downlink forwarding permission, likewise carrying the number of bytes to be forwarded.
- the local network access processing module unpacks the packet, performs port address translation, and re-encapsulates it into an S1-U downlink user packet; if the forwarding permission is not obtained, the packet is discarded directly.
- the local network access processing module sends the encapsulated S1-U downlink user packet to the eNB.
- the eNB receives the S1-U packet and sends the user downlink packet to the UE over the air interface.
- the local network access authorization module grants authorization to a user with internal identity according to the intranet authorization decision algorithm, which can combine factors such as the current number of authorized intranet accessors, the configured authorized intranet accessor threshold, the current total authorized intranet access rate, and the configured total intranet access rate threshold.
- a user for whom intranet authorization is withheld keeps the controlled authorized user record type; a user granted intranet authorization is changed from the original controlled authorized user type to the authorized intranet user type. Even a user whose intranet identity has been authenticated by the local network remains a controlled authorized user if the local network access authorization module does not grant intranet authorization.
- FIG. 15 is a timing diagram of the intranet authorization of the local network.
- the user terminal notifies the VPN gateway of its user identifier, that is, the IP address of the user terminal on the mobile network, and the VPN gateway notifies the local network access authorization module.
- the details are as follows:
- the user information management module initiates a controlled authorized user application to the local network access authorization module.
- the local network access authorization module grants controlled authorization according to the controlled authorization decision algorithm and generates controlled authorization information according to the configuration.
- the local network access authorization module returns a controlled authorized user application response.
- the user information management module checks the controlled authorization result, saves it as controlled authorized user information, and adds it to the controlled authorized user record table.
- the user information management module sends a controlled authorized user access control message to the local network access control module, carrying the activated policy and related information; uplink rate control and downlink rate control are mandatory policies, and access duration and total access traffic are optional.
- the user terminal and the local network intranet authentication system perform intranet authentication. This step is not limited here.
- the user terminal sends the user identifier to the VPN gateway. This step is optional.
- the VPN gateway notifies the local network access authorization module, carrying the user identifier. This step is optional.
- the local network access authorization module learns that the user has passed intranet authentication and that the user identity is internal user.
- the local network access authorization module grants intranet authorization according to the intranet authorization decision algorithm and generates intranet authorization information according to the configuration.
- the local network access authorization module sends an authorized intranet user notification carrying the authorization information to the user information management module.
- the user information management module changes the user's record from controlled authorized user to authorized intranet user, saves the authorization information, adds the record to the intranet authorized user record table, and deletes it from the controlled authorized user record table.
- the user information management module notifies the local network access control module to activate the access control function for the authorized intranet user, and the local network access control module stops the original controlled authorized user access control function.
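The last part of this sequence, the intranet authorization decision with the accessor-count and total-rate thresholds described earlier and the move of the record from the controlled authorized user table to the intranet authorized user table with the matching access-control switch, as one added example (not the patent's code). The record fields, the decision rule that both thresholds must still hold after admitting the user, and the dictionary standing in for the access control module are assumptions.

```python
"""Intranet authorization decision and record-table migration.
Added example, not the patent's code; field names and the exact rule are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ControlledRecord:              # controlled authorized user record table entry
    user_id: str
    enb_info: tuple                  # (eNB IP address, eNB TEID) from the user mobile network base station information
    up_rate: int
    down_rate: int
    access_duration: int = 0         # optional
    total_quota: int = 0             # optional


@dataclass
class IntranetRecord:                # intranet authorized user record table entry
    user_id: str
    enb_info: tuple
    allowed_subnets: List[str]
    next_hop: str
    up_rate: int
    down_rate: int


@dataclass
class IntranetDecisionConfig:
    user_threshold: int              # configured authorized intranet accessor threshold
    total_rate_threshold: int        # configured total intranet access rate threshold (bytes/s)
    allowed_subnets: List[str]
    next_hop: str


class LocalNetworkAccessAuthorization:
    def __init__(self, cfg: IntranetDecisionConfig):
        self.cfg = cfg

    def intranet_decision(self, active_count: int, active_total_rate: int,
                          rec: ControlledRecord) -> Optional[IntranetRecord]:
        """Grant only if both configured thresholds still hold after admitting this user."""
        if active_count + 1 > self.cfg.user_threshold:
            return None
        if active_total_rate + rec.up_rate + rec.down_rate > self.cfg.total_rate_threshold:
            return None
        return IntranetRecord(rec.user_id, rec.enb_info, list(self.cfg.allowed_subnets),
                              self.cfg.next_hop, rec.up_rate, rec.down_rate)


class UserInfoManagement:
    def __init__(self, authz: LocalNetworkAccessAuthorization, access_control: Dict[str, str]):
        self.controlled: Dict[str, ControlledRecord] = {}
        self.intranet: Dict[str, IntranetRecord] = {}
        self.authz = authz
        self.ac = access_control     # stand-in for the access control module: user_id -> active function

    def add_controlled(self, rec: ControlledRecord) -> None:
        self.controlled[rec.user_id] = rec
        self.ac[rec.user_id] = "controlled"

    def on_internal_identity(self, user_id: str) -> str:
        """The VPN gateway reported that user_id passed intranet authentication."""
        rec = self.controlled.get(user_id)
        if rec is None:
            return "not_controlled"                      # only a controlled authorized user can be promoted
        total_rate = sum(r.up_rate + r.down_rate for r in self.intranet.values())
        new = self.authz.intranet_decision(len(self.intranet), total_rate, rec)
        if new is None:
            return "controlled"                          # authorization withheld: type unchanged
        self.intranet[user_id] = new                     # add to intranet authorized user record table
        del self.controlled[user_id]                     # delete from controlled authorized user record table
        self.ac[user_id] = "intranet"                    # switch access control function
        return "intranet"
```

The record move and the access-control switch are done together so that no window exists in which the user is in neither table (and would fall back to unprivileged) or in both (and would hold two rate budgets at once).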
- an apparatus for accessing a local network by a user terminal includes:
- a local network packet identification module 520, configured to receive S1-U uplink packets and to identify and intercept the local network access packets among them.
- a local network access processing module 530, configured to determine the user type of the user terminal corresponding to the local network access packet and to verify the user terminal's local network access permission according to the user type and the destination address in the local network access packet; if the verification passes, the S1-U uplink packet is disassembled, the source IP address and source port number in the user IP packet are converted into the device IP address and the mapped port number, and the local network packet is re-encapsulated and forwarded to the next hop address of the subnet containing the destination address.
- the local network packet identification module 520 is further configured to receive S1-U uplink packets and to identify and intercept the DNS query messages for local network domain names among them. As shown in FIG. 17, the apparatus further includes:
- a local network domain name proxy module 540, configured to construct a DNS response packet carrying the local network IP address according to the DNS query message for the local network domain name and to return it to the terminal; the local network IP address is then carried as the destination address in the local network access packet.
- the local network access processing module 530 includes:
- an information determining unit 531, configured to extract the user identifier carried in the local network access packet, determine the user type corresponding to the user identifier, and determine the subnet containing the destination address and its subnet type.
- a first verification unit 532, configured to determine whether the user access right corresponding to the user type meets the access right corresponding to the subnet type of the destination address, and if so, to pass control to the second verification unit.
- a second verification unit 533, configured to determine whether the subnet containing the destination address is a subnet the user is allowed to access; if so, the local network access permission is verified, otherwise the verification fails.
- the apparatus further includes:
- a local network access control module 550, configured to determine, according to the current access state, whether to grant a forwarding permission for the local network access packet; if the local network access packet obtains the forwarding permission, the local network access processing module proceeds to disassemble the S1-U uplink packet, and if not, the local network access packet is discarded.
- the device further includes:
- the local network access authorization module 560 is configured to update the user type of the user terminal according to the authorization decision algorithm if the user access right corresponding to the user type does not meet the access right corresponding to the subnet type of the destination address.
- the local network access processing module 530 is further configured to query the user record table according to the user identifier of the user terminal carried in the local network access message; if the user identifier is in the user record table, the user type recorded in the table is obtained, and if the user identifier is not in the user record table, the user type is a non-privileged user.
- the local network is divided into a DMZ zone and an intranet.
- the subnet type is divided into a DMZ subnet and an intranet subnet.
- the user types include DMZ authorized guest users, controlled authorized users, and authorized intranet users.
- the first verification unit 532 includes at least one of the following units:
- the DMZ subnet verification unit 532a is configured to determine, if the subnet type of the destination address is a DMZ subnet and the user type is a DMZ authorized guest user, that the user access right corresponding to the user type matches the access permission corresponding to the subnet type of the destination address.
- the intranet subnet first verification unit 532b is configured to determine, if the subnet type of the destination address is an intranet subnet and the user type is a controlled authorized user, that the user access right corresponding to the user type does not meet the access right corresponding to the subnet type of the destination address; in that case the S1-U uplink packet is disassembled, the source IP address and the source port number in the user IP packet are converted into the device IP address and the mapped port number, and the local network packet is re-encapsulated and forwarded to the VPN gateway.
- the intranet subnet second verification unit 532c is configured to determine, if the subnet type of the destination address is an intranet subnet and the user type is an authorized intranet user, that the user access right corresponding to the user type matches the access right corresponding to the subnet type of the destination address.
- the local network access processing module 530 further includes:
- the authorization application unit includes at least one of the following units:
- the DMZ authorization application unit 534a is configured to initiate a DMZ authorized guest application if the subnet type of the destination address is a DMZ subnet and the user type is a non-DMZ authorized guest user.
- the controlled authorization application unit 534b is configured to initiate a controlled authorized user application if the subnet type of the destination address is an intranet subnet and the user identity is known to be an internal user.
- the authorized intranet application unit 534c is configured to initiate an authorized intranet user application if the subnet type of the destination address is an intranet subnet, the user identity is an internal user, and the user type is a controlled authorized user.
- the local network access authorization module 560 includes at least one of the following units:
- the DMZ authorization unit 560a is configured to, when receiving the DMZ authorized guest user application, grant the DMZ guest authorization according to the DMZ guest authorization decision algorithm, generate DMZ guest authorization information according to the configuration, and modify the user type of the user granted DMZ guest authorization to DMZ authorized guest user.
- the controlled authorization unit 560b is configured to, when receiving the controlled authorized user application, grant controlled authorization according to the controlled authorization decision algorithm, generate controlled authorization information according to the configuration, and modify the user type of the user granted controlled authorization to controlled authorized user.
- the authorized intranet unit 560c is configured to, when receiving the authorized intranet user application, grant the intranet authorization according to the intranet authorization decision algorithm, generate the intranet authorization information according to the configuration, and modify the user type of the user granted intranet authorization to authorized intranet user.
- the user record table is divided into a DMZ authorized guest user record table, a controlled authorized user record table, and an intranet authorized user record table.
- the device further includes:
- the user information management module 570 is configured to modify the user record of the corresponding type of user record table according to the update of the user type.
- an apparatus for accessing a local network by a user terminal including a processor and a memory storing executable instructions of the processor, when the instructions are executed by the processor, performing the following operations:
- the user type of the user terminal corresponding to the local network access packet is determined, and the local network access right of the user terminal is verified according to the user type and the destination address in the local network access message.
- the S1-U upstream packet is disassembled, and the source IP address and source port number in the user IP packet are translated into the device IP address and the mapped port number, and the local network packet is re-encapsulated.
- the local network packet is forwarded to the next hop address of the subnet where the destination address is located.
- the S1-U uplink packet is received, and the DNS query packet of the local network domain name in the S1-U uplink packet is identified and intercepted.
- a DNS response packet carrying the local network IP address is constructed according to the DNS query packet of the local network domain name, and the DNS response packet is returned to the terminal, so that the local network IP address is carried as the destination address in the local network access packet.
- the user type of the user terminal corresponding to the local network access message is determined by the processor, and the local network access permission of the user terminal is verified according to the user type and the destination address in the local network access message.
- the operations include:
- the local network access permission passes the verification; otherwise, the local network access permission does not pass the verification.
- the local network is divided into a DMZ zone and an intranet.
- the subnet type of the destination address is divided into a DMZ subnet and an intranet subnet.
- the user types include a DMZ authorized guest user, a controlled authorized user, and an authorized intranet user.
- the user access right corresponding to the user type matches the access permission corresponding to the subnet type of the destination address.
- the subnet type of the destination address is the intranet subnet and the user type is the controlled authorized user.
- the user access right corresponding to the user type does not match the access permission corresponding to the subnet type of the destination address, and the S1-U uplink packet is disassembled, the source IP address and the source port number in the user IP packet are converted into the device IP address and the mapped port number, and the local network packet is re-encapsulated and forwarded to the VPN gateway.
- the user access right corresponding to the user type matches the access permission corresponding to the subnet type of the destination address.
- a mobile network base station comprising the apparatus for accessing a local network by a user terminal according to any of the above embodiments.
- the apparatus for accessing a local network by a user terminal is deployed on the mobile network base station, so no new equipment is needed and only the mobile network base station eNB needs a software upgrade.
- FIG. 25 is a schematic diagram of the internal structure after the apparatus for accessing a local network by a user terminal is deployed in a mobile network base station in a specific embodiment.
- a system for a user terminal to access a local network includes a base station eNB 610 and a server 620, and the server 620 includes the apparatus 621 for accessing a local network by a user terminal according to any one of the foregoing embodiments.
- the apparatus for accessing a local network by a user terminal is deployed on the server, so no modification of the existing base station is needed and transparent deployment is achieved.
- FIG. 27 shows the internal structure of a system in which a user terminal accesses a local network in this embodiment.
- a system for a user terminal to access a local network includes a base station eNB and a server.
- the base station eNB is configured to receive an S1-U uplink packet, identify and intercept the local network access packet in the S1-U uplink packet, and send the local network access packet to the server; the server is configured to determine the user type of the user terminal corresponding to the local network access packet, determine the local network access permission of the user terminal according to the user type, and, if the local network access permission allows access to the subnet where the destination address of the local network access packet is located, disassemble the S1-U uplink packet, convert the source IP address and source port number in the user IP packet into the device IP address and the mapped port number, and re-encapsulate the local network packet so as to forward it to the next hop address of the subnet where the destination address is located.
- the local network packet identification module is deployed on the mobile network base station and the other modules are deployed on one server, so only the packets conforming to the local network packet characteristics and the local network domain name characteristics are forwarded to the server for processing, which reduces the processing overhead of the new device.
- FIG. 28 shows the internal structure of a system in which a user terminal accesses a local network in this embodiment.
- the storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM), or a random access memory (RAM).
- by receiving the S1-U uplink packet, the local network access packet in the S1-U uplink packet is identified and intercepted, and the intercepted local network access packet is not sent to the core network, which reduces the nodes on the access path; the user type of the user terminal corresponding to the local network access packet is determined, and the local network access authority of the user terminal is verified according to the user type and the destination address in the local network access packet; if the verification succeeds, the S1-U uplink packet is disassembled, the source IP address and the source port number in the user IP packet are translated into the device IP address and the mapped port number, and the local network packet is re-encapsulated and forwarded to the next hop address of the subnet where the destination address is located. Only the local network access packets that pass the verification are forwarded, which ensures the security of the local network information, so that the user terminal can access the local network quickly and securely.
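The verification units and the source NAT step described above, as an added example that is not the patent's own code: the user type is looked up in constructed record tables, unit 532 applies the three user type / subnet type rules given in the text, unit 533 checks that the subnet itself may be accessed, and the NAT table maps source IP/port to device IP/mapped port. All subnets, user identifiers and addresses are constructed for illustration.

```python
"""Added example (not the patent's own code): the user-type / subnet-type check
of the first and second verification units (532, 533) and the source NAT step
of the access processing module. All subnets, user ids and addresses are constructed."""
import ipaddress
from itertools import count

# Constructed subnet table: network -> (subnet type, access allowed?, next hop)
SUBNETS = {
    ipaddress.ip_network("10.10.0.0/24"): ("dmz", True, "10.10.0.1"),
    ipaddress.ip_network("10.20.0.0/24"): ("intranet", True, "10.20.0.1"),
    ipaddress.ip_network("10.30.0.0/24"): ("intranet", False, "10.30.0.1"),
}
# Constructed user record tables (one per user type), keyed by user identifier
USER_RECORDS = {"dmz_guest": {"user-1001"}, "controlled": {"user-2001"},
                "intranet": {"user-3001"}}
VPN_GATEWAY = "10.0.0.254"  # constructed VPN gateway address
DEVICE_IP = "10.0.0.1"      # constructed device IP used as the SNAT source

def user_type(user_id):
    """Look the identifier up in the record tables; absent -> non-privileged."""
    for utype, ids in USER_RECORDS.items():
        if user_id in ids:
            return utype
    return "non_privileged"

def locate_subnet(dst_ip):
    """Return (subnet type, allowed?, next hop) for the destination, or None."""
    addr = ipaddress.ip_address(dst_ip)
    for net, info in SUBNETS.items():
        if addr in net:
            return info
    return None

def first_verification(utype, subnet_type):
    """Unit 532: the three user type / subnet type rules the text gives.
    'match' -> access right meets the subnet type; 'vpn' -> controlled user to
    intranet, re-encapsulated towards the VPN gateway; 'deny' -> anything else."""
    if subnet_type == "dmz" and utype == "dmz_guest":
        return "match"
    if subnet_type == "intranet" and utype == "intranet":
        return "match"
    if subnet_type == "intranet" and utype == "controlled":
        return "vpn"
    return "deny"

def decide(user_id, dst_ip):
    """Verify the access packet; returns (verdict, next hop address or None)."""
    info = locate_subnet(dst_ip)
    if info is None:  # destination is not inside any local subnet
        return "deny", None
    subnet_type, allowed, next_hop = info
    result = first_verification(user_type(user_id), subnet_type)
    if result == "deny":
        return "deny", None
    if result == "vpn":
        return "vpn", VPN_GATEWAY
    if not allowed:  # unit 533: the subnet itself must be one that may be accessed
        return "deny", None
    return "forward", next_hop

class SourceNat:
    """(source IP, source port) -> (device IP, mapped port), and the reverse."""
    def __init__(self, device_ip=DEVICE_IP, first_port=40000):
        self.device_ip, self._ports = device_ip, count(first_port)
        self.fwd, self.rev = {}, {}  # flow -> mapped port, mapped port -> flow

    def translate(self, src_ip, src_port):
        key = (src_ip, src_port)
        if key not in self.fwd:  # allocate one mapped port per distinct flow
            port = next(self._ports)
            self.fwd[key], self.rev[port] = port, key
        return self.device_ip, self.fwd[key]

    def untranslate(self, mapped_port):
        """Reverse lookup for the returning local network packet."""
        return self.rev.get(mapped_port)
```

A destination outside every configured subnet, or a user absent from all record tables, is denied; only the combinations the text enumerates are forwarded.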
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention relates to a method and apparatus for accessing a local network by a user terminal, and a computer storage medium, the method comprising the following steps: receiving a user-plane S1-U uplink packet, and identifying and intercepting a local network access packet in the S1-U uplink packet; determining a user type of a user terminal corresponding to the local network access packet, and verifying a local network access authority of the user terminal according to the user type and a destination address in the local network access packet; and, if the verification succeeds, disassembling the S1-U uplink packet, converting a source IP address and a source port number of a user IP packet into a device IP address and a mapped port number respectively, re-encapsulating the packet into a local network packet, and forwarding the local network packet to a next-hop address of a subnet to which the destination address belongs. In this way, local network access can be accomplished securely and directly from the base station side of a mobile network, so that the nodes on the access path are considerably reduced, network latency is reduced, and the transmission rate is increased.
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201610822884.8 | 2016-09-13 | ||
| CN201610822884.8A CN107819732B (zh) | 2016-09-13 | 2016-09-13 | Method and apparatus for a user terminal to access a local network |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2018050007A1 true WO2018050007A1 (fr) | 2018-03-22 |
Family
ID=61601445
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/CN2017/100636 Ceased WO2018050007A1 (fr) | 2016-09-13 | 2017-09-06 | Method and apparatus for accessing a local network by a user terminal, and computer storage medium |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN107819732B (fr) |
| WO (1) | WO2018050007A1 (fr) |
Cited By (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109889381A (zh) * | 2019-02-18 | 2019-06-14 | 国家计算机网络与信息安全管理中心 | Bastion-host-based automated configuration management method and apparatus |
| CN111885219A (zh) * | 2020-07-28 | 2020-11-03 | 杭州迪普科技股份有限公司 | Communication method and apparatus based on SIP media negotiation, and NAT device |
| CN112105074A (zh) * | 2019-06-17 | 2020-12-18 | 中国移动通信集团浙江有限公司 | MEC-based access traffic offloading system and method |
| US11310758B2 (en) | 2018-04-05 | 2022-04-19 | Samsung Electronics Co., Ltd. | Method and apparatus for providing local area data network service based on non-subscription model in wireless communication system |
| RU2777722C2 (ru) * | 2018-04-05 | 2022-08-08 | Самсунг Электроникс Ко., Лтд. | Method and apparatus for providing local area data network service based on non-subscription model in wireless communication system |
| CN116192411A (zh) * | 2021-11-26 | 2023-05-30 | 千寻位置网络有限公司 | Reference station network, and method and apparatus for secure public-network access of reference station network nodes |
Families Citing this family (11)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109379333B (zh) * | 2018-09-10 | 2021-04-13 | 安徽师范大学 | Network-layer-based secure transmission method |
| CN111355817B (zh) * | 2018-12-20 | 2022-08-23 | 中国移动通信集团辽宁有限公司 | Domain name resolution method and apparatus, security server, and medium |
| CN111865876B (zh) * | 2019-04-29 | 2021-10-15 | 华为技术有限公司 | Network access control method and device |
| CN110611665B (zh) * | 2019-08-30 | 2022-01-25 | 杭州希益丰新业科技有限公司 | Method for a secure operation and maintenance gateway for remote operation and maintenance of a power secondary system |
| CN110708301B (zh) * | 2019-09-24 | 2022-06-24 | 贝壳找房(北京)科技有限公司 | User request processing method and apparatus, electronic device, and storage medium |
| CN112347460B (zh) * | 2020-10-29 | 2024-07-30 | 富联裕展科技(深圳)有限公司 | User permission management method, electronic apparatus, and storage medium |
| CN112752300B (zh) * | 2020-12-29 | 2022-09-20 | 锐捷网络股份有限公司 | Method and apparatus for implementing local breakout |
| CN113973302B (zh) * | 2021-09-15 | 2024-07-09 | 杭州阿里云飞天信息技术有限公司 | Data identification method, device, storage medium, and communication system |
| CN114022331A (zh) * | 2021-10-15 | 2022-02-08 | 金茂数字科技有限公司 | Intelligent IoT data platform |
| CN114285819A (zh) * | 2021-12-29 | 2022-04-05 | 深圳市共进电子股份有限公司 | Method and apparatus for guest network access to an intranet, computer device, and medium |
| CN119579214B (zh) * | 2024-11-21 | 2025-09-30 | 深圳市迈戈科技股份有限公司 | Comprehensive data processing method for an e-commerce ecosystem management system |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101841886A (zh) * | 2010-04-15 | 2010-09-22 | 中兴通讯股份有限公司 | LIPA data flow transmission method and system |
| CN101990313A (zh) * | 2009-08-06 | 2011-03-23 | 中兴通讯股份有限公司 | Method for implementing local IP access control, notification method, and system |
| CN102056142A (zh) * | 2009-11-09 | 2011-05-11 | 中兴通讯股份有限公司 | Method and system for establishing a local IP access downlink data channel |
| CN102172078A (zh) * | 2008-10-01 | 2011-08-31 | 爱立信电话股份有限公司 | Method for enabling a home base station to select between local and remote transmission of uplink data packets |
| CN102932953A (zh) * | 2012-09-20 | 2013-02-13 | 中国联合网络通信集团有限公司 | PDP context activation method, device, and system |
Family Cites Families (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US9008055B2 (en) * | 2004-04-28 | 2015-04-14 | Kdl Scan Designs Llc | Automatic remote services provided by a home relationship between a device and a server |
| US8856387B2 (en) * | 2008-04-24 | 2014-10-07 | Qualcomm Incorporated | Local IP access scheme |
| CN101932074B (zh) * | 2009-06-25 | 2013-01-23 | 华为技术有限公司 | Control method and apparatus for local IP access of a home base station |
| CN101616076B (zh) * | 2009-07-28 | 2013-01-23 | 武汉理工大学 | Fine-grained network access control method based on user connection information |
| WO2011069092A1 (fr) * | 2009-12-04 | 2011-06-09 | Interdigital Patent Holdings, Inc. | Extended local IP access for a convergence gateway in a hybrid network |
| US20130003698A1 (en) * | 2011-07-01 | 2013-01-03 | Interdigital Patent Holdings, Inc. | Method and apparatus for managing service continuity |
| CN102281337A (zh) * | 2011-07-29 | 2011-12-14 | 赛尔网络有限公司 | Destination address access control method and system |
| CN104168165B (zh) * | 2014-07-02 | 2017-11-17 | 北京交通大学 | Access control method and apparatus based on a GPRS network and an integrated identifier network |
2016
- 2016-09-13 CN CN201610822884.8A patent/CN107819732B/zh active Active
2017
- 2017-09-06 WO PCT/CN2017/100636 patent/WO2018050007A1/fr not_active Ceased
Cited By (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US11310758B2 (en) | 2018-04-05 | 2022-04-19 | Samsung Electronics Co., Ltd. | Method and apparatus for providing local area data network service based on non-subscription model in wireless communication system |
| RU2777722C2 (ru) * | 2018-04-05 | 2022-08-08 | Самсунг Электроникс Ко., Лтд. | Method and apparatus for providing local area data network service based on non-subscription model in wireless communication system |
| US11792760B2 (en) | 2018-04-05 | 2023-10-17 | Samsung Electronics Co., Ltd. | Method and apparatus for providing local area data network service based on non-subscription model in wireless communication system |
| CN109889381A (zh) * | 2019-02-18 | 2019-06-14 | 国家计算机网络与信息安全管理中心 | Bastion-host-based automated configuration management method and apparatus |
| CN109889381B (zh) * | 2019-02-18 | 2022-03-18 | 国家计算机网络与信息安全管理中心 | Bastion-host-based automated configuration management method and apparatus |
| CN112105074A (zh) * | 2019-06-17 | 2020-12-18 | 中国移动通信集团浙江有限公司 | MEC-based access traffic offloading system and method |
| CN111885219A (zh) * | 2020-07-28 | 2020-11-03 | 杭州迪普科技股份有限公司 | Communication method and apparatus based on SIP media negotiation, and NAT device |
| CN111885219B (zh) * | 2020-07-28 | 2023-04-07 | 杭州迪普科技股份有限公司 | Communication method and apparatus based on SIP media negotiation, and NAT device |
| CN116192411A (zh) * | 2021-11-26 | 2023-05-30 | 千寻位置网络有限公司 | Reference station network, and method and apparatus for secure public-network access of reference station network nodes |
Also Published As
| Publication number | Publication date |
|---|---|
| CN107819732B (zh) | 2021-07-13 |
| CN107819732A (zh) | 2018-03-20 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 17850209 Country of ref document: EP Kind code of ref document: A1 |
| | NENP | Non-entry into the national phase | Ref country code: DE |
| | 122 | Ep: pct application non-entry in european phase | Ref document number: 17850209 Country of ref document: EP Kind code of ref document: A1 |