[ Summary of the invention ]
The invention aims to overcome the defects of the prior art and provides an admission method for preventing the terminal of an unregistered client under NAT from disguising itself as legitimate communication. It solves the problem that the prior art cannot effectively discover and detect a device that accesses the network through NAT while impersonating a legitimate device.
To achieve the above object, the present invention provides an admission method for preventing an unregistered terminal under NAT from disguising itself as legitimate communication, which comprises the following steps:
S1, when the client terminal under NAT starts up, or periodically thereafter, it requests a key from the admission system over a secure encrypted channel; the admission system generates a new key for the request and returns the key content and a key ID to the terminal, then proceeds to step S2;
S2, when the terminal of the registered client initiates access to the service server, the client program uses the key to compute a check code over the IP address and service port of the service server, then proceeds to step S3;
S3, the terminal of the registered client places the key ID and the generated check code in the data stream that accesses the service server, then proceeds to step S4;
S4, judge whether the connection is a NAT data stream; if so, go to step S5;
S5, the admission system analyzes the intercepted NAT data stream and judges whether a key ID and a check code are present; if they are, step S6 is executed, otherwise step S8 is executed;
S6, the admission system looks up the key content by the key ID, computes the check code over the target IP and port with that key, then proceeds to step S7;
S7, the admission system judges whether the check code in the data stream matches the computed check code; if so, the data stream is released, otherwise step S8 is carried out;
S8, the admission system blocks the current data stream.
Preferably, in step S1, before a key is requested from the admission system, it is first determined whether the client is in a NAT environment, as follows: after the terminal of the registered client under NAT starts up, it sends its local IP to the admission system over a secure encrypted channel; the admission system judges whether the terminal is in a NAT environment by checking whether the received local IP matches the peer IP of the communication, and sends the result back to the client; if the terminal is in a NAT environment, the client requests a key from the admission system.
Preferably, a NAT list is also established when the result is sent back to the client.
Preferably, in step S1, the admission system generates a new key for the client's request, establishes a key list at the same time, returns the key content and the key ID to the terminal, executes this process periodically so that the key is updated periodically, and proceeds to step S2 when done.
Preferably, in step S4, whether the connection is a NAT data stream is checked by determining whether the source IP is in the NAT list.
Preferably, in step S4, if the source IP is not a NAT data stream, it is determined whether the source IP is in a release list; if so, it is released, otherwise the process proceeds to step S8.
The beneficial effect of the invention is that a key shared by both sides is used to encrypt and decrypt the data stream between the client and the server, which effectively solves the problem of an illegitimate terminal behind a NAT access device disguising itself as legitimate communication in order to evade admission control.
The features and advantages of the present invention are described in detail below by way of example with reference to the accompanying drawings.
[ Detailed description of the invention ]
When a terminal in a NAT environment communicates with a service server, it is necessary to distinguish the terminal of a registered client from the terminal of an unregistered client according to the data stream of the communication, and to prevent the terminal of the unregistered client from disguising itself as legitimate communication in order to get onto the network. Referring to fig. 1, the invention relates to an admission method for preventing the terminal of an unregistered client under NAT from disguising itself as legitimate communication, which comprises the following specific steps:
S1, after the client terminal under NAT starts up, it sends its local IP to the admission system over a secure encrypted channel; the admission system judges whether the terminal is in a NAT environment by checking whether the received local IP matches the peer IP of the communication, sends the result back to the client, and establishes a NAT list at the same time. If the client learns that it is in a Network Address Translation (NAT) environment, it requests a key from the admission system; the admission system generates a new key for the request, establishes a key list at the same time, and returns the key content and the key ID to the terminal. This process is also executed periodically so that the key is updated periodically, and the process proceeds to step S2 when done.
S2, when the terminal of the registered client initiates access to the service server, the client program uses the key to compute a check code over the IP address and service port of the service server, then proceeds to step S3.
S3, the terminal of the registered client places the key ID and the generated check code in the data stream of the current access to the service server, then proceeds to step S4.
S4, for the connection, whether the source IP is a NAT data stream is confirmed by judging whether the source IP is in the internal NAT list; if so, proceed to step S5. If not, judge whether the source IP device is in the legitimate-device list pool; if so, release it, otherwise go to step S8.
S5, the admission system analyzes the intercepted NAT data stream and judges whether a key ID and a check code are present; if they are, step S6 is executed, otherwise step S8 is executed.
S6, the admission system looks up the key content by the key ID, computes the check code over the target IP and port with that key, then proceeds to step S7.
S7, the admission system judges whether the check code in the data stream matches the computed check code; if so, the data stream is released, otherwise step S8 is carried out.
S8, the admission system blocks the current data stream.
The above embodiments are illustrative of the present invention and not limiting; any simple modification of the present invention falls within its scope.