
CN101179603A - Method and device for controlling user network access in IPv6 network - Google Patents


Info

Publication number: CN101179603A
Authority: CN (China)
Prior art keywords: access, message, network, user, user network
Legal status: Granted (status as listed by Google Patents; not a legal conclusion)
Application number: CNA2006101181404A
Other languages: Chinese (zh)
Other versions: CN101179603B
Inventors: 温海波, 马松伟
Current assignee: Nokia Communications (Shanghai) Co., Ltd. (as listed; Google has not verified the assignee list)
Original assignee: Alcatel Lucent Shanghai Bell Co Ltd

Events: application filed by Alcatel Lucent Shanghai Bell Co Ltd; priority to CN2006101181404A (granted as CN101179603B); publication of CN101179603A; application granted; publication of CN101179603B; legal status active; anticipated expiration.

Classification (landscapes)

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention is proposed mainly to meet the IPv6 requirement of one IP address prefix per user network, to authenticate user networks more effectively, and to prevent address theft. In the proposed scheme, the access device appends feature information of the user network, together with its own address information, to the Router Solicitation (RS) message it forwards to the router, and the router uses this information to perform access authentication. The scheme not only achieves one IP address prefix per user network but also enforces access authentication of user networks more strongly, largely eliminating address theft.

Description

Method and device for controlling user network access in an IPv6 network

Technical field

The invention relates to IPv6 networks, and in particular to a method and device for performing access authentication of a user network in an IPv6 network.

Background

IPv6 (Internet Protocol version 6) is the core protocol of the next-generation Internet and addresses many of the shortcomings exposed by IPv4, such as address scarcity, very large routing tables and insufficient support for mobile devices. IPv6 defines both stateful and stateless address autoconfiguration mechanisms.

Stateless address autoconfiguration requires no manual configuration on the user terminal (for example a computer in the user network), simplifies router configuration and needs no additional server; stateful address autoconfiguration, by contrast, requires a DHCP server. With stateless autoconfiguration, the user terminal forms its own IP address by combining its interface identifier with the IPv6 address prefix advertised by the router. The invention is mainly directed at the stateless case.

In existing IPv6 access networks the access device is usually a Layer 2 (link-layer) device. Because the Router Solicitation message it forwards to the router carries no identifier of the access-device port on which the solicitation arrived, access authentication of a user network cannot be based on the port identifier that corresponds one-to-one to that user network. If the access device itself were made responsible for assigning IP addresses, these generally Layer 2 devices would have to be upgraded to Layer 3 (IP-layer) devices, raising operator cost. Furthermore, because a Layer 2 access device floods a received Router Advertisement message (RA message) to several user networks, one IPv6 address prefix reaches multiple user networks; the IPv6 requirement that one user network correspond to one IP address prefix cannot be enforced, and address theft (one user network using a prefix assigned to another) becomes easy.

How to keep the existing Layer 2 access devices while fully realising the one-to-one correspondence between user networks and IP address prefixes in an IPv6 network, and authenticating user network access effectively, has therefore become a widely shared concern.

Summary of the invention

Before the technical solution is described, the following terms used below are defined:

IPv6 network: a communication network based on the IPv6 protocol;

Node: a user terminal, access device, router and the like;

Interface: the part of a node that attaches to a physical link, for example the network card of a computer (a user terminal);

Link-layer address: the link-layer identifier of an interface, for example the MAC address of a computer's network card on Ethernet;

Link-local address: an address whose format prefix is 1111 1110 10 (fe80::/10), used for communication between neighbouring nodes on the same link, for example between hosts on a single link with no router. A user terminal can use its link-local address to communicate with other user terminals in the same user network;

User network: an important feature of IPv6, and a technical goal of this invention, is that each user network (comprising one or more user terminals) is given an IPv6 address prefix distinct from that of every other user network. A user network is normally connected over a physical link to a port of the access device that corresponds to it one-to-one;

Port: the part of the access device to which a user network is connected over a physical link, in one-to-one correspondence;

Port identifier: port feature information that is unique at least within one access device. When the port identifier is unique only locally (within the range controlled by one access device), it must be combined with address information of that access device (for example its Layer 2 address) to identify the user network uniquely in the global scope (the scope served by one router interface; "global" is used in this sense throughout unless stated otherwise). When the port identifier is globally unique, it identifies the user network globally on its own and the access device's address information is not needed.

The invention is proposed to solve the above problems in the prior art and aims to provide a new access control method and device which, on the basis of IPv6 address autoconfiguration, authenticates user network access using the identifier of the user network's port (that is, the user-network-facing port of the access device), so as to guarantee that different user networks have their own IPv6 address prefixes.

To this end, a first aspect of the invention provides a method, in an access device of an IPv6 network, for assisting in the control of user terminal access, characterised in that, on the basis of IPv6 stateless address autoconfiguration, access of the user terminal is controlled with the help of feature information of the user network to which the terminal belongs. The method comprises: receiving an access request message from a user terminal belonging to a user network; generating a new access request message by appending the feature information of that user network to the access request message; sending the new access request message to a network controller; and assisting in controlling the access of the user terminal on the basis of the network controller's access response.

A second aspect provides an auxiliary access control device, in an access device of an IPv6 network, for assisting in the control of user terminal access, characterised in the same way. It comprises: receiving means for receiving an access request message from a user terminal belonging to a user network; generating means for generating a new access request message by appending the feature information of that user network to the access request message; sending means for sending the new access request message to a network controller; and auxiliary control means for assisting in controlling the access of the user terminal on the basis of the network controller's access response.

A third aspect provides a method, in a network controller of an IPv6 network, for controlling user terminal access, characterised in that, on the basis of IPv6 stateless address autoconfiguration, access control of the user terminal is performed according to feature information of the user network to which the terminal belongs. The method comprises: receiving, from a subordinate access device, a forwarded new access request message originating from a user terminal, the message containing the feature information of the user network to which the terminal belongs; and providing a corresponding access response on the basis of that access request message.

Depending on how the network controller responds and on where the network server sits relative to the network controller, at least four cases arise under the third aspect; they are described below with reference to the drawings and the detailed embodiments.

A fourth aspect provides an access control device, in a network controller of an IPv6 network, for controlling user terminal access, characterised in the same way. It comprises: first receiving means for receiving, from a subordinate access device, a forwarded new access request message originating from a user terminal, the message containing the feature information of the user network to which the terminal belongs; and response means for providing a corresponding access response on the basis of that access request message.

With the method and device provided by the invention, access authentication of user networks under IPv6 can be performed effectively and each user network is guaranteed its own IP address prefix.

Description of the drawings

The invention is described in detail below with reference to the accompanying drawings:

Fig. 1 is a schematic diagram of the access network of an IPv6 network according to one embodiment of the invention;

Fig. 2 is a flowchart of a method, in an access device of an IPv6 network, for assisting in the control of user terminal access according to one embodiment;

Fig. 3 shows the option appended by the access device or the router to a Router Solicitation or Router Advertisement message according to one embodiment;

Fig. 4 is a block diagram of the auxiliary access control device, in an access device of an IPv6 network, for assisting in the control of user terminal access according to one embodiment;

Fig. 5 is a flowchart of a method, in a network controller (for example a router) of an IPv6 network, for controlling user terminal access according to one embodiment;

Fig. 6 is a block diagram of the access control device, in a network controller (for example a router) of an IPv6 network, for controlling user terminal access according to one embodiment;

Fig. 7 shows the overall flow of the method for controlling access of a user network according to one embodiment;

Fig. 8 shows how each network node processes Router Solicitation and Router Advertisement messages according to a preferred embodiment.

Detailed description

Standard stateless address autoconfiguration proceeds as follows:

i. When its interface is activated, the user terminal generates a link-local address; at this point the address is tentative;

ii. Using the neighbour discovery mechanism, the user terminal verifies that the link-local address is unique within the user network and, once uniqueness is confirmed, assigns it to the interface;

iii. Router Advertisement (RA) discovery: the router may broadcast RA messages periodically; usually, to avoid waiting too long, the user terminal itself sends a Router Solicitation message (RS message) asking the router to send an RA message, so as to obtain an IP address prefix;

iv. The terminal combines the IP address prefix delivered by the router via the access device with the corresponding interface identifier to form its IP address. This address too is checked for uniqueness before being assigned to the interface.

An interface is activated when any of the following conditions, among others, is met:

- the interface is initialised after system start-up;

- the interface is re-initialised after a temporary interface failure or after having been temporarily disabled;

- the interface is attached to a user network for the first time.
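As an added illustration of steps i to iv (example code, not part of the patent text), the following Python forms the addresses a terminal derives under stateless autoconfiguration: the modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291, Appendix A), the tentative link-local address under fe80::/64, and the global address obtained by combining an advertised /64 prefix with that identifier, with duplicate address detection reduced to a membership test against the set of addresses already claimed on the link. The MAC, the prefix and the link contents are constructed sample values.

```python
import ipaddress

def modified_eui64(mac: str) -> bytes:
    """Derive the 64-bit interface identifier from a 48-bit MAC (RFC 4291, App. A)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Insert ff:fe between the OUI and the NIC part, then invert the
    # universal/local bit (0x02) of the first octet.
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)

def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Step iv: combine an advertised /64 prefix with the interface identifier."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        # Prefix plus 64-bit IID must make exactly 128 bits (RFC 4862).
        raise ValueError("stateless autoconfiguration needs a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + modified_eui64(mac))

def link_local_address(mac: str) -> ipaddress.IPv6Address:
    """Step i: the tentative link-local address, format prefix 1111 1110 10 (fe80::/10)."""
    return slaac_address("fe80::/64", mac)

def passes_dad(candidate: ipaddress.IPv6Address, link_addresses: set) -> bool:
    """Steps ii and iv: duplicate address detection, modelled as a membership test
    against the addresses already claimed on the link (the real protocol sends a
    neighbour solicitation and waits for a defending neighbour advertisement)."""
    return candidate not in link_addresses

def configure(prefix: str, mac: str, link_addresses: set) -> dict:
    """Run the four steps; report the addresses assigned, None where DAD failed."""
    ll = link_local_address(mac)
    if not passes_dad(ll, link_addresses):
        return {"link_local": None, "global": None}     # tentative address rejected
    link_addresses.add(ll)
    g = slaac_address(prefix, mac)
    if not passes_dad(g, link_addresses):
        return {"link_local": str(ll), "global": None}
    link_addresses.add(g)
    return {"link_local": str(ll), "global": str(g)}

if __name__ == "__main__":
    # Constructed sample input: one MAC, one advertised prefix, an empty link.
    print(configure("2001:db8:1:2::/64", "00:11:22:33:44:55", set()))
```

Because the interface identifier is derived from the MAC, any host in the same user network that learns the prefix can form a valid address; this is why the patent's concern is who receives the prefix, not how the host completes the address.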

In the IPv6 stateless address autoconfiguration scheme of the existing standard, a Router Advertisement carrying an IP address prefix may be sent in two ways:

- The router periodically and actively broadcasts RA messages to its access devices via its advertising interface; specifically, the RA message carrying the IP address prefix is encapsulated in ICMPv6 and sent to a multicast address to which all of its subordinate access devices belong;

- A user terminal in a user network sends an RS message to the router via the access device. The interval between and the number of RS transmissions are usually bounded by predetermined values, for example an interval of at least RTR_SOLICITATION_INTERVAL (4 seconds) and at most MAX_RTR_SOLICITATIONS (3) transmissions. On receiving a Router Solicitation the router need not wait for the next scheduled advertisement but should send an RA message immediately, and it sends that RA out of the same interface on which the RS arrived.

Fig. 1 is a schematic diagram of the access network of an IPv6 network according to one embodiment of the invention. The network shown comprises several user networks (each of which may contain several user terminals), an access device 3, a router 4 and an AAA (authentication, authorisation, accounting) server 5; in this embodiment the router and the AAA server are separate. Ports a, b and c of access device 3 correspond to user networks I, II and III respectively. For brevity, the customer premises equipment through which a user network attaches (for example a bridged CPE) is not shown. Like the access device, this customer premises equipment need not be upgraded to a Layer 3 device.

The technical solution can be realised by configuring the auxiliary access control device 1 provided by the invention in an existing access device and the access control device 2 provided by the invention in an existing network controller (for example a router).

Fig. 2 is a flowchart of a method, in an access device of an IPv6 network, for assisting in the control of user terminal access according to one embodiment. The method is described below with reference to Fig. 2 in conjunction with Fig. 1.

As noted above, when a user terminal in a user network (user network I, say) wishes to obtain an IPv6 address prefix, it can send an access request message to router 4 via access device 3. In this embodiment the access request message is the RS message defined in the IPv6 standard and, correspondingly, the access response message is the RA message.

Under stateless address autoconfiguration, when the interface is activated the user device must first obtain a link-local address for it and, through duplicate address detection in the neighbour discovery mechanism, determine whether that link-local address is already in use; only after detection shows the address to be unique is it assigned to the interface. The RS message is then sent from this interface to the corresponding port of the access device. Clearly, whichever user device in the user network sends the RS message, it reaches that same port over the physical link between the user network and the access device.

In step S10, access device 3 receives an RS message sent by a user device (for example a laptop) in a user network (user network I, say);

As already noted, in the prior art the RS message forwarded by the access device to the router carries no information that uniquely identifies the user network, which directly or indirectly undermines both the validity of user network authentication and the targeting of IPv6 prefix assignment (targeting meaning that each user network has its own exclusive IP address prefix, which cannot be stolen by users in other user networks). Therefore, as the central point of the invention, in step S11 access device 3 adds the feature information of the user network to the RS message that is about to be sent to router 4. Specifically, the feature information of the user network covers the following cases:

- when the port identifier is globally unique, the feature information of the user network may consist solely of the identifier of the port corresponding to that user network;

- when the port identifier is not globally unique (for example, unique only within one access device), the feature information comprises the identifier of the port corresponding to the user network (which identifies the user network uniquely only within the range controlled by that access device) together with feature information of the access device to which the user network belongs, such as its link-layer address; the pair "port identifier, access device link-layer address" then identifies the user network uniquely in the global scope;

- if virtual LAN (VLAN) technology is used on the segment of the access network between access device 3 and router 4, the feature information of the user network need not include the Layer 2 address of access device 3, because the VLAN can be used to identify the "access device, router" pair.

To explain this point more clearly, refer to Fig. 3, which shows the option appended by the access device to the RS message in one embodiment; the option carries the feature information of the corresponding user network. To comply with the standard's constraints on RS messages, the option has the following five fields:

Type: 8 bits, identifying the type of the option;

Length: an 8-bit unsigned integer giving the length of the option (including the Type and Length fields) in units of 8 octets. A Length of zero is invalid: a node silently discards a neighbour discovery packet (ND packet; RS and RA messages are both neighbour discovery messages) that contains an option with Length zero;

Reserved: a reserved 16-bit field;

Access node address:

a. In a preferred embodiment, for the case where the port identifier cannot identify the user network uniquely in the global scope, the feature information includes the access node address, which is used together with the port identifier described below at router 4 (or at AAA server 5) to authenticate user network I. In addition, by extracting and storing the access node address from a received RS message, router 4 can ensure that the RA message it later generates is sent specifically to the intended access device 3;

b. In one embodiment, because the port identifier is able to identify user network I uniquely in the global scope, the RS message forwarded upstream by access device 3 may omit the access node address. Router 4 then sends the RA message it generates to a multicast address (received by every access device under it); since only access device 3 can correctly resolve the port identifier corresponding to user network I, theft of the address prefix is still avoided;

c. In another embodiment, the port identifier is not globally unique, that is, the same port identifiers are used in different access devices. Then, if the option in the RS message forwarded by access device 3 to router 4 does not contain the access node address, router 4 will still send the RA message as a broadcast once authentication succeeds. Suppose that an access device 6 (not shown), serving under router 4 like access device 3, serves a user network IV whose port on access device 6 has the same port identifier as port a, which corresponds to user network I. When the broadcast RA message carrying the IP address prefix assigned to user network I reaches access device 6, access device 6 is able to parse it and forwards it to what it regards as the corresponding user network, IV; user devices in user network IV may then access the network with a stolen IP address prefix.

Port ID: a 32-bit port identifier which uniquely identifies a user network at least within the range controlled by one access device (for example, the range of access device 3 in Fig. 1 covers user networks I, II and III). As an example, in an access network using digital subscriber line (DSL) technology, each DSL line is given a 32-bit identifier (the DSL port number) that is unique within the access device. Router 4 uses the port identifier for access authentication of user network I.

After the option shown in Figure 3 has been added to the RS message to be forwarded to router 4, a new RS message has been generated, and the method proceeds to step S12.

In step S12, access device 3 sends the generated new RS message (containing at least the port identifier corresponding to user network I) to router 4, to which it belongs.

Thereafter, router 4 is responsible for the access authentication of user network I. If authentication succeeds, it sends an RA message to access device 3 (in this embodiment the RS message contains the address of access device 3); how router 4 responds according to the authentication result is detailed later, when the third and fourth aspects of the invention are introduced. In step S13, access device 3 then determines whether an RA message has been received from router 4 containing the IP address prefix assigned to user network I and the corresponding port identifier of user network I.

The result of step S13 is that an RA message from router 4 has been received

The method proceeds to step S14. Because the RA message contains the port identifier corresponding to user network I, access device 3 can in step S14 send the RA message specifically to the user network corresponding to the port identifier carried in the RA message, namely user network I, and open the corresponding port for user network I. On receiving the RA message, each user device in user network I extracts the IP address prefix from it and combines the prefix with its own interface identifier to form a 128-bit IP address. It should be understood that once the RS message from one user device in a user network has passed authentication at the router or the AAA server, router 4 sends the IP address prefix information to that user network via access device 3, and all user terminals in that user network thereby learn the prefix. This approach is especially suited to the situation where the user devices in a user network trust one another and belong to the same organisation (a household, an enterprise, etc.).

The RA message from router 4 normally includes the port identifier of the port corresponding to user network I, which the user devices do not need. Preferably, therefore, after receiving the RA message from router 4 and before sending it to the corresponding user network, access device 3 removes the characteristic information of that user network, i.e. the port identifier, from the message; concretely, it can do so by deleting the option from the RA message. It should be understood that if access device 3 sends the RA message to user network I without removing the port identifier, this does not prevent the user devices in user network I from obtaining the IP address prefix information they need: the user devices can simply ignore the unrecognised port identifier part of the RA message.

The result of step S13 is that no RA message from router 4 has been received

If access device 3 receives no RA message from router 4 after forwarding the RS message to it, authentication has failed and the router will not assign an IPv6 address prefix to user network I. According to one embodiment of the invention, for compatibility with the standard, a router 4 according to the invention sends no RA message to access device 3 after a failed authentication; having forwarded the RS message, access device 3 returns to the same general state it was in before receiving the RS message from user network I and waits for the next RS message from some user network.

Figure 4 is a block diagram of an auxiliary access control apparatus, located in an access device of an IPv6 network, for assisting in controlling the access of user terminals, according to one embodiment of the invention. The apparatus is described in detail below with reference to Figure 4 in conjunction with Figure 1. The auxiliary access control apparatus 1 comprises a receiving unit 10, a generating unit 11, a sending unit 12 and an auxiliary control unit 13. The auxiliary control unit 13 comprises a judging unit 131 and a controlled sending unit 132 and, preferably, a deleting unit 133.

As described above, when a user terminal in user network I wishes to obtain an IPv6 address prefix, it can send an access request message to router 4 via access device 3. In this embodiment the access request message is the RS message defined in the IPv6 standard, and correspondingly the access response message is the RA message.

Under stateless address autoconfiguration, when an interface is activated the user device must first obtain the link-local address of that interface and, by duplicate address detection under the neighbour discovery mechanism, determine whether that link-local address is already in use; only after detection shows the address to be unique is it assigned to the interface. The device then sends an RS message through that interface to the corresponding port on the access device. It is easy to see that whichever user device in the user network sends the RS message, the message reaches that port over the physical link between the user network and the access device.

The receiving unit 10 receives an RS message sent by a user device in user network I (for example, a laptop computer in user network I).

As already noted, in the prior art the RS message forwarded by the access device to the router contains no information capable of uniquely identifying the user network, which directly or indirectly undermines the effectiveness of user network authentication and the targeted assignment of IPv6 address prefixes (targeted meaning that each user network can have its own exclusive IPv6 address prefix, which cannot be misappropriated by users in other user networks). Therefore, as the most important inventive point of the invention, the generating unit 11 in access device 3 adds the characteristic information of the user network to the RS message. Specifically, the characteristic information of the user network covers the following cases:

- when the port identifier is globally unique, the characteristic information of the user network may consist only of the port identifier of the port corresponding to that user network;

- when the port identifier is not globally unique (for example, unique only within one access device), the characteristic information of the user network comprises the port identifier of the port corresponding to that user network (which uniquely identifies the user network only within the control range of that access device) together with characteristic information of the access device to which the user network belongs, such as its link-layer address; the pair "port identifier, access device link-layer address" then identifies the user network uniquely on a global scale;

- if virtual local area network (VLAN) technology is used on the segment of the access network between access device 3 and router 4, the characteristic information of the user network need not include the layer 2 address of access device 3, because the VLAN can be used to identify an "access device, router" pair.

For the option that access device 3 appends to the RS message to be forwarded, see the description of Figure 3 above.

Having added the option shown in Figure 3 to the RS message to be forwarded to router 4, the generating unit 11 has produced a new RS message, which it passes to the sending unit 12;

the sending unit 12 sends the generated new RS message (containing at least the port identifier corresponding to user network I) to router 4, to which the access device belongs.

Thereafter, router 4 is responsible for the access authentication of user network I. If authentication succeeds, it sends an RA message to access device 3 (in this embodiment the RS message contains the address of access device 3); how router 4 responds according to the authentication result is detailed later, when the third and fourth aspects of the invention are introduced. The judging unit 131 in the auxiliary control unit 13 then determines whether an RA message has been received from router 4 containing the IP address prefix assigned to user network I and the corresponding port identifier of user network I. The RA message may be received by the receiving unit 10, which notifies the judging unit 131 once it has received it.

The judging unit 131 determines that an RA message from router 4 has been received

Because the RA message contains the port identifier corresponding to user network I, the controlled sending unit 132 can send the RA message specifically to the user network corresponding to the port identifier carried in the RA message, namely user network I, and open the corresponding port for user network I. On receiving the RA message, each user device in user network I extracts the IP address prefix from it and combines the prefix with its own interface identifier to form a 128-bit IP address. It should be understood that once the RS message from one user device in a user network has passed authentication at the router or the AAA server, router 4 sends the IP address prefix information to that user network via access device 3, and all user terminals in that user network thereby learn the prefix. This approach is especially suited to the situation where the user devices in a user network trust one another and belong to the same organisation (a household, an enterprise, etc.).

The RA message from router 4 normally includes the port identifier of the port corresponding to user network I, which the user devices do not need. Preferably, therefore, the auxiliary control unit 13 further comprises a deleting unit 133 which, after access device 3 has received the RA message from router 4 and before the message is sent to the corresponding user network, removes the characteristic information of that user network, i.e. the port identifier, from the message; concretely, it can do so by deleting the option shown in Figure 3 from the RA message. It should be understood that if access device 3 sends the RA message to user network I without removing the port identifier, this does not prevent the user devices in user network I from obtaining the IP address prefix information they need: the user devices can simply ignore the unrecognised port identifier part of the RA message.

The judging unit 131 determines that no RA message from router 4 has been received

If access device 3 receives no RA message from router 4 after forwarding the RS message to it, authentication has failed and the router will not assign an IPv6 address prefix to user network I. According to one embodiment of the invention, for compatibility with the standard, a router 4 according to the invention sends no RA message to access device 3 after a failed authentication; having forwarded the RS message, access device 3 returns to the same general state it was in before receiving the RS message from user network I and waits for the next RS message from some user network.

Figure 5 is a flowchart of a method for controlling the access of user terminals in a network controller (for example, a router) of an IPv6 network according to one embodiment of the invention. The method provided by the invention is described in detail below with reference to Figure 5 in conjunction with Figure 1. In this embodiment the RS message again serves as the example of the access request message and the RA message as the example of the access response message.

In step S20, router 4 receives the RS message forwarded by access device 3; for the option that the access device appends to the RS message, see Figure 3 and its description above. The port identifier corresponding to user network I, together with the address information of access device 3, uniquely identifies user network I, which provides a sufficient basis for effective authentication of the user network.

Figure 1 shows only one relationship between router 4 and AAA server 5; in practice the AAA server may be integrated with the router or separate from it (as shown in Figure 1). According to different embodiments of the invention there are at least two ways of responding to an access request (RS message) after authentication, so after step S20 the embodiments of the invention include at least the following scenarios (Figure 4 corresponds to scenario 1 below):

Scenario 1: AAA server integrated with the router, and a response is provided only when authentication succeeds

This scenario is the most compatible with the existing standard. Since router 4 itself can authenticate the access of user network I on the basis of the RS message, the method proceeds to step S21, in which the characteristic information of user network I (including but not limited to the port identifier corresponding to the user network and the address information of access device 3) is extracted from the RS message;

next, in step S22, the extracted port identifier and the address information of access device 3 are used to authenticate the access of user network I, yielding an access authentication result;

if authentication succeeds, an RA message is generated in step S23 in accordance with the standard, containing the IPv6 address prefix assigned to user network I. Unlike the prior art, this RA message also contains the option shown in Figure 3, so that access device 3 can convey the IPv6 address prefix unambiguously to the individual user devices in user network I. It is easy to see that router 4 may, on receiving the RS message from access device 3, extract and store the user network characteristic information it carries (including the port identifier and the address information of access device 3), or simply store the option shown in Figure 3, for appending to the RA message generated according to the invention.

Having generated the RA message, router 4 sends it in step S24 to the corresponding access device 3.

If authentication fails, router 4 preferably makes no response and prepares to receive the next access request message (for example an RS message).

Scenario 2: AAA server integrated with the router, and a response is provided whether or not authentication succeeds

In scenario 2, the process from router 4 receiving the RS message forwarded by access device 3 to obtaining the access authentication result locally is exactly the same as in scenario 1.

Router 4 then provides a response according to the access authentication result. Specifically, if authentication succeeds, router 4 generates, as in scenario 1, an RA message containing the IP address prefix assigned to user network I and the characteristic information of user network I;

if authentication fails, router 4 generates an authentication failure indication message containing an indication that authentication failed and sends it to the corresponding access device 3. The authentication failure indication message may be an RA message (those skilled in the art will appreciate that this can be achieved simply by appending a new option to the RA message) or a separately defined message.

Scenario 3: AAA server separate from the router, and a response is provided only when authentication succeeds

After receiving the RS message from access device 3, router 4 must authenticate the access of user network I. Since the AAA server and the router are separate, router 4 sends an authentication request to AAA server 5: for example, it may forward the RS message from access device 3 to AAA server 5 as the authentication request, or it may generate a new authentication request message based on the RS message, such as a RADIUS request (RADIUS, Remote Authentication Dial In User Service, is the standard client/server model for exchanging information between network remote access devices, user devices and servers holding user authentication and configuration information), and send that new authentication request message to AAA server 5.

AAA server 5 authenticates the access of user network I according to the authentication request, obtains an access authentication result (success or failure) and returns it to router 4 in an access authentication response message, which may be a RADIUS response message (RADIUS ACK/NACK);

router 4 receives the access authentication result and responds to the RS message according to it:

if the access authentication result from the AAA server shows that user network I has passed authentication, an RA message is generated containing the IP address prefix assigned to that user network and the corresponding port identifier;

if the access authentication result from the AAA server shows that user network I has failed authentication, no response is made.

Scenario 4: AAA server separate from the router, and a response is provided whether or not authentication succeeds

In scenario 4, the process from router 4 receiving the RS message forwarded by access device 3 to receiving the access authentication result from the AAA server is exactly the same as in scenario 3.

Router 4 then provides a response according to the access authentication result from AAA server 5. Specifically, if authentication succeeds, router 4 generates, as in scenario 3, an RA message containing the IP address prefix assigned to user network I and the characteristic information of user network I;

if authentication fails, router 4 generates an authentication failure indication message containing an indication that authentication failed and sends it to the corresponding access device 3. The authentication failure indication message may be an RA message (those skilled in the art will appreciate that this can be achieved simply by appending a new option to the RA message) or a separately defined message.
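The following simulation is an added example, not code from the patent or any product, covering both the access-device steps S12 to S14 and the router steps S20 to S24 above: the access device appends the user-network option to the RS message, the router (with an embedded or separate AAA table, responding silently or with a failure indication as in scenarios 1 to 4) authenticates on the port identifier and access-device address pair and echoes the option in the RA, and the access device delivers the prefix only to the matching port and strips the option. The option type value, the option layout beyond the 32-bit port identifier, the link-layer addresses, the subscriber table and the prefix are constructed assumptions; the run with the address omitted reproduces the port-identifier collision of case c.

```python
import struct
from dataclasses import dataclass, field
from typing import Optional

# Placeholder ND option type for the user-network feature option of Figure 3
# (assumption: the patent does not fix a type value).
OPT_USER_NET = 250

def encode_user_net_option(port_id: int, ad_addr: Optional[bytes] = None) -> bytes:
    """Type, length (in 8-octet units), 32-bit port ID, optional 6-byte
    access-device link-layer address, zero padding (layout is an assumption)."""
    raw = bytes([OPT_USER_NET, 0]) + struct.pack("!I", port_id) + (ad_addr or b"")
    raw += b"\x00" * ((-len(raw)) % 8)
    return bytes([OPT_USER_NET, len(raw) // 8]) + raw[2:]

def decode_user_net_option(opt: bytes):
    if len(opt) < 8 or opt[0] != OPT_USER_NET or opt[1] * 8 != len(opt):
        raise ValueError("malformed user-network option")
    port_id = struct.unpack("!I", opt[2:6])[0]
    # one 8-octet unit carries only the port ID; two units also carry the address
    return port_id, (opt[6:12] if opt[1] >= 2 else None)

def find_user_net_option(options):
    found = [o for o in options if o and o[0] == OPT_USER_NET]
    return decode_user_net_option(found[0]) if found else None

@dataclass
class RS:                  # router solicitation, reduced to what the example needs
    src: str               # link-local address of the soliciting host
    options: list = field(default_factory=list)

@dataclass
class RA:                  # router advertisement carrying the assigned prefix
    prefix: str
    options: list = field(default_factory=list)

class AAAServer:
    """Subscriber table keyed by (port ID, access-device address) -> prefix;
    embedded in the router (scenarios 1, 2) or standalone (scenarios 3, 4)."""
    def __init__(self, table: dict):
        self.table = table

    def access_request(self, port_id, ad_addr):
        prefix = self.table.get((port_id, ad_addr))
        return ("ACK", prefix) if prefix else ("NACK", None)   # RADIUS-like verdict

class Router:
    def __init__(self, aaa: AAAServer, respond_on_failure: bool):
        self.aaa, self.respond_on_failure = aaa, respond_on_failure

    def handle_rs(self, rs: RS):
        feat = find_user_net_option(rs.options)
        if feat is None:
            return None                    # no feature information: cannot authenticate
        port_id, ad_addr = feat
        verdict, prefix = self.aaa.access_request(port_id, ad_addr)
        if verdict == "ACK":               # the RA repeats the option so the access
            return RA(prefix, [encode_user_net_option(port_id, ad_addr)])  # device targets one network
        # scenarios 2/4 return an explicit failure indication, 1/3 stay silent
        return {"auth_failed": port_id} if self.respond_on_failure else None

class AccessDevice:
    def __init__(self, ll_addr: bytes, port_ids):
        self.ll_addr = ll_addr
        self.user_nets = {p: [] for p in port_ids}   # port ID -> RAs delivered

    def forward_rs(self, port_id: int, rs: RS, include_addr: bool) -> RS:
        opt = encode_user_net_option(port_id, self.ll_addr if include_addr else None)
        return RS(rs.src, rs.options + [opt])

    def handle_ra(self, ra):
        feat = find_user_net_option(ra.options) if isinstance(ra, RA) else None
        if feat is None:
            return None
        port_id, ad_addr = feat
        if (ad_addr is not None and ad_addr != self.ll_addr) or port_id not in self.user_nets:
            return None                    # not ours: other access device or unknown port
        stripped = RA(ra.prefix, [o for o in ra.options if o[0] != OPT_USER_NET])
        self.user_nets[port_id].append(stripped)   # option removed before delivery
        return port_id

AD3 = b"\x00\x11\x22\x33\x44\x03"     # constructed link-layer addresses
AD6 = b"\x00\x11\x22\x33\x44\x06"

def run_exchange(include_addr: bool, port_id: int = 1, respond_on_failure: bool = False):
    """User network I sits on port 1 of access device 3; access device 6 under the
    same router also has a port 1 (port IDs not globally unique, case c above)."""
    table = {(1, AD3 if include_addr else None): "2001:db8:1::/64"}   # constructed
    router = Router(AAAServer(table), respond_on_failure)
    ad3, ad6 = AccessDevice(AD3, [1, 2, 3]), AccessDevice(AD6, [1])
    ra = router.handle_rs(ad3.forward_rs(port_id, RS("fe80::1"), include_addr))
    delivered = {"ad3": ad3.handle_ra(ra), "ad6": ad6.handle_ra(ra)}
    return ra, delivered, ad3.user_nets[1]
```

With the address included, only access device 3 delivers the prefix and it is keyed to port 1 of that device; with the address omitted, access device 6 accepts the same RA for its own port 1, which is the misappropriation that case c warns about.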

Figure 6 is a block diagram of an access control apparatus for controlling the access of user terminals in a network controller (for example, a router) of an IPv6 network according to one embodiment of the invention. The access control apparatus provided by the invention is described in detail below with reference to Figure 6 in conjunction with Figure 1.

In this embodiment the RS message again serves as the example of the access request message and the RA message as the example of the access response message.

The access control apparatus comprises a first receiving unit 20 and a responding unit 21. According to one embodiment of the invention, the responding unit 21 comprises an obtaining unit 210 and a providing unit 211; the obtaining unit 210 comprises an extracting unit 2100 and an authenticating unit 2101, and the providing unit 211 comprises a generating unit 2110 and a first sending unit 2111. According to another embodiment, the obtaining unit 210 further comprises a second sending unit 2102 and a second receiving unit 2103. For convenience, all the units (modules) that the access control apparatus 2 may include according to the different embodiments are shown in Figure 6; it should be understood that a person of ordinary skill in the art can select a subset of these units (modules) as needed to implement the access control apparatus 2 of the invention. For example, when the relationship between router 4 and the AAA server differs from that shown in Figure 1 and the two are integrated, the second sending unit 2102 and the second receiving unit 2103 can be omitted.

The first receiving unit 20 receives the RS message sent by access device 3; for the option that access device 3 appends to the RS message, see Figure 3 and its description above. The port identifier corresponding to user network I, together with the address information of access device 3, uniquely identifies user network I, which provides a sufficient basis for effective authentication of the user network.

Figure 1 shows only one relationship between router 4 and AAA server 5; in practice the AAA server may be integrated with the router or separate from it (as shown in Figure 1). According to different embodiments of the invention there are at least two ways of responding to an access request (RS message) after authentication, so after the RS message has been received the embodiments of the invention include at least the following scenarios (Figure 1 corresponds to scenario 1 below):

情形1:AAA服务器与路由器一体 Scenario 1: AAA server and router integrated

       且只在认证成功时提供响应 and only provide a response when the authentication is successful

这种情形与现有标准的兼容性最佳。在这种情形下,由于路由器4本身就能够根据RS消息进行对用户网络I的接入认证,因此由提取装置2100从RS消息中提取用户网络I的特征信息(包括但不限于该用户网络对应的端口标识和接入设备3的地址信息);This scenario provides the best compatibility with existing standards. In this case, since the router 4 itself can perform access authentication to the user network I according to the RS message, the extraction device 2100 extracts the feature information of the user network I from the RS message (including but not limited to the corresponding port identification and address information of the access device 3);

接着,认证装置2101利用提取出的所述端口标识和接入设备3的地址信息对用户网络I进行接入认证,得到一个接入认证结果;Next, the authentication means 2101 uses the extracted port identifier and the address information of the access device 3 to perform access authentication on the user network 1, and obtain an access authentication result;

如果认证成功,则由生成装置2110依照标准生成RA消息,其中包含分配给用户网络I的IP地址前缀,与现有技术不同的是,该RA消息还包括如图3所示的选项,使得接入设备3能够将该IP地址前缀唯一地告知用户网络I中的各个用户设备。容易理解,路由器4可以在接收到来自接入设备3的RS消息时提取并存储其中的用户网络特征信息(包括端口标识和接入设备3的地址信息),或者直接存储图3所示的选项,用于附加到基于本发明生成的所述RA消息中。If the authentication is successful, the generating means 2110 generates an RA message according to the standard, which includes the IP address prefix assigned to the user network 1. Unlike the prior art, the RA message also includes options as shown in FIG. The ingress device 3 can uniquely inform each user equipment in the user network 1 of the IP address prefix. It is easy to understand that when router 4 receives RS message from access device 3, it can extract and store user network feature information (including port identification and address information of access device 3), or directly store the option shown in FIG. , used to be appended to the RA message generated based on the present invention.

生成所述RA消息后,所述第一发送装置2111将该RA消息发送给相应的接入设备3。After the RA message is generated, the first sending module 2111 sends the RA message to the corresponding access device 3 .

如果认证失败,优选地,路由器4可以不作任何响应,并准备接收下一个接入请求消息(譬如RS消息)。If the authentication fails, router 4 preferably does not make any response, and prepares to receive the next access request message (such as RS message).

情形2:AAA服务器与路由器一体 Scenario 2: AAA server and router integrated

       且无论认证是否成功均提供响应 and provide a response regardless of whether the authentication was successful

情形2下,路由器4在接收到接入设备3转发的RS消息后至在本地获得接入认证结果的过程与情形1下完全相同。In case 2, the process from router 4 to obtaining the access authentication result locally after receiving the RS message forwarded by access device 3 is exactly the same as in case 1.

接着,响应装置21根据接入认证结果来提供相应的响应,具体地,如果认证成功,与情形1相同地,生成装置2110生成RA消息,其中包含分配给用户网络I的IP地址前缀以及所述用户网络I的特征信息;Next, the responding means 21 provides a corresponding response according to the access authentication result. Specifically, if the authentication is successful, as in case 1, the generating means 2110 generates an RA message, which includes the IP address prefix assigned to the user network 1 and the Feature information of user network I;

如果认证失败,生成装置2110生成一个包含指示认证失败的指示信息的认证失败指示消息,并将其发送给相应的接入设备3。该认证失败指示消息可以是RA消息(本领域技术人员可以理解,只要在RA消息中附加新的选项即可实现该功能),也可以是其它另行定义的消息。If the authentication fails, generating means 2110 generates an authentication failure indication message including indication information indicating authentication failure, and sends it to the corresponding access device 3 . The authentication failure indication message may be an RA message (those skilled in the art can understand that this function can be realized as long as a new option is added to the RA message), or other additionally defined messages.

情形3:AAA服务器与路由器相互独立 Scenario 3: AAA server and router are independent of each other

       且仅在认证成功时提供响应 and only provide a response if the authentication is successful

第一接收装置20接收到来自接入设备3的RS消息后,路由器4需要对该用户网络I进行接入认证,由于AAA服务器5与该路由器4相互独立,因此,路由器4通过第二发送装置2102向AAA服务器5发送认证请求,例如,可以将来自接入设备3的RS消息作为所述认证请求并转发至AAA服务器5,也可基于该RS消息生成一个新的认证请求消息,譬如RADIUS请求(Radius Request,RADIUS是RemoteAuthentication Dial In User Service的缩写,是网络远程接入设备、用户设备以及包含用户认证与配置信息的服务器之间信息交换的标准客户/服务器模式),并将该新的认证请求消息发送至AAA服务器5。After the first receiving device 20 receives the RS message from the access device 3, the router 4 needs to carry out access authentication to the user network 1. Since the AAA server 5 and the router 4 are independent of each other, the router 4 passes through the second sending device. 2102 Send an authentication request to the AAA server 5, for example, the RS message from the access device 3 may be used as the authentication request and forwarded to the AAA server 5, or a new authentication request message may be generated based on the RS message, such as a RADIUS request (Radius Request, RADIUS is the abbreviation of Remote Authentication Dial In User Service, which is a standard client/server mode for information exchange between network remote access devices, user devices, and servers containing user authentication and configuration information), and the new authentication The request message is sent to the AAA server 5 .

AAA服务器5根据该认证请求对该用户网络I进行接入认证,得到一个接入认证结果(成功/失败),并将该接入认证结果通过一个接入认证响应消息返回给所述路由器4,其中,该接入认证响应消息可以为RADIUS响应消息(RADIUS ACK/NACK);The AAA server 5 performs access authentication to the user network 1 according to the authentication request, obtains an access authentication result (success/failure), and returns the access authentication result to the router 4 through an access authentication response message, Wherein, the access authentication response message may be a RADIUS response message (RADIUS ACK/NACK);

Second receiving device 2103 receives the access authentication result; the RS then has to be answered according to that result:

If the access authentication result from the AAA server shows that user network 1 passed authentication, generating device 2110 generates an RA message containing the IP address prefix assigned to that user network and the corresponding port identifier;

If the access authentication result from the AAA server shows that user network 1 failed authentication, no response is sent.

Scenario 4: the AAA server and the router are independent of each other, and a response is provided whether or not authentication succeeds

In scenario 4, the procedure followed by router 4 from receiving the RS message forwarded by access device 3 up to receiving the access authentication result from the AAA server is identical to scenario 3.

Router 4 then provides the corresponding response according to the access authentication result from AAA server 5. Specifically, if authentication succeeded, generating device 2110 generates, as in scenario 3, an RA message containing the IP address prefix assigned to user network 1 and the characteristic information of user network 1;

If authentication failed, generating device 2110 generates an authentication failure indication message containing indication information that authentication failed, which first sending device 2111 then sends to the corresponding access device 3. The authentication failure indication message may be an RA message (as those skilled in the art will understand, this can be realised simply by appending a new option to the RA message), or another separately defined message.
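The router-side handling of scenarios 3 and 4, as an added example that is not the patent's own code: the access device appends the characteristic information (access port identifier and AN address) to the RS as a Neighbor Discovery option, the router extracts it, consults a stand-in for the AAA server, and answers with an RA carrying the standard Prefix Information option plus the echoed characteristic information, with a failure-indication option (scenario 4), or not at all (scenario 3). The option type numbers 200 and 201, the AAA lookup table and all addresses are assumptions constructed for this example.

```python
"""Router-side RS handling for scenarios 3 and 4, simulated offline.

Added example, not the patent's own code. The ND option types 200 and 201,
the AAA lookup table and every address below are constructed for this
example; a real router would query the AAA server over RADIUS instead."""
import ipaddress
import struct
from typing import Optional

ICMPV6_RS = 133          # Router Solicitation (RFC 4861)
ICMPV6_RA = 134          # Router Advertisement (RFC 4861)
OPT_PREFIX_INFO = 3      # standard Prefix Information option
OPT_USER_NET_INFO = 200  # constructed: access port identifier + AN address
OPT_AUTH_FAILURE = 201   # constructed: authentication failure indication

# Constructed stand-in for the AAA server: one IPv6 prefix per user network,
# keyed by the characteristic information the router extracts from the RS.
AAA_TABLE = {("2001:db8:a0::1", 7): "2001:db8:100:7::/64"}


def build_option(opt_type: int, payload: bytes) -> bytes:
    """Pack an ND option as Type / Length (units of 8 octets) / Data, zero padded."""
    length = (2 + len(payload) + 7) // 8
    return bytes([opt_type, length]) + payload.ljust(length * 8 - 2, b"\x00")


def parse_options(data: bytes) -> dict:
    """Walk the ND option TLVs; a zero Length field is malformed (RFC 4861 4.6)."""
    opts = {}
    while data:
        if len(data) < 2 or data[1] == 0 or len(data) < data[1] * 8:
            raise ValueError("malformed ND option")
        size = data[1] * 8
        opts[data[0]] = data[2:size]
        data = data[size:]
    return opts


def access_device_rs(port_id: int, an_address: str) -> bytes:
    """Access device side: append the user network's characteristic information
    (access port identifier and AN address) to the RS before forwarding it."""
    info = struct.pack("!I", port_id) + ipaddress.IPv6Address(an_address).packed
    # checksum left at 0: the ICMPv6 pseudo-header checksum needs the IPv6 src/dst
    return struct.pack("!BBHI", ICMPV6_RS, 0, 0, 0) + build_option(OPT_USER_NET_INFO, info)


def aaa_authenticate(an_address: str, port_id: int) -> Optional[str]:
    """Stand-in for the RADIUS exchange: the assigned prefix on ACK, None on NACK."""
    return AAA_TABLE.get((an_address, port_id))


def router_handle_rs(rs: bytes, respond_on_failure: bool) -> Optional[bytes]:
    """Scenario 3 (respond_on_failure=False): RA on success, silence on failure.
    Scenario 4 (respond_on_failure=True): RA on success, failure indication otherwise."""
    if len(rs) < 8 or rs[0] != ICMPV6_RS:
        raise ValueError("not a Router Solicitation")
    info = parse_options(rs[8:]).get(OPT_USER_NET_INFO)
    if info is None or len(info) < 20:
        return None  # plain RS without characteristic information: not from an access device
    port_id = struct.unpack("!I", info[:4])[0]
    an_address = str(ipaddress.IPv6Address(info[4:20]))
    prefix = aaa_authenticate(an_address, port_id)
    # RA header: type, code, checksum, cur hop limit, flags, router lifetime, reachable, retrans
    header = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0, 1800, 0, 0)
    if prefix is None:
        # scenario 4 carries the failure as a new RA option; scenario 3 stays silent
        return (header + build_option(OPT_AUTH_FAILURE, info[:4])) if respond_on_failure else None
    net = ipaddress.IPv6Network(prefix)
    # Prefix Information option (RFC 4861 4.6.2): prefix length, L|A flags,
    # valid lifetime, preferred lifetime, reserved, prefix
    pio = struct.pack("!BBIII", net.prefixlen, 0xC0, 2592000, 604800, 0) + net.network_address.packed
    # echo the characteristic information so the access device can map the RA to the right port
    return header + build_option(OPT_PREFIX_INFO, pio) + build_option(OPT_USER_NET_INFO, info[:20])


def advertised_prefix(ra: bytes) -> Optional[str]:
    """Access device side: the prefix carried by an RA, or None for a failure indication."""
    pio = parse_options(ra[16:]).get(OPT_PREFIX_INFO)
    return None if pio is None else f"{ipaddress.IPv6Address(pio[14:30])}/{pio[0]}"


if __name__ == "__main__":
    rs_ok = access_device_rs(7, "2001:db8:a0::1")
    print("port 7:", advertised_prefix(router_handle_rs(rs_ok, respond_on_failure=False)))
    rs_bad = access_device_rs(9, "2001:db8:a0::1")
    print("port 9, scenario 3:", router_handle_rs(rs_bad, respond_on_failure=False))
    print("port 9, scenario 4:", router_handle_rs(rs_bad, respond_on_failure=True).hex())
```

The checksum fields stay zero because the ICMPv6 checksum covers an IPv6 pseudo-header that this offline simulation never builds.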

The methods and devices at the access device side and at the router side have been described above with reference to the drawings. Fig. 7 gives an overall view of the flow of a method for performing access control of a user network according to one specific embodiment of the invention; its details have already been described above with reference to Figs. 3 to 6.

Fig. 8 shows how each network node processes RS and RA messages according to a preferred embodiment of the invention; please refer to Fig. 1 at the same time. Specifically, the figure shows the destination and source addresses at each layer (that is, in each encapsulated header, such as Ethernet, IP and ICMP) of the messages sent by each network node.

The embodiments above make full use of the RS and RA messages defined in existing standards, which markedly reduces signalling overhead compared with the prior art. It should be understood that the access request message of the invention is not limited to the RS message of these embodiments, and likewise the access response message is not limited to the RA message.

The invention has been described above with reference to specific embodiments. It should be understood that the invention is not limited to the specific embodiments described, and those skilled in the art may make various variations or modifications within the scope of the appended claims.

Claims (30)

1. A method in an access device of an IPv6 network for assisting in controlling the access of a user terminal, characterised in that the access of the user terminal is assisted in being controlled, on the basis of IPv6 stateless address autoconfiguration, according to the characteristic information of the user network to which the user terminal belongs.
2. The method according to claim 1, comprising the steps of:
a. receiving an access request message from a user terminal, the user terminal belonging to a user network;
b. generating a new access request message by appending the characteristic information of the user network to the access request message;
c. sending the new access request message to a network controller;
d. assisting in controlling the access of the user terminal on the basis of the access response of the network controller.
3. The method according to claim 2, wherein step d comprises:
d1. judging whether an access response message has been received from the network controller, the access response message comprising routing-related information of the user network;
d2. when an access response message is received from the network controller, sending the access response message to the user network to which the user terminal belongs.
4. The method according to claim 3, wherein step d2 further comprises:
- when an access response message is received from the network controller, deleting the characteristic information of the user network from the access response message to generate a new access response message;
- sending the new access response message to the user network to which the user terminal belongs.
5. The method according to any one of claims 1 to 4, characterised in that the access request message is a router solicitation message and the access response message is a router advertisement message.
6. The method according to any one of claims 1 to 4, wherein the characteristic information of the user network comprises the identifier of the access port corresponding to the user network, AN (access node) address information and the like, and the routing-related information is an IPv6 address prefix.
7. An access assistance control device in an access device of an IPv6 network for assisting in controlling the access of a user terminal, characterised in that the access of the user terminal is assisted in being controlled, on the basis of IPv6 stateless address autoconfiguration, according to the characteristic information of the user network to which the user terminal belongs.
8. The device according to claim 7, comprising:
a receiving device for receiving an access request message from a user terminal, the user terminal belonging to a user network;
a generating device for generating a new access request message by appending the characteristic information of the user network to the access request message;
a sending device for sending the new access request message to a network controller;
an assistance control device for assisting in controlling the access of the user terminal on the basis of the access response of the network controller.
9. The device according to claim 8, wherein the assistance control device further comprises:
a judging device for judging whether an access response message has been received from the network controller, the access response message comprising routing-related information of the user network;
a controlled sending device for sending the access response message to the user terminal when an access response message is received from the network controller.
10. The device according to claim 9, wherein the assistance control device further comprises:
a deleting device for deleting, when an access response message is received from the network controller, the characteristic information of the user network from the access response message to generate a new access response message;
wherein the controlled sending device is further used to send the new access response message to the user network to which the user terminal belongs.
11. The device according to any one of claims 7 to 10, characterised in that the access request message is a router solicitation message and the access response message is a router advertisement message.
12. The device according to any one of claims 7 to 11, characterised in that the characteristic information of the user network comprises the identifier of the access port corresponding to the user network, AN (access node) address information and the like, and the routing-related information is an IPv6 address prefix.
13. An access device in an IPv6 network, characterised by comprising the access assistance control device for assisting in controlling the access of a user terminal according to any one of claims 7 to 12.
14. A method in a network controller of an IPv6 network for controlling the access of a user terminal, characterised in that access control is performed on the user terminal, on the basis of IPv6 stateless address autoconfiguration, according to the characteristic information of the user network to which the user terminal belongs.
15. The method according to claim 14, comprising the steps of:
g. receiving, from an access device subordinate to the network controller, a new access request message forwarded from a user terminal, the new access request message comprising the characteristic information of the user network to which the user terminal belongs;
h. providing a corresponding access response on the basis of the access request message.
16. The method according to claim 15, wherein step h comprises the steps of:
h1. obtaining an access authentication result on the basis of the access request message;
h2. providing a corresponding access response according to the access authentication result.
17. The method according to claim 16, wherein step h1 comprises:
- extracting the characteristic information of the user network from the access request;
- performing access authentication of the user network on the basis of the characteristic information of the user network to obtain the access authentication result.
18. The method according to claim 16 or 17, wherein step h2 comprises:
- when the user network passes authentication, generating an access response message, the access response message comprising the routing-related information of the user network;
- sending the access response message to the access device.
19. The method according to claim 16, wherein step h1 comprises:
h11. sending an authentication request message to a network server, the authentication request message comprising the characteristic information of the user network;
h12. receiving an access authentication result from the network server;
and step h2 further comprises providing a corresponding access response according to the access authentication result from the network server.
20. The method according to claim 19, wherein step h2 comprises:
- when the access authentication result from the network server indicates that the user network passed authentication, generating an access response message, the access response message comprising the routing-related information of the user network.
21. The method according to any one of claims 14 to 20, characterised in that the access request message is a router solicitation message and the access response message is a router advertisement message.
22. An access control device in a network controller of an IPv6 network for controlling the access of a user terminal, characterised in that access control is performed on the user terminal, on the basis of IPv6 stateless address autoconfiguration, according to the characteristic information of the user network to which the user terminal belongs.
23. The access control device according to claim 22, comprising:
a first receiving device for receiving, from an access device subordinate to the network controller, a new access request message forwarded from a user terminal, the new access request message comprising the characteristic information of the user network to which the user terminal belongs;
a responding device for providing a corresponding access response on the basis of the access request message.
24. The access control device according to claim 21, wherein the responding device comprises:
an obtaining device for obtaining an access authentication result on the basis of the access request message;
a providing device for providing a corresponding access response according to the access authentication result.
25. The access control device according to claim 24, wherein the obtaining device comprises:
an extracting device for extracting the characteristic information of the user network from the access request;
an authenticating device for performing access authentication of the user network on the basis of the characteristic information of the user network to obtain the access authentication result.
26. The access control device according to claim 24 or 25, wherein the providing device comprises:
a generating device for generating, when the user network passes authentication, an access response message comprising the routing-related information of the user network;
a first sending device for sending the access response message to the access device.
27. The access control device according to claim 25, wherein the obtaining device comprises:
a second sending device for sending an authentication request message to a network server, the authentication request message comprising the characteristic information of the user network;
a second receiving device for receiving the access authentication result from the network server;
and the providing device is further used to provide a corresponding access response according to the access authentication result from the network server.
28. The access control device according to claim 27, wherein the providing device is further used to generate, when the access authentication result from the network server indicates that the user network passed authentication, an access response message comprising the routing-related information of the user network.
29. The access control device according to any one of claims 22 to 28, characterised in that the access request message is a router solicitation message and the access response message is a router advertisement message.
30. A network controller in an IPv6 network, characterised by comprising the access control device for controlling the access of a user terminal according to any one of claims 22 to 29.
CN2006101181404A 2006-11-09 2006-11-09 Method and device for controlling user network access in IPv6 network Active CN101179603B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2006101181404A CN101179603B (en) 2006-11-09 2006-11-09 Method and device for controlling user network access in IPv6 network


Publications (2)

Publication Number Publication Date
CN101179603A true CN101179603A (en) 2008-05-14
CN101179603B CN101179603B (en) 2011-06-08

Family

ID=39405685



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C56 Change in the name or address of the patentee

Owner name: SHANGHAI ALCATEL-LUCENT CO., LTD.

Free format text: FORMER NAME: BEIER AERKATE CO., LTD., SHANGHAI

CP01 Change in the name or title of a patent holder

Address after: 201206 Pudong Jinqiao Export Processing Zone, Nanjing Road, No. 388, Shanghai

Patentee after: ALCATEL-LUCENT SHANGHAI BELL Co.,Ltd.

Address before: 201206 Pudong Jinqiao Export Processing Zone, Nanjing Road, No. 388, Shanghai

Patentee before: Shanghai Bell Alcatel Co.,Ltd.

CP01 Change in the name or title of a patent holder

Address after: 201206 Pudong Jinqiao Export Processing Zone, Nanjing Road, No. 388, Shanghai

Patentee after: NOKIA SHANGHAI BELL Co.,Ltd.

Address before: 201206 Pudong Jinqiao Export Processing Zone, Nanjing Road, No. 388, Shanghai

Patentee before: ALCATEL-LUCENT SHANGHAI BELL Co.,Ltd.

CP01 Change in the name or title of a patent holder
CP03 Change of name, title or address

Address after: 201206 Pudong Jinqiao Export Processing Zone, Nanjing Road, No. 388, Shanghai

Patentee after: Nokia Communications (Shanghai) Co., Ltd.

Country or region after: China

Address before: 201206 Pudong Jinqiao Export Processing Zone, Nanjing Road, No. 388, Shanghai

Patentee before: NOKIA SHANGHAI BELL Co.,Ltd.

Country or region before: China