CN108243261A - Access control method and access device for a dual-stack terminal - Google Patents
- Publication number: CN108243261A (application CN201611207827.5A)
- Authority: CN (China)
- Prior art keywords: dual stack, dual-stack terminal, IPv6, message
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H04L2101/686—Types of network addresses using dual-stack hosts, e.g. in Internet protocol version 4 [IPv4]/Internet protocol version 6 [IPv6] networks
- H04L61/4511—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
- H04L61/5014—Internet protocol [IP] addresses using dynamic host configuration protocol [DHCP] or bootstrap protocol [BOOTP]
- H04L63/0892—Network architectures or network communication protocols for network security for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols
- H04W12/06—Authentication
Abstract
Disclosed are an access control method and an access device for a dual-stack terminal. The method includes: the access device forwards packets that assign an IPv4 address to the dual-stack terminal; before the dual-stack terminal is successfully authenticated, the access device discards packets that assign an IPv6 address to the dual-stack terminal; after the dual-stack terminal is successfully authenticated, the access device forwards packets that assign an IPv6 address to the dual-stack terminal. The invention solves the problem of prolonged delay when a dual-stack terminal accesses a network.
Description
Technical field
The present invention relates to the field of Internet technology, and in particular to an access control method and an access device for a dual-stack terminal.
Background
Dual stack (DS) is a transition technology from Internet Protocol version 4 (IPv4) networks to Internet Protocol version 6 (IPv6) networks. In dual-stack technology, both an IPv4 protocol stack and an IPv6 protocol stack are installed on terminal devices and network devices. A dual-stack terminal can access an IPv4 network through its IPv4 address and an IPv6 network through its IPv6 address.
Captive portal authentication is one of the authentication methods used in wireless local area networks (WLAN). When captive portal authentication is deployed, a dual-stack terminal can access network resources only after it has completed authentication. A WLAN may not support captive portal authentication over IPv6.
When the network does not support IPv6 captive portal authentication, a dual-stack terminal can automatically fall back to accessing the network with its IPv4 address, so that it still gains access. However, a dual-stack terminal usually tries to access the network with its IPv6 address first and switches to IPv4 only after the IPv6 attempt fails. The delay for a dual-stack terminal to access the network is therefore prolonged, which degrades the user's access experience.
Summary of the invention
The present application provides an access control method and an access device for a dual-stack terminal, to solve the problem of prolonged delay when a dual-stack terminal accesses a network.
In a first aspect, the present application provides an access control method for a dual-stack terminal that supports an IPv4 protocol stack and an IPv6 protocol stack. The method includes: the access device forwards packets that assign an IPv4 address to the dual-stack terminal. Before the dual-stack terminal is successfully authenticated, the access device discards packets that assign an IPv6 address to the dual-stack terminal; after the dual-stack terminal is successfully authenticated, the access device forwards packets that assign an IPv6 address to the dual-stack terminal.
Because the dual-stack terminal can obtain only an IPv4 address, it can access the network only with that IPv4 address. This prevents the dual-stack terminal from first attempting IPv6 access when the network must authenticate it with an IPv4-based authentication method, and so reduces the delay for the dual-stack terminal to access the network.
In a possible implementation, the packets that assign an IPv6 address to the dual-stack terminal include one or more of the following: a DHCP packet sent by the dual-stack terminal to a DHCP server requesting an IPv6 address; a DHCP packet sent by the DHCP server to the dual-stack terminal carrying the IPv6 address of the dual-stack terminal; a Router Advertisement packet sent by a router to the dual-stack terminal carrying the IPv6 address prefix of the dual-stack terminal.
In a possible implementation, before the dual-stack terminal is successfully authenticated, the method further includes: the access device intercepts a DNS response packet sent by a DNS server to the dual-stack terminal, where the DNS response packet includes the IPv4 address and the IPv6 address of the domain name requested by the dual-stack terminal; the access device deletes the IPv6 address from the DNS response packet and then sends the DNS response packet to the dual-stack terminal.
Because the access device additionally deletes the IPv6 address from the DNS response packet, the dual-stack terminal can obtain only the IPv4 address of the domain name and can therefore access the network only with an IPv4 address. This further ensures that, when the network must authenticate the dual-stack terminal with an IPv4-based authentication method, the dual-stack terminal uses an IPv4 address for its first access attempt, which reduces the delay for the dual-stack terminal to access the network.
In a second aspect, the present application provides an access device that includes a transceiver and a processor, where the processor is configured to:
forward, using the transceiver, packets that assign an IPv4 address to the dual-stack terminal, where the dual-stack terminal supports an IPv4 protocol stack and an IPv6 protocol stack;
before the dual-stack terminal is successfully authenticated, discard packets received by the transceiver that assign an IPv6 address to the dual-stack terminal; and
after the dual-stack terminal is successfully authenticated, forward, using the transceiver, packets that assign an IPv6 address to the dual-stack terminal.
In a possible implementation, the packets that assign an IPv6 address to the dual-stack terminal include one or more of the following: a DHCP packet sent by the dual-stack terminal to a DHCP server requesting an IPv6 address; a DHCP packet sent by the DHCP server to the dual-stack terminal carrying the IPv6 address of the dual-stack terminal; a Router Advertisement packet sent by a router to the dual-stack terminal carrying the IPv6 address prefix of the dual-stack terminal.
In a possible implementation, before the dual-stack terminal is successfully authenticated, the processor is further configured to: intercept, using the transceiver, a DNS response packet sent by a DNS server to the dual-stack terminal, where the DNS response packet includes the IPv4 address and the IPv6 address of the domain name requested by the dual-stack terminal; and, after deleting the IPv6 address from the DNS response packet, send the DNS response packet to the dual-stack terminal using the transceiver.
Since the principle by which this access device solves the problem and its beneficial effects correspond to those of the first aspect and of each possible implementation of the access control method of the first aspect, the implementation of this access device can refer to the implementation of that method, and repeated descriptions are omitted.
In a third aspect, the present application provides an access device for a dual-stack terminal that supports an IPv4 protocol stack and an IPv6 protocol stack. The access device includes:
a forwarding module, configured to forward packets that assign an IPv4 address to the dual-stack terminal;
a processing module, configured to discard packets that assign an IPv6 address to the dual-stack terminal before the dual-stack terminal is successfully authenticated, and to forward packets that assign an IPv6 address to the dual-stack terminal after the dual-stack terminal is successfully authenticated.
In a possible implementation, the packets that assign an IPv6 address to the dual-stack terminal include one or more of the following: a DHCP packet sent by the dual-stack terminal to a DHCP server requesting an IPv6 address; a DHCP packet sent by the DHCP server to the dual-stack terminal carrying the IPv6 address of the dual-stack terminal; a Router Advertisement packet sent by a router to the dual-stack terminal carrying the IPv6 address prefix of the dual-stack terminal.
In a possible implementation, the access device further includes:
an intercepting module, configured to intercept, before the dual-stack terminal is successfully authenticated, a DNS response packet sent by a DNS server to the dual-stack terminal, where the DNS response packet includes the IPv4 address and the IPv6 address of the domain name requested by the dual-stack terminal;
where the processing module is further configured to delete the IPv6 address from the DNS response packet and then send the DNS response packet to the dual-stack terminal.
Since the principle by which this access device solves the problem and its beneficial effects correspond to those of the first aspect and of each possible implementation of the access control method of the first aspect, the implementation of this access device can refer to the implementation of that method, and repeated descriptions are omitted.
In a fourth aspect, the present application provides a storage medium. The storage medium is a computer-readable storage medium that stores a program; the program includes instructions which, when executed by an electronic device having a processor, cause the electronic device to perform the access control method for a dual-stack terminal according to the first aspect and each possible implementation of the first aspect.
Brief description of the drawings
To describe the technical solutions in the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments are briefly introduced below. The drawings in the following description are merely some embodiments of the present invention, and a person of ordinary skill in the art can derive other drawings from them without creative effort.
Figure 1 is a schematic diagram of a network architecture for captive portal authentication;
Figure 2 is a schematic flowchart of an access control method for a dual-stack terminal according to some embodiments of the present invention;
Figure 3(a) is a schematic diagram of the processing before authentication in the authentication flow of the dual-stack terminal access control scheme provided by some embodiments of the present invention;
Figure 3(b) is a schematic diagram of the processing during authentication in the authentication flow of the dual-stack terminal access control scheme provided by some embodiments of the present invention;
Figure 3(c) is a schematic diagram of the processing after authentication in the authentication flow of the dual-stack terminal access control scheme provided by some embodiments of the present invention;
Figure 4 is a schematic structural diagram of an access device for a dual-stack terminal according to some embodiments of the present invention;
Figure 5 is a schematic structural diagram of an access device according to some embodiments of the present invention.
Detailed description
If a network deploys only IPv4 captive portal authentication and does not support IPv6 captive portal authentication, a dual-stack terminal still preferentially uses its IPv6 address to access the network, which prolongs the network access delay. Embodiments of the present invention provide an access control method and an access device for a dual-stack terminal, to solve the problem of prolonged delay when a dual-stack terminal accesses a network and to improve the user's access experience.
The dual-stack terminal access control scheme provided by the embodiments of the present invention restricts the dual-stack terminal so that, before it is successfully authenticated, it can obtain only an IPv4 address and cannot obtain an IPv6 address, and can therefore access the network only with its IPv4 address. Accessing the network with the IPv4 address triggers IPv4 captive portal authentication, which reduces the delay for the dual-stack terminal to access the network.
To describe more clearly the technical problem that the embodiments of the present invention solve, captive portal authentication is first briefly introduced below.
Figure 1 shows a schematic diagram of a network architecture for captive portal authentication. As shown in Figure 1, this example architecture includes: a terminal 101, an access device 102, a redirection device 103, a captive portal authentication server 104 and an authentication, authorization and accounting (AAA) server 105. The AAA server 105 is, for example, a Remote Authentication Dial In User Service (RADIUS) server. The captive portal authentication server 104 and the AAA server 105 may be independent physical devices, or may be implemented on the same physical device.
The terminals involved in this application may include handheld devices, vehicle-mounted devices, wearable devices, computing devices and so on that have communication functions. A client for accessing the network, such as a browser or application (APP) using the Hypertext Transfer Protocol (HTTP) or HTTP over Secure Socket Layer (HTTPS), may be installed on the terminal 101 to initiate network access requests.
The access devices involved in this application may include switches, routers, access points (AP) in a WLAN and so on. An access device may be a network device directly connected (by wire or wirelessly) to the terminal, such as the access device 102 directly connected to the terminal 101 in Figure 1, or a network device at the access layer that is not directly connected to the terminal. For example, the access device 102 and the redirection device 103 may be in the same physical device, with the redirection device 103 not directly connected to the terminal.
The redirection device 103 may include a switch, a router, a wireless controller in a WLAN and so on. The redirection device 103 is mainly used to redirect network access requests from unauthenticated terminals to the captive portal authentication server. The captive portal authentication server 104 is mainly used to provide the portal service and push the authentication page, and, after receiving the authentication information entered by the terminal on the authentication page, to exchange that authentication information with the access device. The AAA server 105 is mainly used to communicate with the access device, exchange authentication information and complete the authentication of the terminal.
Based on the example architecture in Figure 1, after the terminal 101 initiates a network access request, the access device 102 receives the request and forwards it. If the terminal 101 is not authenticated, the redirection device 103 redirects the network access request of the terminal 101 to the captive portal authentication server 104.
Further, as shown in Figure 1, after the redirection device 103 redirects the network access request of the unauthenticated terminal 101 to the captive portal authentication server 104, the captive portal authentication server 104 pushes an authentication page to the terminal 101. The terminal 101 enters authentication information such as a user name and password on the authentication page and submits it to the captive portal authentication server 104 (①); the captive portal authentication server 104 then exchanges the user's authentication information with the redirection device 103 (②); and the redirection device 103 communicates with the AAA server 105 (③) to complete the authentication of the terminal 101.
Because captive portal authentication is triggered by a network access request initiated by the terminal, and the terminal can access network resources only after authentication is completed, in a network where captive portal authentication is deployed the terminal must first obtain an IP address in order to initiate the network access request. During the transition from IPv4 networks to IPv6 networks, a terminal obtains an IP address in one of the following two situations:
For a terminal that supports the IPv4 protocol stack, since an IPv4 address can be configured through the Dynamic Host Configuration Protocol (DHCP), the terminal can obtain an IPv4 address from a DHCP server;
For a dual-stack terminal that supports both the IPv4 and the IPv6 protocol stack, on the one hand the dual-stack terminal can obtain an IPv4 address from a DHCP server. On the other hand, an IPv6 address can be configured either through stateful address allocation (for example using the Dynamic Host Configuration Protocol version 6, DHCPv6) or through stateless address allocation (for example using the Internet Control Message Protocol version 6, ICMPv6); which IPv6 address allocation method is used can be configured by the network administrator. The dual-stack terminal can therefore also obtain an IPv6 address from a DHCP server or from a router in the network, where obtaining the IPv6 address from a router in the network is the stateless address allocation method.
Specifically, for example, the architecture of Figure 1 may further include a DHCP server for configuring IPv4 addresses for terminals; or it may further include a DHCP server and/or a router for configuring IPv4 addresses and IPv6 addresses for dual-stack terminals. In some practical scenarios the DHCP server need not be a separate device; for example, the DHCP protocol may be enabled on the redirection device 103.
It can be seen that, because a dual-stack terminal can obtain both an IPv6 address and an IPv4 address and preferentially uses the IPv6 address to initiate network access requests, if the network deploys only IPv4 captive portal authentication and does not support IPv6 captive portal authentication, the dual-stack terminal switches to IPv4 only after its attempt to access the network with the IPv6 address fails. This prolongs the network access delay and degrades the user's access experience.
To solve the above problem, embodiments of the present invention provide an access control method and an access device for a dual-stack terminal. The embodiments are described below with reference to the drawings.
Figure 2 shows a schematic flowchart of an access control method for a dual-stack terminal according to an embodiment of the present invention. The flow can be implemented by hardware, by software programming, or by a combination of hardware and software.
An access device can be configured to execute the flow shown in Figure 2; for example, in the captive portal authentication architecture of Figure 1, the access device 102 can be configured to execute the flow shown in Figure 2. The functional modules in the access device that implement the dual-stack terminal access control scheme provided by the embodiments of the present invention can be implemented by hardware, by software programming, or by a combination of hardware and software, where the hardware may include one or more signal processing and/or application-specific integrated circuits.
As shown in Figure 2, the flow includes the following processing:
On the one hand, so that the dual-stack terminal can obtain an IPv4 address, the access device forwards packets that assign an IPv4 address to the dual-stack terminal (201).
Forwarding packets that assign an IPv4 address to the dual-stack terminal may include: the access device forwards to the DHCP server the DHCP packet sent by the dual-stack terminal requesting an IPv4 address, and the access device forwards to the dual-stack terminal the DHCP response packet sent by the DHCP server carrying the IPv4 address of the dual-stack terminal. The dual-stack terminal can thus obtain an IPv4 address normally.
The DHCP packet requesting an IPv4 address and the DHCP packet carrying the IPv4 address of the dual-stack terminal can be regarded as DHCPv4 packets under the IPv4 protocol.
On the other hand, to restrict the dual-stack terminal to accessing the network only with its IPv4 address, and so avoid the prolonged access delay caused by the dual-stack terminal preferentially using its IPv6 address when the network must authenticate it with an IPv4-based authentication method, the access device discards packets that assign an IPv6 address to the dual-stack terminal before the dual-stack terminal is successfully authenticated (202).
The packets discarded by the access device that assign an IPv6 address to the dual-stack terminal may include one or more of the following: a DHCP packet sent by the dual-stack terminal to the DHCP server requesting an IPv6 address; a DHCP packet sent by the DHCP server to the dual-stack terminal carrying the IPv6 address of the dual-stack terminal; a Router Advertisement (RA) packet sent by a router to the dual-stack terminal carrying the IPv6 address prefix of the dual-stack terminal.
For example, in some embodiments of the present invention, if the network is configured to allocate IPv6 addresses by stateful address allocation, which is mainly implemented through the DHCPv6 protocol, then when the access device receives the DHCP packet sent by the dual-stack terminal requesting an IPv6 address it can discard that DHCP packet, so that the dual-stack terminal cannot obtain an IPv6 address and can access the network only with the IPv4 address it has obtained.
As another example, in some embodiments of the present invention, if the access device fails to discard the DHCP packet requesting an IPv6 address in time, so that the DHCP server receives that packet and sends the dual-stack terminal a DHCP packet carrying its IPv6 address, the access device can discard the DHCP packet sent by the DHCP server that carries the IPv6 address of the dual-stack terminal, so that the dual-stack terminal still cannot obtain an IPv6 address;
As another example, in some embodiments of the present invention, if the network is configured to allocate IPv6 addresses by stateless address allocation, which is mainly implemented through the ICMPv6 protocol: ICMPv6 supports automatic address configuration of network nodes, specifically a router carries IPv6 address prefix information in an RA packet to assign an IPv6 address prefix to the terminal, and the terminal derives a global unicast address by combining the prefix advertised by the router with its own interface identifier. Therefore, when the access device receives an RA packet carrying an IPv6 address prefix sent by a router, it can discard that RA packet, so that the dual-stack terminal cannot obtain an IPv6 address.
Both the DHCP packet requesting an IPv6 address and the DHCP packet carrying the IPv6 address of the dual-stack terminal can be regarded as DHCPv6 packets corresponding to the IPv6 protocol.
网络使用哪种地址分配方式分配IPv6地址可以由网络管理员进行配置,本申请对此将不作详述。Which address allocation method the network uses to allocate IPv6 addresses can be configured by the network administrator, which will not be described in detail in this application.
可以看到,通过上面两方面的处理,在认证成功前,双栈终端将仅能获取到IPv4地址,从而使得双栈终端只能使用IPv4地址访问网络,从而能够避免在网络需要使用IPv4的认证方式认证双栈终端时,由于双栈终端优先使用IPv6地址访问网络而导致双栈终端接入网络时延长的问题。It can be seen that through the above two aspects of processing, before the authentication is successful, the dual-stack terminal will only be able to obtain an IPv4 address, so that the dual-stack terminal can only use the IPv4 address to access the network, thereby avoiding the need to use IPv4 authentication on the network When dual-stack terminals are authenticated in this way, due to the dual-stack terminals preferentially using IPv6 addresses to access the network, the time for dual-stack terminals to access the network is prolonged.
具体比如,在本发明的一些实施例中,如果网络中部署了强制门户认证,双栈终端需要通过发起访问网络请求从而进入认证过程,完成认证后才能访问网络资源。由于接入设备在认证前能够丢弃掉为双栈终端分配IPv6地址的报文,从而使得双栈终端只能获取到IP v4地址而无法获取到IPv6地址,进而双栈终端将直接使用IPv4地址访问网络,触发IPv4的强制门户认证,实现双栈终端的接入。因此,避免了在网络不支持IPv6的强制门户认证时,双栈终端仍然优先使用IPv6地址访问网络,降低了双栈终端接入网络的时延。Specifically, in some embodiments of the present invention, if captive portal authentication is deployed in the network, the dual-stack terminal needs to initiate an access network request to enter the authentication process, and can access network resources only after the authentication is completed. Because the access device can discard the packet that assigns an IPv6 address to the dual-stack terminal before authentication, the dual-stack terminal can only obtain the IPv4 address but not the IPv6 address, and the dual-stack terminal will directly use the IPv4 address to access the The network triggers IPv4 captive portal authentication to realize the access of dual-stack terminals. Therefore, it is avoided that when the network does not support IPv6 captive portal authentication, the dual-stack terminal still preferentially uses the IPv6 address to access the network, reducing the time delay for the dual-stack terminal to access the network.
进而,为了保证双栈终端在认证成功后能够访问IPv4和IPv6的网络资源,、在双栈终端认证成功之后,接入设备可以转发为双栈终端分配IPv6地址的报文(203),使得认证成功后的双栈终端能够获取到IPv6地址,进而访问IPv6的网络资源。Furthermore, in order to ensure that the dual-stack terminal can access IPv4 and IPv6 network resources after the authentication is successful, after the dual-stack terminal is authenticated successfully, the access device can forward the message (203) that assigns the IPv6 address to the dual-stack terminal, so that the authentication A successful dual-stack terminal can obtain an IPv6 address, and then access IPv6 network resources.
在双栈终端认证成功之前,接入设备丢弃其接收到的任何为双栈终端分配IPv6地址的报文。在双栈终端认证成功之后,接入设备不再甄别为双栈终端分配IPv6地址的报文,并为这类报文执行丢弃动作,而是执行正常的转发过程。因此在双栈终端认证成功之后,接入设备转发其接收到的这类报文(为双栈终端分配IPv6地址的报文)。Before the authentication of the dual-stack terminal succeeds, the access device discards any received packets for assigning IPv6 addresses to the dual-stack terminal. After the dual-stack terminal is successfully authenticated, the access device no longer screens the packets that assign IPv6 addresses to the dual-stack terminal and discards such packets, but performs the normal forwarding process. Therefore, after the dual-stack terminal is successfully authenticated, the access device forwards the received message (a message for assigning an IPv6 address to the dual-stack terminal).
接入设备可以在双栈终端认证成功之前开启丢弃为双栈终端分配IPv6地址的报文的功能,在双栈终端认证成功之后关闭该功能,而执行正常的报文转发功能,从而能够正常转发为双栈终端分配IPv6地址的报文,使得认证成功后的双栈终端能够获取到IPv6地址。The access device can enable the function of discarding packets that allocate IPv6 addresses for dual-stack terminals before the dual-stack terminal authentication is successful, and disable this function after the dual-stack terminal authentication is successful, and perform the normal packet forwarding function, so that it can be forwarded normally A packet for assigning an IPv6 address to a dual-stack terminal, so that the dual-stack terminal after successful authentication can obtain an IPv6 address.
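A minimal form of the pre-authentication filter described above, as an added example rather than code from the patent: it classifies raw Ethernet frames as DHCPv4, DHCPv6 or Router Advertisement from the EtherType, IP protocol, UDP ports and ICMPv6 type, and drops DHCPv6 and RA traffic only while the terminal is unauthenticated. The AccessDevice class, the MAC-keyed set of authenticated terminals and the zero-filled sample frames are assumptions made for illustration.

```python
import struct
from enum import Enum

# Constants used to recognise the address-assignment packets the text lists.
ETH_IPV4 = 0x0800
ETH_IPV6 = 0x86DD
PROTO_UDP = 17
PROTO_ICMPV6 = 58
DHCPV4_PORTS = {67, 68}          # BOOTP/DHCPv4 server and client ports
DHCPV6_PORTS = {546, 547}        # DHCPv6 client and server ports
ICMPV6_ROUTER_ADVERTISEMENT = 134


class Action(Enum):
    FORWARD = "forward"
    DROP = "drop"


def classify(frame: bytes) -> str:
    """Return 'dhcpv4', 'dhcpv6', 'ra' or 'other' for a raw Ethernet frame.

    IPv6 extension headers are not walked here; a production filter must follow
    the next-header chain, otherwise an RA or DHCPv6 packet placed behind a
    Hop-by-Hop or Destination Options header would be classified as 'other'.
    """
    if len(frame) < 14:
        return "other"
    ethertype = struct.unpack("!H", frame[12:14])[0]
    ip = frame[14:]
    if ethertype == ETH_IPV4 and len(ip) >= 20:
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] == PROTO_UDP and len(ip) >= ihl + 4:
            sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
            if sport in DHCPV4_PORTS and dport in DHCPV4_PORTS:
                return "dhcpv4"
    elif ethertype == ETH_IPV6 and len(ip) >= 40:
        next_header, l4 = ip[6], ip[40:]
        if next_header == PROTO_UDP and len(l4) >= 4:
            sport, dport = struct.unpack("!HH", l4[:4])
            if sport in DHCPV6_PORTS and dport in DHCPV6_PORTS:
                return "dhcpv6"
        elif next_header == PROTO_ICMPV6 and l4 and l4[0] == ICMPV6_ROUTER_ADVERTISEMENT:
            return "ra"
    return "other"


class AccessDevice:
    """Per-terminal forward/drop decision of the access device (hypothetical class)."""

    def __init__(self) -> None:
        self.authenticated = set()   # MACs of terminals that passed the captive portal

    def mark_authenticated(self, terminal_mac: str) -> None:
        self.authenticated.add(terminal_mac)

    def decide(self, terminal_mac: str, frame: bytes) -> Action:
        # terminal_mac identifies the terminal the frame is sent by or destined to,
        # as known from the access point's association table (assumption).
        kind = classify(frame)
        if kind in ("dhcpv6", "ra") and terminal_mac not in self.authenticated:
            return Action.DROP          # step 202: no IPv6 address before authentication
        return Action.FORWARD           # DHCPv4 always; DHCPv6/RA once authenticated (203)


# --- constructed sample frames (zeroed MAC/IP addresses, no checksums) ---
def _eth(ethertype: int, payload: bytes) -> bytes:
    return b"\x00" * 12 + struct.pack("!H", ethertype) + payload


def ipv4_udp_frame(sport: int, dport: int) -> bytes:
    ip = (bytes([0x45, 0]) + struct.pack("!H", 28) + b"\x00" * 4
          + bytes([64, PROTO_UDP]) + b"\x00" * 10)        # 20-byte IPv4 header
    return _eth(ETH_IPV4, ip + struct.pack("!HHHH", sport, dport, 8, 0))


def ipv6_frame(next_header: int, l4: bytes) -> bytes:
    ip6 = struct.pack("!IHBB", 0x60000000, len(l4), next_header, 255) + b"\x00" * 32
    return _eth(ETH_IPV6, ip6 + l4)


DHCPV4_DISCOVER = ipv4_udp_frame(68, 67)
DHCPV6_SOLICIT = ipv6_frame(PROTO_UDP, struct.pack("!HHHH", 546, 547, 8, 0))
ROUTER_ADVERTISEMENT = ipv6_frame(PROTO_ICMPV6, bytes([134, 0]) + b"\x00" * 14)

if __name__ == "__main__":
    dev, mac = AccessDevice(), "02:00:00:00:00:01"
    for name, frame in [("DHCPv4", DHCPV4_DISCOVER), ("DHCPv6", DHCPV6_SOLICIT),
                        ("RA", ROUTER_ADVERTISEMENT)]:
        print(f"before auth {name}: {dev.decide(mac, frame).value}")
    dev.mark_authenticated(mac)
    print(f"after auth DHCPv6: {dev.decide(mac, DHCPV6_SOLICIT).value}")
```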
It can be seen that, through the processing described above, a dual-stack terminal can complete authentication and access the network smoothly with essentially no modification or upgrade of the existing IPv4 network, satisfying the access policy requirement that dual-stack terminals authenticate before going online and improving the access experience of dual-stack terminal users.
Further, the IPv6 protocol provides two types of IPv6 address: the Global Unicast Address (GUA), which can be used to reach any IPv6 node in the network to which a route exists, and the Link-Local Address (LLA), which is used only for communication on the local link and can be generated by the dual-stack terminal itself. When a dual-stack terminal accesses the network with a client that supports dual stack, it can decide whether to use its IPv4 or its IPv6 address based on the addresses carried in the DNS response packet returned by the DNS server.
Therefore, considering that a dual-stack terminal that obtains the IPv6 address of the domain name it wants to access before authentication succeeds might use its self-generated link-local address to reach that IPv6 address, some embodiments of the present invention further prevent the dual-stack terminal from obtaining the IPv6 address of the requested domain name before authentication succeeds, so as to ensure that the dual-stack terminal can access the network only with an IPv4 address.
After a Domain Name System (DNS) server receives a DNS resolution request packet from the dual-stack terminal, it returns to the dual-stack terminal a DNS response packet carrying both the IPv4 address and the IPv6 address of the requested domain name. Therefore, in some embodiments of the present invention, before the dual-stack terminal is successfully authenticated, the access device can also intercept the DNS response packet sent by the DNS server to the dual-stack terminal, delete the IPv6 address from it, and send the DNS response packet with the IPv6 address removed to the dual-stack terminal, so that the dual-stack terminal obtains only the IPv4 address of the requested domain name and can access the network only with an IPv4 address.
In some embodiments of the present invention, the dual-stack terminal initiates a DNS resolution request asking the DNS server for the IP address corresponding to a domain name. After looking up the name, the DNS server returns to the dual-stack terminal a DNS response packet containing an A record and an AAAA record, where the A record is the DNS record that resolves the domain name to an IPv4 address and the AAAA record is the DNS record that resolves it to an IPv6 address. After obtaining the DNS response packet, the access device can keep its A record, delete its AAAA record, and then send it to the dual-stack terminal, so that the dual-stack terminal cannot obtain the AAAA record and therefore cannot learn the IPv6 address of the domain name.
To accommodate the case where deploying pure IPv6 DNS is difficult, the dual-stack terminal can complete IPv6 address resolution through an IPv4 DNS server, and the DNS resolution request packet and DNS response packet described above can be DNSv4 packets carried over the IPv4 protocol.
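The AAAA-stripping step of the interception described above, as an added example that is not code from the patent: it parses a DNS response in wire format, drops every AAAA record, and re-serializes the remaining records with uncompressed names, because a kept record's compression pointer may otherwise refer into a deleted record. The sample response, its documentation-range addresses and the function names are constructed for illustration.

```python
import struct

TYPE_AAAA = 28
NAME_RDATA_TYPES = {2, 5, 12}       # NS, CNAME, PTR: RDATA is one (compressible) name
UNHANDLED_TYPES = {6, 15}           # SOA, MX: names inside RDATA; not handled, fail closed


def read_name(msg: bytes, off: int):
    """Decompress the name at `off`; return (labels, offset just past the name)."""
    labels, end, jumps = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                    # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumps += 1
            if jumps > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length])
        off += length
    return labels, (end if end is not None else off)


def write_name(labels) -> bytes:
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def strip_aaaa(msg: bytes):
    """Return `msg` with every AAAA record removed and all names re-serialized
    uncompressed (so no pointer can refer into a deleted record), or None when
    the message is not a response or cannot be rewritten safely."""
    try:
        ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
        if not flags & 0x8000:
            return None                                # a query, not a response
        off, question = 12, b""
        for _ in range(qd):
            labels, off = read_name(msg, off)
            question += write_name(labels) + msg[off:off + 4]
            off += 4
        sections, counts = [], []
        for count in (an, ns, ar):
            kept, records = 0, b""
            for _ in range(count):
                labels, off = read_name(msg, off)
                rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
                rdata_off, off = off + 10, off + 10 + rdlen
                if rtype == TYPE_AAAA:
                    continue                           # the record being removed
                if rtype in NAME_RDATA_TYPES:
                    rdata = write_name(read_name(msg, rdata_off)[0])
                elif rtype in UNHANDLED_TYPES:
                    return None
                else:
                    rdata = msg[rdata_off:off]         # A, TXT, OPT, ...: opaque
                records += write_name(labels) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata
                kept += 1
            sections.append(records)
            counts.append(kept)
        return struct.pack("!HHHHHH", ident, flags, qd, *counts) + question + b"".join(sections)
    except (IndexError, struct.error, ValueError):
        return None      # malformed: fail closed rather than pass the original through


def answer_records(msg: bytes):
    """(owner name, type, rdata) for each answer record; used to check a rewrite."""
    qd, an = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qd):
        off = read_name(msg, off)[1] + 4
    out = []
    for _ in range(an):
        labels, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        out.append((b".".join(labels).decode(), rtype, msg[off:off + rdlen]))
        off += rdlen
    return out


# Constructed sample: answer for www.example.com with CNAME, A and AAAA records whose
# owner names are compression pointers into the question (0xC00C = offset 12,
# 0xC010 = offset 16, the "example.com" suffix). Documentation addresses only.
_HEADER = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 3, 0, 0)
_QUESTION = write_name([b"www", b"example", b"com"]) + struct.pack("!HH", 1, 1)
_CNAME = b"\xC0\x0C" + struct.pack("!HHIH", 5, 1, 300, 2) + b"\xC0\x10"
_A = b"\xC0\x10" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
_AAAA = b"\xC0\x10" + struct.pack("!HHIH", 28, 1, 300, 16) + bytes.fromhex("20010db8" + "00" * 11 + "01")
SAMPLE_RESPONSE = _HEADER + _QUESTION + _CNAME + _A + _AAAA

if __name__ == "__main__":
    filtered = strip_aaaa(SAMPLE_RESPONSE)
    print("original:", [(n, t) for n, t, _ in answer_records(SAMPLE_RESPONSE)])
    print("filtered:", [(n, t) for n, t, _ in answer_records(filtered)])
```

Rewriting a response this way invalidates any DNSSEC signature covering the answer section, and the access device cannot see queries a terminal sends over DNS over TLS or HTTPS, so for such terminals only the address-assignment drop of step 202 takes effect.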
It can be seen that, with the access control scheme for dual-stack terminals provided in the embodiments of the present invention, the access device discards packets that assign an IPv6 address to the dual-stack terminal before the dual-stack terminal is successfully authenticated and selectively modifies DNS response packets to delete the IPv6 address of the domain name. This forces the dual-stack terminal to access the network only with an IPv4 address before authentication succeeds, so that when the network authenticates dual-stack terminals with an IPv4 authentication method the dual-stack terminal first accesses the network with its IPv4 address and triggers IPv4 captive portal authentication, reducing the delay before the dual-stack terminal gains network access.
As an example, Fig. 3(a), Fig. 3(b) and Fig. 3(c) respectively show example processing flows of the access control scheme for dual-stack terminals provided by some embodiments of the present invention as applied in practice: Fig. 3(a) shows an example flow before authentication, Fig. 3(b) an example flow during authentication, and Fig. 3(c) an example flow after authentication.
As shown in the figures, the access device includes a wireless access point 302 directly connected to the dual-stack terminal 301 and a wireless controller 303 indirectly connected to the dual-stack terminal 301. The wireless access point 302 executes the access control scheme for dual-stack terminals provided by the embodiments of the present invention, and the wireless controller 303 is the redirection device.
As shown in Fig. 3(a), before the dual-stack terminal 301 passes authentication, the wireless access point 302 discards the DHCPv6 packets of the dual-stack terminal 301 but forwards its DHCPv4 packets to the wireless controller 303 normally, so that the dual-stack terminal 301 cannot obtain an IPv6 address and obtains only an IPv4 address; alternatively, before the dual-stack terminal 301 passes authentication, the wireless access point 302 discards the RA packets sent by the router in the network, so that the dual-stack terminal 301 cannot obtain an IPv6 address.
As shown in Fig. 3(b), during the authentication of the dual-stack terminal 301, the wireless access point 302 intercepts the DNSv4 response packet sent by the DNS server to the dual-stack terminal 301, deletes the AAAA record (the domain name's IPv6 address) from it and then sends it to the dual-stack terminal 301. The dual-stack terminal 301 therefore obtains only the A record (the domain name's IPv4 address), learns the domain name's IPv4 address from the A record but cannot learn its IPv6 address, and so cannot use a link-local IPv6 address to access the network.
Through the above process, the dual-stack terminal 301 can obtain only an IPv4 address and only the IPv4 address of the domain name, which ensures that the dual-stack terminal 301 accesses the network only with an IPv4 address, so that when the network does not support IPv6 captive portal authentication, IPv4 captive portal authentication is triggered directly and the dual-stack terminal gains access.
After the dual-stack terminal 301 passes IPv4 captive portal authentication, it can go online normally, access IPv4 network resources with its IPv4 address, obtain an IPv6 address and access IPv6 network resources with it; the wireless access point 302 and the wireless controller 303 forward data traffic normally, as shown in Fig. 3(c).
In summary, in the access control scheme for dual-stack terminals provided in the embodiments of the present invention, the access device forwards packets that assign an IPv4 address to the dual-stack terminal; before the dual-stack terminal is successfully authenticated it discards packets that assign an IPv6 address to the dual-stack terminal, and after successful authentication it forwards them. The dual-stack terminal therefore cannot obtain an IPv6 address before authentication; because it can obtain only an IPv4 address, it can access the network only with an IPv4 address. The access device further intercepts the DNS response packet returned by the DNS server and deletes the IPv6 address of the domain name carried in it, so that the dual-stack terminal obtains only the domain name's IPv4 address, which further ensures that the dual-stack terminal accesses the network only with an IPv4 address. This series of measures guarantees that the dual-stack terminal can access the network only with an IPv4 address before authentication succeeds, so that when the network authenticates dual-stack terminals with an IPv4 authentication method, the dual-stack terminal accesses the network with its IPv4 address first, reducing the delay before it gains network access.
Based on the same technical concept, an embodiment of the present invention also provides an access device for a dual-stack terminal that can execute the method flow described in the foregoing embodiments of the present invention. The functional modules of the access device that execute that method flow can be implemented in hardware, in software, or in a combination of the two; the hardware may include one or more signal processing and/or application-specific integrated circuits.
Fig. 4 shows a schematic structural diagram of an access device for a dual-stack terminal provided by some embodiments of the present invention. As shown in Fig. 4, the access device includes:
a forwarding module 401, configured to forward packets that assign an IPv4 address to the dual-stack terminal;
a processing module 402, configured to discard packets that assign an IPv6 address to the dual-stack terminal before the dual-stack terminal is successfully authenticated, and to forward packets that assign an IPv6 address to the dual-stack terminal after successful authentication.
The packets that assign an IPv6 address to the dual-stack terminal include one or more of the following: a DHCP packet sent by the dual-stack terminal to the DHCP server requesting an IPv6 address; a DHCP packet sent by the DHCP server to the dual-stack terminal carrying the dual-stack terminal's IPv6 address; and a router advertisement packet sent by a router to the dual-stack terminal carrying the IPv6 address prefix for the dual-stack terminal.
In some embodiments of the present invention, the access device further includes:
an interception module 403, configured to intercept, before the dual-stack terminal is successfully authenticated, the DNS response packet sent by the DNS server to the dual-stack terminal, where the DNS response packet includes the IPv4 address and the IPv6 address of the domain name requested by the dual-stack terminal.
The interception module 403 is further configured to delete the IPv6 address from the DNS response packet and then send the DNS response packet to the dual-stack terminal.
Based on the same inventive concept, for the problem-solving principle and beneficial effects of the access device for a dual-stack terminal provided by some embodiments of the present invention, reference may be made to the implementation of the method shown in Fig. 2 above and the beneficial effects it brings; for the implementation of the access device, reference may be made to the method embodiments above, and repeated details are omitted.
Based on the same technical concept, some embodiments of the present invention also provide an access device for a dual-stack terminal that can be used to execute the access control flow for a dual-stack terminal described in the foregoing method embodiments.
Fig. 5 shows a schematic structural diagram of an access device for a dual-stack terminal provided by some embodiments of the present invention. As shown in Fig. 5, the access device may include a transceiver 501 and a processor 502.
The transceiver 501 and the processor 502 may be connected through a bus or in other ways.
The transceiver 501 may include interfaces for connecting to other network devices, for example an interface to user equipment, an interface to a captive portal authentication server, and interfaces to other service devices. An interface may be wired, wireless, or a combination of the two. A wired interface may be, for example, an Ethernet interface, which may be optical, electrical, or a combination of the two. A wireless interface may be, for example, a wireless local area network (WLAN) interface, a cellular network interface, or a combination of the two.
The processor 502 may be a central processing unit (CPU) or a combination of a CPU and a hardware chip. The hardware chip may be one or a combination of the following: an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA), a complex programmable logic device (CPLD), generic array logic (GAL) and a network processor (NP).
The access device may also include a memory, which stores a program that instructs the processor how to operate. The memory may include volatile memory, for example random-access memory (RAM); it may also include non-volatile memory, for example read-only memory (ROM), flash memory, a hard disk drive (HDD) or a solid-state drive (SSD); and it may include a combination of the above kinds of memory.
The processor 502 is configured to:
forward, through the transceiver 501, packets that assign an IPv4 address to the dual-stack terminal;
discard, before the dual-stack terminal is successfully authenticated, packets received by the transceiver 501 that assign an IPv6 address to the dual-stack terminal; and, after successful authentication, forward packets that assign an IPv6 address to the dual-stack terminal through the transceiver 501.
The packets that assign an IPv6 address to the dual-stack terminal include one or more of the following: a DHCP packet sent by the dual-stack terminal to the DHCP server requesting an IPv6 address; a DHCP packet sent by the DHCP server to the dual-stack terminal carrying the dual-stack terminal's IPv6 address; and a router advertisement packet sent by a router to the dual-stack terminal carrying the IPv6 address prefix for the dual-stack terminal.
Before the dual-stack terminal is successfully authenticated, the processor 502 is further configured to:
intercept, through the transceiver 501, the DNS response packet sent by the DNS server to the dual-stack terminal, where the DNS response packet includes the IPv4 address and the IPv6 address of the domain name requested by the dual-stack terminal;
and, after deleting the IPv6 address from the DNS response packet, send the DNS response packet to the dual-stack terminal through the transceiver 501.
Based on the same technical concept, for the problem-solving principle and beneficial effects of the access device for a dual-stack terminal provided by some embodiments of the present invention, reference may be made to the implementation of the method shown in Fig. 2 above and the beneficial effects it brings; for the implementation of the access device, reference may be made to the method embodiments above, and repeated details are omitted.
Based on the same technical concept, an embodiment of the present invention also provides a storage medium, namely a computer-readable storage medium that stores a program comprising instructions which, when executed by an electronic device having a processor, cause the electronic device to execute the access control method flow for a dual-stack terminal described in the foregoing embodiments; for details, see the description of the foregoing embodiments, which is not repeated here.
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from its scope. Thus, if these modifications and variations of the present invention fall within the scope of its claims, the present invention is intended to include them as well.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611207827.5A CN108243261A (en) | 2016-12-23 | 2016-12-23 | Access control method and access device for a dual-stack terminal |
Publications (1)
Publication Number | Publication Date |
---|---|
CN108243261A true CN108243261A (en) | 2018-07-03 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | Application publication date: 20180703 |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | |