[background technology]
With the spread of the Internet, IP networks have developed greatly over the past few years, and the use of the IP protocol as the basic protocol of network communication has gradually become the common understanding of both the broadband communications field and the computer networking field.
IP network communication can only take place once an IP address has been obtained; without an IP address the resources of the IP network cannot be used. The IP address is, moreover, a limited and valuable resource in broadband networks and the basis on which broadband services are provided. The rational and orderly allocation and provisioning of IP addresses is therefore frequently combined with communication-network access permission control, and the two together govern a user's permission to use the IP network. How to allocate IP addresses securely, reliably and conveniently, to raise the allocation utilisation of IP addresses as far as possible, to apply access control to users, and at the same time to keep the operational and cost impact of the IP address assignment mechanism on IP network communication as small as possible, has always been a key factor affecting the use and deployment of IP networks, and has become one of the focal problems of greatest concern and technical innovation in the IP networking field.
Existing IP address assignment and access control generally use one of several modes, such as PPP (Point-to-Point Protocol), DHCP, DHCP+WEB and 802.1x. Because of restrictions on the situations in which the other protocols can be used and their own limitations, PPP and DHCP (and extensions of DHCP such as DHCP+WEB) are at present the most widely used modes.
The PPP protocol, developed on the basis of the IETF RFC system jointly by Redback Networks, the client-software developer RouterWare and UUNET Technologies (a subsidiary of Worldcom), has complete user management and control protocols of its own, can handle subscriber authorisation, access and authentication well, and, through the protocol extensions supported by Radius/Radius+, can apply precise and rich access-permission control to users. The use of PPP has drawbacks, however. First, the protocol itself consumes on average about 3% of bandwidth as overhead (under continuous traffic models such as video streaming the cumulative effect of this overhead is considerable), and PPP generates a large amount of broadcast traffic in the discovery stage, which has a large impact on network performance. Second, it requires expensive BRAS equipment; after authentication is complete the service data flow must also pass through the BRAS equipment, which easily creates a single-point bottleneck and single point of failure, so its support for emerging services (such as video streaming media services) is deficient, and the performance and functions of existing mainstream BRAS for streaming media services in particular have certain defects. Third, the operator must provide client terminal software, and the maintenance workload is excessive. Consequently, when PPP is used for emerging services its cost-performance ratio is seriously poor.
The DHCP protocol (for the detailed protocol contents see RFC documents RFC2131/RFC2132), designed by the IETF (Internet Engineering Task Force), is an extension of BOOTP (Bootstrap Protocol, see RFC951 for details). It provides a mechanism for dynamically assigning IP addresses and network configuration based on the C/S (Client/Server) model. Under the dynamic-configuration mechanism, a DHCP client leases an IP address from the DHCP server for the first time and uses that address non-permanently; as soon as the lease expires, the DHCP client releases the IP address. DHCP allows a DHCP client to be dynamically assigned an IP address from the IP address database of the DHCP server on the local network, which avoids the configuration errors that can be caused by typing the IP address manually on every computer, improves the efficiency of configuration, helps prevent conflicts between configured IP addresses, and greatly reduces the time spent configuring and reconfiguring the IP addresses of computers.
Although DHCP is a comparatively simple IP address assignment mode, its management and use are both very convenient and it adds no extra message encapsulation overhead, the standard DHCP protocol does not verify the qualifications of the end user and is therefore not a very reliable or secure method of IP address assignment. Standard DHCP also cannot grant appropriate network rights according to the features of the user's profile, let alone authorise access. Extensions of DHCP such as DHCP+WEB solve the problem of authorised access by certain means, but because they still do not solve the reliability problem of IP assignment, and the protocol has a certain complexity and is non-standard, they still cannot achieve real security and reliability.
[summary of the invention]
The object of the present invention is to provide an IP address assignment method based on a DHCP extended attribute, so as to realise secure and reliable assignment of IP addresses, to realise effective authentication of the user's permission to access the IP network by combining the method with various gateway devices, and to ensure that this extension remains backward compatible to the greatest extent with the standard DHCP protocol and with IP networks.
To distinguish the present invention, the protocol improvements proposed by the invention are referred to below collectively as the DHCP+ protocol, meaning the extension built on the basis of standard DHCP.
The object of the invention is achieved through the following technical solution: an IP address assignment method based on a DHCP extended attribute, applicable to an IP address assignment system comprising a DHCP+ client terminal to which an authentication function has been added, a DHCP+ server to which authentication and authorisation support has been added, and an AAA server. The method comprises:
(1) discovery process: the DHCP+ client terminal broadcasts to the network a DHCPDISCOVER message containing an Option 60 field in order to find the DHCP+ server;
(2) discrimination and verification process: on receiving the DHCPDISCOVER message, the DHCP+ server determines whether it contains an Option 60 field; if so, it verifies whether the Option 60 field contains the agreed identifying information; otherwise it may discard the DHCPDISCOVER message or handle it as standard DHCP;
(3) offer process: if verification finds that the Option 60 field contains the agreed identifying information, the DHCP+ server selects one of the IP addresses not yet assigned and sends the DHCP+ client terminal a DHCPOFFER message containing the selected IP address, the IP address lease and an Option 60 field;
(4) information extraction and verification process: the DHCP+ client terminal extracts the information from the Option 60 field of the DHCPOFFER message and verifies whether the agreed field sent by the DHCP+ server is legal; if it is not legal, the message is discarded;
(5) selection process: if the Option 60 field contained in the DHCPOFFER is verified as legal, the DHCP+ client terminal broadcasts a DHCPREQUEST message containing an Option 60 field to the DHCP+ server, requesting its selected DHCP+ server to assign an IP address;
(6) authentication control process: the DHCP+ server passes the user identification information contained in the Option 60 field of the received DHCPREQUEST message to the AAA server; the AAA server performs authentication control according to the user profile and returns the corresponding success/failure control information to the DHCP+ server;
(7) acknowledgement process: if the returned control information is success, the DHCP+ server sends the DHCP+ client terminal a DHCPACK message containing the assigned IP address and an Option 60 field; if the returned control information is failure, it sends a DHCPNACK message; in both cases the success/error code information is inserted into the Option 60 field.
The present invention uses Option 60, the vendor-defined attribute field among the many extended attributes (Options) that standard DHCP provides (see RFC2132 etc.), to realise a security authentication function for DHCP and thereby achieve secure and reliable assignment of network IP addresses. The invention can furthermore be combined with various gateway devices to realise effective authentication of the user's permission to access the IP network, while ensuring that the extension remains backward compatible to the greatest extent with the standard DHCP protocol and with IP networks. Compared with the prior art, the invention realises a controlled IP assignment protocol other than PPP that can substitute for BRAS equipment, thereby reducing the network's dependence on BRAS, markedly reducing the cost of network rebuilding, and in turn encouraging IP network operators to carry out network rebuilding and actively develop the IPTV business.
[embodiment]
The standard DHCP protocol provides support for many extended attributes (see RFC2132 etc.). These extended attributes (Options) allow each vendor to extend the functions for which the DHCP protocol is used and to perform certain specific tasks, such as carrying participant identification, carrying user profiles or carrying location information, so they can serve as a transmission channel for control information. This makes it possible for us to transform the DHCP protocol and provide an authentication mechanism. If the extended function defined for an Option is generally recognised and accepted by the industry, it is confirmed in RFC form as a recommendation or official standard; for example, Option 82 is a standard confirmed by RFC3046.
Considering that standard DHCP has numerous extended fields, and in order to make DHCP+ as compatible with DHCP as possible, we select Option 60 as the extension. In the RFC, Option 60 is defined as the vendor-defined attribute field, and its contents and the function it implements can be determined by each vendor independently, so selecting Option 60 gives the best compatibility.
The present invention uses the Option 60 extended attribute to realise the security authentication function of DHCP.
Figure 1 is the flow chart of the present invention for a first-time IP address assignment. The figure shows that the method of the invention can be applied to an IP address assignment system comprising three devices: a DHCP+ client terminal, a DHCP+ server and an AAA server. The DHCP+ client terminal is a client terminal to which an authentication function has been added. The DHCP+ server is a server to which authentication and authorisation support has been added; it comprises a standard DHCP processing module and an AAA processing module, the AAA processing module being a software module within the DHCP+ server that is responsible for authentication and authorisation processing. The AAA server is an authentication server mainly responsible for storing user information and providing the DHCP+ server with authentication decisions.
AAA stands for Authentication, Authorization and Accounting, defined as follows:
Authentication: the AAA server compares the user information stored in its database with the user identity contained in the authentication request sent by the end user, in order to confirm whether the user identity is legal.
Authorization: defines the rights and services the user may enjoy once admitted to the network.
Accounting: collects information on the user's resource usage, for use in charging.
As shown in Figure 1, processes A, B, C and D are the standard DHCP flow, and processes 1 to 15 are the extended protocol flow of DHCP+; they are described in detail below.
In process 1, the DHCP+ client terminal generates vendor identification information, or identification information agreed with the DHCP+ server, by which the server can recognise whether the DHCP+ client terminal supports DHCP+ authentication; it forms this into an Option 60 field and inserts it into the DHCPDISCOVER message to be sent to the server.
Process A is the discovery process of standard DHCP: the DHCP+ client terminal broadcasts to the network a DHCPDISCOVER message containing the Option 60 field in order to find the DHCP+ server.
In process 2, the DHCP+ server uses its standard DHCP processing module to determine whether the DHCPDISCOVER message received from the DHCP+ client terminal contains an Option 60 field. If the message does not carry an Option 60 field, it may be discarded or, where the DHCP+ server is compatible with standard DHCP, handled as standard DHCP.
Then, in process 3, if the DHCPDISCOVER message is found to contain an Option 60 field, the standard DHCP processing module passes the DHCPDISCOVER message to the AAA processing module and records the MAC address of the corresponding DHCP+ client terminal.
In process 4, the AAA processing module identifies the Option 60 field information in the DHCPDISCOVER message and verifies whether it is the vendor identification or the previously agreed identification field.
If verification succeeds, process 5 follows: the AAA processing module generates a key for encryption and returns it to the standard DHCP processing module. Keys correspond one-to-one with the MAC addresses of the DHCP+ client terminals, so that several DHCP+ client terminals can be handled at the same time. If verification fails, the AAA processing module returns error code information to the standard DHCP processing module. Where the standard DHCP protocol is to be supported, it may also return a success message or a specially defined code message.
In process 6, if the standard DHCP processing module receives error code information it drops the message; otherwise it inserts the key obtained into the Option 60 field of the DHCPOFFER message to be sent to the DHCP+ client terminal. Option 60 may at the same time also carry a server identification, so that the DHCP+ client terminal can conveniently judge whether the sender of the DHCPOFFER is the agreed DHCP+ server.
Processes 2 to 6 together constitute the discrimination and verification process of the present invention.
Process B is the offer process of standard DHCP: the DHCP+ server selects one of the IP addresses not yet assigned and sends the DHCP+ client terminal a DHCPOFFER message containing the selected IP address, the IP address lease and the Option 60 field.
Process 7, which follows, is the information extraction and verification process. The DHCP+ client terminal extracts the information from Option 60 of the DHCPOFFER message; if it contains the agreed field sent by the server, the client verifies whether the field is legal and discards the message if it is not. If the Option 60 field is legal, the DHCP+ client terminal takes the key from it and, using the previously arranged encryption algorithm, encrypts with this key the username/password information kept on the DHCP+ client terminal, obtaining an encrypted information field that it writes into the Option 60 field of the DHCPREQUEST message to be sent to the server.
As to the choice of encryption algorithm, several algorithms may be built in beforehand and kept on both the client terminal and the server; at authentication time the client terminal selects one of them at random and sends the algorithm's code name to the server in the aforementioned process 1, and the server records this code and selects the encryption algorithm accordingly.
Process C is the selection process of standard DHCP: the DHCP+ client terminal broadcasts a DHCPREQUEST message containing the Option 60 field to the DHCP+ server, requesting its selected DHCP+ server to assign an IP address.
In process 8, the standard DHCP processing module extracts the Option 60 field from the received DHCPREQUEST message and passes it to the AAA processing module.
Process 9, which follows, is the decryption process: the AAA processing module uses the key generated in the aforementioned process 5 to decrypt the encrypted information in the Option 60 field and recover the plaintext username and password information.
Processes 10 and 11 are the authentication control processes of the present invention. In process 10 the AAA processing module passes the user identification information, such as username, password and MAC, to the AAA server (the Radius protocol or other protocols may be used). In process 11 the AAA server performs authentication control according to the user profile and returns the corresponding success or failure control information (detailed codes may be defined to distinguish different situations) to the AAA processing module of the DHCP+ server.
In process 12, the AAA processing module receives the information returned by the AAA server, carries out necessary work such as local log recording, and returns a success/error code (which need not be the same as the code used between the AAA server and the AAA module) to the standard DHCP processing module.
Then, in process 13, the standard DHCP processing module decides according to the returned success/failure information whether to send the DHCP+ client terminal a DHCPACK message or a DHCPNACK message, and inserts the error code information into the Option 60 field.
Process D is the acknowledgement process of standard DHCP: if the returned control information is success, the DHCP+ server sends the DHCP+ client terminal a DHCPACK message containing the assigned IP address; if the returned control information is failure, it sends a DHCPNACK message.
Finally, as shown in process 14, if the DHCP+ client terminal receives a DHCPNACK message, it can display the reason for the error to the end user according to the error information contained in the Option 60 field.
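The first-time assignment described in steps (1) to (7) and processes 1 to 14 above, worked through as an added Python example that is not part of the patent. The option layout follows the RFC 2132 TLV format; the vendor identifier `DHCP+v1`, the algorithm code name, the HMAC-SHA256 keystream XOR standing in for the pre-agreed encryption algorithm, the success/error codes and the AAA user table are all constructed assumptions for illustration.

```python
import hashlib, hmac, os, struct

VENDOR_ID = b"DHCP+v1"    # constructed identifier agreed by client and server in advance
ALGO_XOR_HMAC = 1         # constructed "algorithm code name" the client sends in process 1
OK, ERR_AUTH = 0, 1       # constructed success/failure codes returned inside Option 60
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6   # DHCP message type (Option 53) values

def encode_options(opts):
    """Serialise {code: bytes} as DHCP option TLVs ending with the 0xFF end option."""
    return b"".join(bytes([c, len(v)]) + v for c, v in opts.items()) + b"\xff"

def decode_options(raw):
    """Inverse of encode_options; stops at the 0xFF end option."""
    opts, i = {}, 0
    while i < len(raw) and raw[i] != 0xFF:
        code, length = raw[i], raw[i + 1]
        opts[code] = raw[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def xor_hmac(key, data, algo):
    """Toy reversible transform standing in for the pre-agreed algorithm (constructed)."""
    if algo != ALGO_XOR_HMAC:
        raise ValueError("unsupported algorithm code")
    stream = b"".join(hmac.new(key, struct.pack(">I", n), hashlib.sha256).digest()
                      for n in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def server_discover(server, mac, discover):
    """Processes 2-6: check Option 60, bind a fresh key to the client MAC, build the DHCPOFFER."""
    opts = decode_options(discover)
    if 60 not in opts:
        return "standard-dhcp"                       # compatibility mode: no Option 60 at all
    if opts[60][:-1] != VENDOR_ID:
        return None                                  # verification failed: message is dropped
    key = os.urandom(16)
    server["keys"][mac] = (key, opts[60][-1])        # one key per client MAC (process 5)
    server["offered"][mac] = server["pool"].pop(0)   # the address carried in the OFFER's yiaddr
    return encode_options({53: bytes([OFFER]), 60: VENDOR_ID + key})

def client_request(offer, username, password):
    """Process 7: verify the server's Option 60, then encrypt the credentials with its key."""
    opts = decode_options(offer)
    if not opts.get(60, b"").startswith(VENDOR_ID):
        return None                                  # not the agreed DHCP+ server: drop
    key = opts[60][len(VENDOR_ID):]
    blob = xor_hmac(key, f"{username}:{password}".encode(), ALGO_XOR_HMAC)
    return encode_options({53: bytes([REQUEST]), 60: blob})

def server_request(server, aaa_users, mac, request):
    """Processes 8-13: decrypt, consult AAA, answer DHCPACK or DHCPNAK with a status code."""
    opts = decode_options(request)
    key, algo = server["keys"][mac]
    user, _, pwd = xor_hmac(key, opts[60], algo).decode().partition(":")
    if aaa_users.get(user) == pwd:                   # process 11: the AAA server's decision
        return encode_options({53: bytes([ACK]), 60: bytes([OK])})
    server["pool"].append(server["offered"].pop(mac))   # failed: the offered address goes back
    return encode_options({53: bytes([NAK]), 60: bytes([ERR_AUTH])})

def run_exchange(username, password):
    """Drive one first-time assignment; returns (message type, Option 60 status code)."""
    server = {"pool": [bytes([10, 0, 0, 20])], "keys": {}, "offered": {}}
    aaa_users = {"alice": "s3cret"}                  # constructed AAA user database
    mac = bytes.fromhex("001122334455")
    discover = encode_options({53: bytes([DISCOVER]), 60: VENDOR_ID + bytes([ALGO_XOR_HMAC])})
    offer = server_discover(server, mac, discover)
    reply = decode_options(server_request(server, aaa_users, mac,
                                          client_request(offer, username, password)))
    return reply[53][0], reply[60][0]
```

A DISCOVER without Option 60 takes the standard-DHCP path of process 2, and a wrong vendor identifier is dropped, so the same functions also exercise the compatibility behaviour described for the DHCP+ server.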
Figure 2 shows the flow for re-leasing an expired IP address and the flow for releasing an IP address in the present invention. As shown in Figure 2, processes 7 to 14 make up the re-leasing flow S1, which is consistent with the aforementioned first-time IP address assignment process, except that in case of an error (for example, authentication failure) the error codes and information returned differ, and the error description displayed by the client terminal also differs; it is not elaborated further here.
Processes 15 to 18 make up the IP address release flow S2, described in detail as follows:
Process 15: the DHCP+ client terminal actively initiates an IP release request.
Process E: the DHCP+ client terminal sends a DHCPRELEASE message to the DHCP+ server.
Process 16: the standard DHCP processing module reclaims the IP address according to the client terminal's MAC address information and passes this release information together with the client terminal's MAC information to the AAA processing module.
Process 17: the AAA processing module passes the user identification information, such as the client terminal's MAC, username and password, to the AAA server, removes the user's online information kept by itself, and at the same time performs work such as the corresponding log recording.
Process 18: the AAA server records the user's offline information and generates logs, call detail records (tickets) and the like.
The DHCP+ flow of the invention described above is a general embodiment; in actual implementation some processes may be flexibly omitted according to the specific application. For example, if username and password encryption is not required, the encryption process may be omitted.
As to whether the present invention can support Option 82: Option 82 is an extended definition for user location information established by RFC3046, and the user's location attribute defined by Option 82 can also play an authentication role to a certain extent. Option 82 is generally inserted into the Option field of the DHCP message by a network device (such as a DSLAM); therefore, as long as the AAA server supports authentication on Option 82 information, the present invention can also support Option 82 authentication at the same time. For example, as long as the corresponding interface and information are defined, the DHCP+ server can choose either Option 60 or Option 82, or send both to the AAA server together for the AAA server to authenticate.
The present invention can also be compatible with the standard DHCP flow. Provided a configuration command switch is available, the DHCP+ server and DHCP+ terminal can choose to support the standard DHCP flow, or a compatibility mode in which both run at the same time. If the DHCP+ server selects standard mode, it does not process Option 60 or Option 82, and the AAA processing module does not operate. Likewise, the DHCP+ client terminal then does not send messages carrying Option 60 and does not check for the agreed information in Option 60. If the DHCP+ server and DHCP+ client terminal are set to the compatibility mode in which both are used at the same time, how a message is handled is decided according to whether Option 60 carries the agreed identification: if the message is standard DHCP, it is handled by the standard DHCP flow; if it is the agreed DHCP+, it is handled by the DHCP+ flow.
If the above DHCP+ protocol is integrated on the routers (Router) and L3 switch equipment of the IP communication network, DHCP+ can be combined with network access authorisation as follows:
(1) the router or L3 switch serves as the gateway (Gateway) through which users access network resources, and supports the DHCP+ server function;
(2) the user applies for an IP address using the DHCP+ protocol;
(3) if DHCP+ authentication does not pass, the gateway (Gateway) does not assign this user an IP address and does not open any (or opens only part) of the user's rights to access the network.
In this way a complete access permission management function for users can be realised, achieving the control effect of PPP used with BRAS.