The network management model of the Simple Network Management Protocol (SNMP) includes a management station, a managed device, a management information base (MIB) and a management protocol. SNMP network management includes two basic processes:
1. The management station performs reading and/or writing operations on the management information base in the managed device via the management protocol.
2. The managed device feeds the state information in its management information base back to the management station via the management protocol.
When the management station performs reading and/or writing operations on the managed device via the management protocol, the managed device is required to authenticate the identity of the operating user and to authorize the operation through access control, so as to ensure that the user's operations are legitimate.
One method for user identity authentication with a management protocol in the related art is the user authentication technique provided by the management protocol SNMPv3 itself. The User-based Security Model (USM) of SNMPv3 provides identity authentication, message encryption and a timeliness check against replayed messages. The SNMPv3 message header carries the parameters required by the USM, such as the username and the authentication parameters. When the transmitting end sends a message, it computes the authentication information for the message with a keyed-hash (HMAC) algorithm defined within SNMPv3 (HMAC-MD5-96 or HMAC-SHA-96 in RFC 3414) and fills the result into the message header. When the receiving end receives the message, it uses the same algorithm to compute the authentication information of the message and compares it with the authentication information carried in the message. If the two are identical, the authentication of the sending user passes.
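The following is an added example, not code from the patent, showing the USM computation described above in working form: the RFC 3414 password-to-key derivation, localization of the key to the authoritative engine, and the sender/receiver HMAC-SHA-96 check with msgAuthenticationParameters zero-filled during the computation. The message framing (a plain header, a 12-byte authentication field, then the payload) is a constructed stand-in for the real BER-encoded SNMPv3 message and is an assumption of this example; the password, engine ID and payload are likewise constructed sample inputs.

```python
"""Added example (not from the patent): SNMPv3 USM authentication per RFC 3414."""
import hashlib
import hmac

AUTH_PARAMS_LEN = 12            # HMAC-MD5-96 / HMAC-SHA-96 keep the first 96 bits of the MAC
PASSWORD_STREAM_LEN = 1048576   # RFC 3414 A.2: the password is repeated to 1 MiB before hashing


def password_to_key(password: bytes, hash_name: str = "sha1") -> bytes:
    """RFC 3414 A.2.1/A.2.2: derive the user's key Ku from a password."""
    if not password:
        raise ValueError("empty password")
    stream = (password * (PASSWORD_STREAM_LEN // len(password) + 1))[:PASSWORD_STREAM_LEN]
    return hashlib.new(hash_name, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "sha1") -> bytes:
    """RFC 3414 section 2.6: bind Ku to one authoritative engine (Kul = H(Ku || engineID || Ku)),
    so a key recovered from one compromised agent is not usable against other agents."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def mac96(kul: bytes, whole_msg: bytes, hash_name: str = "sha1") -> bytes:
    """HMAC over the whole message, truncated to 96 bits."""
    return hmac.new(kul, whole_msg, hash_name).digest()[:AUTH_PARAMS_LEN]


def sign_message(kul: bytes, header: bytes, payload: bytes, hash_name: str = "sha1") -> bytes:
    """Sender side: compute the MAC with the authentication field zero-filled,
    then place the MAC into that field (constructed framing, not real BER)."""
    zeroed = header + bytes(AUTH_PARAMS_LEN) + payload
    return header + mac96(kul, zeroed, hash_name) + payload


def verify_message(kul: bytes, message: bytes, header_len: int, hash_name: str = "sha1") -> bool:
    """Receiver side: extract the carried MAC, recompute over the zero-filled message,
    and compare in constant time so the comparison itself leaks nothing."""
    start, end = header_len, header_len + AUTH_PARAMS_LEN
    if len(message) < end:
        return False
    received = message[start:end]
    zeroed = message[:start] + bytes(AUTH_PARAMS_LEN) + message[end:]
    return hmac.compare_digest(received, mac96(kul, zeroed, hash_name))


# Constructed sample inputs: the engine ID and password are the RFC 3414 Appendix A.3 examples.
ENGINE_ID = bytes.fromhex("000000000000000000000002")
HEADER = b"v3|user=alice|engine=" + ENGINE_ID + b"|"   # stand-in for the SNMPv3 header
PAYLOAD = b"get-request sysDescr.0"                     # stand-in for the scoped PDU


def demo():
    """Returns (genuine message verifies, tampered message verifies)."""
    kul = localize_key(password_to_key(b"maplesyrup"), ENGINE_ID)
    msg = sign_message(kul, HEADER, PAYLOAD)
    tampered = msg[:-1] + bytes([msg[-1] ^ 0x01])       # flip one bit of the payload
    return verify_message(kul, msg, len(HEADER)), verify_message(kul, tampered, len(HEADER))


if __name__ == "__main__":
    print(demo())
```

Two details matter in practice: the key is localized per engine, so the agent must know its own engine ID before it can verify anything, and the receiver must compare the MACs with a constant-time comparison rather than ordinary equality.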
In implementing the present invention, the inventors found that the above method in the related art has the following disadvantages:
1. This method is an authentication mechanism dedicated to SNMPv3; it does not interoperate well with existing authentication protocols and facilities, and therefore departs from the present development trend of the technique.
2. This method builds the authentication into the management protocol itself. Such a built-in authentication manner is fixed and poorly extensible, and it is inconvenient for supporting new authentication methods.
A method for user identity authentication in another management protocol of the related art is as follows: when the Network Configuration Protocol (Netconf, an XML-based network configuration protocol) is borne on the Secure Shell (SSH), the user authentication manner of SSH is used directly. The SSH protocol includes three parts. The Netconf/SSH client first establishes an SSH transport connection using the SSH transport protocol, then executes the SSH user authentication protocol to authenticate the user of the Netconf protocol, and then initiates the SSH connection service (the SSH connection protocol). The subsequent Netconf messages are borne in the SSH connection service.
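The following is an added example, not code from the patent, showing how Netconf messages are borne in the SSH connection service: after the SSH transport and user authentication steps, the client opens a session channel, requests the "netconf" subsystem, and exchanges hello messages whose framing (the `]]>]]>` end-of-message marker of base:1.0, or the chunked framing of base:1.1 from RFC 6242) is then used for every subsequent message. The `open_netconf_session` helper is hypothetical and assumes the paramiko library and a reachable Netconf server; the framing and capability functions run offline on constructed messages. Note that no Netconf message carries a username: the only user identity the server holds is the one established by SSH user authentication.

```python
"""Added example (not from the patent): Netconf framing on top of an SSH session channel."""
import re

EOM = b"]]>]]>"                                   # base:1.0 end-of-message marker
BASE_10 = "urn:ietf:params:netconf:base:1.0"
BASE_11 = "urn:ietf:params:netconf:base:1.1"
CHUNK_MAX = 4294967295                            # RFC 6242: chunk-size is 1..4294967295


def hello(capabilities) -> bytes:
    """Build a <hello> carrying the given capability URIs (no user identity field exists)."""
    caps = "".join(f"<capability>{c}</capability>" for c in capabilities)
    return (f'<?xml version="1.0" encoding="UTF-8"?>'
            f'<hello xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">'
            f'<capabilities>{caps}</capabilities></hello>').encode()


def frame_eom(msg: bytes) -> bytes:
    """base:1.0 framing: message followed by the end-of-message marker."""
    return msg + EOM


def split_eom(buf: bytes):
    """Return (complete messages, unconsumed tail) for a base:1.0 byte stream."""
    parts = buf.split(EOM)
    return parts[:-1], parts[-1]


def frame_chunked(msg: bytes) -> bytes:
    """RFC 6242 section 4.2 chunked framing, used once both sides advertise base:1.1."""
    return b"\n#%d\n" % len(msg) + msg + b"\n##\n"


def parse_chunked(buf: bytes) -> bytes:
    """Decode one chunked-framed message; reject malformed or truncated input."""
    out = bytearray()
    pos = 0
    while True:
        if buf[pos:pos + 2] != b"\n#":
            raise ValueError("expected chunk header")
        pos += 2
        if buf[pos:pos + 2] == b"#\n":            # "\n##\n" terminates the message
            return bytes(out)
        nl = buf.find(b"\n", pos)
        if nl < 0:
            raise ValueError("unterminated chunk-size")
        size_field = buf[pos:nl]
        if not size_field.isdigit() or not 1 <= int(size_field) <= CHUNK_MAX:
            raise ValueError("bad chunk-size")
        size = int(size_field)
        pos = nl + 1
        if len(buf) - pos < size:
            raise ValueError("truncated chunk")
        out += buf[pos:pos + size]
        pos += size


def negotiate_framing(server_hello: bytes, client_caps) -> str:
    """Pick the framing both ends support, as RFC 6242 requires after the hello exchange."""
    server_caps = set(re.findall(r"<capability>(.*?)</capability>", server_hello.decode()))
    if BASE_11 in server_caps and BASE_11 in client_caps:
        return "chunked"
    if BASE_10 in server_caps and BASE_10 in client_caps:
        return "eom"
    raise ValueError("no common base capability")


def open_netconf_session(host, username, password, port=830):
    """Hypothetical helper (assumes paramiko and a live server): SSH transport,
    then SSH userauth, then a session channel with the 'netconf' subsystem.
    A real client must also verify the server host key (hostkey= on connect)."""
    import paramiko
    transport = paramiko.Transport((host, port))               # SSH transport protocol
    transport.connect(username=username, password=password)    # SSH user authentication
    channel = transport.open_session()                          # SSH connection protocol
    channel.invoke_subsystem("netconf")
    client_caps = [BASE_10, BASE_11]
    channel.send(frame_eom(hello(client_caps)))                 # hello is always EOM-framed
    buf = b""
    while EOM not in buf:
        buf += channel.recv(65536)
    (server_hello,), _ = split_eom(buf)
    return channel, negotiate_framing(server_hello, client_caps)
```

The server can only attribute an `<rpc>` to the SSH-authenticated account that owns the channel; if several operators' requests were multiplexed onto one SSH connection, nothing in the Netconf layer would tell them apart.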
In implementing the present invention, the inventors found that the above conventional method has the following disadvantage. This method authenticates the Netconf user with the user authentication mechanism internal to the SSH protocol. However, the SSH user and the Netconf user may not correspond to each other. For example, if the data of multiple users is carried on one SSH connection, it is not appropriate to authenticate those users with this method unless the Netconf protocol is modified significantly. Accordingly, this method may not be applied extensively.