Summary of the invention
The object of the present invention is to provide an IPv6 stateless autoconfiguration authentication method and device, which solve the problem that ND access under IPv6 stateless autoconfiguration cannot perform power-on authentication because no dedicated option exists for it.
To solve the above technical problem, an embodiment of the present invention provides an IPv6 stateless autoconfiguration authentication method, applied in an access entity, the authentication method comprising:
obtaining a Router Solicitation (RS) message into which an access information option has been inserted;
sending the RS message to a Broadband Remote Access Server (BRAS) entity using the Neighbor Discovery protocol, so that the BRAS entity authenticates the RS message;
receiving the Router Advertisement (RA) message returned by the BRAS entity, wherein the RA message carries the access information option and the network parameters, including an IPv6 address prefix, allocated by the BRAS entity.
Further, when the access entity is the access device of a first user terminal, the step of obtaining the RS message into which an access information option has been inserted comprises:
obtaining, by monitoring, the RS message of the first user terminal;
obtaining the access information of the first user terminal and of the port of the access device on which the RS message was monitored;
inserting the monitored access information into the RS message as the access information option.
Further, the network parameters also comprise a Domain Name Service (DNS) address, and correspondingly the step of receiving the RA message returned by the BRAS entity comprises:
receiving the RA message returned by the BRAS entity and, when the RA message is found to contain the access information option, deleting the access information option;
sending the RA message with the option deleted, carrying the allocated IPv6 address prefix and DNS address, to the first user terminal.
Further, when the access entity is a user terminal, the first user terminal included, the step of obtaining the RS message into which an access information option has been inserted comprises:
obtaining the RS message of the user terminal;
inserting a pre-constructed access information option directly into the RS message.
Further, after the step of obtaining the RS message into which an access information option has been inserted, the method also comprises:
starting an overtime timer that times the wait for the RA message to be returned.
Further, the step of receiving the RA message returned by the BRAS entity also comprises:
if the returned RA message is not received within the preset time of the overtime timer, restoring the state the user terminal was in before it applied for authentication.
Further, the step of sending the RS message to the BRAS entity using the Neighbor Discovery protocol so that the BRAS entity authenticates the RS message comprises:
constructing the access information option as an ND option, encapsulating the ND option in the RS message, and sending the RS message to the BRAS entity for authentication.
Further, the step in which the BRAS entity performs authentication comprises:
receiving the RS message and parsing out the access information option;
authenticating the access entity according to the access information option to obtain an authentication result;
when the authentication result is that authentication passed, allocating the network parameters, encapsulating them and/or the access information option in the RA message, and sending the RA message to the access entity.
Accordingly, to solve the above technical problem, the present invention also provides an IPv6 stateless autoconfiguration authentication device, applied in an access entity, the authentication device comprising:
a first acquisition module, for obtaining a Router Solicitation (RS) message into which an access information option has been inserted;
a sending module, for sending the RS message to a Broadband Remote Access Server (BRAS) entity using the Neighbor Discovery protocol, so that the BRAS entity authenticates the RS message;
a receiving module, for receiving the Router Advertisement (RA) message returned by the BRAS entity, wherein the RA message carries the access information option and the network parameters, including an IPv6 address prefix, allocated by the BRAS entity.
Further, when the access entity is the access device of a first user terminal, the first acquisition module comprises:
a first acquisition unit, for obtaining, by monitoring, the RS message of the first user terminal;
a second acquisition unit, for obtaining the access information of the first user terminal and of the port of the access device on which the RS message was monitored;
a first processing unit, for inserting the monitored access information into the RS message as the access information option.
Further, the network parameters also comprise a Domain Name Service (DNS) address, and the receiving module comprises:
a first Neighbor Discovery unit, for receiving the RA message returned by the BRAS entity and, when the RA message is found to contain the access information option, deleting the access information option;
a transmitting unit, for sending the RA message with the option deleted, carrying the allocated IPv6 address prefix and DNS address, to the first user terminal.
Further, when the access entity is a user terminal, the first user terminal included, the first acquisition module comprises:
a third acquisition unit, for obtaining the RS message of the user terminal;
a second processing unit, for inserting a pre-constructed access information option directly into the RS message.
The IPv6 stateless autoconfiguration authentication device also comprises:
a second acquisition module, for starting an overtime timer that times the wait for the RA message to be returned.
The IPv6 stateless autoconfiguration authentication device also comprises:
a processing module, for restoring the state the user terminal was in before it applied for authentication if the returned RA message is not received within the preset time of the overtime timer.
Further, the sending module comprises:
a second ND unit, for constructing the access information option as an ND option, encapsulating the ND option in the RS message, and sending the RS message to the BRAS entity for authentication.
The beneficial effects of the above technical scheme of the present invention are as follows:
In the scheme of the present invention, the obtained RS message into which an access information option has been inserted is sent to the BRAS entity for authentication, and the RA message returned by the BRAS entity carrying the network parameters, including the IPv6 address prefix, is received, which completes both authentication and address allocation. In this way IPv6 stateless autoconfiguration of the user terminal carries authentication, which removes the limitation of stateless autoconfiguration with respect to authentication.
Detailed description of the invention
To make the technical problem to be solved, the technical scheme and the advantages of the present invention clearer, they are described in detail below in conjunction with the drawings and specific embodiments.
The present invention addresses the prior-art problem that ND access of a set-top box under IPv6 stateless autoconfiguration cannot perform power-on authentication. It provides an IPv6 stateless autoconfiguration authentication method and device in which either the access device inserts an access information option into the RS it forwards, so that the BRAS entity can authenticate it, or the user terminal itself initiates stateless autoconfiguration and sends an RS message carrying inserted access information to the BRAS entity for authentication; the address is allocated once authentication passes. In this way IPv6 stateless autoconfiguration of the user terminal carries authentication, which removes the limitation of stateless autoconfiguration with respect to authentication.
As shown in Figures 1 to 5, the IPv6 stateless autoconfiguration authentication method of the embodiment of the present invention is applied in an access entity and comprises the following.
The invention involves two entities, an access entity and a BRAS entity. The access entity may be a user terminal (for example a set-top box) or the access device of a user terminal (for example a switch). The BRAS is the broadband access resource management point and the authentication point for user terminals; it is responsible for allocating network parameters and for authenticating user terminals.
Step 101, obtaining a Router Solicitation (RS) message into which an access information option has been inserted.
Here RS stands for Router Solicitation.
The access information option is an access location information option. If the access device is a switch, it monitors RS messages: the port on which an RS message is received and forwarded is the access location information, which the switch generates as an option, inserts into the RS message and forwards. If the access device is a set-top box, each set-top box has a different number (identifying which box in which household); the numbers must be entered in advance on the authentication server, the set-top box inserts its number into the RS message when it applies, the authentication server compares the inserted information with the pre-entered record, and once authentication passes it allocates the address.
Step 102, sending the RS message to a Broadband Remote Access Server (BRAS) entity using the Neighbor Discovery protocol, so that the BRAS entity authenticates the RS message.
Sending the RS message is what initiates stateless autoconfiguration.
Step 103, receiving the Router Advertisement (RA) message returned by the BRAS entity, wherein the RA message carries the access information option and the network parameters, including an IPv6 address prefix, allocated by the BRAS entity.
Here RA stands for Router Advertisement.
The ND (Neighbor Discovery) protocol is a key protocol of IPv6. It integrates and improves in IPv6 several IPv4 protocols, such as ARP (Address Resolution Protocol), ICMP (Internet Control Message Protocol) router discovery and ICMP redirect. The ND protocol specifically covers prefix discovery, neighbor unreachability detection, duplicate address detection and address autoconfiguration.
An ND message contains an options field that can carry one or more options; for example, during address autoconfiguration the DNS server address is issued through an ND option. ND defines a number of standard options, and private options can be defined as needed to extend the functions of ND, which shows that ND is well extensible.
The RS message obtained in step 101 is sent in step 102 to the BRAS entity, which authenticates it, and in step 103 the RA message returned by the BRAS entity after authentication is received. Thus, by carrying the access information in an extended ND option, IPv6 stateless autoconfiguration can perform power-on authentication, which removes the limitation of stateless autoconfiguration in authentication, provides more ways of allocating addresses, and makes configuration more convenient.
As shown in Figure 2, since the access entity may be the access device of the user equipment, in the IPv6 stateless autoconfiguration authentication method of the embodiment of the present invention the access entity is the access device of a first user terminal, and correspondingly step 101 comprises:
Step 201, obtaining, by monitoring, the RS message of the first user terminal;
Step 202, obtaining the access information of the first user terminal and of the port of the access device on which the RS message was monitored;
Step 203, inserting the monitored access information into the RS message as the access information option.
In the IPv6 stateless autoconfiguration authentication method of another embodiment of the present invention, the network parameters also comprise a Domain Name Service (DNS) address, and correspondingly step 103 comprises:
Step 21, receiving the RA message returned by the BRAS entity and, when the RA message is found to contain the access information option, deleting the access information option;
Step 22, sending the RA message with the option deleted, carrying the allocated IPv6 address prefix and DNS address, to the first user terminal.
The network parameters include, but are not limited to, the IPv6 address prefix and the DNS address; other network parameters may also be carried.
When the access entity is the access device of the first user terminal, step 201 monitors the forwarded RS message, which is received or forwarded on the port of the access device connected to the first user terminal. Steps 202 and 203 then insert the access information option into the RS message at forwarding time, after which the RS message is sent to the BRAS entity for authentication. Step 21 receives the authentication-access RA message returned by the BRAS entity and deletes the access information option, and finally step 22 forwards the RA message to the first user terminal. Thus, by carrying the access information in an extended ND option, IPv6 stateless autoconfiguration can perform power-on authentication, which removes the limitation of stateless autoconfiguration in authentication, provides more ways of allocating addresses, and makes configuration more convenient.
As shown in Figure 3, the interaction in a concrete implementation in which the access entity of the present invention is an access device is as follows.
Step 301: on power-on the terminal sends an RS message to apply for an IPv6 address; the interface ID of the terminal is 221:97ff:fe85:9204.
Step 302: switch switch1 monitors the RS message on port port5. It forms the authentication information from the switch name and the switch port to which the user terminal is connected, here "switch1:port5", constructs the authentication information as an ND option and encapsulates it in the RS message. The switch then forwards the encapsulated RS message.
Step 303: the BRAS receives the RS message and parses out the authentication information, "switch1:port5". The BRAS encapsulates the authentication information in an authentication message and sends it to the authentication server.
Step 304: the authentication server receives the authentication message and parses out the authentication information, "switch1:port5". Authentication passes, and the server responds to the BRAS with an authentication success message.
Step 305: the BRAS receives the authentication success message and allocates the IPv6 address prefix 2001::/64. It encapsulates the prefix and the authentication information option in an RA message and sends it toward the terminal.
Step 306: the switch monitors the RA message, deletes the authentication information option from it, and forwards the RA message with the option removed.
Step 307: the user terminal receives the RA message, parses out the prefix 2001::/64 and generates its IPv6 address from the prefix and its interface ID; the resulting address is 2001::221:97ff:fe85:9204/64.
At this point the user terminal has been authenticated at power-on and has obtained an IPv6 address. This deployment example covers only the address application; other network parameters are applied for in the same way.
When the access entity is a user terminal, in the IPv6 stateless autoconfiguration authentication method of the embodiment of the present invention the access entity is a user terminal, the first user terminal included, and step 101 comprises:
Step 31, obtaining the RS message of the user terminal;
Step 32, inserting a pre-constructed access information option directly into the RS message.
Both the monitored access information and the pre-constructed access information refer to access location information.
The user terminal here may be the first user terminal connected to the access device, an independent user device, or a user device connected to equipment that has no access function. The RS message carrying the inserted access information option may therefore be sent by an independent user terminal, by a user terminal connected to an access device, or by the access device to which the user terminal is connected, according to the user's prior configuration.
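The exchange of Steps 301 to 307, the ND option encoding discussed under Step 103, and the variant of Steps 31 and 32 in which the terminal inserts its own pre-configured number, worked through as an added Python example. This is not the patent's own code. The option type value 200, the checksum left at zero, the prefix lifetimes, the flag values and the registered table are assumptions for illustration: the page names no option type number, and no RADIUS exchange is modelled, so the BRAS here checks the option against a local set of registered access information. Note what the BRAS actually relies on: in the switch path, that the access device was the party that inserted the option; in the terminal path, that the number was registered in advance.

```python
import ipaddress
import struct

# Added example, not the patent's own code. ND option type 200 for the
# access-information option is an assumption: the page names no type number.
ICMPV6_RS, ICMPV6_RA = 133, 134
OPT_PREFIX_INFO = 3                  # standard Prefix Information option (RFC 4861)
OPT_ACCESS_INFO = 200                # hypothetical private ND option type
RS_HDR = struct.Struct("!BBHI")      # type, code, checksum, reserved
RA_HDR = struct.Struct("!BBHBBHII")  # + hop limit, flags, router lifetime, reachable, retrans

def nd_option(opt_type, value):
    """Build one ND option TLV. The length field counts 8-octet units including
    the 2-byte header, so the value is zero-padded to the next multiple of 8."""
    body = bytes([opt_type, 0]) + value
    body += b"\x00" * (-len(body) % 8)
    return bytes([opt_type, len(body) // 8]) + body[2:]

def parse_options(data):
    """Return [(type, value)], rejecting zero-length or truncated options as
    RFC 4861 requires, so a malformed RS cannot run the parser past the buffer."""
    opts, off = [], 0
    while off < len(data):
        if len(data) - off < 2:
            raise ValueError("truncated option header")
        opt_type, length = data[off], data[off + 1]
        if length == 0 or off + 8 * length > len(data):
            raise ValueError("bad ND option length")
        opts.append((opt_type, data[off + 2:off + 8 * length]))
        off += 8 * length
    return opts

def options_well_formed(data):
    """True when parse_options accepts the option block, False when it rejects it."""
    try:
        parse_options(data)
        return True
    except ValueError:
        return False

def access_info(options):
    """The access-information option as text with padding stripped, or None."""
    for opt_type, value in options:
        if opt_type == OPT_ACCESS_INFO:
            return value.rstrip(b"\x00").decode("ascii", "replace")
    return None

def terminal_build_rs(own_number=None):
    """Step 301, or Steps 31-32 when the terminal is the access entity and
    inserts its pre-configured number itself. The checksum is left at 0 here;
    a real sender computes it over the IPv6 pseudo-header."""
    rs = RS_HDR.pack(ICMPV6_RS, 0, 0, 0)
    if own_number is not None:
        rs += nd_option(OPT_ACCESS_INFO, own_number.encode("ascii"))
    return rs

def switch_insert_access_info(rs, switch_name, port):
    """Step 302: the access device appends '<switch>:<port>' for the ingress port."""
    return rs + nd_option(OPT_ACCESS_INFO, f"{switch_name}:{port}".encode("ascii"))

def bras_handle_rs(rs, registered, prefix="2001::/64"):
    """Steps 303-305 and 401-403: check the access information against the
    registered set. Success returns an RA carrying the prefix and the echoed
    option; failure returns None, i.e. the BRAS stays silent and sends no RA."""
    if len(rs) < RS_HDR.size or rs[0] != ICMPV6_RS:
        return None
    info = access_info(parse_options(rs[RS_HDR.size:]))
    if info is None or info not in registered:
        return None
    net = ipaddress.IPv6Network(prefix)
    pio = struct.pack("!BBIII16s", net.prefixlen, 0xC0, 2592000, 604800, 0,
                      net.network_address.packed)   # L and A flags set (assumed)
    ra = RA_HDR.pack(ICMPV6_RA, 0, 0, 64, 0, 1800, 0, 0)
    return ra + nd_option(OPT_PREFIX_INFO, pio) + nd_option(OPT_ACCESS_INFO, info.encode("ascii"))

def switch_strip_access_info(ra):
    """Step 306: drop the access-information option before forwarding the RA."""
    kept = [nd_option(t, v) for t, v in parse_options(ra[RA_HDR.size:]) if t != OPT_ACCESS_INFO]
    return ra[:RA_HDR.size] + b"".join(kept)

def terminal_apply_ra(ra, interface_id):
    """Step 307: take the advertised prefix and form the address from the interface ID."""
    for opt_type, value in parse_options(ra[RA_HDR.size:]):
        if opt_type == OPT_PREFIX_INFO:
            plen, prefix = value[0], ipaddress.IPv6Address(value[14:30])
            iid = int(ipaddress.IPv6Address("::" + interface_id))
            return f"{ipaddress.IPv6Address(int(prefix) | iid)}/{plen}"
    return None

def run_switch_path():
    """Figure 3 end to end with the page's values (switch1, port5, 2001::/64)."""
    registered = {"switch1:port5"}     # constructed: what the auth server has on record
    rs = switch_insert_access_info(terminal_build_rs(), "switch1", "port5")
    ra = bras_handle_rs(rs, registered)
    forwarded = switch_strip_access_info(ra)
    return terminal_apply_ra(forwarded, "221:97ff:fe85:9204")   # 2001::221:97ff:fe85:9204/64
```

`run_switch_path()` reproduces Figure 3: the terminal's RS gains the option on the switch, the BRAS answers only because "switch1:port5" is on record, the switch strips the option again, and the terminal forms 2001::221:97ff:fe85:9204/64. Calling `bras_handle_rs` with an unregistered port, or with an RS that carries no option at all, returns None, which is the silent failure of Step 906. The parser refuses a zero-length or over-long option rather than looping or reading past the message, which any receiver of ND options from an access network must do.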
When the access entity is a user terminal, the user terminal has to request authentication and therefore needs to determine whether its request message has received a response. Accordingly, the IPv6 stateless autoconfiguration authentication method of the embodiment of the present invention also comprises, after step 101:
Step 41, starting an overtime timer that times the wait for the RA message to be returned.
Timing the wait for the RA message with the overtime timer determines whether the application request has been answered, which improves the reliability of the authentication.
Specifically, in the IPv6 stateless autoconfiguration authentication method of another embodiment of the present invention, the execution of step 103 also comprises:
Step 51, if the returned RA message is not received within the preset time of the overtime timer, restoring the state the user terminal was in before it applied for authentication.
An RA message received after the preset time has elapsed is likewise treated as invalid and discarded.
The preset time may be obtained from repeated experiments or set by the user according to demand; any time length that guarantees the validity of the data falls within the scope of protection of the present invention.
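The terminal-side overtime timer of Steps 41 and 51, written as a small client state machine. This is an added example, not code from the patent. The preset time of 5 seconds and the clock value passed in by the caller are assumptions; the page says only that the preset time is found by experiment or set by the user.

```python
import enum

class State(enum.Enum):
    IDLE = "idle"               # state before applying for authentication
    WAITING = "waiting"         # RS sent, overtime timer running
    CONFIGURED = "configured"   # RA applied, prefix in use

class StatelessAuthClient:
    """User terminal acting as access entity (Steps 41 and 51, Steps 501/504, 801/808, 901/907).
    The caller supplies the clock as a number of seconds; preset_timeout is an assumed value."""

    def __init__(self, preset_timeout=5.0):
        self.preset_timeout = preset_timeout
        self.state = State.IDLE
        self.deadline = None
        self.prefix = None

    def send_rs(self, now):
        """Step 41: sending the RS starts the overtime timer."""
        self.state = State.WAITING
        self.deadline = now + self.preset_timeout
        return self.state

    def on_ra(self, now, prefix):
        """Step 504/808: apply the RA if it arrives while waiting and in time.
        An RA after the preset time is invalid and dropped, and the wait is over."""
        if self.state is not State.WAITING:
            return "dropped: not waiting"
        if now > self.deadline:
            self._restore()
            return "dropped: after preset time"
        self.prefix, self.state, self.deadline = prefix, State.CONFIGURED, None
        return "applied"

    def on_tick(self, now):
        """Step 51/907: timer expiry with no RA restores the pre-application state."""
        if self.state is State.WAITING and now > self.deadline:
            self._restore()
            return "timeout: restored"
        return "no change"

    def _restore(self):
        self.state, self.deadline, self.prefix = State.IDLE, None, None
```

Driving the object with explicit times makes the two failure paths easy to check: a tick past the deadline returns "timeout: restored" and the client is back in `IDLE` with no prefix, and an RA that turns up late is dropped rather than applied, matching the discard rule stated above.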
Specifically, in the IPv6 stateless autoconfiguration authentication method of another embodiment of the present invention, step 102 comprises:
Step 61, constructing the access information option as an ND option, encapsulating the ND option in the RS message, and sending the RS message to the BRAS entity for authentication.
The access information is inserted in an extended ND option, and the RS message is sent to the BRAS entity for authentication. IPv6 stateless autoconfiguration can thereby perform power-on authentication, which removes the limitation of stateless autoconfiguration in authentication, provides more ways of allocating addresses, and makes configuration more convenient.
As shown in Figure 4, in the IPv6 stateless autoconfiguration authentication method of another embodiment of the present invention, the step in which the BRAS entity performs authentication comprises:
Step 401, receiving the RS message and parsing out the access information option.
The access information may specifically be the device name of the switch plus the interface name. When a user subscribes to the access service, the operator enters on the authentication server the name of the switch the user terminal accesses and the corresponding access port. When the authentication information received by the authentication server has been entered on the server, authentication passes; otherwise authentication fails.
Step 402, authenticating the access entity according to the access information option to obtain an authentication result.
Step 403, when the authentication result is that authentication passed, allocating the network parameters, encapsulating them and/or the access information option in the RA message, and sending the RA message to the access entity.
Authentication of the user terminal may be performed locally if the authentication information is stored locally; the authentication information may also be sent to a dedicated authentication server, such as a RADIUS (Remote Authentication Dial In User Service) server, for authentication.
When the authentication result is failure, the BRAS stays silent and performs no further processing.
As shown in Figure 5, the processing flow in which the access entity of the embodiment of the present invention sends an authentication request to the BRAS entity and passes the BRAS entity's authentication is as follows.
Step 501, when the access entity is a terminal, it sends an RS message to initiate stateless autoconfiguration and obtain network parameters, inserts the access information option into the RS, and starts the network-parameter overtime timer; when the access entity is an access device, it monitors the forwarded RS message and inserts the access information option.
Step 502, the BRAS entity receives the RS message, parses out the access information option, and authenticates according to the access information option.
Step 503, once the BRAS entity has authenticated the user through the access information option, it allocates the IPv6 address prefix and other network parameters, encapsulates them in an RA message, and sends the RA message to the user.
Step 504, the access entity monitors the RA message. As a terminal, it parses out the IPv6 address prefix and other network parameters, applies them, and cancels the network-parameter overtime timer; as an access device, it deletes the access information option from the RA message and forwards the processed RA message.
Accordingly, to solve the above technical problem, as shown in Figure 6, the embodiment of the present invention provides an IPv6 stateless autoconfiguration authentication device, applied in an access entity, comprising:
a first acquisition module 601, for obtaining a Router Solicitation (RS) message into which an access information option has been inserted;
a sending module 602, for sending the RS message to a Broadband Remote Access Server (BRAS) entity using the Neighbor Discovery protocol, so that the BRAS entity authenticates the RS message;
a receiving module 603, for receiving the Router Advertisement (RA) message returned by the BRAS entity, wherein the RA message carries the access information option and the network parameters, including an IPv6 address prefix, allocated by the BRAS entity.
The RS message obtained by the first acquisition module 601 is sent by the sending module 602 to the BRAS entity, which authenticates it, and the receiving module 603 then receives the RA message returned by the BRAS entity after authentication. Thus, by carrying the access information in an extended ND option, IPv6 stateless autoconfiguration can perform power-on authentication, which removes the limitation of stateless autoconfiguration in authentication, provides more ways of allocating addresses, and makes configuration more convenient.
In the IPv6 stateless autoconfiguration authentication device of another embodiment of the present invention, when the access entity is the access device of a first user terminal, the first acquisition module 601 comprises:
a first acquisition unit, for obtaining, by monitoring, the RS message of the first user terminal;
a second acquisition unit, for obtaining the access information of the first user terminal and of the port of the access device on which the RS message was monitored;
a first processing unit, for inserting the monitored access information into the RS message as the access information option.
In the IPv6 stateless autoconfiguration authentication device of another embodiment of the present invention, the network parameters also comprise a Domain Name Service (DNS) address, and the receiving module 603 comprises:
a first Neighbor Discovery unit, for receiving the RA message returned by the BRAS entity and, when the RA message is found to contain the access information option, deleting the access information option;
a transmitting unit, for sending the RA message with the option deleted, carrying the allocated IPv6 address prefix and DNS address, to the first user terminal.
In the IPv6 stateless autoconfiguration authentication device of another embodiment of the present invention, when the access entity is a user terminal, the first user terminal included, the first acquisition module comprises:
a third acquisition unit, for obtaining the RS message of the user terminal;
a second processing unit, for inserting a pre-constructed access information option directly into the RS message.
The IPv6 stateless autoconfiguration authentication device of another embodiment of the present invention also comprises:
a second acquisition module, for starting an overtime timer that times the wait for the RA message to be returned.
The IPv6 stateless autoconfiguration authentication device of yet another embodiment of the present invention also comprises:
a processing module, for restoring the state the user terminal was in before it applied for authentication if the returned RA message is not received within the preset time of the overtime timer.
In the IPv6 stateless autoconfiguration authentication device of another embodiment of the present invention, the sending module 602 comprises:
a second ND unit, for constructing the access information option as an ND option, encapsulating the ND option in the RS message, and sending the RS message to the BRAS entity for authentication.
As shown in Figure 7, the first ND unit and the second ND unit of the present invention may be the same ND unit of the access entity. Access entity 701 comprises an access information management unit and an ND unit; BRAS entity 702 comprises an authentication unit and the ND unit of the BRAS entity.
The authentication information management unit manages the access information of access entity 701. The authentication information may be configured in ways that include, but are not limited to, manually configuring the authentication information and saving it in storage, or generating the authentication information from unique information of the authenticated entity, such as its MAC (Media Access Control) address.
The authentication unit of the BRAS authenticates the user terminal. If the authentication information is stored locally, the authentication unit can perform the authentication locally; the authentication information may also be sent to a dedicated authentication server, such as a RADIUS (Remote Authentication Dial In User Service) server, for authentication.
As shown in Figure 8, the interaction flow between the units when authentication succeeds is, for example, as follows.
Step 801: if access entity 701 is the access device of a user terminal, the ND unit of the access entity monitors the forwarded RS message; if access entity 701 is a user terminal, the ND unit of the access entity initiates stateless autoconfiguration to obtain network parameters and starts the network-parameter overtime timer.
Step 802: the ND unit of the access entity requests authentication from the authentication information management unit.
Step 803: the authentication information management unit notifies the ND unit of the access entity of the authentication information of access entity 701.
Step 804: the ND unit of the access entity constructs the authentication information as the authentication information option of the ND message, encapsulates it in the RS message, and sends the RS message to BRAS entity 702.
The authentication information management unit manages the access information of the access entity. The authentication information may be configured in ways that include, but are not limited to, manually configuring the authentication information and saving it in storage, or generating the authentication information from unique information of the authenticated entity, such as its MAC address.
Because the ND protocol is well extensible through its option information, the authentication information option is realised by extending the options of the ND message.
Step 805: the ND unit of the BRAS entity receives the RS message, parses out the authentication information, and notifies the authentication unit of it.
Step 806: the authentication unit of BRAS entity 702 authenticates the user terminal successfully and notifies the ND unit of the BRAS entity.
Step 807: after the user terminal passes authentication, the ND unit of the BRAS entity obtains the network parameters, encapsulates them in the RA message that responds to the RS message, and sends it back to the user terminal.
The user terminal here may be the first user terminal of an access device, an independent user terminal, or another user terminal connected to equipment that has no access function.
Step 808: the ND unit of the access entity receives the RA message. If access entity 701 is the access device of a user terminal, it checks whether the RA message contains the authentication information option and, if so, deletes it. If access entity 701 is a user terminal, it parses the RA message, applies the network parameters obtained, and cancels the network-parameter overtime timer.
As shown in Figure 9, the interaction flow between the units when authentication fails is, for example, as follows.
Step 901: if access entity 701 is the access device of a user terminal, the ND unit of the access entity monitors the forwarded RS message; if access entity 701 is a user terminal, the ND unit of the access entity initiates stateless autoconfiguration to obtain network parameters and starts the network-parameter overtime timer.
Step 902: the ND unit of the access entity requests authentication from the authentication information management unit.
Step 903: the authentication information management unit notifies the ND unit of the access entity of the authentication information of access entity 701.
The authentication information management unit manages the access information of the access entity. The authentication information may be configured in ways that include, but are not limited to, manually configuring the authentication information and saving it in storage, or generating the authentication information from unique information of the authenticated entity, such as its MAC address.
Step 904: the ND unit of the access entity constructs the authentication information as the authentication information option of the ND message, encapsulates it in the RS message, and sends the RS message to BRAS entity 702.
Because the ND protocol is well extensible through its option information, the authentication information option is realised by extending the options of the ND message.
Step 905: the ND unit of the BRAS entity receives the RS message, parses out the authentication information, and notifies the authentication unit of it.
Step 906: the authentication unit of BRAS entity 702 fails to authenticate the user terminal and notifies the ND unit of the BRAS entity. The ND unit of the BRAS entity stays silent and sends no RA message in response.
Step 907: if access entity 701 is the access device of a user terminal, the ND unit of the access entity does nothing. If access entity 701 is a user terminal, then when the network-parameter timer expires the application for the IPv6 address prefix and other network parameters has failed, and the user terminal returns to the state it was in before the application.
The user terminal here may be the first user terminal of an access device, an independent user terminal, or another user terminal connected to equipment that has no access function.
As shown in Figure 10, the terminal connects to a switch of the operator's access network and configures its IPv6 address prefix through the ND protocol. The switch, as access entity 701, inserts and deletes the authentication information option. The BRAS in the operator's network allocates an IPv6 address prefix to the terminal through the ND protocol and, before allocating the address, authenticates with the operator's authentication server according to the authentication information option.
It should be noted that the device provided by the present invention is a device that applies the above IPv6 stateless autoconfiguration authentication method; all embodiments of the above authentication method apply to this device and achieve the same or similar beneficial effects.
The above are preferred embodiments of the present invention. It should be pointed out that those of ordinary skill in the art can make a number of improvements and modifications without departing from the principles of the present invention, and such improvements and modifications should also be regarded as falling within the scope of protection of the present invention.