CN1798158A - Method for distributing second level address - Google Patents

Info

Publication number: CN1798158A
Authority: CN (China)
Prior art keywords: server, client, dhcpv6, address, ipv6
Legal status: Pending
Application number: CN 200410097049
Other languages: Chinese (zh)
Inventors: 丁常海, 侯超, 林琦, 陈伟, 沈文良, 管红光
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd
Priority date: 2004-12-21
Filing date: 2004-12-21
Publication date: 2006-07-05
Classification: Data Exchanges In Wide-Area Networks

Abstract

The invention provides a secondary address allocation method for IPv6 networks, comprising the following steps: a client interacts with a DHCPv6 server to obtain an IPv6 address allocated by the DHCPv6 server, and a user policy for the client is added on the access server; the client initiates an authentication request, an authentication server authenticates the client and sends the authentication result to the DHCPv6 server; after obtaining the authentication result, the DHCPv6 server instructs the client, according to that result, to reset the DHCPv6 process; following the DHCPv6 server's instruction, the client interacts with the DHCPv6 server to obtain an IPv6 address reallocated by the DHCPv6 server, and the user policy for the client is updated on the access server. With the invention, the server side can reallocate client addresses in an IPv6 network.

Description

A Secondary Address Allocation Method

Technical Field

The invention relates to the field of IPv6 network access technology, and in particular to a secondary address allocation method.

Background

In IPv6 (Internet Protocol version 6), a client (Host) can obtain an IP address in two ways. One is Stateless Address Autoconfiguration, which relies mainly on the ND protocol and obtains the address through RS and RA messages; the other is Stateful Address Autoconfiguration, which is currently realized through DHCPv6 (Dynamic Host Configuration Protocol for IPv6). Because the DHCPv6 protocol is comparatively complete, implements more functions and allows a single server to manage the addresses of the whole network centrally, DHCPv6 is the better choice for network management and operation.

With the development and promotion of NGN and IPv6, many electronic products, such as users' mobile phones, will be assigned IPv6 addresses so that they can join IPv6 networks easily at any time. This makes it possible to migrate existing communication services onto an Internet that uses IPv6 as the bearer protocol, and strengthening network-side control over the client under IPv6 becomes a prerequisite for delivering such services. The first problem to solve is how to give a client different IPv6 addresses or permissions in different services or scenarios.

For example, a DHCPv6 server may record different IPv6 addresses for a client in different situations: IPv6-A is a campus/LAN address with permission to access campus network resources, while IPv6-B carries permission to access the Internet and incurs a fee when used. A user will access the campus network or the Internet as needed, and when switching between these networks the client's IPv6 address must be changed accordingly, together with the user's permissions.

At present, control of the client is almost entirely based on the client having a fixed IPv6 address. Any change to a user's IPv6 address must be made actively by the user, for example by manually modifying the client's IPv6 address or restarting the client; the network-side system cannot modify the client on its own initiative.

In general, although the existing DHCPv6 protocol emphasizes control of the client (Host) by the server and also improves security (see RFC 3315 for details), the server still cannot control the reallocation of the Host's address or changes to the Host's permissions.

Summary of the Invention

In view of this, the main purpose of the invention is to provide a secondary address allocation method for IPv6 networks, so that the server side can reallocate client addresses in an IPv6 network.

The secondary address allocation method of the invention is applied in an IPv6 network and comprises the following steps:

A. The client interacts with the DHCPv6 server to obtain an IPv6 address allocated by the DHCPv6 server;

B. The client initiates an authentication request; the authentication server authenticates the client and sends the authentication result to the DHCPv6 server;

C. After obtaining the authentication result, the DHCPv6 server instructs the client, according to that result, to reset the DHCPv6 process;

D. Following the DHCPv6 server's instruction, the client interacts with the DHCPv6 server to obtain an IPv6 address reallocated by the DHCPv6 server.

The method further involves an access server through which the client joins the IPv6 network. Step A further comprises adding a user policy for the client on the access server, and step D further comprises updating the user policy for the client on the access server; the user policy includes at least the permissions assigned to the user. The permissions include at least one of: addresses the user may access, addresses the user may not access, the user's traffic limit, and the services the user may use. The access server may be a BRAS, a Layer 3 switch, a router or similar device.

The authentication result in step B contains at least one of: an attribute indicating that address allocation must be performed again, and an attribute indicating that the client's permissions must be changed.

In step C, the client is instructed to reset the DHCPv6 process by means of the RECONFIGURE Option field of the reconfigure message RECONFIGURE, which instructs the client to send a REQUEST message.

The authentication server is an AAA server or a RADIUS server.

When the client leaves the IPv6 network, a further step follows step D: the client releases the IPv6 address obtained in step D.

As the above method shows, the invention uses and partly extends the DHCPv6 protocol so that, in an IPv6 network, the network-side server can perform secondary address allocation and dynamic authorization for the Host. Through secondary address allocation, or through dynamic authorization after authentication, the network-side server gains flexible control over the Host.

On the other hand, the invention lets the network side actively update the Host's IPv6 address or permissions, so a user can conveniently switch between different Internet service providers (ISPs) and thereby attach to different access networks; the network-side system updates the client's address and permissions automatically, without any manual update by the user.

Brief Description of the Drawings

Figure 1 is a schematic diagram of a Host accessing the network;

Figure 2 is a flow chart of secondary address allocation according to the invention;

Figure 3 is a schematic diagram of an embodiment of a Host accessing the network;

Figure 4 is a flow chart of an embodiment of secondary address allocation according to the invention.

具体实施方式Detailed ways

Normally a client (Host) obtains its IPv6 address through a Layer 3 device acting as a DHCPv6 relay (Relay) or server (Server); the Layer 3 device may be a broadband remote access server (BRAS), a Layer 3 switch (L3 Switch), a router or similar equipment. Figure 1 shows a schematic of a Host accessing the network: a single DHCPv6 Server is deployed in a local area network or metropolitan area network to manage the addresses of the whole network centrally, and an authentication server (for example an AAA or RADIUS authentication server) is deployed to manage the permissions of each Host. The DHCPv6 Server and the authentication server may be separate devices or may reside in other devices, such as the Layer 3 device mentioned above. The BRAS in Figure 1 acts as the Relay.

The main steps of the secondary address allocation of the invention are: when the client first accesses the network, it obtains an IPv6 address allocated by the DHCPv6 Server; when the user needs greater permissions, the client initiates an authentication request; after the DHCPv6 Server obtains the authentication result, it requires the client to reset the DHCPv6 process; following the DHCPv6 Server's instruction, the client resets the DHCPv6 process and obtains an updated IPv6 address and/or updated permissions.

The secondary address allocation method of the invention is described below with reference to the network of Figure 1 and the flow chart of Figure 2, taking a Host accessing a second network as an example. It comprises the following steps:

Step 201: When the Host powers on, it exchanges messages with the DHCPv6 Server and obtains, via the DHCPv6 protocol, the IPv6 address allocated by the DHCPv6 Server.

At the same time, while performing the DHCPv6 configuration with the Host, the DHCPv6 Server sends the user's access permissions in DHCPv6 messages to the Relay, that is, the BRAS device in the figure, so that the BRAS can enforce the user's access permissions with an ACL (access control list).

Step 202: The Host needs greater access permissions and initiates authentication with the authentication server. The authentication may take the form of WEB authentication, dial-up authentication or similar. When initiating authentication, the user enters the correct user name and password as required.

Step 203: The authentication server authenticates the Host on the basis of its authentication information. When authentication succeeds, the authentication server sends the Host's authentication result to the DHCPv6 Server. This information also contains the Host's current IPv6 address, which the DHCPv6 Server uses to identify the Host the authentication result belongs to.

Step 204: On receiving the Host's authentication result, the DHCPv6 Server sends a DHCPv6 reconfigure message (RECONFIGURE) to the Host, requiring the Host to start resetting the DHCPv6 process.

In the RECONFIGURE message, the DHCPv6 Server can use the RECONFIGURE Option field to specify that the Host send a REQUEST, RENEW or INFORMATION-REQUEST message; alternatively, the DHCPv6 server does not specify which message the Host is to use, and the Host chooses one of these three messages according to its own configuration.

Step 205: After receiving the RECONFIGURE message, the Host sends the message specified by the Server, or the one chosen by its own configuration, to initiate the DHCPv6 reset.

If secondary address allocation is required, the Host sends a REQUEST message directly to the Server, asking the Server to reallocate an IPv6 address and to configure the corresponding parameters. For example, a Host that obtained a Link-Local (local) address when it first powered on can now use a REQUEST message to ask the DHCPv6 Server to reallocate a Global address to the user for Internet access;

If secondary address allocation is not required and only the Host's permissions are to be changed while keeping the original address, a RENEW or INFORMATION-REQUEST message may be sent to start the configuration process of the existing DHCPv6 protocol.

Under the current DHCPv6 protocol, a Host that receives a RECONFIGURE message from the DHCPv6 server may only send a RENEW or INFORMATION-REQUEST message. In other words, the current DHCPv6 protocol can control the Host only without changing its original IPv6 address; it cannot actively change the Host's IPv6 address.

Step 206: While reconfiguring with the Host, the DHCPv6 Server sends the relevant control information in DHCPv6 messages to the BRAS (acting as the DHCPv6 Relay). In the case of secondary address allocation, the BRAS configures the new address and the corresponding permissions; otherwise it only adjusts the permissions of the existing IPv6 address, for example by granting the Host permission to access the Internet.

Step 207: When the Host needs to go offline, the authentication server learns of the user going offline in real time and notifies the DHCPv6 Server, which again sends a RECONFIGURE message to the Host, requiring it to reset the relevant IPv6 address and parameters and to return either to the state it had in step 201 or, as required, to a state in which the Host is disconnected from all networks.

Step 208: The Host sends a REQUEST, RENEW or INFORMATION-REQUEST message as required and starts the corresponding DHCPv6 reset procedure. This step is the same as step 205 and is not described again.

Step 209: The DHCPv6 Server sends the relevant control information to the BRAS in DHCPv6 messages, and the BRAS, as the control information requires, either deletes the permissions attached to the Host's address or adjusts them accordingly, for example by revoking the Host's permission to access the Internet.

The invention is further described below with a specific embodiment that combines WEB authentication with network address allocation.

Figure 3 shows the network for WEB-authentication-based address allocation. A WEB user attaches to the BRAS through a Layer 2 device (L2); the BRAS, a portal server (Portal server), a remote authentication server (RADIUS server) and a dynamic address allocation server (DHCPv6 server) are all attached to the network. The BRAS may contain a built-in address pool, and the Portal server provides the web authentication page. Communication with the DHCPv6 server uses the DHCPv6 protocol, communication with the RADIUS server uses the RADIUS protocol, and communication with the Portal server uses the Portal protocol.

With reference to the network of Figure 3 and the flow chart of Figure 4, the embodiment comprises the following steps:

The user requests an IPv6 address via the DHCPv6 protocol, and the DHCPv6 message is intercepted by the BRAS. The BRAS configuration specifies how to handle a given user's request for an IPv6 address and which DHCPv6 server to request the address from. On receiving the DHCPv6 message, the BRAS selects the configured DHCPv6 server for the user and, acting as a DHCPv6 relay, requests an IPv6 address from it, obtaining a Link-Local (local) IPv6 address; alternatively, the BRAS may select an address for the user from its internal address pool.

While allocating the address, the BRAS also allocates resources to the user, such as a user entry, an address resolution protocol entry, user logs and a flow matching table, and adds a user policy. The user policy contains the permissions assigned to the user, for example which websites may and may not be accessed, the user's traffic limit and which services the user may use, as well as an access control list (ACL), bandwidth limiting (CAR), user priority, quality of service (QoS) and so on. An example policy is "allow access to the Portal server and web site 1, deny access to web site 2; when the user accesses a web site that is not allowed, redirect the user to the Portal server", so that before authentication the user can only reach designated addresses such as the Portal server or a DNS server. Under this policy, a user who visits web site 2 before authentication is redirected to the Portal server, while a user who visits web site 1 is allowed through.

The user opens a browser and visits the Portal server to obtain the authentication page; if the user visits another address that is not allowed, the BRAS redirects the user to the Portal server, which returns the authentication page. The user enters a user name and password and submits the authentication request, which is sent over HTTP to the Portal server for parsing.

The Portal server interacts with the BRAS via the Portal protocol so that the BRAS obtains the user name and password.

The BRAS decides from the suffix of the user name whether to authenticate locally or via RADIUS; for RADIUS authentication it sends the user name and password to the RADIUS server via the RADIUS protocol.

The RADIUS server authenticates the user name and password. At the end of authentication it produces an authentication result, which must contain an attribute indicating whether address allocation is to be performed again, as well as the user's authorization information, such as the bandwidth limit (CAR), the user's remaining online time and the user's priority. It then notifies the DHCPv6 server of the authentication result.

If authentication succeeds and address allocation must be performed again, the DHCPv6 server sends a RECONFIGURE message to the user terminal, in which the extension field RECONFIGURE Option specifies that the user terminal send a REQUEST message.

On receiving the RECONFIGURE message, the user terminal sends a REQUEST message as instructed to perform the DHCPv6 reset; the DHCPv6 server allocates an IPv6 address that is permitted to access other addresses (such as web site 2), together with the corresponding permissions, and sends them to the BRAS.

The BRAS, acting as relay, returns the newly obtained IPv6 address to the user.

After the user obtains the new IPv6 address, the BRAS refreshes the user's policy so that the user can access the designated Global addresses, and the BRAS notifies the Portal server via the Portal protocol that the user's IPv6 address has changed.
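The RECONFIGURE exchange of steps 204 and 205, and of the WEB-authentication embodiment above, as an added Python example that is not code from the patent or its assignee: the server builds a RECONFIGURE carrying the Reconfigure Message option (code 19) and the RFC 3315 Reconfigure Key authentication option, and the client verifies the HMAC-MD5 digest and replay counter before acting on it, because an unauthenticated RECONFIGURE would let any party on the link force the Host into readdressing; the client accepts msg-type REQUEST only when the page's extension is enabled, since RFC 3315 permits only RENEW and INFORMATION-REQUEST here. The key, transaction id and counter values are constructed, and the key is assumed to have been delivered earlier in a REPLY as RFC 3315 describes.

```python
"""Authenticated DHCPv6 RECONFIGURE handling (RFC 3315) plus the page's REQUEST extension."""
import hashlib
import hmac
import struct

# DHCPv6 message types (RFC 3315, section 5.3).
REQUEST, RENEW, RECONFIGURE, INFORMATION_REQUEST = 3, 5, 10, 11
# Option codes (RFC 3315, section 24.3).
OPTION_AUTH, OPTION_RECONF_MSG = 11, 19
# Reconfigure Key Authentication Protocol (RFC 3315, section 21.5): protocol 3,
# HMAC-MD5, monotonic-counter replay detection, auth-info type 2 = digest.
PROTO_RECONF_KEY, ALG_HMAC_MD5, RDM_MONOTONIC, AUTHINFO_DIGEST = 3, 1, 0, 2
AUTH_DATA_LEN = 12 + 16  # fixed fields + 128-bit digest
RFC3315_RECONF_TYPES = frozenset({RENEW, INFORMATION_REQUEST})  # the only types RFC 3315 allows


def _option(code: int, data: bytes) -> bytes:
    return struct.pack("!HH", code, len(data)) + data


def parse_options(raw: bytes):
    """Return [(code, data, data_offset)] for the options after the 4-byte header."""
    opts, off = [], 4
    while off < len(raw):
        if off + 4 > len(raw):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", raw, off)
        off += 4
        if off + length > len(raw):
            raise ValueError("truncated option data")
        opts.append((code, raw[off:off + length], off))
        off += length
    return opts


def build_reconfigure(xid: int, reconf_msg_type: int, key: bytes, counter: int) -> bytes:
    """Server side (step 204): RECONFIGURE telling the Host which message to send,
    protected by an HMAC-MD5 over the whole message with the digest field zeroed."""
    header = struct.pack("!I", (RECONFIGURE << 24) | (xid & 0xFFFFFF))
    auth = struct.pack("!BBBQB", PROTO_RECONF_KEY, ALG_HMAC_MD5, RDM_MONOTONIC,
                       counter, AUTHINFO_DIGEST) + bytes(16)
    msg = header + _option(OPTION_RECONF_MSG, bytes([reconf_msg_type])) + _option(OPTION_AUTH, auth)
    digest = hmac.new(key, msg, hashlib.md5).digest()
    return msg[:-16] + digest  # the auth option is last, so the digest is the tail


def verify_reconfigure(raw: bytes, key: bytes, last_counter: int) -> int:
    """Client side: accept a RECONFIGURE only if its digest verifies under the
    reconfigure key and its counter is fresh; returns the counter to store."""
    if len(raw) < 4 or raw[0] != RECONFIGURE:
        raise ValueError("not a RECONFIGURE message")
    auths = [(d, o) for c, d, o in parse_options(raw) if c == OPTION_AUTH]
    if len(auths) != 1 or len(auths[0][0]) != AUTH_DATA_LEN:
        raise ValueError("RECONFIGURE without a usable authentication option; discard")
    data, off = auths[0]
    proto, alg, rdm, counter, info_type = struct.unpack_from("!BBBQB", data)
    if (proto, alg, rdm, info_type) != (PROTO_RECONF_KEY, ALG_HMAC_MD5, RDM_MONOTONIC, AUTHINFO_DIGEST):
        raise ValueError("unsupported authentication parameters")
    digest_off = off + 12
    zeroed = raw[:digest_off] + bytes(16) + raw[digest_off + 16:]
    expected = hmac.new(key, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected, raw[digest_off:digest_off + 16]):
        raise ValueError("HMAC-MD5 mismatch: RECONFIGURE forged or corrupted")
    if counter <= last_counter:
        raise ValueError("replayed RECONFIGURE")
    return counter


def next_client_message(raw: bytes, allow_request: bool) -> int:
    """Step 205: choose the message the Host sends back. allow_request enables the
    page's extension (RECONFIGURE Option = REQUEST, forcing a fresh address)."""
    types = [d[0] for c, d, _ in parse_options(raw) if c == OPTION_RECONF_MSG and len(d) == 1]
    if len(types) != 1:
        raise ValueError("RECONFIGURE must carry exactly one Reconfigure Message option")
    permitted = RFC3315_RECONF_TYPES | ({REQUEST} if allow_request else frozenset())
    if types[0] not in permitted:
        raise ValueError(f"msg-type {types[0]} not permitted in Reconfigure Message option")
    return types[0]


def demo() -> dict:
    """Run the exchange on constructed values and report how each case is handled."""
    key = b"constructed reconfigure key"  # constructed; a real key arrives in a REPLY
    msg = build_reconfigure(0xABCDEF, REQUEST, key, counter=7)
    out = {"counter": verify_reconfigure(msg, key, last_counter=6),
           "patent_client": next_client_message(msg, allow_request=True)}
    tampered = bytearray(msg)
    tampered[8] = RENEW  # flip the Reconfigure Message option body (4-byte header + 4-byte option header)
    for name, fn in (("rfc3315_client", lambda: next_client_message(msg, False)),
                     ("tampered", lambda: verify_reconfigure(bytes(tampered), key, 6)),
                     ("replayed", lambda: verify_reconfigure(msg, key, 7)),
                     ("wrong_key", lambda: verify_reconfigure(msg, b"other key", 6))):
        try:
            fn()
            out[name] = "accepted"
        except ValueError as exc:
            out[name] = f"rejected: {exc}"
    return out
```

Calling `demo()` shows the extended client sending REQUEST while a plain RFC 3315 client, a tampered message, a replay and a wrong key are all rejected.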

In the above embodiment, the address allocated before authentication is a local IPv6 address and a global IPv6 address is allocated after authentication. In practice, the addresses before and after authentication may both be global IPv6 addresses, which allows a user to switch between ISPs. For example, a user belongs to operator 1 by default before authentication: the address is allocated by operator 1 and the accessible websites are also defined by operator 1. If the user needs to switch operator, the user must be authenticated by operator 2 and receive the permissions granted by operator 2; once authentication succeeds, the address allocated by operator 1 should be released and an address allocated by operator 2 requested.

The above are merely preferred embodiments of the invention and are not intended to limit it. Any modification, equivalent substitution or improvement made within the spirit and principles of the invention falls within its scope of protection.

Claims (8)

1. A secondary address allocation method, applied in an IPv6 network, characterized in that the method comprises the following steps:
A. a client interacts with a DHCPv6 server to obtain an IPv6 address allocated by the DHCPv6 server;
B. the client initiates an authentication request, an authentication server authenticates the client, and the authentication result is sent to the DHCPv6 server;
C. after the DHCPv6 server obtains the authentication result, it instructs the client, according to the authentication result, to reset the DHCPv6 process;
D. following the instruction of the DHCPv6 server, the client interacts with the DHCPv6 server to obtain an IPv6 address reallocated by the DHCPv6 server.
2. The method according to claim 1, characterized in that it further comprises an access server through which the client accesses the IPv6 network;
step A further comprises: adding a user policy for the client on the access server;
step D further comprises: updating the user policy for the client on the access server;
said user policy comprises at least the permissions assigned to the user.
3. The method according to claim 2, characterized in that said permissions comprise at least one of:
addresses the user is allowed to access, addresses the user is not allowed to access, the user's traffic limit, and the services the user is allowed to use.
4. The method according to claim 2, characterized in that said access server includes, but is not limited to: a BRAS, a Layer 3 switch, a router.
5. The method according to claim 1, characterized in that said authentication result of step B comprises at least one of:
an attribute indicating that address allocation must be performed again, and an attribute indicating that the client's permissions must be changed.
6. The method according to claim 1, characterized in that the step of instructing the client to reset the DHCPv6 process in step C instructs the client, by means of the RECONFIGURE Option field in the reconfigure message RECONFIGURE, to initiate a REQUEST message.
7. The method according to claim 1, characterized in that said authentication server is an AAA server or a RADIUS server.
8. The method according to claim 1, characterized in that, when the client leaves the IPv6 network, step D is further followed by:
the client releasing the IPv6 address obtained in step D.

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN 200410097049 (CN1798158A) | 2004-12-21 | 2004-12-21 | Method for distributing second level address

Publications (1)

Publication Number | Publication Date
CN1798158A | 2006-07-05

Family ID: 36818912

Country Status (1)

Country | Link | Status
CN | CN1798158A | Pending

Cited By (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101145907B (en) * 2006-09-11 2010-05-12 华为技术有限公司 Method and system for realizing user authentication based on DHCP
CN101252604B (en) * 2007-02-23 2012-02-08 国际商业机器公司 Equipment and method to add IPV6 and DHCP support to the network support package
US7991863B2 (en) 2007-07-25 2011-08-02 Huawei Technologies Co., Ltd Method and device for requesting and allocating connection point address
WO2009012709A1 (en) * 2007-07-25 2009-01-29 Huawei Technologies Co., Ltd. Method and device for requesting and distributing address of connection point
US8464321B2 (en) 2007-12-27 2013-06-11 Huawei Technologies Co., Ltd. Method for assigning network addresses, network and network node thereof
US9467447B2 (en) 2008-03-26 2016-10-11 Huawei Technologies Co., Ltd. Network access method, authentication method, communications system and relevant devices
CN101547383B (en) * 2008-03-26 2013-06-05 华为技术有限公司 Access authentication method, access authentication system and related equipment
WO2009117960A1 (en) * 2008-03-26 2009-10-01 华为技术有限公司 Method for accessing network, authentication method, communication system and related equipment
US8594103B2 (en) 2008-03-26 2013-11-26 Huawei Technologies Co., Ltd. Network access method, authentication method, communications systems and relevant devices
US8925067B2 (en) 2008-03-26 2014-12-30 Huawei Technologies Co., Ltd Network access authentication
CN101945144A (en) * 2010-09-14 2011-01-12 中兴通讯股份有限公司 IP address redistribution method and service node
CN102594939B (en) * 2012-02-16 2014-11-12 杭州华三通信技术有限公司 Secondary address allocation method and device
CN102594939A (en) * 2012-02-16 2012-07-18 杭州华三通信技术有限公司 Secondary address allocation method and device
CN104040985A (en) * 2012-11-16 2014-09-10 华为技术有限公司 Address reconfiguration method, server and client
CN104040985B (en) * 2012-11-16 2016-12-28 华为技术有限公司 Address reconfiguration method, server and client
CN104780233B (en) * 2014-01-14 2018-07-27 中国电信股份有限公司 Distribute method, wideband network gateway and the system of IPv6 address fields
CN114401249A (en) * 2021-12-08 2022-04-26 云南电网有限责任公司红河供电局 IPv6 address allocation method and system
CN114401249B (en) * 2021-12-08 2024-01-23 云南电网有限责任公司红河供电局 IPv6 address allocation method and system

Similar Documents

Publication Publication Date Title
CN1277434C (en) Secure access method, and associated apparatus, for accessing a private data communication network
US10142159B2 (en) IP address allocation
CN108737585B (en) IP address allocation method and device
CN1984155B (en) Domain name configuration method and network equipment in IPv6 access network
US8161523B2 (en) Method and apparatus for network access control (NAC) in roaming services
JP5088100B2 (en) IP network system, access control method thereof, IP address distribution apparatus, and IP address distribution method
CN101056178A (en) A method and system for controlling the user network access right
CN1750508A (en) Packet forwarding apparatus and access network system
CN102148878A (en) IP (internet protocol) address allocation method, system and device
CN1578487A (en) Method for mobile terminal switching in packet network
CN1713629A (en) Realization of user login name and IP address binding
US20080155678A1 (en) Computer system for controlling communication to/from terminal
CN105472048A (en) Address allocating method, information aggregation method and related equipment
WO2012089001A1 (en) Ip address allocation method and device
CN101043331A (en) System and method for distributing address for network equipment
CN1798158A (en) Method for distributing second level address
CN1744597A (en) Method for host use obtaining IP address parameters in IPV6 network
CN101084657A (en) Gateway, network configuration, and method for controlling access to web server
US20240098583A1 (en) PDU session continuity for a UE moving between a telecommunications network and a gateway device
KR100766067B1 (en) Method and device for supporting user mobility by allowing guest access in internet service network and charging method based on the same
CN1553341A (en) Client-based Network Address Assignment Method
CN1929482B (en) Method and device for network service authentication
CN102148882B (en) Method and system for dynamic domain name resolution after deploying NAT
CN1567887A (en) Method for triggering user IP address assignment
CN1489341A (en) Method and server for allocating local area network resources to terminals according to terminal types

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Open date: 20060705