CN118473710A - Authentication method of PPPoE message and BRAS equipment - Google Patents
- Publication number: CN118473710A
- Application number: CN202410471775.0A
- Authority: CN (China)
- Prior art keywords: pppoe, message, ipv6, path information, header
- Prior art date
- Legal status: Pending
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
          - H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
      - H04L45/00—Routing or path finding of packets in data switching networks
        - H04L45/74—Address processing for routing
      - H04L67/00—Network arrangements or protocols for supporting network services or applications
        - H04L67/01—Protocols
          - H04L67/10—Protocols in which an application is distributed across nodes in the network
            - H04L67/104—Peer-to-peer [P2P] networks
      - H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
        - H04L9/40—Network security protocols
      - H04L2101/00—Indexing scheme associated with group H04L61/00
        - H04L2101/60—Types of network addresses
          - H04L2101/618—Details of network addresses
            - H04L2101/659—Internet protocol version 6 [IPv6] addresses
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
This specification provides a PPPoE message authentication method and a BRAS device. The method comprises: receiving a PPPoE message that is encapsulated with an IPv6 header; obtaining, from the IPv6 header, the path information recording each routing device through which the PPPoE message passed; and sending the path information together with the authentication information of the PPPoE message to an authentication server. With this method, the physical location information of a PPPoE terminal can be verified even when the PPPoE message is forwarded at Layer 3. Binding authentication of the user account to the user's location information is thereby achieved, which effectively improves the security of the PPPoE network and prevents impersonation and account theft.
Description
Technical Field
This specification relates to the field of communication technology, and in particular to a PPPoE message authentication method and a BRAS device.
Background Art
PPPoE (Point-to-Point Protocol over Ethernet) is a network protocol that combines Ethernet with the Point-to-Point Protocol (PPP) for broadband connections; it is used for DSL connections and for Internet access over Ethernet. PPPoE allows multiple users to access a service provider's network over Ethernet and establish a virtual point-to-point connection. Such connections are commonly used for Internet access over telephone lines (ADSL service) or cable.
In a traditional PPPoE network, authenticating an access user solely by username and password carries a certain security risk: if a user account is stolen, the thief can easily use that account to access the network from another location.
Summary of the Invention
To overcome the problems in the related art, this specification provides a PPPoE message authentication method and a BRAS device.
According to a first aspect of the embodiments of this specification, a PPPoE message authentication method is provided. The method is applied in a BRAS device and comprises:
receiving a PPPoE message, the PPPoE message being encapsulated with an IPv6 header;
obtaining, from the IPv6 header, the path information recording each routing device through which the PPPoE message passed;
sending the path information and the authentication information of the PPPoE message to an authentication server, so that the authentication server authenticates the PPPoE terminal that sent the PPPoE message according to the path information and the authentication information.
The method of encapsulating the PPPoE message with an IPv6 header comprises:
the PPPoE terminal, or the first routing device along the path of the PPPoE message, encapsulates the PPPoE message with an IPv6 header.
The IPv6 source address in the IPv6 header is the address of the first routing device, and the IPv6 destination address in the IPv6 header is the address of the BRAS.
Obtaining, from the IPv6 header, the path information recording each routing device through which the PPPoE message passed comprises:
obtaining the SID list in the IPv6 header, the SID list recording the path information of each routing device through which the PPPoE message passed.
Sending the path information and the authentication information of the PPPoE message to the authentication server comprises:
removing the IPv6 header from the PPPoE message, loading the path information into the NAS-PORT-ID attribute, and sending it to the authentication server.
As can be seen from the above embodiments, by encapsulating the PPPoE message with an IPv6 header, recording in that IPv6 header the path information of each routing device the PPPoE message passes through, and carrying that path information when the authentication information is sent to the authentication server, the authentication server can verify that the physical location of the PPPoE terminal is correct at the same time as it authenticates the username and key. This prevents the situation in which a stolen user account can easily be used to access the network from another location.
According to a second aspect of the embodiments of this specification, a BRAS device is provided. The BRAS device comprises a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor, when executing the program, implements the following method:
receiving a PPPoE message, the PPPoE message being encapsulated with an IPv6 header;
obtaining, from the IPv6 header, the path information recording each routing device through which the PPPoE message passed;
sending the path information and the authentication information of the PPPoE message to an authentication server, so that the authentication server authenticates the PPPoE terminal that sent the PPPoE message according to the path information and the authentication information.
According to a third aspect of the embodiments of this specification, a BRAS device is provided. The BRAS device comprises:
a receiving module, configured to receive a PPPoE message, the PPPoE message being encapsulated with an IPv6 header;
an acquisition module, configured to obtain, from the IPv6 header, the path information recording each routing device through which the PPPoE message passed;
a sending module, configured to send the path information and the authentication information of the PPPoE message to an authentication server, so that the authentication server authenticates the PPPoE terminal that sent the PPPoE message according to the path information and the authentication information.
The IPv6 source address in the IPv6 header is the address of the first routing device along the path of the PPPoE message, and the IPv6 destination address in the IPv6 header is the address of the BRAS.
The acquisition module is specifically configured to obtain the SID list in the IPv6 header, the SID list recording the path information of each routing device through which the PPPoE message passed.
The sending module is specifically configured to remove the IPv6 header from the PPPoE message, load the path information into the NAS-PORT-ID attribute, and send it to the authentication server.
It is to be understood that the foregoing general description and the following detailed description are exemplary and explanatory only and do not limit this specification.
BRIEF DESCRIPTION OF THE DRAWINGS
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with this specification and, together with the description, serve to explain its principles.
FIG. 1 is a flow chart of a PPPoE message authentication method according to an exemplary embodiment of this specification.
FIG. 2 is a schematic diagram of a network architecture according to an exemplary embodiment of this specification.
DETAILED DESCRIPTION
Exemplary embodiments are described in detail here, examples of which are shown in the accompanying drawings. Where the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with this specification; they are merely examples of devices and methods consistent with some aspects of this specification as detailed in the appended claims.
The terms used in this specification are for the purpose of describing specific embodiments only and are not intended to limit this specification. The singular forms "a", "said" and "the" used in this specification and the appended claims are also intended to include the plural forms unless the context clearly indicates otherwise. It should also be understood that the term "and/or" used herein refers to and includes any or all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in this specification to describe various kinds of information, such information should not be limited by these terms. These terms are only used to distinguish information of the same type from one another. For example, without departing from the scope of this specification, first information may also be referred to as second information, and similarly, second information may also be referred to as first information. Depending on the context, the word "if" as used herein may be interpreted as "at the time of", "when", or "in response to determining".
At present, within a single Layer 2 network, a PPPoE relay device is deployed between the PPPoE client (PPPoE terminal) and the PPPoE server, and the user's physical location information is conveyed to the BRAS device (on which the PPPoE server function is deployed) through the access line ID (access-line-id); the access line ID consists of two parts, circuit-id and remote-id. The BRAS device copies the access line ID directly into the RADIUS NAS-PORT-ID attribute and sends it to the RADIUS server. The RADIUS server compares the received NAS-PORT-ID attribute with the physical location information already configured in its database to verify whether the user's physical location information is correct. Binding authentication of the user account to the user's location information is thereby achieved.
When there are routers between the PPPoE client and the PPPoE server (that is, when the traffic must cross a Layer 3 network), a layer of IPv6 encapsulation is added to the PPPoE message using PPPoE over IPv6, so that it can be forwarded by router devices such as those in the metropolitan area network. When the PPPoE message finally reaches the BRAS device, the IPv6 header is stripped off and the original PPPoE message is restored.
Since all PPPoE protocol messages are data link layer messages, they can only be forwarded within a single Layer 2 network, and location detection cannot be supported for PPPoE messages forwarded across a Layer 3 network.
To solve the above technical problem, an embodiment of the present disclosure provides a PPPoE message authentication method applied in a BRAS device. As shown in FIG. 1, the method comprises:
S101: receiving a PPPoE message, the PPPoE message being encapsulated with an IPv6 header;
S102: obtaining, from the IPv6 header, the path information recording each routing device through which the PPPoE message passed;
S103: sending the path information and the authentication information of the PPPoE message to an authentication server, so that the authentication server authenticates the PPPoE terminal that sent the PPPoE message according to the path information and the authentication information.
In this embodiment, when a PPPoE message is to be forwarded across a Layer 3 network, the PPPoE client (hereinafter the PPPoE terminal) encapsulates it with an IPv6 header. In one example, the PPPoE terminal may encapsulate the PPPoE message to be forwarded across the Layer 3 network with an IPv6 header; alternatively, the first routing device along the path of the PPPoE message (such as a router or a switch with routing capability) may encapsulate the PPPoE message with an IPv6 header.
In the network architecture shown in FIG. 2, the PPPoE terminal sends a PPPoE message to Router A, and Router A encapsulates the PPPoE message with an IPv6 header in which the source address is the address of Router A and the destination address is the address of the PPPoE server (that is, the BRAS device).
In this embodiment, after the PPPoE message has been encapsulated with an IPv6 header, Router A looks up the IPv6 routing table by the IPv6 destination address and forwards the PPPoE over IPv6 message (that is, the PPPoE message encapsulated with an IPv6 header) out of the corresponding interface.
In this embodiment, when the PPPoE over IPv6 message passes through a routing device, that routing device may encapsulate its own address information into the IPv6 header. As shown in FIG. 2, assuming that Router B and Router C support the PPPoE over IPv6 source tracing function, when the PPPoE over IPv6 message passes through Router B, Router B encapsulates its own address information into the IPv6 header, and when the message passes through Router C, Router C encapsulates its own address information into the IPv6 header. The address information here comprises IP address information, port information, or the corresponding SID identifier.
In other embodiments, the PPPoE terminal or the first routing device along the path of the PPPoE message may pre-plan the path of the PPPoE over IPv6 message and encapsulate the path information of each routing device along the path into the IPv6 header.
In this embodiment, each routing device adds its own address information to the access line ID in the PPPoE message, recorded in the form of a Segment List (SID list) to form the path information.
In one example, the entries may be arranged in order of the routing devices along the PPPoE over IPv6 forwarding path from nearest to farthest: Segment List[0] denotes the first SID of the path, Segment List[1] the second SID of the path, and so on, so that when the message passes through the Nth routing device, that device's address information is added at Segment List[N-1] in the access line ID.
In the PPPoE over IPv6 scenario, the BRAS device (the PPPoE server device in FIG. 2) acts as the tail node and is responsible for removing the IPv6 encapsulation when it receives a PPPoE message carrying IPv6 encapsulation.
When the PPPoE access procedure reaches the authentication stage, that is, after the BRAS device has received the message carrying the username and password sent by the PPPoE terminal, it extracts the Segment List from the access line ID of that message. In the RADIUS authentication request sent to the RADIUS server, the BRAS device carries not only the access line ID and the information of the access port on the BRAS device but also this Segment List. Since each routing device's SID is unique within the network, the RADIUS server can precisely identify and verify every routing device traversed during the PPPoE over IPv6 access procedure.
Specifically, after receiving the authentication message sent by the BRAS device, the RADIUS server obtains the path information (SID identifiers) of the PPPoE over IPv6 message from the NAS-PORT-ID attribute and checks whether the path information is valid by matching it against the path information preset on the server. If the path is valid and the username and password are also verified correctly, the PPPoE terminal is allowed to access the network; if the path is invalid, the PPPoE terminal is denied access even when the username and password are verified correctly.
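The following is an added, self-contained Python example, not code from the patent or from any vendor's BRAS or RADIUS implementation. It models the two sides described in the Segment List passage and the RADIUS verification passage above: the BRAS parses the outer IPv6 header, reads the SID list from an SRH-style routing extension header, strips the encapsulation to recover the PPPoE frame, and carries the path in a NAS-Port-Id string; the RADIUS side then accepts only when both the credentials and the path match the operator's preset binding. Assumptions not taken from the patent: the SID list is carried in a routing header with the RFC 8754 SRH field layout but in the page's nearest-to-farthest order (RFC 8754 itself numbers segments in reverse), the inner payload is marked with the experimental next-header value 253, the NAS-Port-Id string layout is invented for the demo, and real RADIUS packet encoding (shared secret, PAP password hiding) is left out. All addresses and credentials are constructed sample values.

```python
import hmac
import ipaddress
import struct

IPV6_HDR_LEN = 40
NH_ROUTING = 43            # IPv6 Routing extension header (RFC 8200)
SRH_ROUTING_TYPE = 4       # Segment Routing Header (RFC 8754)
NH_INNER_ASSUMED = 253     # assumption: experimental value marks the inner PPPoE frame


def build_pppoe_over_ipv6(src, dst, sids, pppoe_frame):
    """Constructed encapsulation: IPv6 header + SRH carrying the SID list + PPPoE frame.

    Segment List[0] is the first hop, as in the page's example ordering (assumption;
    RFC 8754 stores segments in reverse order)."""
    seg_bytes = b"".join(ipaddress.IPv6Address(s).packed for s in sids)
    # SRH fixed part: next header, hdr ext len (8-octet units after the first 8 bytes),
    # routing type, segments left, last entry, flags, tag; then 16-byte segment entries.
    srh = struct.pack("!BBBBBBH", NH_INNER_ASSUMED, 2 * len(sids), SRH_ROUTING_TYPE,
                      0, len(sids) - 1, 0, 0) + seg_bytes
    payload = srh + pppoe_frame
    ip6 = struct.pack("!IHBB", 0x60000000, len(payload), NH_ROUTING, 64)
    ip6 += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    return ip6 + payload


def bras_decapsulate(packet):
    """BRAS side (S101/S102): validate the outer IPv6 header, read the SID list from the
    SRH, and strip the encapsulation so the original PPPoE frame is restored.
    Every length field is checked before it is used as an offset."""
    if len(packet) < IPV6_HDR_LEN:
        raise ValueError("truncated IPv6 header")
    ver_tc_fl, plen, nh, _hop = struct.unpack("!IHBB", packet[:8])
    if ver_tc_fl >> 28 != 6:
        raise ValueError("not IPv6")
    if len(packet) != IPV6_HDR_LEN + plen:
        raise ValueError("payload length mismatch")
    if nh != NH_ROUTING:
        raise ValueError("no routing header: path information missing")
    off = IPV6_HDR_LEN
    if len(packet) < off + 8:
        raise ValueError("truncated SRH")
    inner_nh, ext_len, rtype, _left, last, _flags, _tag = struct.unpack(
        "!BBBBBBH", packet[off:off + 8])
    if rtype != SRH_ROUTING_TYPE:
        raise ValueError("routing header is not an SRH")
    srh_len = 8 + 8 * ext_len
    if off + srh_len > len(packet) or 16 * (last + 1) > 8 * ext_len:
        raise ValueError("SRH length fields inconsistent")
    if inner_nh != NH_INNER_ASSUMED:
        raise ValueError("unexpected inner next header")
    sids = [str(ipaddress.IPv6Address(packet[off + 8 + 16 * i: off + 24 + 16 * i]))
            for i in range(last + 1)]
    return sids, packet[off + srh_len:]


def format_nas_port_id(circuit_id, remote_id, bras_port, sids):
    """S103: carry the access line ID, the BRAS access port and the SID list together.
    The separator layout is an assumption; the page does not fix a format."""
    return f"{circuit_id}/{remote_id};{bras_port};" + ",".join(sids)


class RadiusServer:
    """Authentication server side: credentials AND path must both match."""

    def __init__(self, users, bound_paths):
        self.users = users              # username -> password (demo only, no PAP hiding)
        self.bound_paths = bound_paths  # username -> SID list preset by the operator

    def authenticate(self, username, password, nas_port_id):
        expected = self.users.get(username)
        creds_ok = expected is not None and hmac.compare_digest(
            expected.encode(), password.encode())
        try:
            _line, _port, sid_field = nas_port_id.split(";", 2)
            got = [str(ipaddress.IPv6Address(s)) for s in sid_field.split(",") if s]
        except ValueError:
            return "Access-Reject"   # malformed attribute: never fall back to password-only
        bound = [str(ipaddress.IPv6Address(s)) for s in self.bound_paths.get(username, [])]
        path_ok = got == bound
        # A correct username/password is still rejected when the path differs.
        return "Access-Accept" if creds_ok and path_ok else "Access-Reject"


def demo():
    """Constructed scenario after FIG. 2: Router A encapsulates, B and C add their SIDs."""
    home_path = ["2001:db8::a", "2001:db8::b", "2001:db8::c"]
    pppoe_frame = b"\x11\x00\x00\x01\x00\x00"   # constructed PPPoE session header bytes
    packet = build_pppoe_over_ipv6("2001:db8::a", "2001:db8:ffff::1", home_path, pppoe_frame)
    sids, inner = bras_decapsulate(packet)
    assert inner == pppoe_frame
    radius = RadiusServer(users={"alice": "s3cret"}, bound_paths={"alice": home_path})
    at_home = format_nas_port_id("circuit-1", "remote-1", "GigabitEthernet1/0/1", sids)
    elsewhere = format_nas_port_id("circuit-9", "remote-9", "GigabitEthernet1/0/1",
                                   ["2001:db8::a", "2001:db8::d", "2001:db8::c"])
    return {
        "home_correct_password": radius.authenticate("alice", "s3cret", at_home),
        "stolen_account_elsewhere": radius.authenticate("alice", "s3cret", elsewhere),
        "home_wrong_password": radius.authenticate("alice", "nope", at_home),
    }


if __name__ == "__main__":
    print(demo())
```

The third case in `demo()` is the one the patent's argument rests on: the credentials are valid, but because the SID list differs from the operator's preset path, the server returns Access-Reject. Rejecting on a malformed NAS-Port-Id rather than ignoring it keeps a stripped or corrupted path from silently degrading the check to password-only authentication.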
As can be seen from the above embodiments, the path information of the routing devices traversed by the PPPoE message after IPv6 encapsulation is formed by each routing device adding its own address information to the access line ID of the PPPoE message. The BRAS device copies the access line ID of the PPPoE message into the RADIUS NAS-PORT-ID attribute and sends it to the RADIUS server, which compares the received NAS-PORT-ID attribute with the physical location information configured in its database to verify whether the user's physical location information is correct. Binding authentication of the user account to the user's location information is thereby achieved, which effectively improves the security of the PPPoE network and prevents impersonation and account theft.
Based on the above embodiments, an embodiment of the present disclosure further provides a BRAS device. The BRAS device comprises a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor, when executing the program, implements the following method:
receiving a PPPoE message, the PPPoE message being encapsulated with an IPv6 header;
obtaining, from the IPv6 header, the path information recording each routing device through which the PPPoE message passed;
sending the path information and the authentication information of the PPPoE message to an authentication server, so that the authentication server authenticates the PPPoE terminal that sent the PPPoE message according to the path information and the authentication information.
Based on the contents of the above method embodiments, an embodiment of the present disclosure further provides a BRAS device. The BRAS device comprises:
a receiving module, configured to receive a PPPoE message, the PPPoE message being encapsulated with an IPv6 header;
an acquisition module, configured to obtain, from the IPv6 header, the path information recording each routing device through which the PPPoE message passed;
a sending module, configured to send the path information and the authentication information of the PPPoE message to an authentication server, so that the authentication server authenticates the PPPoE terminal that sent the PPPoE message according to the path information and the authentication information.
The IPv6 source address in the IPv6 header is the address of the first routing device along the path of the PPPoE message, and the IPv6 destination address in the IPv6 header is the address of the BRAS.
The acquisition module is specifically configured to obtain the SID list in the IPv6 header, the SID list recording the path information of each routing device through which the PPPoE message passed.
The sending module is specifically configured to remove the IPv6 header from the PPPoE message, load the path information into the NAS-PORT-ID attribute, and send it to the authentication server.
As the device embodiments substantially correspond to the method embodiments, the relevant parts may refer to the description of the method embodiments. The device embodiments described above are merely illustrative: the modules described as separate components may or may not be physically separate, and the components shown as modules may or may not be physical modules; that is, they may be located in one place or distributed over multiple network modules. Some or all of the modules may be selected according to actual needs to achieve the purpose of the scheme of this specification. A person of ordinary skill in the art can understand and implement this without creative effort.
Specific embodiments of this specification have been described above. Other embodiments are within the scope of the appended claims. In some cases, the actions or steps recited in the claims may be performed in an order different from that in the embodiments and still achieve the desired result. In addition, the processes depicted in the drawings do not necessarily require the particular order shown, or a sequential order, to achieve the desired result. In certain implementations, multitasking and parallel processing are also possible or may be advantageous.
Other embodiments of this specification will readily occur to those skilled in the art after considering the specification and practicing the invention applied for here. This specification is intended to cover any variations, uses or adaptations that follow its general principles and include common knowledge or customary technical means in the art not applied for in this specification. The description and embodiments are to be regarded as exemplary only, with the true scope and spirit of this specification being indicated by the following claims.
It should be understood that this specification is not limited to the precise structures described above and shown in the drawings, and that various modifications and changes may be made without departing from its scope. The scope of this specification is limited only by the appended claims.
The above are merely preferred embodiments of this specification and are not intended to limit it. Any modification, equivalent substitution, improvement, etc. made within the spirit and principles of this specification shall fall within its scope of protection.
Claims (10)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202410471775.0A CN118473710A (en) | 2024-04-18 | 2024-04-18 | Authentication method of PPPoE message and BRAS equipment |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202410471775.0A CN118473710A (en) | 2024-04-18 | 2024-04-18 | Authentication method of PPPoE message and BRAS equipment |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN118473710A true CN118473710A (en) | 2024-08-09 |
Family
ID=92158225
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202410471775.0A Pending CN118473710A (en) | 2024-04-18 | 2024-04-18 | Authentication method of PPPoE message and BRAS equipment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN118473710A (en) |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2012142867A1 (en) * | 2011-04-21 | 2012-10-26 | ZTE Corporation | Authentication notification method and system |
| CN104639439A (en) * | 2015-01-27 | 2015-05-20 | Hangzhou H3C Technologies Co., Ltd. | Service message processing method and service message processing device |
| CN107104872A (en) * | 2016-02-23 | 2017-08-29 | Huawei Technologies Co., Ltd. | Access control method, device and system |
| CN110474922A (en) * | 2019-09-02 | 2019-11-19 | Ruijie Networks Co., Ltd. | Communication method, PC system and access control router |
| CN112492058A (en) * | 2020-11-16 | 2021-03-12 | CERNET Corporation | Method, system, electronic device and medium for distributing real source IPv6 address |
Events
- 2024-04-18: CN application CN202410471775.0A (patent CN118473710A), status active, Pending
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN110650076B (en) | VXLAN implementation method, network equipment and communication system | |
| US6920503B1 (en) | Tunnel interworking | |
| JP4741193B2 (en) | User authentication method and system for network access when connected to the Internet | |
| US9059841B2 (en) | Auto-discovery of a non-advertised public network address | |
| JP4105722B2 (en) | Communication device | |
| EP3410648B1 (en) | Method, device and system for access control | |
| US20080092213A1 (en) | Method, system and server for realizing secure assignment of dhcp address | |
| US20070011301A1 (en) | Provisioning relay and re-direction server for service implementation on generic customer premises equipment | |
| US20080225749A1 (en) | Auto-configuration of a network device | |
| US9065684B2 (en) | IP phone terminal, server, authenticating apparatus, communication system, communication method, and recording medium | |
| CN103067337B (en) | Identity federation method, identity federation intrusion detection & prevention system (IdP), identity federation service provider (SP) and identity federation system | |
| CN107404470A (en) | Connection control method and device | |
| BRPI0719682B1 (en) | INTERCEPTING VOICE COMMUNICATIONS VIA IP AND OTHER DATA COMMUNICATIONS | |
| WO2018041152A1 (en) | Separation of control plane function and forwarding plane function of broadband remote access server | |
| JP2007293870A (en) | Method for using network address information to improve the performance of network transactions | |
| TW201204098A (en) | Dynamic service groups based on session attributes | |
| WO2016192608A2 (en) | Authentication method, authentication system and associated device | |
| CN106487788A (en) | User access method, SDN controller, forwarding device and user access system | |
| US8134999B2 (en) | Generic provisioning of voice over internet protocol (VoIP) | |
| CN101141492B (en) | Method and system for implementing DHCP address safety allocation | |
| WO2018039901A1 (en) | Method, device and system for ip address allocation, and computer program product | |
| CN108429773A (en) | Authentication method and authentication system | |
| JP4873960B2 (en) | Method for facilitating application server functions and access nodes including application server functions | |
| CN118473710A (en) | Authentication method of PPPoE message and BRAS equipment | |
| CN112870692A (en) | Game acceleration method, acceleration system, acceleration device and storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | | |
| SE01 | Entry into force of request for substantive examination | | |