
CN101370018A - A DHCP authentication method, device and system - Google Patents

A DHCP authentication method, device and system

Info

Publication number
CN101370018A
CN101370018A (application numbers CNA2008102117993A and CN200810211799A)
Authority
CN
China
Prior art keywords
authentication
message
dhcp
dhcp client
client
Prior art date
Legal status
Pending
Application number
CNA2008102117993A
Other languages
Chinese (zh)
Inventor
吴颂期
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd
Priority to CNA2008102117993A
Publication of CN101370018A
Legal status: Pending

Landscapes

  • Computer And Data Communications (AREA)
  • Small-Scale Networks (AREA)

Abstract

The invention discloses a DHCP authentication method, device and system. The method comprises: receiving a message from a DHCP client that indicates an authentication method; sending an authentication request message to the DHCP client according to that method; receiving the DHCP client's authentication reply message to the authentication request message; and sending the DHCP client a message carrying the authentication result obtained by authenticating the reply. Embodiments of the invention exchange authentication request and reply messages according to the authentication method the DHCP client supports, extending the set of authentication message types to improve the reliability and security of authentication.

Description

A DHCP authentication method, device and system

Technical field

The present invention relates to the field of communications, and in particular to a DHCP authentication method, device and system.

Background

In earlier mobile network deployments, the IP address of a network element such as a base station (BS), and the IP addresses of the entities it talks to when attaching to the network, such as the gateway (GW), were configured by hand by field staff at commissioning time, which requires those staff to have a certain level of technical expertise.

As mobile networks grow, BS equipment is moving from traditional macro base stations towards micro and home base stations, so demand for such devices is growing by the hundreds, and customers expect the devices they buy to be plug-and-play. Manual configuration of IP addresses by field technicians can no longer meet that demand. To cut operator labour costs and simplify management, DHCP (Dynamic Host Configuration Protocol) is applied to IP address assignment for this class of mobile network device, so that such devices obtain their IP addresses automatically.

For historical reasons DHCP requires no identity authentication and offers no security of its own, which easily exposes an operator's network to serious risks. For example:

An attacker who keeps changing its hardware address can request every address in a DHCP scope, exhausting the DHCP server's address pool so that legitimate users cannot obtain an address.

Because DHCP is unauthenticated, a user or device attaching to the network need not present any credential to obtain a lease, so any DHCP client can obtain an IP address lease from the DHCP server. A malicious user can therefore mount a denial-of-service attack against the DHCP server, exhausting its IP address leases and denying lease requests from legitimate users.

Unauthorized DHCP servers are also easy to deploy. DHCP requests are broadcast, so an impostor DHCP server can hear them and answer with a wrong gateway, DNS server or IP address (for example a duplicate of an address already in use) or incorrect routing information pointing at a rogue router, and can harvest information about legitimate DHCP clients.
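The two abuses just described, address-pool starvation and rogue servers, are the ones a network operator would want to detect while DHCP is still unauthenticated. The following is an added example, not part of the patent, of detection logic run over constructed DHCP log lines; the log format `<epoch> <message type> chaddr=<mac> src=<ip>` and the thresholds are assumptions.

```python
"""Detect DHCP pool starvation and rogue DHCP servers from log lines.

Added example, not part of the patent.  The log line format and the sample
lines below are constructed for this example."""
import re
from collections import deque

LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<type>DHCP[A-Z]+) chaddr=(?P<mac>[0-9a-f:]{17}) src=(?P<src>[\d.]+)$"
)

# Constructed sample: one normal client, then a burst of DISCOVERs from rotating
# hardware addresses (starvation), then OFFERs from a legitimate and a rogue server.
SAMPLE_LOG = [
    "50 DHCPDISCOVER chaddr=00:11:22:33:44:55 src=0.0.0.0",
    "100 DHCPDISCOVER chaddr=02:00:00:00:00:01 src=0.0.0.0",
    "100 DHCPDISCOVER chaddr=02:00:00:00:00:02 src=0.0.0.0",
    "101 DHCPDISCOVER chaddr=02:00:00:00:00:03 src=0.0.0.0",
    "101 DHCPDISCOVER chaddr=02:00:00:00:00:04 src=0.0.0.0",
    "102 DHCPDISCOVER chaddr=02:00:00:00:00:05 src=0.0.0.0",
    "102 DHCPDISCOVER chaddr=02:00:00:00:00:06 src=0.0.0.0",
    "103 DHCPOFFER chaddr=02:00:00:00:00:06 src=10.0.0.1",
    "103 DHCPOFFER chaddr=02:00:00:00:00:06 src=192.168.1.254",
    "this line is not DHCP and is ignored",
]


def parse(lines):
    """Yield (timestamp, message type, chaddr, source ip) for well-formed lines."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield int(m["ts"]), m["type"], m["mac"], m["src"]


def detect_starvation(lines, window=10, threshold=5):
    """Alert when more than `threshold` distinct chaddr values send DHCPDISCOVER
    within `window` seconds, the pattern of an attacker rotating its hardware
    address to drain the pool.  Returns [(timestamp, distinct_count), ...]."""
    recent, alerts = deque(), []
    for ts, typ, mac, _ in parse(lines):
        if typ != "DHCPDISCOVER":
            continue
        recent.append((ts, mac))
        while recent[0][0] < ts - window:  # drop events older than the window
            recent.popleft()
        distinct = {m for _, m in recent}
        if len(distinct) > threshold:
            alerts.append((ts, len(distinct)))
    return alerts


def detect_rogue_servers(lines, authorized):
    """Return sources of DHCPOFFERs that are not in the authorised server set."""
    return sorted({src for _, typ, _, src in parse(lines)
                   if typ == "DHCPOFFER" and src not in authorized})


if __name__ == "__main__":
    print("starvation alerts:", detect_starvation(SAMPLE_LOG))
    print("rogue servers:", detect_rogue_servers(SAMPLE_LOG, {"10.0.0.1"}))
```

The starvation check keys on the client hardware address in the DHCP payload (chaddr), not on the Ethernet source, because the attacker controls both and the payload field is what the server actually allocates against; the rogue-server check needs nothing more than an allowlist of the operator's own servers.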

To improve the security of DHCP, RFC 3118 defines the DHCP authentication option, option code 90. The option provides two functions: authenticating the identity of the DHCP peer, and authenticating individual DHCP messages, that is, checking each DHCP message's integrity. RFC 3118 defines the option's format as shown in Table 1:

Table 1 (figure A200810211799D00051; the table image was not extracted)

The fields of Table 1 are described in Table 2:

Table 2 (figures A200810211799D00052 and A200810211799D00061; the table images were not extracted)

The prior art defines two methods, "configuration token" and "delayed authentication". Both carry their authentication data in option 90, so the delayed authentication method is used as the example below.

Delayed authentication requires the Protocol field of Table 1 to be 1 and the corresponding Algorithm field to be 1. In a DHCPDISCOVER or DHCPINFORM message the option of Table 1 has the contents shown in Table 3:

Table 3 (figure A200810211799D00062; the table image was not extracted)

In these two messages option 90 carries Protocol = 1 and an empty Authentication Information field, that is, the field is absent.

In DHCPOFFER, DHCPREQUEST and DHCPACK messages the option of Table 1 has the contents shown in Table 4:

Table 4 (figure A200810211799D00071; the table image was not extracted)

In these three messages the Authentication Information field of option 90 contains a Secret ID that uniquely identifies the shared key, and an HMAC-MD5 message authentication code computed over the DHCP message with that shared key.

Delayed authentication requires a shared key for every DHCP client of every DHCP server, and every shared key must be associated with a unique identifier. The shared key must be distributed to each DHCP client and server in advance through an out-of-band mechanism and stored locally for later use.

The normal message flow of delayed authentication is shown in Figure 1:

Step s101: the DHCP client puts option 90 in a DHCPDISCOVER to tell the server that authentication is required, together with option 61 (client identifier), which uniquely identifies the client, and broadcasts the message to look for a usable server.

Step s102: each DHCP server on the network (there may be more than one) that receives the message and decides it can serve the client looks up its database by the client's option 61 to obtain the key material needed to compute the client's session key K, such as the pair (client identifier, subnet address), and computes K; or it looks up K by the Secret ID in option 90. It then computes the message authentication code with K, fills in option 90 and builds a DHCPOFFER message.

Step s103: the DHCP server sends the DHCPOFFER to the DHCP client.

Step s104: on receiving the DHCPOFFER, the DHCP client uses its locally stored session key K to verify the Authentication Information in option 90 as required. If verification fails it acts according to its local security policy; otherwise it selects one DHCP server to continue with, builds a DHCPREQUEST, computes that message's authentication code with K and fills in option 90.

Step s105: the DHCP client sends the DHCPREQUEST to the selected DHCP server to request service.

Step s106: the DHCP server receives the DHCPREQUEST and verifies it with K. If verification fails it discards the message and replies with DHCPNAK; otherwise it builds a DHCPACK. Both DHCPNAK and DHCPACK must carry option 90, filled in as RFC 3118 requires.

Step s107: the DHCP server sends the DHCPACK or DHCPNAK to the DHCP client.

Step s108: on receiving the DHCPACK or DHCPNAK, the DHCP client verifies it as in step s104. Once verification is complete, authentication ends.
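The delayed-authentication exchange above can be made concrete. The following is an added example, not code from the patent, of building, signing and verifying option 90 as RFC 3118 specifies it for Protocol 1 / Algorithm 1: one byte each for Protocol, Algorithm and RDM, an 8-byte replay-detection value (RDM 0 means a monotonically increasing counter), a 4-byte Secret ID selecting the out-of-band key, and a 16-byte HMAC-MD5 computed over the whole DHCP message with the `hops` and `giaddr` fields and the MAC field itself zeroed, so that a relay agent can rewrite those two fields without breaking the MAC. The key, Secret ID, transaction ID and hardware address are constructed for the example; the full option is used in every message here for simplicity, whereas Table 3 omits the Authentication Information in DHCPDISCOVER and DHCPINFORM. HMAC-MD5 appears because that is what RFC 3118 mandates, not because MD5 is a good choice for a new design.

```python
"""RFC 3118 delayed authentication (Protocol 1, Algorithm 1, HMAC-MD5).

Added example, not code from the patent.  Key, Secret ID and message contents
are constructed here; the shared key is assumed to have been provisioned
out of band, as the text describes."""
import hashlib
import hmac
import struct

OPTION_AUTH = 90
OPTION_MSG_TYPE = 53
MAGIC_COOKIE = b"\x63\x82\x53\x63"
HDR_LEN = 236  # fixed BOOTP header before the magic cookie


def build_auth_option(replay_counter, secret_id):
    """Option 90: Protocol=1, Algorithm=1, RDM=0 (monotonic counter), 8-byte
    replay value, 4-byte Secret ID, 16-byte MAC placeholder filled by sign()."""
    body = struct.pack("!BBBQI", 1, 1, 0, replay_counter, secret_id) + b"\x00" * 16
    return struct.pack("!BB", OPTION_AUTH, len(body)) + body


def build_message(xid, chaddr, msg_type, auth_option):
    """Minimal DHCP message: fixed header, magic cookie, message type, option 90, end."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, xid, 0, 0x8000,
                      b"\x00" * 4, b"\x00" * 4, b"\x00" * 4, b"\x00" * 4,
                      chaddr.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128)
    options = struct.pack("!BBB", OPTION_MSG_TYPE, 1, msg_type) + auth_option + b"\xff"
    return hdr + MAGIC_COOKIE + options


def find_auth_option(msg):
    """Offset of option 90's value field, walking pad (0) and end (255) options."""
    i = HDR_LEN + 4
    while i < len(msg):
        code = msg[i]
        if code == 0:
            i += 1
            continue
        if code == 255 or i + 1 >= len(msg):
            return None
        if code == OPTION_AUTH:
            return i + 2
        i += 2 + msg[i + 1]
    return None


def compute_mac(msg, key, off):
    """HMAC-MD5 over the whole message with hops, giaddr and the MAC field zeroed."""
    m = bytearray(msg)
    m[3] = 0                              # hops
    m[24:28] = b"\x00" * 4                # giaddr
    m[off + 15:off + 31] = b"\x00" * 16   # HMAC-MD5 field inside option 90
    return hmac.new(key, bytes(m), hashlib.md5).digest()


def sign(msg, key):
    """Fill in the MAC field of option 90 with the HMAC-MD5 under `key`."""
    off = find_auth_option(msg)
    return msg[:off + 15] + compute_mac(msg, key, off) + msg[off + 31:]


def verify(msg, keys, last_counter):
    """Return (ok, new_last_counter).  `keys` maps Secret ID -> shared key."""
    off = find_auth_option(msg)
    if off is None or off + 31 > len(msg):
        return False, last_counter
    protocol, algorithm, rdm, counter, secret_id = struct.unpack_from("!BBBQI", msg, off)
    if (protocol, algorithm, rdm) != (1, 1, 0) or secret_id not in keys:
        return False, last_counter
    if counter <= last_counter:           # replay: the counter must strictly increase
        return False, last_counter
    expected = compute_mac(msg, keys[secret_id], off)
    if not hmac.compare_digest(expected, msg[off + 15:off + 31]):
        return False, last_counter
    return True, counter


if __name__ == "__main__":
    key = b"provisioned-out-of-band"
    req = sign(build_message(0x3903F326, bytes.fromhex("001122334455"), 3,
                             build_auth_option(7, 0x2A)), key)
    print(verify(req, {0x2A: key}, 0))    # accepted, counter advances to 7
    print(verify(req, {0x2A: key}, 7))    # same counter again: replay, rejected
```

The replay check is the part implementations most often get wrong: the receiver has to persist the last accepted counter per peer, otherwise a captured DHCPACK can be replayed to reassign a stale address after a reboot.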

The inventor has found that the prior art has at least the following problems:

A centralised authentication server cannot be used to authenticate DHCP clients and servers, so scalability is poor; and the DHCP exchange is too simple to support authentication techniques of higher security strength and reliability.

Summary of the invention

Embodiments of the present invention provide a DHCP authentication method, device and system which add an authentication request message and an authentication reply message to strengthen the reliability and security of DHCP authentication.

An embodiment of the invention provides a DHCP authentication method comprising:

receiving a message sent by a DHCP client that indicates an authentication method;

sending an authentication request message to the DHCP client according to that authentication method;

receiving the DHCP client's authentication reply message to the authentication request message;

sending the DHCP client a message carrying the authentication result obtained by authenticating the authentication reply message.

An embodiment of the invention provides a DHCP authentication device comprising:

a method receiving unit, configured to receive a message sent by a DHCP client that indicates an authentication method;

an authentication request unit, configured to send an authentication request message to the DHCP client according to that authentication method;

an authentication reply unit, configured to receive the DHCP client's authentication reply message to the authentication request message;

a result sending unit, configured to send the DHCP client a message carrying the authentication result obtained by authenticating the authentication reply message.

An embodiment of the invention provides a DHCP authentication system comprising a DHCP client and a DHCP authentication device;

the DHCP client is configured to send the DHCP authentication device a message indicating an authentication method, to receive the authentication request message the DHCP authentication device sends according to that method, and to send the DHCP authentication device an authentication reply message in response to the authentication request message;

the DHCP authentication device is configured to receive the message from the DHCP client indicating the authentication method, to send the DHCP client an authentication request message according to that method, to receive the DHCP client's authentication reply message to the authentication request message, and to send the DHCP client a message carrying the authentication result obtained by authenticating the authentication reply message.

Compared with the prior art, embodiments of the invention have at least the following advantage:

Authentication request and reply messages are exchanged according to the authentication method the DHCP client supports, extending the set of authentication message types to improve the reliability and security of authentication.

Brief description of the drawings

Figure 1 is a flow chart of the prior-art DHCP authentication method;

Figure 2 is a flow chart of the authentication method provided by an embodiment of the invention;

Figure 3 is a flow chart of the authentication method provided by another embodiment of the invention;

Figure 4 is a flow chart of the authentication method provided by another embodiment of the invention;

Figure 5 is a flow chart of the authentication method provided by another embodiment of the invention;

Figure 6 is a flow chart of the authentication method provided by another embodiment of the invention;

Figure 7 is a flow chart of the authentication method provided by another embodiment of the invention;

Figure 8 is a flow chart of the authentication method provided by another embodiment of the invention;

Figure 9 is a schematic structural diagram of the authentication device provided by an embodiment of the invention;

Figure 10 is a schematic structural diagram of the authentication device provided by another embodiment of the invention;

Figure 11 is a schematic structural diagram of the authentication device provided by another embodiment of the invention;

Figure 12 is a schematic structural diagram of the authentication system provided by an embodiment of the invention;

Figure 13 is a schematic structural diagram of the authentication system provided by another embodiment of the invention.

Detailed description

The invention is described further below with reference to the drawings and specific embodiments.

An embodiment of the invention provides a DHCP authentication method which, as shown in Figure 2, comprises the following steps:

Step s201: receive a message sent by a DHCP client that indicates an authentication method;

Step s202: send an authentication request message to the DHCP client according to that method;

Step s203: receive the DHCP client's authentication reply message to the authentication request message;

Step s204: send the DHCP client a message carrying the authentication result obtained by authenticating the reply.

With this method, authentication request and reply messages are exchanged according to the authentication method the DHCP client supports, extending the set of authentication message types to improve the reliability and security of authentication.

Another embodiment of the invention provides a DHCP authentication method which, as shown in Figure 3, comprises the following steps:

Step s301: receive a message carrying an authentication option, the option indicating the identity authentication method the DHCP client supports;

Step s302: send an authentication request message AUTHREQ to the DHCP client according to that identity authentication method;

The authentication request message AUTHREQ is a DHCP message type added in this embodiment; the added message types also include the authentication reply message AUTHRSP.

Step s303: receive the authentication reply message AUTHRSP sent by the DHCP client;

Step s304: forward the AUTHRSP to the centralised authentication server;

Step s305: receive the message sent by the centralised authentication server, encapsulate it in an authentication message and send it to the DHCP client (the original names this message AUTHRSP; in the detailed flow of Figure 4 every server-to-client authentication message is an AUTHREQ);

Step s306: forward the AUTHRSP sent by the DHCP client to the centralised authentication server;

Step s307: receive the authentication result sent by the centralised authentication server and send a message carrying that result.

With this method the set of authentication message types is extended, improving the reliability and security of DHCP authentication.

The invention is now described in more detail for a specific application scenario, taking EAP-TLS as defined in RFC 2716 (since obsoleted by RFC 5216) as the example of how the process above is implemented.

An embodiment of the invention provides a DHCP authentication method which, as shown in Figure 4, comprises the following steps:

Step s401: the DHCP client broadcasts a DHCPDISCOVER message containing AUTH, that is, authentication option 90, indicating that the client supports identity authentication with EAP (Extensible Authentication Protocol).

The DHCP option AUTH required by this embodiment, and the AUTH-MSG and AUTH-Success options that appear later, can be defined in two ways:

A. reassign and redefine the values of authentication option 90 as defined by RFC 3118;

B. define a new DHCP option to carry the authentication data of the authentication process.

This embodiment uses method A. The format of option 90 is shown in Table 5; the fields redefined in this embodiment are Protocol, Algorithm and Authentication Information:

Table 5 (figures A200810211799D00111 and A200810211799D00121; the table images were not extracted)

The contents of AUTH in the DHCPDISCOVER message are shown in Table 6:

Table 6 (figure A200810211799D00122; the table image was not extracted)

In the DHCPDISCOVER message the Protocol and Algorithm fields instruct the DHCP server to use EAP for identity authentication.

RFC 3748 defines the EAP authentication framework; the EAP packet format it defines is shown in Table 7:

Table 7 (figure A200810211799D00123; the table image was not extracted)

The Code field gives the type of the EAP packet. Only four packet types are defined; packets of any other type are treated as invalid and discarded:

A. Request

B. Response

C. Success

D. Failure

The Identifier field is used to match Responses to Requests.

Length gives the length of the packet, including the Code, Identifier and Length fields themselves.

The Data field carries the data the EAP method needs. Its format depends on the Code field: when Code is 1 or 2 (Request or Response), the Data field consists of Type and Type-Data.

Type specifies the kind of packet carried, and the format of Type-Data depends on the value of Type. When Code is 3 or 4, the Data field is empty.

Step s402: on receiving the DHCPDISCOVER, the DHCP server determines that the client supports EAP identity authentication and sends the client an authentication request message DHCPAUTHREQ.

The DHCPAUTHREQ carries the option 90 AUTH-MSG, whose content is an EAP-Request/Identity message.

The option 90 contents of the DHCPAUTHREQ message and of the DHCPAUTHRSP message that appears later, that is, AUTH-MSG, are shown in Table 8:

Table 8 (figure A200810211799D00131; the table image was not extracted)

Step s403: on receiving the EAP identity request, the DHCP client replies to the DHCP server with a DHCPAUTHRSP/AUTH-MSG message containing the client's identity, EAP-Response/Identity carrying the client's NAI. The DHCP server then sends a request to the AAA server, forwarding the client's identity to it.

Step s404: the AAA server determines from the client's identity which identity authentication method the client uses; here it is assumed to be EAP-TLS.

Step s405: the AAA server sends the DHCP server an EAP-Request/TLS/Start message to begin authentication.

Step s406: the DHCP server encapsulates this message in a DHCPAUTHREQ/AUTH-MSG and forwards it to the DHCP client.

Step s407: the DHCP client receives the DHCPAUTHREQ/AUTH-MSG, recognises TLS/Start and sends the DHCP server a DHCPAUTHRSP/AUTH-MSG containing EAP-Response/TLS/ClientHello.

Step s408: the DHCP server forwards it to the AAA server.

Step s409: the AAA server replies to the DHCP server with EAP-Request/TLS carrying ServerHello, Certificate, ServerKeyRequest (sic; the TLS handshake message is ServerKeyExchange), CertificateRequest and ServerHelloDone.

Step s410: the DHCP server encapsulates this in a DHCPAUTHREQ/AUTH-MSG and forwards it to the DHCP client.

Step s411: the DHCP client processes the message and, if it verifies the server's identity, sends the DHCP server a DHCPAUTHRSP/AUTH-MSG containing EAP-Response/TLS with Certificate, ClientKeyExchange, CertificateVerify, ChangeCipherSpec and Finished.

Step s412: the DHCP server forwards the DHCPAUTHRSP/AUTH-MSG to the AAA server.

Step s413: the AAA server processes the message and, if it verifies the client's identity, sends the DHCP server EAP-Request/TLS with ChangeCipherSpec and Finished.

Step s414: the DHCP server encapsulates this in a DHCPAUTHREQ/AUTH-MSG and forwards it to the DHCP client.

Step s415: the DHCP client answers with an acknowledgement DHCPAUTHRSP/AUTH-MSG containing an empty EAP-Response/TLS, and derives a master session key MSK for authenticating subsequent DHCP messages.

Step s416: the DHCP server forwards the acknowledgement to the AAA server.

Step s417: on receiving the acknowledgement, the AAA server also derives the MSK and sends the DHCP server an EAP-Success message (written EAP-Request/TLS/Success in the original).

Step s418: on receiving it, the DHCP server concludes that the DHCP client's identity authentication has succeeded and sends the client a DHCPOFFER/AUTH-Success message; at the same time it obtains the shared key MSK from the AAA server for authenticating subsequent DHCP messages.

The option 90 contents of the DHCPOFFER message, that is, AUTH-Success, are shown in Table 9:

Table 9 (figure A200810211799D00151; the table image was not extracted)

Step s419: on receiving the DHCPOFFER/AUTH-Success, the DHCP client sends the DHCP server a DHCPREQUEST containing the authentication option AUTH generated with the MSK; this may use authentication option 90 as defined by RFC 3118.

Step s420: on receiving the request, the DHCP server verifies its authentication option and replies with DHCPACK if verification succeeds, otherwise with DHCPNAK. Both messages must carry the authentication option AUTH generated with the MSK, and the DHCP client must verify them when it receives them.
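The EAP packet format of Table 7 and the pass-through exchange of steps s401 to s420 can be shown together. The following is an added example, not the patent's code: it builds and validates RFC 3748 packets (dropping unknown Codes, bad Lengths and Success/Failure packets that carry Data), wraps them in a redefined option 90 as AUTH-MSG, and models the DHCP server as an EAP pass-through that only hands out a lease after the AAA server reports Success and then checks the MSK-keyed MAC on DHCPREQUEST. The Protocol value chosen for EAP, the option layout, the identity `bs01@operator.example` and the scripted AAA server are assumptions, since the patent's tables were not extracted and no real EAP-TLS handshake is run here.

```python
"""EAP (RFC 3748) in the redefined option 90 and the DHCP server as EAP pass-through.
Added example, not the patent's code; Protocol value, option layout and the
scripted AAA are assumptions, and no real TLS is performed."""
import hashlib
import hmac
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_TLS = 1, 13
OPTION_AUTH = 90
PROTOCOL_EAP = 2  # assumed value for the redefined Protocol field


def eap_build(code, identifier, eap_type=None, data=b""):
    """Code | Identifier | Length | Data; Data = Type | Type-Data for Request/Response only."""
    body = b"" if code in (EAP_SUCCESS, EAP_FAILURE) else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def eap_parse(pkt):
    """Return (code, identifier, type, data), or None for a packet RFC 3748 says to discard."""
    if len(pkt) < 4:
        return None
    code, ident, length = struct.unpack_from("!BBH", pkt)
    if code not in (1, 2, 3, 4) or length < 4 or length > len(pkt):
        return None
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return (code, ident, None, b"") if length == 4 else None
    if length < 5:
        return None
    return code, ident, pkt[4], pkt[5:length]


def auth_msg_option(eap_pkt):
    """Option 90: Protocol=EAP, Algorithm=0, RDM=0, 8-byte replay field, then the EAP packet."""
    body = struct.pack("!BBBQ", PROTOCOL_EAP, 0, 0, 0) + eap_pkt
    if len(body) > 255:  # option length is one byte; EAP-TLS certificates need fragmentation
        raise ValueError("EAP packet too large for a single option")
    return struct.pack("!BB", OPTION_AUTH, len(body)) + body


def auth_msg_payload(option):
    """The EAP packet inside AUTH-MSG, or None if the option is not a well-formed AUTH-MSG."""
    if len(option) < 13 or option[0] != OPTION_AUTH or option[1] != len(option) - 2 \
            or option[2] != PROTOCOL_EAP:
        return None
    return option[13:]


def msk_mac(msk, body):
    """MAC under the MSK for DHCPREQUEST/DHCPACK/DHCPNAK (steps s419 and s420)."""
    return hmac.new(msk, body, hashlib.md5).digest()


class ScriptedAAA:
    """Stand-in AAA server replaying the EAP-TLS turns of steps s404 to s417."""
    SCRIPT = [b"TLS/Start", b"ServerHello,Certificate,CertificateRequest,ServerHelloDone",
              b"ChangeCipherSpec,Finished"]

    def __init__(self, known_identities):
        self.known, self.step, self.msk = known_identities, 0, None

    def handle(self, eap_response):
        code, ident, typ, data = eap_parse(eap_response)
        nxt = (ident + 1) & 0xFF
        if typ == EAP_TYPE_IDENTITY and data not in self.known:
            return eap_build(EAP_FAILURE, nxt)
        if self.step < len(self.SCRIPT):
            self.step += 1
            return eap_build(EAP_REQUEST, nxt, EAP_TYPE_TLS, self.SCRIPT[self.step - 1])
        self.msk = hashlib.sha256(b"toy-msk-not-tls-derived").digest()  # stand-in for the TLS MSK
        return eap_build(EAP_SUCCESS, nxt)


class DhcpAuthServer:
    """DHCP server side of s402 to s420: relays EAP, matches Identifiers, leases only after Success."""

    def __init__(self, aaa):
        self.aaa, self.pending_id, self.msk, self.state = aaa, None, None, "init"

    def on_discover(self):
        self.pending_id, self.state = 1, "auth"
        return "DHCPAUTHREQ", auth_msg_option(eap_build(EAP_REQUEST, 1, EAP_TYPE_IDENTITY))

    def on_authrsp(self, option):
        pkt = auth_msg_payload(option)
        parsed = eap_parse(pkt) if pkt is not None else None
        if (self.state != "auth" or parsed is None or parsed[0] != EAP_RESPONSE
                or parsed[1] != self.pending_id):
            return "DROP", None  # malformed, out of state, or Identifier does not match
        reply = self.aaa.handle(pkt)
        code, ident, _, _ = eap_parse(reply)
        if code == EAP_SUCCESS:
            self.msk, self.state = self.aaa.msk, "authenticated"  # s418: MSK fetched from AAA
            return "DHCPOFFER/AUTH-Success", None
        if code == EAP_FAILURE:
            self.state = "failed"
            return "DHCPNAK", None
        self.pending_id = ident
        return "DHCPAUTHREQ", auth_msg_option(reply)

    def on_request(self, body, mac):
        if self.state != "authenticated":
            return "DHCPNAK"
        return "DHCPACK" if hmac.compare_digest(msk_mac(self.msk, body), mac) else "DHCPNAK"


def run_client(identity, server):
    """Toy client for s401 to s418; returns each request's Type-Data plus the final outcome."""
    seen = []
    msg, option = server.on_discover()
    while msg == "DHCPAUTHREQ":
        _, ident, typ, data = eap_parse(auth_msg_payload(option))
        seen.append(data)
        resp = identity if typ == EAP_TYPE_IDENTITY else b"client-tls-reply"
        msg, option = server.on_authrsp(auth_msg_option(eap_build(EAP_RESPONSE, ident, typ, resp)))
    seen.append(msg.encode())
    return seen
```

Two points the patent text does not address surface immediately: a DHCP option value is at most 255 bytes, so the certificate-bearing EAP-TLS records of steps s409 and s411 cannot travel in a single AUTH-MSG without EAP-TLS fragmentation or RFC 3396 long-option encoding; and the server must refuse DHCPREQUEST until EAP has reported Success, otherwise the whole exchange is decorative.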

By adopting the method provided by this embodiment of the present invention, the types of authentication messages are increased and the reliability and security of DHCP authentication are improved; centralized authentication can be performed conveniently, or the centralized authentication servers already deployed in the existing network can be fully utilized, sharing network resources.

Yet another embodiment of the present invention provides a DHCP authentication method, as shown in Figure 5, comprising the following steps:

Step s501: the DHCP client sends a DHCP DISCOVER notifying the server that authentication is required. The message also carries the identifier option Option 61, which uniquely identifies the client, and is broadcast to find an available server.

Step s502: after receiving this message, the DHCP server constructs a DHCP OFFER message and sends it to the DHCP client.

Step s503: after receiving the DHCP OFFER message, the DHCP client verifies it. If verification passes, the client sends a DHCP REQUEST message to the DHCP server; this message carries an authentication option indicating the authentication methods supported by the client.

Step s504: after receiving this message, the DHCP server sends an authentication request message AUTHREQ to the DHCP client according to the above identity authentication method.

Step s505: the DHCP client receives the DHCP AUTHREQ, processes its content, and sends a DHCP authentication reply message AUTHRSP to the DHCP server.

Step s506: after receiving the client's AUTHRSP, the DHCP server forwards it to the centralized authentication server for identity verification.

Step s507: after receiving this message, the centralized authentication server performs identity authentication, and the following steps are repeated until authentication is complete: the DHCP server forwards the DHCP authentication request message AUTHREQ sent by the centralized authentication server to the client, and forwards the DHCP authentication reply message AUTHRSP sent by the DHCP client to the centralized authentication server.

Step s508: if authentication passes, the DHCP server sends DHCPACK to the client; otherwise it sends DHCPNAK to the client.

By adopting the method provided by this embodiment of the present invention, the types of authentication messages are increased and the reliability and security of DHCP authentication are improved; centralized authentication can be performed conveniently, or the centralized authentication servers already deployed in the existing network can be fully utilized, sharing network resources.

Yet another embodiment of the present invention provides a DHCP authentication method, as shown in Figure 6, comprising the following steps:

Step s601: the DHCP client sends a DHCP DISCOVER message carrying an authentication option to the DHCP relay agent, indicating the identity authentication methods supported by the client.

Step s602: the DHCP relay agent forwards the message to the DHCP server.

Step s603: the DHCP server sends a DHCP OFFER to the DHCP relay agent.

Step s604: the DHCP relay agent sends a DHCP authentication request message AUTHREQ to the DHCP client according to the identity authentication methods supported by the client.

Step s605: the DHCP client receives the DHCP AUTHREQ, processes its content, and sends a DHCP authentication reply message AUTHRSP to the DHCP relay agent.

Step s606: after receiving the client's AUTHRSP, the DHCP relay agent forwards it to the centralized authentication server for identity verification.

Step s607: after receiving this message, the centralized authentication server performs identity authentication, and the following steps are repeated until authentication is complete: the DHCP relay agent forwards the DHCP authentication request message AUTHREQ sent by the centralized authentication server to the client, and forwards the DHCP authentication reply message AUTHRSP sent by the DHCP client to the centralized authentication server.

Step s608: the DHCP relay agent sends a DHCP OFFER to the DHCP client. If authentication passed, the authentication option of this message indicates success; otherwise the relay agent directly returns a rejection message DHCPNAK indicating that authentication failed.

Step s609: if authentication passed, the DHCP client sends a DHCP REQUEST to the DHCP relay agent; this message must carry the authentication option Option 90.

Step s610: after receiving the DHCP REQUEST, the DHCP relay agent forwards the message to the DHCP server, which verifies the authentication option Option 90. If verification passes, the relay agent forwards the DHCPACK sent by the DHCP server to the client; otherwise it sends DHCPNAK to the client.
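Steps s419 and s420 above, and again steps s609 and s610, have the DHCPREQUEST, DHCPACK and DHCPNAK carry an RFC 3118 Option 90 keyed with the MSK and verified by whoever receives the message. The Python below is an added illustration of what that verification involves; it is not code from the patent or from Huawei. It models the RFC 3118 delayed-authentication option (HMAC-MD5 over the message with the hops, giaddr and MAC fields zeroed, plus a monotonically increasing replay counter). The DHCP messages, the key standing in for the MSK, the secret ID and the hardware address are constructed test data, and the EAP-TLS exchange that produces the MSK is not implemented here.

```python
import hashlib
import hmac
import struct

# Added example, not code from the patent or from Huawei: a minimal model of the RFC 3118
# authentication option (Option 90) keyed with a shared secret such as the EAP-derived MSK.
# Field layout follows RFC 3118 delayed authentication; all message contents are constructed.

OPTION_MSG_TYPE = 53
OPTION_AUTH = 90
PROTO_DELAYED = 1        # RFC 3118 "delayed authentication" protocol
ALG_HMAC_MD5 = 1
RDM_MONOTONIC = 0        # replay detection method: monotonically increasing counter
HOPS_OFF, GIADDR_OFF = 3, 24   # BOOTP fixed-header offsets excluded from the HMAC
MAC_LEN = 16
AUTH_LEN = 1 + 1 + 1 + 8 + 4 + MAC_LEN   # protocol, algorithm, RDM, replay, secret ID, HMAC
OPTIONS_OFF = 240        # 236-byte fixed header + 4-byte magic cookie


def fixed_header(xid: int, chaddr: bytes) -> bytes:
    """BOOTREQUEST fixed header plus the DHCP magic cookie (constructed values)."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                      1, 1, 6, 0, xid, 0, 0x8000,
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                      chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return hdr + b"\x63\x82\x53\x63"


def _hmac_input(msg: bytes, auth_off: int) -> bytes:
    """Copy of the message with hops, giaddr and the MAC field zeroed, as RFC 3118 requires."""
    buf = bytearray(msg)
    buf[HOPS_OFF] = 0
    buf[GIADDR_OFF:GIADDR_OFF + 4] = b"\0" * 4
    mac_off = auth_off + 2 + AUTH_LEN - MAC_LEN
    buf[mac_off:mac_off + MAC_LEN] = b"\0" * MAC_LEN
    return bytes(buf)


def build_authenticated(xid, chaddr, msg_type, key, secret_id, replay):
    """Build a DHCP message whose Option 90 HMAC-MD5 is keyed with `key` (the MSK)."""
    opts = bytes([OPTION_MSG_TYPE, 1, msg_type])
    auth_off = OPTIONS_OFF + len(opts)
    auth = struct.pack("!BBBBBQI", OPTION_AUTH, AUTH_LEN, PROTO_DELAYED, ALG_HMAC_MD5,
                       RDM_MONOTONIC, replay, secret_id) + b"\0" * MAC_LEN
    msg = fixed_header(xid, chaddr) + opts + auth + b"\xff"
    mac = hmac.new(key, _hmac_input(msg, auth_off), hashlib.md5).digest()
    mac_off = auth_off + 2 + AUTH_LEN - MAC_LEN
    return msg[:mac_off] + mac + msg[mac_off + MAC_LEN:]


def _find_auth_option(msg: bytes):
    """Walk the TLV options and return the offset of Option 90, or None."""
    i = OPTIONS_OFF
    while i < len(msg) and msg[i] != 0xFF:
        if msg[i] == 0:            # pad option
            i += 1
            continue
        if msg[i] == OPTION_AUTH:
            return i
        i += 2 + msg[i + 1]
    return None


def verify_authenticated(msg, key, last_replay):
    """Return (ok, reason, replay): ok only if the HMAC matches and the counter advanced."""
    auth_off = _find_auth_option(msg)
    if auth_off is None:
        return False, "no authentication option", last_replay
    proto, alg, rdm, replay, _secret_id = struct.unpack_from("!BBBQI", msg, auth_off + 2)
    if (proto, alg, rdm) != (PROTO_DELAYED, ALG_HMAC_MD5, RDM_MONOTONIC):
        return False, "unsupported protocol/algorithm/RDM", last_replay
    mac_off = auth_off + 2 + AUTH_LEN - MAC_LEN
    expected = hmac.new(key, _hmac_input(msg, auth_off), hashlib.md5).digest()
    if not hmac.compare_digest(expected, msg[mac_off:mac_off + MAC_LEN]):
        return False, "HMAC mismatch", last_replay
    if replay <= last_replay:
        return False, "replayed or stale counter", last_replay
    return True, "ok", replay


def relayed_still_verifies(msg, key):
    """A relay agent increments hops and fills giaddr; both are outside the HMAC, so it still verifies."""
    relayed = bytearray(msg)
    relayed[HOPS_OFF] = 1
    relayed[GIADDR_OFF:GIADDR_OFF + 4] = bytes([10, 0, 0, 1])   # constructed relay address
    return verify_authenticated(bytes(relayed), key, 0)[0]


def demo():
    msk = b"\x11" * 32                              # constructed stand-in for the EAP-derived MSK
    chaddr = bytes.fromhex("001122334455")          # constructed client hardware address
    req = build_authenticated(0x3903F326, chaddr, 3, msk, 1, 1000)   # DHCPREQUEST, counter 1000
    ok, reason, seen = verify_authenticated(req, msk, 0)
    tampered = bytearray(req)
    tampered[28] ^= 0x01                            # flip one bit of chaddr after signing
    bad = verify_authenticated(bytes(tampered), msk, 0)[:2]
    replayed = verify_authenticated(req, msk, seen)[:2]   # same message seen a second time
    return (ok, reason), bad, replayed, relayed_still_verifies(req, msk)


if __name__ == "__main__":
    print(demo())
```

The three failure paths are the ones a DHCP server or client in steps s420 and s610 has to handle: a modified message fails the HMAC, a captured message re-sent with an old counter is rejected even though its HMAC is valid, and a message that merely passed through a relay agent (hops and giaddr changed) still verifies because those fields are excluded from the digest.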

By adopting the method provided by this embodiment of the present invention, the types of authentication messages are increased and the reliability and security of DHCP authentication are improved; centralized authentication can be performed conveniently, or the centralized authentication servers already deployed in the existing network can be fully utilized, sharing network resources.

Another embodiment of the present invention provides a DHCP authentication method, as shown in Figure 7, comprising the following steps:

Step s701: the DHCP client sends a DHCP DISCOVER notifying the server that authentication is required. The message also carries the identifier option Option 61, which uniquely identifies the client, and is broadcast to find an available server.

Step s702: the DHCP relay agent receives this message and forwards it to the DHCP server, then receives the DHCP OFFER sent by the DHCP server and forwards it to the DHCP client.

Step s703: the DHCP relay agent receives the REQUEST sent by the DHCP client; this message carries an authentication option indicating the authentication methods supported by the client.

Step s704: the DHCP relay agent sends an authentication request message AUTHREQ to the DHCP client according to the above identity authentication method.

Step s705: the DHCP client receives the DHCP AUTHREQ, processes its content, and sends a DHCP authentication reply message AUTHRSP to the DHCP server.

Step s706: after receiving the client's AUTHRSP, the DHCP relay agent forwards it to the centralized authentication server for identity verification.

Step s707: after receiving this message, the centralized authentication server performs identity authentication, and the following steps are repeated until authentication is complete: the DHCP relay agent forwards the AUTHREQ message sent by the centralized authentication server to the client, and forwards the DHCP authentication reply message AUTHRSP sent by the DHCP client to the centralized authentication server.

Step s708: if authentication passes, the DHCP server sends DHCPACK to the client; otherwise it sends DHCPNAK to the client.

By adopting the method provided by this embodiment of the present invention, the types of authentication messages are increased and the reliability and security of DHCP authentication are improved; centralized authentication can be performed conveniently, or the centralized authentication servers already deployed in the existing network can be fully utilized, sharing network resources.

An embodiment of the present invention provides an authentication method for the DHCP protocol, as shown in Figure 8, comprising the following steps:

Step s801: receiving a message carrying an authentication option, the authentication option indicating the identity authentication methods supported by the DHCP client;

Step s802: sending an authentication request message AUTHREQ to the DHCP client according to the identity authentication method;

The authentication request message AUTHREQ is a DHCP message type extended in this embodiment; the extended message types also include the authentication reply message AUTHRSP.

Step s803: receiving the authentication reply message AUTHRSP sent by the DHCP client and performing authentication;

Step s804: sending a message carrying the authentication result.
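Figures 5 to 8 all describe the same pass-through loop: the client names the authentication methods it supports, the DHCP server or relay agent sends AUTHREQ and relays each AUTHRSP to a centralized authentication server until that server reaches a decision, and the device then answers DHCPACK or DHCPNAK. The Python below is an added simulation of that loop; it is not code from the patent or from Huawei. The message names are the page's, while the challenge-response method "hmac-challenge", the credential table, the secrets and the MAX_ROUNDS bound are constructed assumptions, since the page leaves the content of the authentication method open.

```python
import hashlib
import hmac
import os

# Added example, not code from the patent or from Huawei. Simulates the pass-through
# authentication loop of Figures 5 to 8. Message names are the page's; the method name
# "hmac-challenge", the credential table, all secrets and MAX_ROUNDS are constructed.

MAX_ROUNDS = 4  # assumption: AUTHREQ/AUTHRSP round trips the device tolerates before giving up


class Client:
    """DHCP client: lists the methods it supports and answers each AUTHREQ."""

    def __init__(self, client_id, secret, methods):
        self.client_id, self.secret, self.methods = client_id, secret, list(methods)

    def answer(self, authreq):
        # Constructed method: HMAC-SHA256 of the server's challenge under the client secret
        tag = hmac.new(self.secret, authreq["challenge"], hashlib.sha256).digest()
        return {"type": "AUTHRSP", "client_id": self.client_id, "response": tag}


class CentralServer:
    """Stand-in for the centralized authentication server; keeps per-client state."""

    def __init__(self, credentials, rounds=2):
        self.credentials, self.rounds = credentials, rounds
        self.pending = {}  # client_id -> (outstanding challenge, rounds completed)

    def next_request(self, client_id, method):
        challenge = os.urandom(16)
        _, done = self.pending.get(client_id, (None, 0))
        self.pending[client_id] = (challenge, done)
        return {"type": "AUTHREQ", "method": method, "challenge": challenge}

    def check(self, authrsp):
        """Return 'continue', 'success' or 'failure' for a forwarded AUTHRSP."""
        cid = authrsp["client_id"]
        challenge, done = self.pending.get(cid, (None, 0))
        secret = self.credentials.get(cid)
        if challenge is None or secret is None:     # no outstanding challenge or unknown client
            return "failure"
        expected = hmac.new(secret, challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, authrsp["response"]):
            self.pending.pop(cid, None)
            return "failure"
        done += 1
        if done >= self.rounds:
            self.pending.pop(cid, None)
            return "success"
        self.pending[cid] = (None, done)
        return "continue"


def run_authentication(client, device_methods, central):
    """DHCP server / relay agent side: pick a method, relay the loop, answer ACK or NAK."""
    transcript = []
    common = [m for m in client.methods if m in device_methods]   # methods from the client's option
    if not common:
        transcript.append("DHCPNAK")        # no usable method: refuse outright
        return "DHCPNAK", transcript
    method = common[0]
    for _ in range(MAX_ROUNDS):
        authreq = central.next_request(client.client_id, method)  # relayed to the client
        transcript.append("AUTHREQ")
        authrsp = client.answer(authreq)                          # relayed to the central server
        transcript.append("AUTHRSP")
        verdict = central.check(authrsp)
        if verdict == "success":
            transcript.append("DHCPACK")
            return "DHCPACK", transcript
        if verdict == "failure":
            break
    transcript.append("DHCPNAK")            # authentication failed or the exchange ran too long
    return "DHCPNAK", transcript


def demo():
    creds = {b"client-A": b"secret-A"}     # constructed credential table
    central = CentralServer(creds, rounds=2)
    good = Client(b"client-A", b"secret-A", ["hmac-challenge", "eap-tls"])
    wrong = Client(b"client-A", b"wrong-secret", ["hmac-challenge"])
    no_common = Client(b"client-B", b"irrelevant", ["eap-tls"])
    return (run_authentication(good, {"hmac-challenge"}, central),
            run_authentication(wrong, {"hmac-challenge"}, central),
            run_authentication(no_common, {"hmac-challenge"}, central),
            run_authentication(good, {"hmac-challenge"}, CentralServer(creds, rounds=10)))


if __name__ == "__main__":
    for outcome, transcript in demo():
        print(outcome, transcript)
```

The device never evaluates credentials itself; it only negotiates a method from the client's option, relays, and translates the central server's verdict into DHCPACK or DHCPNAK, which is the split of roles the forwarding unit and receiving unit of Figure 10 describe. The round bound keeps a client or central server that never concludes from holding the device in the loop indefinitely.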

By adopting the method provided by this embodiment of the present invention, the authentication request message and the authentication reply message are exchanged according to the authentication method supported by the DHCP client, and the types of authentication messages are extended, improving authentication reliability and security.

Another embodiment of the present invention provides a DHCP authentication device, as shown in Figure 9, comprising:

a method receiving unit 91, configured to receive a message indicating an authentication method sent by a DHCP client;

an authentication request unit 92, configured to send an authentication request message to the DHCP client according to the authentication method in the message received by the method receiving unit 91;

an authentication reply unit 93, configured to receive the DHCP client's authentication reply message to the above authentication request message;

a result sending unit 94, configured to send to the DHCP client a message carrying the authentication result obtained after authenticating the above authentication reply message.

By adopting the device provided by this embodiment of the present invention, the authentication request message and the authentication reply message are exchanged according to the authentication method supported by the DHCP client, and the types of authentication messages are extended, improving authentication reliability and security.

An embodiment of the present invention provides a DHCP authentication device, as shown in Figure 10, further comprising:

a forwarding unit 95, configured to forward the authentication reply message sent by the DHCP client to the centralized authentication server;

a receiving unit 96, configured to receive the authentication result obtained by the above centralized authentication server after authenticating the authentication reply message.

By adopting the device provided by this embodiment of the present invention, the authentication request message and the authentication reply message are exchanged according to the authentication method supported by the DHCP client, and the types of authentication messages are extended, improving authentication reliability and security.

An embodiment of the present invention provides a DHCP authentication device, as shown in Figure 11, further comprising:

an authentication unit 95, configured to authenticate the authentication reply message sent by the DHCP client and obtain an authentication result.

By adopting the device provided by this embodiment of the present invention, the authentication request message and the authentication reply message are exchanged according to the authentication method supported by the DHCP client, and the types of authentication messages are extended, improving authentication reliability and security.

An embodiment of the present invention also provides a DHCP authentication system, as shown in Figure 12, comprising a DHCP client 121 and a DHCP authentication device 122;

the DHCP client 121, configured to send a message indicating an authentication method to the DHCP authentication device 122, receive the authentication request message sent by the DHCP authentication device 122 according to that authentication method, and send an authentication reply message to the DHCP authentication device 122 according to the authentication request message;

the DHCP authentication device 122, configured to receive the message indicating an authentication method sent by the DHCP client 121; send an authentication request message to the DHCP client 121 according to that authentication method; receive the DHCP client 121's authentication reply message to the authentication request message; and send to the DHCP client 121 a message carrying the authentication result obtained after authenticating the authentication reply message.

As shown in Figure 13, the system provided by this embodiment of the present invention further comprises a centralized authentication server 123, configured to receive the DHCP client 121's authentication reply message forwarded by the DHCP authentication device 122, authenticate the authentication reply message, and send the authentication result to the DHCP authentication device 122.

By adopting the system provided by this embodiment of the present invention, the authentication request message and the authentication reply message are exchanged according to the authentication method supported by the DHCP client, and the types of authentication messages are extended, improving authentication reliability and security.

From the above description of the embodiments, those skilled in the art can clearly understand that the present invention may be implemented in hardware, or in software together with a necessary general-purpose hardware platform. On this understanding, the technical solution of the present invention may be embodied as a software product stored in a non-volatile storage medium (for example a CD-ROM, USB flash drive or removable hard disk) and containing instructions that cause a computing device (for example a personal computer, a server or a network device) to execute the methods described in the embodiments of the present invention.

In summary, the above are only preferred embodiments of the present invention and are not intended to limit its scope of protection. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.

Claims (12)

1. A dynamic host configuration protocol (DHCP) authentication method, characterized in that it comprises:
receiving a message indicating an authentication method sent by a DHCP client;
sending an authentication request message to the DHCP client according to the authentication method;
receiving an authentication reply message from the DHCP client to the authentication request message;
sending to the DHCP client a message carrying the authentication result obtained after authenticating the authentication reply message.
2. The method of claim 1, characterized in that, after receiving the authentication reply message from the DHCP client to the authentication request message, it further comprises:
forwarding the authentication reply message sent by the DHCP client to a centralized authentication server;
receiving the authentication result obtained by the centralized authentication server after authenticating the authentication reply message.
3. The method of claim 1, characterized in that, after receiving the authentication reply message from the DHCP client to the authentication request message, it further comprises:
authenticating the authentication reply message and obtaining an authentication result.
4. The method of claim 1, characterized in that, in the message indicating an authentication method sent by the DHCP client, the authentication method is indicated by a carried authentication option.
5. The method of claim 1 or 4, characterized in that the message indicating an authentication method sent by the DHCP client is specifically a DHCP DISCOVER or a DHCP REQUEST.
6. The method of claim 2, characterized in that the message carrying the authentication result is specifically a DHCPOFFER.
7. The method of claim 1, characterized in that the authentication request message and the authentication reply message carry an extended authentication option.
8. A DHCP authentication device, characterized in that it comprises:
a method receiving unit, configured to receive a message indicating an authentication method sent by a DHCP client;
an authentication request unit, configured to send an authentication request message to the DHCP client according to the authentication method;
an authentication reply unit, configured to receive an authentication reply message from the DHCP client to the authentication request message;
a result sending unit, configured to send to the DHCP client a message carrying the authentication result obtained after authenticating the authentication reply message.
9. The device of claim 8, characterized in that it further comprises:
a forwarding unit, configured to forward the authentication reply message sent by the DHCP client to a centralized authentication server;
a receiving unit, configured to receive the authentication result obtained by the centralized authentication server after authenticating the authentication reply message.
10. The device of claim 8, characterized in that it further comprises:
an authentication unit, configured to authenticate the authentication reply message and obtain an authentication result.
11. A DHCP authentication system, characterized in that it comprises a DHCP client and a DHCP authentication device;
the DHCP client, configured to send a message indicating an authentication method to the DHCP authentication device, receive the authentication request message sent by the DHCP authentication device according to the authentication method, and send an authentication reply message to the DHCP authentication device according to the authentication request message;
the DHCP authentication device, configured to receive the message indicating an authentication method sent by the DHCP client; send an authentication request message to the DHCP client according to the authentication method; receive the authentication reply message from the DHCP client to the authentication request message; and send to the DHCP client a message carrying the authentication result obtained after authenticating the authentication reply message.
12. The system of claim 11, characterized in that it further comprises a centralized authentication server, configured to receive the DHCP client's authentication reply message forwarded by the DHCP authentication device, authenticate the authentication reply message, and send the authentication result to the DHCP authentication device.

CNA2008102117993A 2008-09-25 2008-09-25 A DHCP authentication method, device and system Pending CN101370018A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNA2008102117993A CN101370018A (en) 2008-09-25 2008-09-25 A DHCP authentication method, device and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNA2008102117993A CN101370018A (en) 2008-09-25 2008-09-25 A DHCP authentication method, device and system

Publications (1)

Publication Number Publication Date
CN101370018A true CN101370018A (en) 2009-02-18

Family

ID=40413633

Family Applications (1)

Application Number Title Priority Date Filing Date
CNA2008102117993A Pending CN101370018A (en) 2008-09-25 2008-09-25 A DHCP authentication method, device and system

Country Status (1)

Country Link
CN (1) CN101370018A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103634113A (en) * 2013-11-26 2014-03-12 成都卫士通信息产业股份有限公司 Encryption and decryption method and device with user/equipment identity authentication
CN104702427A (en) * 2013-12-06 2015-06-10 华为技术有限公司 Method and system for acquiring fault information
CN115967624A (en) * 2022-12-28 2023-04-14 迈普通信技术股份有限公司 Zero configuration opening method and device and electronic equipment

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20090218