WO2015196441A1 - Configuration file acquisition method, apparatus and system - Google Patents
Configuration file acquisition method, apparatus and system Download PDFInfo
- Publication number
- WO2015196441A1 WO2015196441A1 PCT/CN2014/080926 CN2014080926W WO2015196441A1 WO 2015196441 A1 WO2015196441 A1 WO 2015196441A1 CN 2014080926 W CN2014080926 W CN 2014080926W WO 2015196441 A1 WO2015196441 A1 WO 2015196441A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- configuration file
- tftp
- cmts
- device certificate
- server
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Ceased
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/50—Address allocation
- H04L61/5007—Internet protocol [IP] addresses
- H04L61/5014—Internet protocol [IP] addresses using dynamic host configuration protocol [DHCP] or bootstrap protocol [BOOTP]
Definitions
- the present invention relates to the field of communications, and in particular, to a method, an apparatus, and a system for acquiring a configuration file.
- FIG. 1 is a schematic diagram of the system architecture of the DOCSIS (Data Over Cable Service Interface Specification).
- the service delivery system includes a server such as a DHCP (Dynamic Host Configuration Protocol) server and a TFTP (Trivial File Transfer Protocol) server.
- a server such as a DHCP (Dynamic Host Configuration Protocol) server and a TFTP (Trivial File Transfer Protocol) server.
- the configuration file of the CM is deployed on the TFTP server.
- the CM needs to obtain the IP (Internet Protocol) address and the TFTP server from the DHCP server through the DHCP protocol.
- the address and the file name of the configuration file are used.
- the configuration file corresponding to the file name is obtained from the TFTP server corresponding to the address of the TFTP server using the TFTP protocol, and the configuration file is configured by using the obtained configuration file.
- the DOCSIS protocol supports several authentication methods:
- the CM is authenticated by the TFTP server. Specifically, the CM carries the IP address or MAC (Media Access Control) address of the CM when sending the TFTP request message to the TFTP server. The TFTP server uses the IP address in the TFTP request message. The address or MAC address verifies the CM.
- IP address or MAC Media Access Control
- the CM is verified by the CMTS. Specifically, the CMTS (Cable Modem Termination System) receives the TFTP request message from the CM, and uses the IP address or MAC address in the TFTP request message to legally apply to the CM. Sexual verification.
- CMTS Cable Modem Termination System
- An embodiment of the present invention provides a method for acquiring a configuration file in a DOCSIS system, including:
- the CMTS receives a DHCP response message sent by the DHCP server to the CM, where the DHCP response message carries a configuration file name identifying a configuration file of the CM, an IP address assigned to the CM, and an address of a TFTP server storing the configuration file.
- the CMTS replaces the address information of the TFTP server in the DHCP response message with the address information of the CMTS, and sends the address information to the CM;
- the CMTS requests the TFTP server to deliver the configuration file
- the CMTS receives a TFTP request message from the CM, where the TFTP request message carries the configuration file name and the device certificate of the CM; after the verification is passed, the configuration file is sent to the CM.
- An embodiment of the present invention provides a method for acquiring a configuration file in a DOCSIS system, including:
- the CM requests an IP address from the DHCP server, and receives a DHCP response message of the DHCP server, where the DHCP response message carries a configuration file name identifying the configuration file, an assigned IP address, and an address information identifying the TFTP server.
- the CM sends a TFTP request message to the TFTP server, where the TFTP request message carries the configuration file name and the device certificate of the CM, where the device certificate of the CM is used by the TFTP server to Verify the legality of the CM; and
- the CM receives a TFTP response message from the TFTP server, and the TFTP response message carries the configuration file.
- An embodiment of the present invention provides a CMTS, including: a network side interface, configured to receive a DHCP response message sent by the DHCP server to the CM, where the DHCP response message carries a configuration file name identifying a configuration file of the CM, an IP address assigned to the CM, and an address identifying the TFTP server. And sending, to the TFTP server, the configuration file according to the address information;
- a first processing unit configured to replace the address information of the TFTP server in the DHCP response message with the address information of the CMTS, and send the information to the CM through a user-side interface
- the user side interface is configured to receive a TFTP request message from the CM, where the TFTP request message carries the configuration file name and a device certificate of the CM;
- a second processing unit configured to verify validity of the CM by using a device certificate of the CM; and send the configuration file to the CM through the user side interface after the verification is passed.
- An embodiment of the present invention provides a CM, including:
- a first network side interface configured to receive a DHCP response message from the network side, where the DHCP response message carries a configuration file name identifying a configuration file of the CM, an IP address assigned to the CM, and an identifier to store the configuration Address information of the network device of the file;
- a processing unit configured to generate a TFTP request message, where the TFTP request message uses the address information as a destination address, and carries the configuration file name and a device certificate of the CM;
- a second network side interface configured to send the TFTP request message to the network device
- a DOCSIS system including a TFTP server, a CMTS, and a CM, where the CM passes the CMTS Connected to the TFTP server;
- the CMTS is configured to receive a DHCP response message sent by the DHCP server to the CM, where the DHCP response message carries a configuration file name identifying a configuration file of the CM, an IP address assigned to the CM, and the TFTP Address information of the server; the address information of the TFTP server in the DHCP response message is replaced with the address information of the CMTS, and then sent to the CM; the TFTP server is requested to deliver the configuration file; a TFTP request message of the CM, where the TFTP request message carries the configuration file name and a device certificate of the CM; verifying the legality of the CM by using the device certificate of the CM; The configuration file is sent to the CM.
- the CM carries its own device in the TFTP request message Certificates, because each CM is shipped with a unique device certificate, the device certificate is used to verify the legality of the CM, so that the legal CM can obtain the configuration file.
- Figure 1 is a schematic diagram of an existing DOCSIS system architecture
- FIG. 2 is a schematic structural diagram of a DOCSIS system according to an embodiment of the present invention.
- FIG. 3 is a flowchart of a method for acquiring a configuration file according to an embodiment of the present invention
- FIG. 4 is a flowchart of a process for negotiating a device certificate and a key option according to an embodiment of the present invention
- FIG. 5 is a schematic diagram of a structure of a CMTS according to an embodiment of the present invention.
- Fig. 6 is a schematic diagram showing the structure of a CM according to an embodiment of the present invention.
- DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS The technical solutions in the embodiments of the present invention will be clearly and completely described in the following with reference to the accompanying drawings. It is apparent that the described embodiments are only a part of the embodiments of the invention, and not all of the embodiments. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present invention are within the scope of the present invention.
- An embodiment of the present invention provides a DOCSIS system, as shown in FIG. 2, including a CMTS 10, a CM 12, and a service delivery system, wherein the service delivery system includes a DHCP server 16 and a TFTP server 18; and the CM 12 can connect to one or more users.
- Device 14, user device 14 may be a PC, a voice terminal, or the like.
- the CM12 After the CM12 goes online, it needs to request the DHCP server 16 to allocate an IP address, and the CM12 sends a DHCP Request Message to the DHCP server 16, and the sent DHCP request message carries the MAC of the CM12 (Media Access Control). , Media Access Control) address.
- the CMTS10 After receiving the DHCP request message, the CMTS10 will send a DHCP request message to the corresponding The DHCP server 16 and the DHCP server 16 assign an IP address to the CM12.
- the assigned rule may be the correspondence between the MAC address and the IP address of the pre-deployed CM, or the IP address may be assigned to the CM12 from the corresponding IP address pool. Wait.
- the DHCP server 16 carries the assigned IP address, the configuration file name required by the CM12, and the address information of the TFTP server storing the configuration file in a DHCP Response Message (DHCP Response Message) to the CM12.
- the address information of the TFTP server may be an IP address of the TFTP server.
- the CMTS 10 After receiving the DHCP response message from the DHCP server 16, the CMTS 10 can obtain two ways to enable the CM 12 to obtain the configuration file:
- the CMTS 10 modifies the address information of the TFTP server in the DHCP response message to its own address, and sends the modified DHCP response message to the CM12.
- the CM12 since the address information of the TFTP server in the DHCP response message is the address of the CMTS 10, the CM12 sends a TFTP request message to the CMTS 10 after receiving the DHCP response message, and the TFTP request message carries the DHCP response message.
- the CMTS 10 sends a corresponding configuration file.
- the TFTP request message sent by the CMTS 10 may be a TFTP Request message, or may be a TFTP protocol message with similar functions.
- the CMTS 10 sends a TFTP request message to the TFTP server 18 as a proxy of the CM12, requesting the delivery of the configuration file of the CM12.
- the specific procedure of the CMTS 10 requesting the configuration of the CM12 to the TFTP server 18 may be performed before the TFTP request message of the CM12 is received, or after the TFTP request message of the CM12 is received, the specific sequence is not limited in this embodiment.
- the CMTS 10 After receiving the TFTP request message from the CM12, the CMTS 10 verifies the validity of the CM12, and sends the configuration file to the CM12 after the verification is passed.
- the process of requesting the CMTS 10 to send the configuration file of the CM12 to the TFTP server 18 may be that the CMTS 10 sends a TFTP request message to the TFTP server 18, where the sent TFTP request message carries the configuration file name of the CM12, to which TFTP server
- the sending TFTP request message may be determined by the address information of the TFTP server in the received DHCP response message.
- the CMTS 10 can verify the legality of the CM12 in a variety of ways.
- the TFTP request message sent by the CM12 carries the device certificate of the CM12 and the configuration file name, and may also carry the MAC address and the IP address of the CM12.
- the sent TFTP request message may be a TFTP Request message, or may be It is another TFTP protocol message with similar functions. Since the device certificate can uniquely identify a CM, as a means of verification, the CMTS10 A device certificate list may be saved for authenticating the CM. After receiving the TFTP request message of the CM12, the CMTS10 determines whether the device certificate in the message exists in the list. If it exists, the CM12 is legal, otherwise It is illegal.
- the CMTS 10 can also store the correspondence between the MAC address of the CM12 and the device certificate.
- the MAC address of the CM12 can be obtained from the process of requesting the IP address from the CM12 to the DHCP server 16, for example, sending from the CM12. Obtained from the DHCP request message of the DHCP server 16, or obtained from the DHCP response message sent by the DHCP server 16 to the CM12.
- the MAC address and the device certificate can be extracted from the TFTP request message, and the two are compared. If they are consistent, the CM12 is legal. Otherwise it is illegal.
- the CMTS 10 may verify the validity of the CM12 by comparing the MAC address in the device certificate with the MAC address in the DHCP response message or the MAC address in the TFTP request message. Comparison, if consistent, indicates that the CM is legal, otherwise it is illegal.
- the CMTS10 can also directly authenticate the device certificate in the TFTP request message by using the pre-deployed root certificate and the CA (Certificate Authority) certificate.
- the root certificate and CA certificate can be deployed on the CMTS 10 or independently of the CMTS 10.
- the CMTS10 After the CMTS10 verifies the legality of the CM12, if it passes, the corresponding configuration file is sent to the CM12.
- the CMTS 10 forwards the DHCP response message to the CM12.
- the CM12 interacts with the corresponding TFTP server according to the address information of the TFTP server in the DHCP response message to obtain a configuration file.
- the TFTP request message sent by the CM12 to the TFTP server 18 carries the configuration file name and the device certificate of the CM12, and may also carry the MAC address and IP address of the CM12.
- the TFTP server 18 authenticates the legality of the CM12, and sends the corresponding configuration file to the CM12 after the authentication is passed.
- the process of authenticating the legality of the CM 12 by the TFTP server 18 is similar to that of the CMTS 10 except that the execution subject is different and will not be described here. After verifying the legality of the CM, it can ensure that the legal CM obtains the configuration file to avoid being stolen by the illegal CM.
- the embodiment of the present invention can encrypt the configuration file in the process of configuration file transmission, and decrypt the CM to improve the security of the configuration file transmission process.
- the TFTP server/CMTS uses the set encryption algorithm to calculate the MAC address and/or IP address of the CM, obtains the encryption key, encrypts the configuration file with the encryption key, and the CM receives the TFTP response message. After that, the configuration file is decrypted by using the set decryption algorithm to obtain a configuration file.
- the TFTP server/CMTS calculates the password, the MAC address and/or the IP address of the CM based on the set key generation algorithm to obtain the encryption key, and uses the encryption key.
- the configuration file is encrypted, and the configuration file is decrypted by the CM using a set password and a decryption algorithm to obtain a configuration file.
- the TFTP server/CMTS and the CM perform a key exchange before transmitting the configuration file.
- the TFTP server/CMTS is based on the set key exchange algorithm (eg The DH key exchange algorithm generates a shared encryption key.
- the TFTP server/CMTS encrypts the configuration file by using an encryption key, and the CM decrypts the configuration file by using an encryption key.
- the above encryption method can also be used in the process of authenticating the CM transmission device certificate, and the CMTS/TFTP server decrypts the device certificate of the CM to verify the legality of the CM.
- the CM carries its own device certificate in the TFTP request message. Since each CM carries a unique device certificate when it leaves the factory, the device certificate is used to verify the legality of the CM, which can ensure legality.
- the CM gets the configuration file. In the transmission process of the configuration file, the configuration file is encrypted and decrypted by the CM, which can further improve the security of the configuration file transmission.
- An embodiment of the present invention provides a configuration file obtaining method in a DOCSIS system, in which a CMTS is used as a proxy to download a configuration file of a CM from a TFTP server, and the legality of the CM is performed after receiving a TFTP request message of the CM. After the verification is passed, the configuration file is sent to the CM, as shown in Figure 3.
- Step S300 The CMTS forwards the DHCP response message of the DHCP server to the CM.
- the CMTS sends a DHCP request message to the DHCP server to request the DHCP server to assign an IP address.
- the DHCP request message carries the MAC address of the CM.
- the DHCP server assigns the IP address corresponding to the MAC address to the pre-planning.
- the CM sends the assigned IP address to the CM in the DHCP response message, and also carries the configuration file name of the CM configuration file and the address information of the TFTP server storing the configuration file in the DHCP response message.
- the CMTS After receiving the DHCP response message, the CMTS can save the contents of the DHCP response message and forward the DHCP response message to the CM.
- the content saved by the CMTS may be the configuration file name, the address information of the TFTP server, and the MAC address and/or IP address of the CM.
- Step S302 The CMTS sends a TFTP request message to the TFTP server, requesting the configuration file of the CM to be delivered.
- the CMTS proxy CM sends a TFTP request message to the TFTP server, requesting the TFTP server to deliver the CM configuration file.
- the TFTP request message sent by the CMTS carries the configuration file name in the DHCP response message. After receiving the TFTP request message, the TFTP server sends the corresponding configuration file to the CMTS.
- Step S304 The CMTS receives the TFTP request message of the CM, and verifies the validity of the CM.
- the TFTP request message sent by the CM carries the configuration file name and the device certificate of the CM, and the CMTS can use the device certificate of the CM to verify the CM. How to verify the foregoing embodiment has been described, and is not described herein.
- steps S302 and S304 in this embodiment are not limited in sequence.
- Step S306 the verification is passed, and the CMTS sends the configuration file to the CM.
- the CMTS can send the configuration file to the CM through the TFTP response message.
- the configuration file can be encrypted, and the configuration file is decrypted by the CM.
- the specific encryption and decryption process is described in the system embodiment.
- the TFTP request message of the CM can also be implemented by using a series of packets specified by the TFTP protocol, such as RRQ (Read Request), OACK (Option Acknowledge), Data, ACK (Acknowledge, Response). ), as well as ERROR and so on.
- the CM can negotiate the authentication mode with the CMTS through these packets.
- the CM If the CM is implemented through a series of packets specified by the TFTP protocol, the CM needs to extend the packets to carry the device certificate of the CM. If you need to make a configuration file Encryption, you need to further extend this part of the packet to carry the key option.
- the following takes the device certificate and key option that carries the CM as an example. As shown in Figure 4, it includes:
- Step S400 The CMTS receives the RRQ of the CM.
- the RRQ of the CM carries the configuration file name.
- the certificate authentication and encryption options are added.
- the RRQ carrying the certificate authentication and encryption options can be as shown in Table 1:
- Step S402 The CMTS sends an OACK to the CM according to the processing result of the RRQ.
- the Option is returned in the OACK packet. If not, the Option is omitted. The Option is not carried in the OACK packet.
- the CMTS needs to respond to the OACK carrying the new Option, as shown in Table 2:
- Step S404 receiving an OPT of the CM.
- the CM After receiving the OACK packet, the CM sends an OPT if it needs to send the device certificate and the negotiated key. Otherwise, it responds with ACK 0.
- the OPT belongs to the newly added packet, and the OPT carrying the device certificate of the CM may be as shown in Table 3:
- the OPT of the device certificate and the secret item carrying the CM at the same time can be as shown in Table 4: Step S406, the CMTS sends the OPT.
- the CMTS After receiving the OPT packet sent by the CM, the CMTS verifies the device certificate of the CM if it receives the complete device certificate. If the verification fails, the CM will respond with ERROR, and the ERROR message will be used to inform the specific cause of the failure. The verification succeeds in responding to the CM with an OPT message. For the key exchange scenario, the OPT message in response to the CM also needs to send the server's public key to the CM. An example is shown in Table 5:
- the CMTS completes the verification process for the CM, and subsequently encrypts the configuration file with the negotiated key and sends it to the CM.
- the method provided in this embodiment is to verify the validity of the CM by the CMTS.
- the DHCP response message is directly forwarded to the CM by the CMTS, and the address information of the TFTP server is not modified, so that the CM is followed. Will interact with the TFTP server to get the configuration file.
- the TFTP server verifies the legality of the CM by using the device certificate of the CM. For the specific process, refer to the related description of the CMTS in the previous embodiment.
- the CM carries its own device certificate in the TFTP request message. Since each CM carries a unique device certificate when it leaves the factory, the device certificate is used to verify the legality of the CM, and the legal CM can be guaranteed. Get the configuration file.
- the configuration file is encrypted during the transmission of the configuration file and decrypted by the CM, which can further improve the security of the configuration file transmission.
- a CMTS as shown in FIG. 5, including: a network side interface 50, a first processing unit 52, a processing unit 54, and a user side interface 56.
- the network side interface 50 is used to connect to the DHTP server and/or the TFTP server on the network side, and may be a receiver or a module having a receiving function.
- the user side interface 56 is used to connect to the CM, and may be a transceiver or a module having a transceiving function.
- the processing unit 52 and the processing unit 54 can be connected to the network side interface 50 and the user side interface 56 through a series of buses.
- the processing unit 52 and the processing unit 54 can be two independent processors, or can be one processor, or can be One or more processing modules in a processor, and the like.
- the network side interface 50 is configured to receive a DHCP response message sent by the DHCP server to the CM, where the DHCP response message carries a configuration file name identifying the configuration file of the CM, and an IP address allocated to the CM.
- the address and the address information of the TFTP server are determined; and the configuration file is requested to be sent to the TFTP server according to the address information.
- the processing unit 52 is configured to replace the address information of the TFTP server in the DHCP response message with the address information of the CMTS and send the information to the CM through the user side interface 56.
- the processing unit 52 may also not modify the address information of the TFTP server in the DHCP response message. Send the DHCP response message directly to the CM.
- the user side interface 56 is configured to receive a TFTP request message from the CM, where the TFTP request message carries a configuration file name and a device certificate.
- the configuration file is sent to the CM through the user side interface 56.
- the CMTS provided in this embodiment may further include a storage unit 58, which may be used to store a device certificate of a legal CM or a correspondence between a MAC address of a legal CM and a device certificate.
- the processing unit 54 can verify the CM by using the device certificate of the CM. For details on how to verify, refer to the description of the system embodiment.
- the CM carries its own device certificate in the TFTP request message. Since each CM carries a unique device certificate when it leaves the factory, the CMTS can use the device certificate to verify the legality of the CM.
- the CM gets to the configuration file. In the transmission process of the configuration file, the configuration file is encrypted and decrypted by the CM, which can further improve the security of the configuration file transmission.
- an embodiment of the present invention further provides a CM.
- the network includes: a network side interface 60, a processing unit 62, and a network side interface 64.
- the network side interfaces 60 and 64 may be one or more transceivers.
- the processor may be one or more modules having a transceiving function, and the processing unit 62 may be a processor, a processing module in the processor, or the like.
- the network side interface 60 is configured to receive a DHCP response message from the network side, where the DHCP response message carries a configuration file name that identifies a configuration file of the CM, an IP address that is allocated to the CM, and Identifying address information of a network device storing the configuration file; the network device herein may Can be a TFTP server or CMTS.
- the processing unit 62 is configured to generate a TFTP request message, where the TFTP request message uses the address information as a destination address, and carries the configuration file name and the device certificate of the CM.
- the network side interface 64 is configured to send the TFTP request message to the network device.
- the CM provided in this embodiment may add a device certificate to a TFTP request message and send it to a corresponding network device, such as a CMTS or a TFTP server.
- the CM provided in this embodiment may also use the packet specified by the TFTP protocol and the corresponding network device negotiation key option. For details, refer to the description of the foregoing method embodiment.
- the device certificate is used to authenticate the legality of the CM, and the legal CM can obtain the configuration file.
- the program may be stored in a computer readable storage medium, and the storage medium may include: Flash disk, Read-Only Memory (ROM), Random Access Memory (RAM), disk or optical disk.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Small-Scale Networks (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
Description
配置文件的获取方法、 装置和系统 Configuration file acquisition method, device and system
技术领域 Technical field
本发明涉及通信领域, 尤其涉及配置文件的获取方法、 装置和系统。 The present invention relates to the field of communications, and in particular, to a method, an apparatus, and a system for acquiring a configuration file.
背景技术 Background technique
图 1是 DOCSIS ( Data Over Cable Service Interface Specification, 有线数据传 输业务接口规范)的系统架构示意图。其中,业务发放系统包括 DHCP ( Dynamic Host Configuration Protocol, 动态主机配置协议)月良务器、 TFTP ( Trivial File Transfer Protocol, 简单文件传输协议)服务器等服务器。 按照 DOCSIS协议的规 定, CM ( Cable Modem, 电缆调制解调器) 的配置文件部署到 TFTP服务器上, CM要想上线需要先通过 DHCP协议从 DHCP服务器上获取 IP ( Internet Protocol, 因特网协议)地址、 TFTP服务器的地址以及配置文件的文件名等信息, 然后釆 用 TFTP协议从 TFTP服务器的地址对应的 TFTP服务器上获取文件名对应的配置 文件, 并利用获取的配置文件进行配置。 Figure 1 is a schematic diagram of the system architecture of the DOCSIS (Data Over Cable Service Interface Specification). The service delivery system includes a server such as a DHCP (Dynamic Host Configuration Protocol) server and a TFTP (Trivial File Transfer Protocol) server. According to the provisions of the DOCSIS protocol, the configuration file of the CM (Cable Modem) is deployed on the TFTP server. To get online, the CM needs to obtain the IP (Internet Protocol) address and the TFTP server from the DHCP server through the DHCP protocol. The address and the file name of the configuration file are used. Then, the configuration file corresponding to the file name is obtained from the TFTP server corresponding to the address of the TFTP server using the TFTP protocol, and the configuration file is configured by using the obtained configuration file.
在 CM从 TFTP服务器获取配置文件的过程中, TFTP服务器需要对 CM的合法 性进行验证。 DOCSIS协议支持几种验证方式: In the process of the CM obtaining the configuration file from the TFTP server, the TFTP server needs to verify the validity of the CM. The DOCSIS protocol supports several authentication methods:
1、 由 TFTP服务器对 CM进行验证, 具体是由 CM在向 TFTP服务器发送 TFTP 请求消息时携带 CM的 IP地址或者 MAC ( Media Access Control, 媒体访问控制) 地址, TFTP服务器利用 TFTP请求消息中的 IP地址或者 MAC地址对 CM进行验证。 1. The CM is authenticated by the TFTP server. Specifically, the CM carries the IP address or MAC (Media Access Control) address of the CM when sending the TFTP request message to the TFTP server. The TFTP server uses the IP address in the TFTP request message. The address or MAC address verifies the CM.
2、 由 CMTS对 CM进行验证, 具体是由 CMTS ( Cable Modem Termination System, 线缆调制解调器终端系统)在收到 CM的 TFTP请求消息时, 利用 TFTP 请求消息中的 IP地址或者 MAC地址对 CM的合法性进行验证。 2. The CM is verified by the CMTS. Specifically, the CMTS (Cable Modem Termination System) receives the TFTP request message from the CM, and uses the IP address or MAC address in the TFTP request message to legally apply to the CM. Sexual verification.
然而现在的几种验证方式, 不管是由 TFTP服务器来对 CM进行验证还是由 CMTS来对 CM进行验证, 获取配置文件的过程都存在很大的安全隐患, 主要是 因为 CM的 IP地址和 MAC地址比较容易伪造, 非法的 CM可以伪造合法 CM的 IP 地址和 MAC地址, 利用伪造的 IP地址或者 MAC地址向 TFTP服务器获取到合法 CM的配置文件。 虽然当前有相对安全的传输协议, 如 SFTP ( Secure File Transfer Protocol, 安全文件传输协议)等,但是如果在现有的 DOCSIS系统中直接部署 SFTP服务器, 需要修改其他的服务器, 如 DHCP服务器等, 还需要更改 CMTS的配置, 会影响 现有 DOCSIS系统的兼容性, 对现有 DOCSIS系统改动较大。 However, there are several verification methods, whether it is the TFTP server to verify the CM or the CMTS to verify the CM. The process of obtaining the configuration file has a great security risk, mainly because of the IP address and MAC address of the CM. It is easier to forge. An illegal CM can forge the IP address and MAC address of the legal CM, and obtain the configuration file of the legal CM from the TFTP server by using the forged IP address or MAC address. Although there are currently relatively secure transmission protocols, such as SFTP (Secure File Transfer Protocol), if you deploy an SFTP server directly in an existing DOCSIS system, you need to modify other servers, such as DHCP servers. The need to change the configuration of the CMTS will affect the compatibility of the existing DOCSIS system, and the existing DOCSIS system will be greatly modified.
因此, 如何在不影响现有 DOCSIS系统的前提下保证合法 CM的配置文件不 被非法 CM窃用、 提高网络安全就显得尤为重要了。 Therefore, it is especially important to ensure that the legal CM configuration files are not stolen by illegal CMs and improve network security without affecting the existing DOCSIS system.
发明内容 Summary of the invention
本发明一个实施例提供一种 DOCSIS系统中的配置文件获取方法, 包括: An embodiment of the present invention provides a method for acquiring a configuration file in a DOCSIS system, including:
CMTS接收 DHCP服务器发送给 CM的 DHCP响应消息, 所述 DHCP响应消息 携带有标识所述 CM的配置文件的配置文件名、 分配给所述 CM的 IP地址以及存 储所述配置文件的 TFTP服务器的地址信息; The CMTS receives a DHCP response message sent by the DHCP server to the CM, where the DHCP response message carries a configuration file name identifying a configuration file of the CM, an IP address assigned to the CM, and an address of a TFTP server storing the configuration file. Information
所述 CMTS将所述 DHCP响应消息中的所述 TFTP服务器的地址信息替换成 所述 CMTS的地址信息后发送给所述 CM; The CMTS replaces the address information of the TFTP server in the DHCP response message with the address information of the CMTS, and sends the address information to the CM;
所述 CMTS向所述 TFTP服务器请求下发所述配置文件; The CMTS requests the TFTP server to deliver the configuration file;
所述 CMTS接收来自所述 CM的 TFTP请求消息, 所述 TFTP请求消息携带有 所述配置文件名以及所述 CM的设备证书; 验证通过后将所述配置文件发送给所述 CM。 The CMTS receives a TFTP request message from the CM, where the TFTP request message carries the configuration file name and the device certificate of the CM; after the verification is passed, the configuration file is sent to the CM.
本发明一个实施例提供一种 DOCSIS系统中的配置文件获取方法, 包括: An embodiment of the present invention provides a method for acquiring a configuration file in a DOCSIS system, including:
CM向 DHCP服务器请求 IP地址, 接收所述 DHCP服务器的 DHCP响应消息, 所述 DHCP响应消息携带有标识配置文件的配置文件名、 分配的 IP地址以及标识 TFTP服务器的地址信息; The CM requests an IP address from the DHCP server, and receives a DHCP response message of the DHCP server, where the DHCP response message carries a configuration file name identifying the configuration file, an assigned IP address, and an address information identifying the TFTP server.
所述 CM向所述 TFTP服务器发送 TFTP请求消息, 所述 TFTP请求消息携带有 所述配置文件名以及所述 CM的设备证书, 其中, 所述 CM的设备证书用于所述 TFTP服务器对所述 CM的合法性进行验证; 以及 The CM sends a TFTP request message to the TFTP server, where the TFTP request message carries the configuration file name and the device certificate of the CM, where the device certificate of the CM is used by the TFTP server to Verify the legality of the CM; and
所述 CM接收来自所述 TFTP服务器的 TFTP响应消息, 所述 TFTP响应消 息携带有所述配置文件。 The CM receives a TFTP response message from the TFTP server, and the TFTP response message carries the configuration file.
本发明一个实施例提供一种 CMTS, 包括: 网络侧接口, 用于接收 DHCP服务器发送给 CM的 DHCP响应消息 , 所述 DHCP响应消息携带有标识所述 CM的配置文件的配置文件名、分配给所述 CM的 IP地址以及标识 TFTP服务器的地址信息; 以及根据所述地址信息向所述 TFTP服 务器请求下发所述配置文件; An embodiment of the present invention provides a CMTS, including: a network side interface, configured to receive a DHCP response message sent by the DHCP server to the CM, where the DHCP response message carries a configuration file name identifying a configuration file of the CM, an IP address assigned to the CM, and an address identifying the TFTP server. And sending, to the TFTP server, the configuration file according to the address information;
第一处理单元, 用于将所述 DHCP响应消息中的所述 TFTP服务器的地址信 息替换成所述 CMTS的地址信息后通过用户侧接口发送给所述 CM; a first processing unit, configured to replace the address information of the TFTP server in the DHCP response message with the address information of the CMTS, and send the information to the CM through a user-side interface;
所述用户侧接口, 用于接收来自所述 CM的 TFTP请求消息, 所述 TFTP请求 消息携带有所述配置文件名以及所述 CM的设备证书; The user side interface is configured to receive a TFTP request message from the CM, where the TFTP request message carries the configuration file name and a device certificate of the CM;
第二处理单元, 用于利用所述 CM的设备证书对所述 CM的合法性进行验 证; 以及验证通过后通过所述用户侧接口将所述配置文件发送给所述 CM。 a second processing unit, configured to verify validity of the CM by using a device certificate of the CM; and send the configuration file to the CM through the user side interface after the verification is passed.
本发明一个实施例提供一种 CM, 包括: An embodiment of the present invention provides a CM, including:
第一网络侧接口, 用于接收来自网络侧的 DHCP响应消息, 所述 DHCP响应 消息携带有标识所述 CM的配置文件的配置文件名、 分配给所述 CM的 IP地址以 及标识存储所述配置文件的网络设备的地址信息; a first network side interface, configured to receive a DHCP response message from the network side, where the DHCP response message carries a configuration file name identifying a configuration file of the CM, an IP address assigned to the CM, and an identifier to store the configuration Address information of the network device of the file;
处理单元, 用于生成 TFTP请求消息, 所述 TFTP请求消息以所述地址信息作 为目的地址, 携带有所述配置文件名以及所述 CM的设备证书; a processing unit, configured to generate a TFTP request message, where the TFTP request message uses the address information as a destination address, and carries the configuration file name and a device certificate of the CM;
第二网络侧接口, 用于将所述 TFTP请求消息发送给所述网络设备, 其中, 本发明一个实施例提供一种 DOCSIS系统, 包括 TFTP服务器、 CMTS以及 CM, 其中所述 CM通过所述 CMTS连接到所述 TFTP服务器; a second network side interface, configured to send the TFTP request message to the network device, where an embodiment of the present invention provides a DOCSIS system, including a TFTP server, a CMTS, and a CM, where the CM passes the CMTS Connected to the TFTP server;
所述 CMTS , 用于接收 DHCP服务器发送给所述 CM的 DHCP响应消息, 所述 DHCP响应消息携带有标识所述 CM的配置文件的配置文件名、 分配给所 述 CM的 IP地址以及所述 TFTP服务器的地址信息; 将所述 DHCP响应消息中 的所述 TFTP服务器的地址信息替换成所述 CMTS 的地址信息后发送给所述 CM; 向所述 TFTP服务器请求下发所述配置文件; 接收来自所述 CM的 TFTP 请求消息,所述 TFTP请求消息携带有所述配置文件名以及所述 CM的设备证书; 利用所述 CM的设备证书对所述 CM的合法性进行验证; 以及验证通过后将所 述配置文件发送给所述 CM。 The CMTS is configured to receive a DHCP response message sent by the DHCP server to the CM, where the DHCP response message carries a configuration file name identifying a configuration file of the CM, an IP address assigned to the CM, and the TFTP Address information of the server; the address information of the TFTP server in the DHCP response message is replaced with the address information of the CMTS, and then sent to the CM; the TFTP server is requested to deliver the configuration file; a TFTP request message of the CM, where the TFTP request message carries the configuration file name and a device certificate of the CM; verifying the legality of the CM by using the device certificate of the CM; The configuration file is sent to the CM.
本发明提供的方法、 装置和系统, CM在 TFTP请求消息中携带自己的设备 证书, 由于每个 CM出厂时会携带有唯一的设备证书, 使用设备证书对 CM的 合法性进行验证, 可以保证合法的 CM获取到配置文件。 The method, device and system provided by the invention, the CM carries its own device in the TFTP request message Certificates, because each CM is shipped with a unique device certificate, the device certificate is used to verify the legality of the CM, so that the legal CM can obtain the configuration file.
附图说明 DRAWINGS
述背景技术和实施例时所使用的附图作简单的介绍。 显而易见地, 下面附图中 描述的仅仅是本发明的一部分实施例, 对于本领域普通技术人员来讲, 还可以 根据这些附图和描述得到其他的附图或实施例, 而本发明旨在涵盖所有这些衍 生的附图或实施例。 The drawings used in the background and embodiments are briefly described. Obviously, only a part of the embodiments of the present invention are described in the following drawings, and other drawings or embodiments may be obtained from those of ordinary skill in the art, and the present invention is intended to cover All of these derived figures or embodiments.
图 1为现有的 DOCSIS系统架构示意图; Figure 1 is a schematic diagram of an existing DOCSIS system architecture;
图 2为本发明实施例提供的 DOCSIS系统架构示意图; 2 is a schematic structural diagram of a DOCSIS system according to an embodiment of the present invention;
图 3为本发明实施例提供的配置文件获取方法的流程图; FIG. 3 is a flowchart of a method for acquiring a configuration file according to an embodiment of the present invention;
图 4为本发明实施例提供的设备证书与密匙选项协商过程的流程图; 图 5为本发明实施例 CMTS的结构的示意图; 4 is a flowchart of a process for negotiating a device certificate and a key option according to an embodiment of the present invention; FIG. 5 is a schematic diagram of a structure of a CMTS according to an embodiment of the present invention;
图 6为本发明实施例的 CM的结构的示意图。 具体实施方式 下面将结合附图, 对本发明实施例中的技术方案进行清楚、 完整地描述。 显然, 所描述的实施例仅仅是本发明一部分实施例, 而不是全部的实施例。 基 于本发明中的实施例, 本领域普通技术人员所获得的所有其他实施例, 都属于 本发明保护的范围。 Fig. 6 is a schematic diagram showing the structure of a CM according to an embodiment of the present invention. DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS The technical solutions in the embodiments of the present invention will be clearly and completely described in the following with reference to the accompanying drawings. It is apparent that the described embodiments are only a part of the embodiments of the invention, and not all of the embodiments. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present invention are within the scope of the present invention.
本发明一个实施例提供一种 DOCSIS系统,如图 2所示,包括 CMTS10、CM12、 以及业务发放系统等, 其中业务发放系统包括 DHCP服务器 16以及 TFTP服务器 18等; CM12可以连接一个或多个用户设备 14, 用户设备 14可以是 PC、 语音终端 等。 An embodiment of the present invention provides a DOCSIS system, as shown in FIG. 2, including a CMTS 10, a CM 12, and a service delivery system, wherein the service delivery system includes a DHCP server 16 and a TFTP server 18; and the CM 12 can connect to one or more users. Device 14, user device 14 may be a PC, a voice terminal, or the like.
在图 2中, CM12上线后需要向 DHCP服务器 16请求分配 IP地址, CM12会向 DHCP服务器 16发送的 DHCP请求消息( DHCP Request Message ),所发送的 DHCP 请求消息携带有 CM12的 MAC ( Media Access Control, 媒体访问控制)地址。 In FIG. 2, after the CM12 goes online, it needs to request the DHCP server 16 to allocate an IP address, and the CM12 sends a DHCP Request Message to the DHCP server 16, and the sent DHCP request message carries the MAC of the CM12 (Media Access Control). , Media Access Control) address.
CMTS10接收到 DHCP请求消息后, 会将 DHCP请求消息发送给对应的 DHCP服务器 16, DHCP服务器 16会给 CM12分配一个 IP地址, 分配的规则可以是 预先部署的 CM的 MAC地址与 IP地址的对应关系, 也可以是从对应的 IP地址池中 给 CM12分配一个 IP地址等。 在分配了 IP地址后, DHCP服务器 16会将分配的 IP 地址、 CM12所需的配置文件名以及存储配置文件的 TFTP服务器的地址信息携带 在 DHCP响应消息 ( DHCP Response Message ) 中发送给 CM12。 其中, TFTP服 务器的地址信息可以是 TFTP服务器的 IP地址。 After receiving the DHCP request message, the CMTS10 will send a DHCP request message to the corresponding The DHCP server 16 and the DHCP server 16 assign an IP address to the CM12. The assigned rule may be the correspondence between the MAC address and the IP address of the pre-deployed CM, or the IP address may be assigned to the CM12 from the corresponding IP address pool. Wait. After the IP address is assigned, the DHCP server 16 carries the assigned IP address, the configuration file name required by the CM12, and the address information of the TFTP server storing the configuration file in a DHCP Response Message (DHCP Response Message) to the CM12. The address information of the TFTP server may be an IP address of the TFTP server.
CMTS10接收到 DHCP服务器 16的 DHCP响应消息后, 可以釆取 2种方式来使 得 CM12获取配置文件: After receiving the DHCP response message from the DHCP server 16, the CMTS 10 can obtain two ways to enable the CM 12 to obtain the configuration file:
1 ) CMTS10将 DHCP响应消息中的 TFTP服务器的地址信息修改成自己的地 址, 将修改后的 DHCP响应消息发送给 CM12。 1) The CMTS 10 modifies the address information of the TFTP server in the DHCP response message to its own address, and sends the modified DHCP response message to the CM12.
在这种方式下,由于 DHCP响应消息中的 TFTP服务器的地址信息为 CMTS 10 的地址, 则 CM12收到 DHCP响应消息后会向 CMTS10发送 TFTP请求消息, 该 TFTP请求消息中携带有 DHCP响应消息中的配置文件名,请求 CMTS10下发相应 的配置文件,在本实施例中, CMTS10发送的 TFTP请求消息可以是 TFTP Request Message , 也可以是其他具备类似功能的 TFTP协议消息等。 在这种方式下, CMTS10会作为 CM12的代理向 TFTP服务器 18发送 TFTP请求消息, 请求下发 CM12的配置文件。 CMTS 10向 TFTP服务器 18请求下发 CM12的配置文件的过程 可以是在收到 CM12的 TFTP请求消息之前,也可以是在收到 CM12的 TFTP请求消 息之后,具体顺序本实施例不作限定。 CMTS 10在收到 CM12的 TFTP请求消息后, 会对 CM12的合法性进行验证, 验证通过后会将配置文件下发给 CM12。 In this manner, since the address information of the TFTP server in the DHCP response message is the address of the CMTS 10, the CM12 sends a TFTP request message to the CMTS 10 after receiving the DHCP response message, and the TFTP request message carries the DHCP response message. In the embodiment, the CMTS 10 sends a corresponding configuration file. In this embodiment, the TFTP request message sent by the CMTS 10 may be a TFTP Request message, or may be a TFTP protocol message with similar functions. In this manner, the CMTS 10 sends a TFTP request message to the TFTP server 18 as a proxy of the CM12, requesting the delivery of the configuration file of the CM12. The specific procedure of the CMTS 10 requesting the configuration of the CM12 to the TFTP server 18 may be performed before the TFTP request message of the CM12 is received, or after the TFTP request message of the CM12 is received, the specific sequence is not limited in this embodiment. After receiving the TFTP request message from the CM12, the CMTS 10 verifies the validity of the CM12, and sends the configuration file to the CM12 after the verification is passed.
CMTS 10向 TFTP服务器 18请求下发 CM12的配置文件的过程可以是由 CMTS 10向 TFTP服务器 18发送 TFTP请求消息,所发送的 TFTP请求消息中携带有 CM12的配置文件名, 其中, 向哪个 TFTP服务器发送 TFTP请求消息可以是由收 到的 DHCP响应消息中的 TFTP月良务器的地址信息来确定。 The process of requesting the CMTS 10 to send the configuration file of the CM12 to the TFTP server 18 may be that the CMTS 10 sends a TFTP request message to the TFTP server 18, where the sent TFTP request message carries the configuration file name of the CM12, to which TFTP server The sending TFTP request message may be determined by the address information of the TFTP server in the received DHCP response message.
CMTS 10可以釆用多种方式对 CM12的合法性进行验证。 The CMTS 10 can verify the legality of the CM12 in a variety of ways.
在本发明实施例中, CM12发送的 TFTP请求消息携带有 CM12的设备证书以 及配置文件名, 还可以携带 CM12的 MAC地址、 IP地址等, 所发送的 TFTP请求 消息可以是 TFTP Request Message,也可以是其他具备类似功能的 TFTP协议消息 等。 由于设备证书可以唯一标识一个 CM, 因此, 作为一种验证方式, CMTS10 上可以保存一个设备证书列表, 用于表征合法的 CM, CMTS10在收到 CM12的 TFTP请求消息后, 判断该消息中的设备证书是否存在于该列表中, 如果存在则 表明 CM12是合法的, 否则为非法的。 In the embodiment of the present invention, the TFTP request message sent by the CM12 carries the device certificate of the CM12 and the configuration file name, and may also carry the MAC address and the IP address of the CM12. The sent TFTP request message may be a TFTP Request message, or may be It is another TFTP protocol message with similar functions. Since the device certificate can uniquely identify a CM, as a means of verification, the CMTS10 A device certificate list may be saved for authenticating the CM. After receiving the TFTP request message of the CM12, the CMTS10 determines whether the device certificate in the message exists in the list. If it exists, the CM12 is legal, otherwise It is illegal.
作为另外一种验证方式, CMTS10上还可以保存 CM12的 MAC地址与设备证 书的对应关系, 其中, CM12的 MAC地址可以是从 CM12向 DHCP服务器 16请求 分配 IP地址的过程中获取,比如从 CM12发送给 DHCP服务器 16的 DHCP请求消息 中获取、 或者从 DHCP服务器 16发送给 CM12的 DHCP响应消息中获取等。 有了 CM12的 MAC地址与设备证书的对应关系后, 在收到 CM12的 TFTP请求消息时, 可以从 TFTP请求消息中提取 MAC地址与设备证书, 将两者比较, 若一致则表明 CM12是合法的, 否则为非法的。 As another verification method, the CMTS 10 can also store the correspondence between the MAC address of the CM12 and the device certificate. The MAC address of the CM12 can be obtained from the process of requesting the IP address from the CM12 to the DHCP server 16, for example, sending from the CM12. Obtained from the DHCP request message of the DHCP server 16, or obtained from the DHCP response message sent by the DHCP server 16 to the CM12. After the correspondence between the MAC address of the CM12 and the device certificate, when receiving the TFTP request message of the CM12, the MAC address and the device certificate can be extracted from the TFTP request message, and the two are compared. If they are consistent, the CM12 is legal. Otherwise it is illegal.
如果设备证书本身携带有 MAC地址, 则 CMTS 10对 CM12的合法性进行验证 还可以是将设备证书中的 MAC地址与 DHCP响应消息中的 MAC地址进行比较、 或者和 TFTP请求消息中的 MAC地址进行比较, 如果一致则表明所述 CM是合法 的, 否则为非法的。 If the device certificate itself carries the MAC address, the CMTS 10 may verify the validity of the CM12 by comparing the MAC address in the device certificate with the MAC address in the DHCP response message or the MAC address in the TFTP request message. Comparison, if consistent, indicates that the CM is legal, otherwise it is illegal.
当然了, CMTS10也可以直接利用预部署的根证书和 CA ( Certificate Authority, 证书颁发中心)证书对 TFTP请求消息中的设备证书进行认证。 根证 书和 CA证书可以是部署在 CMTS 10上, 也可以独立于 CMTS 10。 Of course, the CMTS10 can also directly authenticate the device certificate in the TFTP request message by using the pre-deployed root certificate and the CA (Certificate Authority) certificate. The root certificate and CA certificate can be deployed on the CMTS 10 or independently of the CMTS 10.
CMTS10在对 CM12的合法性进行验证后, 如果通过则将对应的配置文件下 发给 CM12。 After the CMTS10 verifies the legality of the CM12, if it passes, the corresponding configuration file is sent to the CM12.
2 ) CMTS10将 DHCP响应消息转发给 CM12。 2) The CMTS 10 forwards the DHCP response message to the CM12.
在这种方式下, CM12会按照 DHCP响应消息中的 TFTP服务器的地址信息和 对应的 TFTP服务器进行交互, 从而获取配置文件。 In this manner, the CM12 interacts with the corresponding TFTP server according to the address information of the TFTP server in the DHCP response message to obtain a configuration file.
在本发明实施例中, CM12向 TFTP服务器 18发送的 TFTP请求消息携带有配 置文件名以及 CM12的设备证书, 还可以携带 CM12的 MAC地址和 IP地址等。 TFTP服务器 18会对 CM12的合法性进行认证,认证通过后会将对应的配置文件发 送给 CM12。 TFTP服务器 18对 CM12的合法性进行认证的过程和 CMTS10类似, 只是执行主体不一样, 在此不再阐述。 经过上述对 CM的合法性进行验证后, 能保障合法的 CM获取到配置文件, 避免被非法 CM盗用。 而为了进一步加强安全性, 本发明实施例还可以在配置文 件传输的过程中对配置文件进行加密, 由 CM进行解密, 从而提高配置文件传输 过程的安全性。 In the embodiment of the present invention, the TFTP request message sent by the CM12 to the TFTP server 18 carries the configuration file name and the device certificate of the CM12, and may also carry the MAC address and IP address of the CM12. The TFTP server 18 authenticates the legality of the CM12, and sends the corresponding configuration file to the CM12 after the authentication is passed. The process of authenticating the legality of the CM 12 by the TFTP server 18 is similar to that of the CMTS 10 except that the execution subject is different and will not be described here. After verifying the legality of the CM, it can ensure that the legal CM obtains the configuration file to avoid being stolen by the illegal CM. In order to further enhance the security, the embodiment of the present invention can encrypt the configuration file in the process of configuration file transmission, and decrypt the CM to improve the security of the configuration file transmission process.
加密解密的方式可以有多种,比如在 TFTP服务器 /CMTS和 CM之间设定加密 There are many ways to encrypt and decrypt, such as setting encryption between TFTP server / CMTS and CM.
/解密算法, 由 TFTP服务器 /CMTS釆用设定的加密算法对 CM的 MAC地址和 /或 IP 地址进行计算,得到加密密匙,利用加密密匙对配置文件进行加密, CM收到 TFTP 响应消息后, 利用设定的解密算法对配置文件进行解密, 从而得到配置文件。 / decryption algorithm, the TFTP server/CMTS uses the set encryption algorithm to calculate the MAC address and/or IP address of the CM, obtains the encryption key, encrypts the configuration file with the encryption key, and the CM receives the TFTP response message. After that, the configuration file is decrypted by using the set decryption algorithm to obtain a configuration file.
也可以在 TFTP服务器 /CMTS和 CM之间设定密码, TFTP服务器 /CMTS基于 设定的密匙生成算法将密码、 CM的 MAC地址和 /或 IP地址进行计算得到加密密 匙, 利用加密密匙对配置文件进行加密, 由 CM釆用设定密码和解密算法对配置 文件进行解密, 从而得到配置文件。 It is also possible to set a password between the TFTP server/CMTS and the CM. The TFTP server/CMTS calculates the password, the MAC address and/or the IP address of the CM based on the set key generation algorithm to obtain the encryption key, and uses the encryption key. The configuration file is encrypted, and the configuration file is decrypted by the CM using a set password and a decryption algorithm to obtain a configuration file.
还可以在 TFTP服务器 /CMTS和 CM之间设置一对密匙对, 由 TFTP服务器 /CMTS和 CM在传输配置文件之前进行一次密匙交换, TFTP服务器 /CMTS基于设 定的密匙交换算法 (如 DH密匙交换算法) 生成共享的加密密匙, TFTP服务器 /CMTS利用加密密匙对配置文件进行加密, CM利用加密密匙对配置文件进行解 密。 It is also possible to set a pair of key pairs between the TFTP server/CMTS and the CM. The TFTP server/CMTS and the CM perform a key exchange before transmitting the configuration file. The TFTP server/CMTS is based on the set key exchange algorithm (eg The DH key exchange algorithm generates a shared encryption key. The TFTP server/CMTS encrypts the configuration file by using an encryption key, and the CM decrypts the configuration file by using an encryption key.
上述加密方式还可以用在 CM传输设备证书进行认证的过程中, 由 CMTS/TFTP服务器解密后提取 CM的设备证书, 对 CM的合法性进行验证。 The above encryption method can also be used in the process of authenticating the CM transmission device certificate, and the CMTS/TFTP server decrypts the device certificate of the CM to verify the legality of the CM.
本发明实施例所提供的系统, CM在 TFTP请求消息中携带自己的设备证书, 由于每个 CM出厂时会携带有唯一的设备证书, 使用设备证书对 CM的合法性进 行验证, 可以保证合法的 CM获取到配置文件。 而在配置文件的传输过程中对配 置文件进行加密, 由 CM解密, 可以进一步提高配置文件传输的安全性。 本发明一个实施例提供一种 DOCSIS系统中的配置文件获取方法, 在该方法 中, 由 CMTS作为代理从 TFTP服务器下载 CM的配置文件, 在收到 CM的 TFTP请 求消息后对 CM的合法性进行验证, 验证通过后将配置文件下发给 CM, 如图 3所 示, 具体包括: In the system provided by the embodiment of the present invention, the CM carries its own device certificate in the TFTP request message. Since each CM carries a unique device certificate when it leaves the factory, the device certificate is used to verify the legality of the CM, which can ensure legality. The CM gets the configuration file. In the transmission process of the configuration file, the configuration file is encrypted and decrypted by the CM, which can further improve the security of the configuration file transmission. An embodiment of the present invention provides a configuration file obtaining method in a DOCSIS system, in which a CMTS is used as a proxy to download a configuration file of a CM from a TFTP server, and the legality of the CM is performed after receiving a TFTP request message of the CM. After the verification is passed, the configuration file is sent to the CM, as shown in Figure 3.
步骤 S300、 CMTS转发 DHCP服务器的 DHCP响应消息给 CM。 CM上电后会通过 CMTS向 DHCP服务器发送 DHCP请求消息, 请求 DHCP服 务器分配 IP地址, DHCP请求消息中会携带有 CM的 MAC地址, DHCP服务器会 按照预先的规划将 MAC地址对应的 IP地址分配给 CM, 将分配的 IP地址携带在 DHCP响应消息中发送给 CM, 同时在 DHCP响应消息中还携带有 CM的配置文件 的配置文件名以及存储该配置文件的 TFTP服务器的地址信息等。 Step S300: The CMTS forwards the DHCP response message of the DHCP server to the CM. After the CM is powered on, the CMTS sends a DHCP request message to the DHCP server to request the DHCP server to assign an IP address. The DHCP request message carries the MAC address of the CM. The DHCP server assigns the IP address corresponding to the MAC address to the pre-planning. The CM sends the assigned IP address to the CM in the DHCP response message, and also carries the configuration file name of the CM configuration file and the address information of the TFTP server storing the configuration file in the DHCP response message.
CMTS收到 DHCP响应消息后, 可以保存 DHCP响应消息中的内容, 将 DHCP 响应消息转发给 CM。 CMTS保存的内容可以是配置文件名、 TFTP服务器的地址 信息和 CM的 MAC地址和 /或 IP地址等。 After receiving the DHCP response message, the CMTS can save the contents of the DHCP response message and forward the DHCP response message to the CM. The content saved by the CMTS may be the configuration file name, the address information of the TFTP server, and the MAC address and/or IP address of the CM.
步骤 S302、 CMTS向 TFTP服务器发送 TFTP请求消息, 请求下发 CM的配置 文件。 Step S302: The CMTS sends a TFTP request message to the TFTP server, requesting the configuration file of the CM to be delivered.
在本实施例中 , CMTS代理 CM向 TFTP服务器发送 TFTP请求消息,请求 TFTP 服务器下发 CM的配置文件。 In this embodiment, the CMTS proxy CM sends a TFTP request message to the TFTP server, requesting the TFTP server to deliver the CM configuration file.
CMTS发送的 TFTP请求消息携带有 DHCP响应消息中的配置文件名, TFTP 服务器收到 TFTP请求消息后, 会将对应的配置文件发送给 CMTS。 The TFTP request message sent by the CMTS carries the configuration file name in the DHCP response message. After receiving the TFTP request message, the TFTP server sends the corresponding configuration file to the CMTS.
步骤 S304、 CMTS接收 CM的 TFTP请求消息, 对 CM的合法性进行验证。 在本实施例中, CM发送的 TFTP请求消息携带有配置文件名以及 CM的设备 证书 , CMTS可以利用 CM的设备证书对 CM进行验证 , 具体如何验证前面实施例 已经描述, 在此不在阐述。 Step S304: The CMTS receives the TFTP request message of the CM, and verifies the validity of the CM. In this embodiment, the TFTP request message sent by the CM carries the configuration file name and the device certificate of the CM, and the CMTS can use the device certificate of the CM to verify the CM. How to verify the foregoing embodiment has been described, and is not described herein.
需要注明的是, 本实施例中的步骤 S302和 S304没有先后顺序的限定。 It should be noted that steps S302 and S304 in this embodiment are not limited in sequence.
步骤 S306、 验证通过, CMTS将配置文件发送给 CM。 Step S306, the verification is passed, and the CMTS sends the configuration file to the CM.
CMTS可以将配置文件通过 TFTP响应消息发送给 CM, 在传输配置文件时, 可以对配置文件进行加密, 由 CM对配置文件进行解密, 具体的加密解密过程在 系统实施例中已经描述。 本实施例中 CM的 TFTP请求消息还可以釆用 TFTP协议规定的一系列报文来 实现, 如 RRQ ( Read Request, 读请求)、 OACK ( Option Acknowledge , 选项应 答)、 Data, ACK ( Acknowledge, 应答)、 以及 ERROR等。 CM可以通过这些报 文与 CMTS协商认证方式, 如果是通过 TFTP协议规定的一系列报文来实现, 则 需要对这些报文进行扩展, 从而携带 CM的设备证书。 如果需要对配置文件进行 加密, 还需要对这部分报文进一步扩展来携带密匙选项, 以下将以携带 CM的设 备证书与密匙选项作为举例, 具体如图 4所示, 包括: The CMTS can send the configuration file to the CM through the TFTP response message. When the configuration file is transmitted, the configuration file can be encrypted, and the configuration file is decrypted by the CM. The specific encryption and decryption process is described in the system embodiment. In this embodiment, the TFTP request message of the CM can also be implemented by using a series of packets specified by the TFTP protocol, such as RRQ (Read Request), OACK (Option Acknowledge), Data, ACK (Acknowledge, Response). ), as well as ERROR and so on. The CM can negotiate the authentication mode with the CMTS through these packets. If the CM is implemented through a series of packets specified by the TFTP protocol, the CM needs to extend the packets to carry the device certificate of the CM. If you need to make a configuration file Encryption, you need to further extend this part of the packet to carry the key option. The following takes the device certificate and key option that carries the CM as an example. As shown in Figure 4, it includes:
步骤 S400、 CMTS接收 CM的 RRQ。 Step S400: The CMTS receives the RRQ of the CM.
CM的 RRQ中携带有配置文件名, 在 RRQ中增加证书认证和加密两种选项, 携带有证书认证和加密选项的 RRQ可以 表 1所示: The RRQ of the CM carries the configuration file name. In the RRQ, the certificate authentication and encryption options are added. The RRQ carrying the certificate authentication and encryption options can be as shown in Table 1:
其中, optl...optN为选项名称, value 1... valueN表示对应的选项值。 Cert、 Encrypt为新增选项的名称, Cert Info、 Encrypt Info表示新增选项的值。 Cert Info 可以携带证书主题等信息, Encrypt Info可以为具体的加密选项 (如加密算法或 者密钥协商算法)。 步骤 S402、 CMTS根据 RRQ的处理结果向 CM发送 OACK。 Where optl...optN is the option name, and value 1... valueN indicates the corresponding option value. Cert, Encrypt are the names of the new options, Cert Info, Encrypt Info indicates the value of the new option. Cert Info can carry information such as certificate subject, and Encrypt Info can be a specific encryption option (such as encryption algorithm or key negotiation algorithm). Step S402: The CMTS sends an OACK to the CM according to the processing result of the RRQ.
如果 CMTS支持 RRQ报文中的 Option选项, 则在 OACK报文中回应 Option选 项, 如果不支持, 则忽略该 Option, OACK报文中不携带该 Option。 If the CMTS supports the Option option in the RRQ packet, the Option is returned in the OACK packet. If not, the Option is omitted. The Option is not carried in the OACK packet.
由于 RRQ中新增了 Cert、 Encrypt选项, 因此, 支持证书认证和加密协商的 Since the Cert and Encrypt options are added to the RRQ, certificate authentication and encryption negotiation are supported.
CMTS需要回应携带新 Option的 OACK, 如表 2所示: The CMTS needs to respond to the OACK carrying the new Option, as shown in Table 2:
表 2 Table 2
如果 CMTS不支持证书认证和加密协商, OACK中不携带 Cert、 Encrypt选项。 步骤 S404、 接收 CM的 OPT。 If the CMTS does not support certificate authentication and encryption negotiation, the CACK and Encrypt options are not carried in the OACK. Step S404, receiving an OPT of the CM.
CM收到 OACK报文后, 如果需要发送设备证书和协商的密匙,则发送 OPT, 否则,回应 ACK 0。 本发明实施例中, OPT属于新增加的报文, 其中携带 CM的设 备证书的 OPT可以如表 3所示: After receiving the OACK packet, the CM sends an OPT if it needs to send the device certificate and the negotiated key. Otherwise, it responds with ACK 0. In the embodiment of the present invention, the OPT belongs to the newly added packet, and the OPT carrying the device certificate of the CM may be as shown in Table 3:
表 3 table 3
CMTS收到 CM发送的 OPT报文后, 如果接收到完整的设备证书, 则对 CM的 设备证书进行校验。 校验失败则给 CM回应 ERROR, 通过 ERROR报文告知具体 失败原因。 校验成功给 CM回应 OPT报文。对于密钥交换的场景, 回应 CM的 OPT 报文还需要发送 Server的公钥给 CM。 示例如表 5所示: After receiving the OPT packet sent by the CM, the CMTS verifies the device certificate of the CM if it receives the complete device certificate. If the verification fails, the CM will respond with ERROR, and the ERROR message will be used to inform the specific cause of the failure. The verification succeeds in responding to the CM with an OPT message. For the key exchange scenario, the OPT message in response to the CM also needs to send the server's public key to the CM. An example is shown in Table 5:
经过上述过程后, CMTS完成对 CM的验证过程, 后续可以釆用协商的密匙 对配置文件进行加密后发送给 CM。 After the above process, the CMTS completes the verification process for the CM, and subsequently encrypts the configuration file with the negotiated key and sends it to the CM.
本实施例提供的方法是由 CMTS对 CM的合法性进行验证, 在另外一个实施 例中也可以是由 CMTS将 DHCP响应消息直接转发给 CM, 不修改其中的 TFTP服 务器的地址信息, 这样 CM后续会和 TFTP服务器进行交互从而获取配置文件。 TFTP服务器会利用 CM的设备证书对 CM的合法性进行验证, 具体过程参见前面 实施例中关于 CMTS的相关描述。 The method provided in this embodiment is to verify the validity of the CM by the CMTS. In another embodiment, the DHCP response message is directly forwarded to the CM by the CMTS, and the address information of the TFTP server is not modified, so that the CM is followed. Will interact with the TFTP server to get the configuration file. The TFTP server verifies the legality of the CM by using the device certificate of the CM. For the specific process, refer to the related description of the CMTS in the previous embodiment.
本实施例提供的方法, 由 CM在 TFTP请求消息中携带自己的设备证书, 由于 每个 CM出厂时会携带有唯一的设备证书, 使用设备证书对 CM的合法性进行验 证, 可以保证合法的 CM获取到配置文件。 而在配置文件的传输过程中对配置文 件进行加密, 由 CM解密, 可以进一步提高配置文件传输的安全性。 本发明一个实施例提供一种 CMTS, 如图 5所示, 包括: 网络侧接口 50、 第 处理单元 52、 处理单元 54、 以及用户侧接口 56。 In the method provided by the embodiment, the CM carries its own device certificate in the TFTP request message. Since each CM carries a unique device certificate when it leaves the factory, the device certificate is used to verify the legality of the CM, and the legal CM can be guaranteed. Get the configuration file. The configuration file is encrypted during the transmission of the configuration file and decrypted by the CM, which can further improve the security of the configuration file transmission. One embodiment of the present invention provides a CMTS, as shown in FIG. 5, including: a network side interface 50, a first processing unit 52, a processing unit 54, and a user side interface 56.
其中, 网络侧接口 50用于连接网络侧的 DHTP服务器和 /或 TFTP服务器, 可 以是接收机或者具备接收功能的模块等。 The network side interface 50 is used to connect to the DHTP server and/or the TFTP server on the network side, and may be a receiver or a module having a receiving function.
用户侧接口 56用于连接 CM, 可以是收发机或者具备收发功能的模块等。 处理单元 52和处理单元 54可以通过一系列总线与网络侧接口 50和用户侧接 口 56相连, 处理单元 52和处理单元 54可以是两个独立的处理器, 也可以是一个 处理器, 还可以是一个处理器中的一个或者多个处理模块等。 The user side interface 56 is used to connect to the CM, and may be a transceiver or a module having a transceiving function. The processing unit 52 and the processing unit 54 can be connected to the network side interface 50 and the user side interface 56 through a series of buses. The processing unit 52 and the processing unit 54 can be two independent processors, or can be one processor, or can be One or more processing modules in a processor, and the like.
在本实施例中, 网络侧接口 50 , 用于接收 DHCP服务器发送给 CM的 DHCP 响应消息, 所述 DHCP响应消息携带有标识所述 CM的配置文件的配置文件名、 分配给所述 CM的 IP地址以及标识 TFTP服务器的地址信息;以及用于根据所述地 址信息向所述 TFTP服务器请求下发所述配置文件。 In this embodiment, the network side interface 50 is configured to receive a DHCP response message sent by the DHCP server to the CM, where the DHCP response message carries a configuration file name identifying the configuration file of the CM, and an IP address allocated to the CM. The address and the address information of the TFTP server are determined; and the configuration file is requested to be sent to the TFTP server according to the address information.
处理单元 52 , 用于将 DHCP响应消息中的 TFTP服务器的地址信息替换成 CMTS的地址信息后通过用户侧接口 56发送给 CM; 处理单元 52也可以不修改 DHCP响应消息中的 TFTP服务器的地址信息,直接将 DHCP响应消息发送给 CM。 The processing unit 52 is configured to replace the address information of the TFTP server in the DHCP response message with the address information of the CMTS and send the information to the CM through the user side interface 56. The processing unit 52 may also not modify the address information of the TFTP server in the DHCP response message. Send the DHCP response message directly to the CM.
用户侧接口 56, 用于接收来自 CM的 TFTP请求消息, 所述 TFTP请求消息携 带有配置文件名以及设备证书。 通过后通过用户侧接口 56将配置文件发送给 CM。 The user side interface 56 is configured to receive a TFTP request message from the CM, where the TFTP request message carries a configuration file name and a device certificate. The configuration file is sent to the CM through the user side interface 56.
本实施例提供的 CMTS还可以包括存储单元 58, 可以用于存储合法 CM的设 备证书或者合法 CM的 MAC地址与设备证书的对应关系等。处理单元 54可以利用 CM的设备证书对 CM进行验证, 具体如何验证, 可以参考系统实施例的描述。 The CMTS provided in this embodiment may further include a storage unit 58, which may be used to store a device certificate of a legal CM or a correspondence between a MAC address of a legal CM and a device certificate. The processing unit 54 can verify the CM by using the device certificate of the CM. For details on how to verify, refer to the description of the system embodiment.
本实施例提供的 CMTS, 由 CM在 TFTP请求消息中携带自己的设备证书, 由 于每个 CM出厂时会携带有唯一的设备证书, CMTS可以使用设备证书对 CM的合 法性进行验证, 可以保证合法的 CM获取到配置文件。 而在配置文件的传输过程 中对配置文件进行加密, 由 CM解密, 可以进一步提高配置文件传输的安全性。 进一步的, 本发明一个实施例还提供一种 CM, 如图 6所示, 包括: 网络侧 接口 60、 处理单元 62和网络侧接口 64, 其中网络侧接口 60、 64可以是一个或者 多个收发机, 也可以是一个或多个具备收发功能的模块等, 处理单元 62可以是 一个处理器, 也可以是处理器中的处理模块等。 In the CMTS provided in this embodiment, the CM carries its own device certificate in the TFTP request message. Since each CM carries a unique device certificate when it leaves the factory, the CMTS can use the device certificate to verify the legality of the CM. The CM gets to the configuration file. In the transmission process of the configuration file, the configuration file is encrypted and decrypted by the CM, which can further improve the security of the configuration file transmission. Further, an embodiment of the present invention further provides a CM. As shown in FIG. 6, the network includes: a network side interface 60, a processing unit 62, and a network side interface 64. The network side interfaces 60 and 64 may be one or more transceivers. The processor may be one or more modules having a transceiving function, and the processing unit 62 may be a processor, a processing module in the processor, or the like.
在本实施例中, 网络侧接口 60 , 用于接收来自网络侧的 DHCP响应消息, 所 述 DHCP响应消息携带有标识所述 CM的配置文件的配置文件名、分配给所述 CM 的 IP地址以及标识存储所述配置文件的网络设备的地址信息;这里的网络设备可 能是 TFTP服务器或者 CMTS等。 In this embodiment, the network side interface 60 is configured to receive a DHCP response message from the network side, where the DHCP response message carries a configuration file name that identifies a configuration file of the CM, an IP address that is allocated to the CM, and Identifying address information of a network device storing the configuration file; the network device herein may Can be a TFTP server or CMTS.
处理单元 62 , 用于生成 TFTP请求消息, 所述 TFTP请求消息以所述地址信息 作为目的地址, 携带有所述配置文件名以及所述 CM的设备证书。 The processing unit 62 is configured to generate a TFTP request message, where the TFTP request message uses the address information as a destination address, and carries the configuration file name and the device certificate of the CM.
网络侧接口 64, 用于将所述 TFTP请求消息发送给所述网络设备。 The network side interface 64 is configured to send the TFTP request message to the network device.
本实施例提供的 CM可以将设备证书添加到 TFTP请求消息中发送给对应的 网络设备, 如 CMTS或者 TFTP服务器等。 The CM provided in this embodiment may add a device certificate to a TFTP request message and send it to a corresponding network device, such as a CMTS or a TFTP server.
本实施例提供的 CM还可以釆用 TFTP协议规定的报文和对应的网络设备协 商密匙选项等, 具体可以参见前面方法实施例的描述。 备利用设备证书对该 CM的合法性进行认证, 可以保证合法的 CM获取到配置文 件。 The CM provided in this embodiment may also use the packet specified by the TFTP protocol and the corresponding network device negotiation key option. For details, refer to the description of the foregoing method embodiment. The device certificate is used to authenticate the legality of the CM, and the legal CM can obtain the configuration file.
本领域普通技术人员可以理解上述实施例的各种方法中的全部或部分步骤 是可以通过程序来指令相关的硬件来完成, 该程序可以存储于一计算机可读存 储介质中,存储介质可以包括:闪存盘、只读存储器( Read-Only Memory, ROM )、 随机存取器 ( Random Access Memory, RAM ), 磁盘或光盘等。 A person of ordinary skill in the art may understand that all or part of the steps of the foregoing embodiments may be performed by a program to instruct related hardware. The program may be stored in a computer readable storage medium, and the storage medium may include: Flash disk, Read-Only Memory (ROM), Random Access Memory (RAM), disk or optical disk.
以上对本发明实施例所提供的方法、 设备和系统进行了详细介绍, 本文中 术人员, 在具体实施方式及应用范围上均会有改变之处, 综上所述, 本说明书 内容不应理解为对本发明的限制。 The methods, devices, and systems provided by the embodiments of the present invention are described in detail above. In the description, the details of the embodiments and the scope of application are changed. In summary, the contents of this specification should not be construed as Limitations of the invention.
Claims
Priority Applications (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201480011379.4A CN106464654B (en) | 2014-06-27 | 2014-06-27 | Method, device and system for obtaining configuration file |
| PCT/CN2014/080926 WO2015196441A1 (en) | 2014-06-27 | 2014-06-27 | Configuration file acquisition method, apparatus and system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| PCT/CN2014/080926 WO2015196441A1 (en) | 2014-06-27 | 2014-06-27 | Configuration file acquisition method, apparatus and system |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2015196441A1 true WO2015196441A1 (en) | 2015-12-30 |
Family
ID=54936502
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/CN2014/080926 Ceased WO2015196441A1 (en) | 2014-06-27 | 2014-06-27 | Configuration file acquisition method, apparatus and system |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN106464654B (en) |
| WO (1) | WO2015196441A1 (en) |
Cited By (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105721212A (en) * | 2016-02-24 | 2016-06-29 | 四川长虹电器股份有限公司 | Method and system of remotely configuring WIFI routing module by CM (Cable modem) module |
| CN105812352A (en) * | 2016-02-23 | 2016-07-27 | 四川长虹电器股份有限公司 | Remote access control list generation and data packet processing method for CM |
| CN109803028A (en) * | 2017-11-16 | 2019-05-24 | 华为技术有限公司 | method and device for configuring service flow |
| CN113596869A (en) * | 2021-06-28 | 2021-11-02 | 网络通信与安全紫金山实验室 | Communication method, communication device, electronic equipment and medium |
| CN114465890A (en) * | 2022-01-28 | 2022-05-10 | 锐捷网络股份有限公司 | Zero configuration method, device, equipment and system |
| EP4106297A1 (en) * | 2021-06-16 | 2022-12-21 | Juniper Networks, Inc. | Policy driven zero touch provisioning of network devices |
| EP4128702A4 (en) * | 2020-03-25 | 2024-05-01 | ARRIS Enterprises LLC | SYSTEMS AND PROCEDURES FOR SECURELY PROVIDING SSH CREDITS |
Families Citing this family (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN108200046B (en) * | 2017-12-28 | 2020-12-08 | 新华三技术有限公司 | Registration method and device of terminal equipment, terminal equipment and proxy server |
| CN110233799B (en) * | 2018-03-05 | 2021-10-26 | 华为技术有限公司 | Port configuration method and communication equipment |
| CN110535696A (en) * | 2019-08-21 | 2019-12-03 | 新华三技术有限公司合肥分公司 | Method for configuring network equipment, controller and the network equipment |
| CN111988296A (en) * | 2020-08-12 | 2020-11-24 | 深圳杰微芯片科技有限公司 | Computing power equipment overclocking method, server and storage medium |
| CN114827243B (en) * | 2022-05-18 | 2024-03-22 | 上海电气风电集团股份有限公司 | Configuration file issuing method, tool, electronic device and readable storage medium |
| CN116708168A (en) * | 2023-07-17 | 2023-09-05 | 武汉通用联合科技有限公司 | A switch configuration recovery method |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101207607A (en) * | 2006-12-20 | 2008-06-25 | 深圳市同洲电子股份有限公司 | Method for supporting Cable Modem double certificate |
| CN101501670A (en) * | 2006-07-27 | 2009-08-05 | 思科技术公司 | Early authentication in cable modem initialization |
| US20100131971A1 (en) * | 2008-11-22 | 2010-05-27 | Cisco Technology, Inc. | Addressing theft of cable services and breach of cable system and security |
| US8005083B1 (en) * | 2008-10-30 | 2011-08-23 | Juniper Networks, Inc. | Applying differentiated services within a cable network using customer-aware network router |
| CN102577429A (en) * | 2011-11-10 | 2012-07-11 | 华为技术有限公司 | Method, device and system for service provisioning |
Family Cites Families (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7865727B2 (en) * | 2006-08-24 | 2011-01-04 | Cisco Technology, Inc. | Authentication for devices located in cable networks |
| KR101239100B1 (en) * | 2011-01-24 | 2013-03-05 | 사단법인한국디지털케이블연구원 | Test certification system for cable ready digital television based on browser and method thereof |
-
2014
- 2014-06-27 WO PCT/CN2014/080926 patent/WO2015196441A1/en not_active Ceased
- 2014-06-27 CN CN201480011379.4A patent/CN106464654B/en active Active
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101501670A (en) * | 2006-07-27 | 2009-08-05 | 思科技术公司 | Early authentication in cable modem initialization |
| CN101207607A (en) * | 2006-12-20 | 2008-06-25 | 深圳市同洲电子股份有限公司 | Method for supporting Cable Modem double certificate |
| US8005083B1 (en) * | 2008-10-30 | 2011-08-23 | Juniper Networks, Inc. | Applying differentiated services within a cable network using customer-aware network router |
| US20100131971A1 (en) * | 2008-11-22 | 2010-05-27 | Cisco Technology, Inc. | Addressing theft of cable services and breach of cable system and security |
| CN102577429A (en) * | 2011-11-10 | 2012-07-11 | 华为技术有限公司 | Method, device and system for service provisioning |
Cited By (13)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105812352A (en) * | 2016-02-23 | 2016-07-27 | 四川长虹电器股份有限公司 | Remote access control list generation and data packet processing method for CM |
| CN105812352B (en) * | 2016-02-23 | 2019-07-19 | 四川长虹电器股份有限公司 | Remote Visit and Control list generation and data package processing method for CM |
| CN105721212B (en) * | 2016-02-24 | 2019-06-21 | 四川长虹电器股份有限公司 | Realize the system and method for CM module Remote configuration WIFI routing module |
| CN105721212A (en) * | 2016-02-24 | 2016-06-29 | 四川长虹电器股份有限公司 | Method and system of remotely configuring WIFI routing module by CM (Cable modem) module |
| CN109803028A (en) * | 2017-11-16 | 2019-05-24 | 华为技术有限公司 | method and device for configuring service flow |
| EP3703343A4 (en) * | 2017-11-16 | 2020-10-28 | Huawei Technologies Co., Ltd. | METHOD AND DEVICE FOR CONFIGURING THE SERVICE FLOW |
| EP4128702A4 (en) * | 2020-03-25 | 2024-05-01 | ARRIS Enterprises LLC | SYSTEMS AND PROCEDURES FOR SECURELY PROVIDING SSH CREDITS |
| US12112177B2 (en) | 2021-06-16 | 2024-10-08 | Juniper Networks, Inc. | Policy driven zero touch provisioning of network devices |
| EP4106297A1 (en) * | 2021-06-16 | 2022-12-21 | Juniper Networks, Inc. | Policy driven zero touch provisioning of network devices |
| CN113596869A (en) * | 2021-06-28 | 2021-11-02 | 网络通信与安全紫金山实验室 | Communication method, communication device, electronic equipment and medium |
| CN113596869B (en) * | 2021-06-28 | 2024-06-07 | 网络通信与安全紫金山实验室 | Communication method, device, electronic device and medium |
| CN114465890B (en) * | 2022-01-28 | 2024-04-16 | 锐捷网络股份有限公司 | Zero configuration method, device, equipment and system |
| CN114465890A (en) * | 2022-01-28 | 2022-05-10 | 锐捷网络股份有限公司 | Zero configuration method, device, equipment and system |
Also Published As
| Publication number | Publication date |
|---|---|
| CN106464654A (en) | 2017-02-22 |
| CN106464654B (en) | 2020-01-07 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| WO2015196441A1 (en) | Configuration file acquisition method, apparatus and system | |
| CN109561066B (en) | Data processing method and device, terminal and access point computer | |
| EP3518458B1 (en) | Method and device for secure communications over a network using a hardware security engine | |
| CN101127600B (en) | A method for user access authentication | |
| JP6668183B2 (en) | Communication device, communication method, communication system and program | |
| US7844818B2 (en) | Authentication apparatus and method for home network devices | |
| CN107528692B (en) | Method and system for registering an intelligent electronic device with a certification authority | |
| US8418242B2 (en) | Method, system, and device for negotiating SA on IPv6 network | |
| CN112714053B (en) | Communication connection method and device | |
| CN111783068A (en) | Device authentication method, system, electronic device and storage medium | |
| WO2010067812A1 (en) | Self-authentication communication equipment and equipment authentication system | |
| CN105050081A (en) | Method, device and system for connecting network access device to wireless network access point | |
| CN111737723B (en) | A business processing method, device and equipment | |
| WO2013004112A1 (en) | Method and device for data transmission | |
| WO2016106560A1 (en) | Remote access implementation method, device and system | |
| CN106789476B (en) | A gateway communication method and system | |
| CN102984045A (en) | Access method of Virtual Private Network and Virtual Private Network client | |
| CN104753872B (en) | authentication method, authentication platform, service platform, network element and system | |
| CN101471767B (en) | Method, equipment and system for distributing cipher key | |
| CN101827106A (en) | DHCP safety communication method, device and system | |
| JP5953991B2 (en) | COMMUNICATION CONTROL METHOD, COMMUNICATION CONTROL DEVICE, COMMUNICATION DEVICE, AND PROGRAM | |
| EP2663049B1 (en) | Authentication method based on dhcp, dhcp server and client | |
| JP4336874B2 (en) | Configuration information providing system, configuration information management server, access authentication server, client, and program | |
| CN112235320B (en) | A password-based video networking multicast communication method and device | |
| JP2013243583A (en) | Image forming system, image forming apparatus, authentication server, client pc, and control method and program of image forming apparatus |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 14895606 Country of ref document: EP Kind code of ref document: A1 |
|
| NENP | Non-entry into the national phase |
Ref country code: DE |
|
| 122 | Ep: pct application non-entry in european phase |
Ref document number: 14895606 Country of ref document: EP Kind code of ref document: A1 |