CN1889577A - IP address distributing method based on DHCP extended attribute - Google Patents


Info

Publication number
CN1889577A
Authority
CN
China
Prior art keywords
dhcp, server, option, client terminal, information
Legal status
Granted
Application number
CNA2006101066374A
Other languages
Chinese (zh)
Other versions
CN100539595C (en)
Inventor
彭晓峰
Current Assignee
Excellent network Co., Ltd.
Original Assignee
UTStarcom Telecom Co Ltd
Application filed by UTStarcom Telecom Co Ltd
Priority to CNB2006101066374A (granted as CN100539595C)
Publication of CN1889577A
Related PCT application: PCT/IB2007/052836 (WO2008010184A2)
Application granted; legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/50 Address allocation
    • H04L61/5007 Internet protocol [IP] addresses
    • H04L61/5014 Internet protocol [IP] addresses using dynamic host configuration protocol [DHCP] or bootstrap protocol [BOOTP]
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0892 Network architectures or network communication protocols for network security for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols

Abstract

A method for allocating IP addresses based on a DHCP extension attribute uses the vendor-defined attribute field Option 60, one of the many extension attributes provided by standard DHCP, to add security authentication to DHCP. The method comprises a discovery process, an Option 60 identification and verification process, an offer process, an Option information extraction and verification process, a selection process, an authentication control process using Option 60, and a confirmation process, so that network IP addresses are allocated securely and reliably.

Description

An IP address assignment method based on a DHCP extended attribute
[technical field]
The present invention relates to an IP address assignment method in the fields of broadband communications and computer networks, and in particular to an IP address assignment method based on a DHCP (Dynamic Host Configuration Protocol) extended attribute.
[background technology]
With the spread of the Internet, IP networks have developed greatly in recent years, and using the IP protocol as the basic protocol of network communication has gradually become the consensus of both the broadband communications and computer networking fields.
IP network communication can only begin once an IP address has been obtained; without an IP address, IP network resources cannot be used. IP addresses are a limited and valuable resource in broadband networks and the basis on which broadband services are provided. The rational and orderly allocation and provision of IP addresses is therefore often combined with network access permission control, and together they govern a user's license to use the IP network. How to allocate IP addresses securely, reliably and conveniently, to raise the utilization of IP addresses as far as possible, to perform access control on users, and at the same time to keep the operational and cost impact of the IP address assignment mechanism on IP network communication as small as possible, has always been a key factor affecting the use and deployment of IP networks, and has become one of the most closely watched focal problems and areas of technical innovation in the IP networking field.
Existing IP address assignment and access control use several modes, such as PPP (Point-to-Point Protocol), DHCP, DHCP+WEB and 802.1x. Because of restrictions on where other protocols can be used and their own limitations, PPP and DHCP (and DHCP extensions such as DHCP+WEB) are currently the most widely used modes.
The PPP protocol, developed jointly on the basis of the IETF RFC system by Redback Networks, the client software developer RouterWare and UUNET Technologies (a subsidiary of Worldcom), has mature user management and control mechanisms of its own, can handle user authorization, access and authentication well, and, through the extended protocol support of Radius/Radius+, can apply precise and rich access permission control to users. Using PPP has drawbacks, however. First, the protocol itself consumes on average about 3% of bandwidth as overhead (under sustained traffic models such as video streaming the cumulative effect of this overhead is obvious), and PPP generates a large amount of broadcast traffic in the discovery stage, which affects network performance considerably. Second, expensive BRAS equipment is needed, and after authentication completes the service data flow must still pass through the BRAS, which easily becomes a single point of bottleneck and failure; its support for emerging services (such as video streaming) is deficient, and the current mainstream BRAS in particular has shortcomings in performance and function for streaming media services. Third, the operator must supply client terminal software, and the maintenance workload is excessive. Using PPP for emerging services is therefore seriously poor in cost-effectiveness.
The DHCP protocol (see RFC 2131/RFC 2132 for the detailed protocol contents), designed by the IETF (Internet Engineering Task Force), is an extension of BOOTP (Bootstrap Protocol, see RFC 951) and provides a mechanism for dynamically assigning IP addresses and network configuration based on the C/S (client/server) model. Under dynamic configuration, a DHCP client leases an IP address from the DHCP server for the first time and uses the address non-permanently; once the lease expires, the DHCP client releases the IP address. DHCP allows a DHCP client to be assigned an IP address dynamically from the IP address database of a DHCP server on the local network, which avoids the configuration errors that manually keying IP addresses into every computer may cause, improves configuration efficiency, helps prevent IP address conflicts, and greatly reduces the time needed to configure and reconfigure computers' IP addresses.
Although DHCP is a relatively simple IP address assignment mode whose management and use are very convenient and which adds no extra message encapsulation overhead, the standard DHCP protocol does not verify the end user's qualification and is therefore not a very reliable or secure IP address assignment method. Nor can standard DHCP grant appropriate network rights according to user profile characteristics, let alone authorize access. DHCP extensions such as DHCP+WEB solve the problem of authorized access by certain means, but because the reliability problem of IP allocation remains unsolved and the protocol has a certain complexity and is non-standard, they also fall short of being truly secure and reliable.
[summary of the invention]
The object of the present invention is to provide an IP address assignment method based on a DHCP extended attribute that achieves secure and reliable allocation of IP addresses, that, in combination with various gateway devices, effectively authenticates a user's IP network access permission, and that ensures the extension keeps maximum backward compatibility with the standard DHCP protocol and IP network.
Below, the protocol improvement proposed by the present invention is referred to as the DHCP+ protocol, to show that it is an extension on the basis of standard DHCP.
The object of the invention is achieved through the following technical solution: an IP address assignment method based on a DHCP extended attribute, applicable to an IP address assignment system comprising a DHCP+ client terminal with added authentication function, a DHCP+ server with added authentication and authorization support, and an AAA server, the method comprising:
(1) Discovery process: the DHCP+ client terminal broadcasts to the network a DHCPDISCOVER message that includes an Option 60 field, to find a DHCP+ server;
(2) Identification and verification process: on receiving the DHCPDISCOVER message, the DHCP+ server determines whether it contains an Option 60 field; if so, it verifies whether the Option 60 field contains the agreed identification information; otherwise the DHCPDISCOVER message may be discarded or handled as standard DHCP;
(3) Offer process: if verification finds that the Option 60 field contains the agreed identification information, the DHCP+ server picks one of the still unallocated IP addresses and sends the DHCP+ client terminal an IP address lease (DHCPOFFER) message containing the picked IP address and an Option 60 field;
(4) Information extraction and verification process: the DHCP+ client terminal extracts the information from the Option 60 field of the DHCPOFFER message and verifies whether the agreed field sent by the DHCP+ server is legal; if it is not, the message is discarded;
(5) Selection process: if the Option 60 field contained in the DHCPOFFER is verified as legal, the DHCP+ client terminal broadcasts to the DHCP+ server a DHCPREQUEST message containing an Option 60 field, requesting the selected DHCP+ server to allocate an IP address;
(6) Authentication control process: the DHCP+ server delivers the user identification information contained in the Option 60 field of the received DHCPREQUEST message to the AAA server; the AAA server performs authentication control according to the user profile and returns corresponding success/failure control information to the DHCP+ server;
(7) Confirmation process: if the returned control information is success, the DHCP+ server sends the DHCP+ client terminal a DHCPACK message containing the allocated IP address and an Option 60 field; if the returned control information is failure, it sends a DHCPNACK message; in either case the success/error code information is inserted into the Option 60 field.
The present invention uses Option 60, the vendor-defined attribute field among the many extended attributes (Options) that standard DHCP supports (see RFC 2132 etc.), to implement a security authentication function for DHCP and so achieve secure and reliable allocation of network IP addresses. The invention can further be combined with various gateway devices to effectively authenticate a user's IP network access permission, while ensuring that the extension keeps maximum backward compatibility with the standard DHCP protocol and IP network. Compared with the prior art, the invention realizes a controlled IP allocation protocol other than PPP that can replace BRAS equipment, thereby reducing the network's dependence on BRAS, significantly lowering network rebuilding costs, and in turn encouraging IP network operators to upgrade their networks and actively develop IPTV services.
[description of drawings]
Fig. 1 is a flow chart of the first-time IP address allocation of the present invention.
Fig. 2 is a flow chart of IP address re-leasing and IP address release in the present invention.
[embodiment]
The standard DHCP protocol provides support for many extended attributes (see RFC 2132 etc.). These extended attributes (Options) allow each vendor to extend the functions of the DHCP protocol to accomplish specific tasks, such as carrying participant identification, carrying user information or carrying location information, and they can therefore be used as a transport channel for control information. This makes it possible for us to transform the DHCP protocol and provide an authentication mechanism. If the extended function defined by an Option is generally recognized and accepted by the industry, it is confirmed in RFC form as a recommendation or official standard; Option 82, for example, is a standard confirmed by RFC 3046.
Considering that standard DHCP has numerous extension fields, and aiming to keep DHCP+ as compatible with DHCP as possible, we select Option 60 as the extension identifier. The RFC defines Option 60 as the vendor-defined attribute field, whose content and function may be determined by each vendor, so choosing Option 60 gives the best compatibility.
The present invention uses the Option 60 extended attribute to implement the security authentication function of DHCP.
Fig. 1 shows the flow chart of first-time IP address allocation in the present invention. As shown in the figure, the method of the invention can be applied in an IP address assignment system comprising three devices: a DHCP+ client terminal, a DHCP+ server and an AAA server. The DHCP+ client terminal is a client terminal with added authentication function. The DHCP+ server is a server with added authentication and authorization support; it comprises a standard DHCP processing module and an AAA processing module, where the AAA processing module is a software module in the DHCP+ server responsible for the processing work of authentication and authorization. The AAA server is an authentication server, mainly responsible for storing user information and providing it to the DHCP+ server for authentication and verification.
AAA refers to Authentication, Authorization and Accounting, defined as follows:
Authentication: the AAA server compares the user information stored in its database with the user identity credentials contained in the authentication request sent by the end user, to confirm whether the user identity is legal.
Authorization: defines the rights and services the user may enjoy after being allowed to access the network.
Accounting: collects information on the user's resource usage, for billing.
As shown in Fig. 1, processes A, B, C and D are the standard DHCP flow, and processes 1 to 15 are the extended protocol flow of DHCP+; they are described in detail below.
In process 1, the DHCP+ client terminal generates vendor identification information, or identification information agreed with the DHCP+ server by which the server can recognize whether the DHCP+ client terminal supports DHCP+ authentication, forms an Option 60 field from it, and inserts it into the DHCPDISCOVER message to be sent to the server.
Process A is the discovery process of standard DHCP: the DHCP+ client terminal broadcasts to the network a DHCPDISCOVER message that includes the Option 60 field, to find a DHCP+ server.
In process 2, the DHCP+ server uses its standard DHCP processing module to determine whether the DHCPDISCOVER message received from the DHCP+ client terminal contains an Option 60 field. If the message does not carry an Option 60 field, it may be discarded, or, if the DHCP+ server is compatible with standard DHCP, handled as standard DHCP.
Then, in process 3, if the DHCPDISCOVER message is found to include an Option 60 field, the standard DHCP processing module passes the DHCPDISCOVER message to the AAA processing module and records the MAC address of the corresponding DHCP+ client terminal.
In process 4, the AAA processing module identifies the Option 60 field information in the DHCPDISCOVER message and verifies whether it is the vendor identification or the previously agreed identification field.
If verification is correct, process 5 follows: the AAA processing module generates a key for encryption and returns it to the standard DHCP processing module. The key corresponds one-to-one with the MAC address of the DHCP+ client terminal, so that multiple DHCP+ client terminals can be handled at the same time. If verification is incorrect, the AAA processing module returns error code information to the standard DHCP processing module; if compatibility with the standard DHCP protocol is required, it may instead return success or a specially defined code message.
In process 6, if the standard DHCP processing module obtains error code information, it drops the message; otherwise it inserts the obtained key into the Option 60 field of the DHCPOFFER message to be sent to the DHCP+ client terminal. At the same time, a server identification may also be carried in Option 60, so that the DHCP+ client terminal can conveniently judge whether the sender of the DHCPOFFER is the agreed DHCP+ server.
Processes 2 to 6 together constitute the identification and verification process of the present invention.
Process B is the offer process of standard DHCP: the DHCP+ server picks one of the still unallocated IP addresses and sends the DHCP+ client terminal an IP address lease (DHCPOFFER) message containing the picked IP address and the Option 60 field.
Process 7 is the information extraction and verification process: the DHCP+ client terminal extracts the information from Option 60 of the DHCPOFFER message and, if it contains the agreed field sent by the server, verifies whether it is legal; if it is not, the message is discarded. If the Option 60 field is legal, the DHCP+ client terminal obtains the key it contains and, using the cryptographic algorithm arranged in advance, encrypts the username/password information kept on the DHCP+ client terminal with this key, obtaining an encrypted information field that it writes into the Option 60 field of the DHCPREQUEST message to be sent to the server.
As for the choice of cryptographic algorithm, several built-in algorithms can be kept in advance on both the client terminal and the server; at authentication time the client terminal selects one at random, sends the algorithm code to the server in process 1 above, and the server records this code and selects the cryptographic algorithm accordingly.
Process C is the selection process of standard DHCP: the DHCP+ client terminal broadcasts to the DHCP+ server a DHCPREQUEST message containing the Option 60 field, requesting the selected DHCP+ server to allocate an IP address.
In process 8, the standard DHCP processing module extracts the Option 60 field from the received DHCPREQUEST message and delivers it to the AAA processing module.
Process 9 is the decryption process: the AAA processing module uses the key generated in process 5 to decrypt the encrypted information in the Option 60 field, restoring the plaintext username and password.
Processes 10 and 11 are the authentication control process of the present invention. In process 10, the AAA processing module delivers the user identification information, such as username, password and MAC, to the AAA server (the Radius protocol or another protocol may be used). In process 11, the AAA server performs authentication control according to the user profile and returns corresponding control information such as success or failure (detailed codes may be defined to distinguish different cases) to the AAA processing module of the DHCP+ server.
In process 12, the AAA processing module receives the information returned by the AAA server, carries out necessary work such as local logging, and returns a success/error code (this error code need not be identical to the code used between the AAA server and the AAA module) to the standard DHCP processing module.
In process 13, the standard DHCP processing module decides, according to the returned success/failure information, whether to send the DHCP+ client terminal a DHCPACK message or a DHCPNACK message, and inserts the error code information into the Option 60 field.
Process D is the confirmation process of standard DHCP: if the returned control information is success, the DHCP+ server sends the DHCP+ client terminal a DHCPACK message containing the allocated IP address; if it is failure, it sends a DHCPNACK message.
Finally, as shown in process 14, if the DHCP+ client terminal receives a DHCPNACK message, it can display the error reason to the end user according to the error information contained in the Option 60 field.
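The first-time allocation flow of processes 1 to 14 above, modelled end to end as an added Python example written for this page; it is not code from the patent or its assignee. It assumes an identification string DHCP+, a server mark SRV, a 16-byte random key, a SHA-256 keystream XOR standing in for the pre-agreed reversible algorithm, and a dictionary-backed stand-in for the AAA server with constructed result codes; the DHCPNACK constant is the RFC's DHCPNAK, named as the patent names it.

```python
import hashlib
import os
import struct

# DHCP message-type values (RFC 2132); the patent's DHCPNACK is the RFC's DHCPNAK (6).
DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK, DHCPNACK = 1, 2, 3, 5, 6
OPT_VENDOR_CLASS, OPT_END = 60, 255   # Option 60 carries the DHCP+ fields
DHCPPLUS_TAG = b"DHCP+"              # assumed identification string agreed by both sides
SERVER_MARK = b"SRV"                 # assumed server identification carried in the offer (process 6)
ALGO_XORSHA = 1                      # assumed code number of the pre-agreed reversible algorithm

def build_option(code, data):
    """Encode one DHCP option as code, length, value."""
    return struct.pack("BB", code, len(data)) + data

def parse_options(blob):
    """Decode a DHCP options field into {code: value}, stopping at END; PAD is not expected."""
    opts, i = {}, 0
    while i < len(blob) and blob[i] != OPT_END:
        length = blob[i + 1]
        opts[blob[i]] = blob[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def keystream_xor(key, data):
    """Stand-in for the pre-agreed algorithm: XOR with a SHA-256 counter keystream. Reversible,
    as the flow needs; a deployment would use an authenticated cipher to stop tampering."""
    stream = b"".join(hashlib.sha256(key + n.to_bytes(4, "big")).digest()
                      for n in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))

def client_discover(mac, algo=ALGO_XORSHA):
    """Process 1 / A: Option 60 = tag + algorithm code, carried in DHCPDISCOVER."""
    o60 = build_option(OPT_VENDOR_CLASS, DHCPPLUS_TAG + bytes([algo]))
    return {"type": DHCPDISCOVER, "chaddr": mac, "options": o60}

def client_request(mac, offer, username, password):
    """Process 7 / C: verify the offer's Option 60, encrypt user:password under the offered key."""
    o60 = parse_options(offer["options"]).get(OPT_VENDOR_CLASS)
    if o60 is None or not o60.startswith(DHCPPLUS_TAG + SERVER_MARK):
        return None                                   # illegal agreed field: discard the offer
    key = o60[len(DHCPPLUS_TAG) + len(SERVER_MARK):]
    enc = keystream_xor(key, username + b":" + password)
    return {"type": DHCPREQUEST, "chaddr": mac,
            "options": build_option(OPT_VENDOR_CLASS, DHCPPLUS_TAG + enc)}

class DhcpPlusServer:
    """Standard DHCP module plus AAA module; aaa(user, pwd, mac) returns 0 on success."""

    def __init__(self, pool, aaa, compat_standard=True):
        self.pool, self.aaa, self.compat = list(pool), aaa, compat_standard
        self.pending = {}   # MAC -> (key, algo, offered IP): one key per client (process 5)
        self.leases = {}

    def handle_discover(self, msg):                   # processes 2-6 and B
        o60 = parse_options(msg["options"]).get(OPT_VENDOR_CLASS)
        if o60 is None:                               # process 2: no Option 60 present
            if not self.compat:
                return None                           # DHCP+-only mode: drop
            return {"type": DHCPOFFER, "yiaddr": self.pool.pop(0), "options": b""}
        if not o60.startswith(DHCPPLUS_TAG):          # process 4: not the agreed identification
            return None
        key, ip = os.urandom(16), self.pool.pop(0)
        self.pending[msg["chaddr"]] = (key, o60[len(DHCPPLUS_TAG)], ip)
        reply = build_option(OPT_VENDOR_CLASS, DHCPPLUS_TAG + SERVER_MARK + key)
        return {"type": DHCPOFFER, "yiaddr": ip, "options": reply}

    def handle_request(self, msg):                    # processes 8-13 and D
        o60 = parse_options(msg["options"]).get(OPT_VENDOR_CLASS)
        entry = self.pending.pop(msg["chaddr"], None)
        if o60 is None or entry is None or not o60.startswith(DHCPPLUS_TAG):
            return None
        key, _algo, ip = entry
        plain = keystream_xor(key, o60[len(DHCPPLUS_TAG):])          # process 9
        user, _, pwd = plain.partition(b":")
        code = self.aaa(user, pwd, msg["chaddr"])                    # processes 10-11
        if code == 0:
            self.leases[msg["chaddr"]] = ip
        else:
            self.pool.insert(0, ip)                                  # offered address returns
        return {"type": DHCPACK if code == 0 else DHCPNACK, "yiaddr": ip if code == 0 else None,
                "options": build_option(OPT_VENDOR_CLASS, DHCPPLUS_TAG + bytes([code]))}

USERS = {b"alice": b"s3cret"}   # constructed user store standing in for the AAA server

def aaa_check(user, pwd, mac):
    """Constructed AAA back end: 0 = success, 2 = wrong password, 3 = unknown user."""
    if user not in USERS:
        return 3
    return 0 if USERS[user] == pwd else 2

def run_exchange(server, mac, username, password):
    """Drive one first-time allocation; returns (message type, Option 60 result code) or None."""
    offer = server.handle_discover(client_discover(mac))
    req = client_request(mac, offer, username, password) if offer else None
    if req is None:
        return None
    reply = server.handle_request(req)
    return reply["type"], parse_options(reply["options"])[OPT_VENDOR_CLASS][-1]
```

The result code the client reads from the last byte of Option 60 is what process 14 would display; with `compat_standard=False` a DISCOVER without Option 60 is dropped, which is the DHCP+-only behaviour of process 2.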
Fig. 2 shows the re-lease flow on IP address expiry and the IP address release flow of the present invention. As shown in Fig. 2, processes 7 to 14 make up re-lease flow S1, which is consistent with the first-time IP address allocation described above, except that in case of error (for example authentication failure) the returned error code and information differ, and the error description displayed by the client terminal differs as well; it is not repeated here.
Processes 15 to 18 make up IP address release flow S2, described as follows:
Process 15: the DHCP+ client terminal actively initiates an IP release request.
Process E: the DHCP+ client terminal sends a DHCPRELEASE message to the DHCP+ server.
Process 16: the standard DHCP processing module reclaims the IP address according to the client terminal's MAC address information, and passes the release information and the client terminal's MAC information to the AAA processing module.
Process 17: the AAA processing module delivers the client terminal's user identification information, such as MAC, username and password, to the AAA server, removes the user's online information that it keeps, and at the same time carries out corresponding logging and similar work.
Process 18: the AAA server records the user's offline information and generates logs, billing tickets, etc.
The DHCP+ flow of the invention described above is a general implementation; in actual implementation some processes may be omitted flexibly according to the specific application. For example, if username and password encryption is not needed, the encryption process can be omitted.
As for whether the present invention can support Option 82: Option 82 is an extension defined by RFC 3046 for determining a user's location information, and by defining the user's location attributes through Option 82 a certain degree of authentication can also be achieved. Option 82 is generally inserted into the Option field of DHCP messages by a network device (such as a DSLAM); therefore, as long as the AAA server supports authentication on Option 82 information, the present invention can also support Option 82 authentication. For example, provided the corresponding interface and information are defined, the DHCP+ server can choose either Option 60 or Option 82, or send both together to the AAA server, for authentication by the AAA server.
The present invention can also be compatible with the standard DHCP flow. Provided a configuration command switch is supplied, the DHCP+ server and DHCP+ terminal can choose to support the standard DHCP flow, or a compatibility mode in which both run at the same time. If the DHCP+ server selects standard mode, it does not process Option 60 or Option 82, and the AAA processing module does not operate. Likewise, the DHCP+ client terminal then does not send messages carrying Option 60, nor does it check for the agreed information in Option 60. If the DHCP+ server and DHCP+ client terminal are set to the compatibility mode in which both are used simultaneously, how a message is handled is decided by whether Option 60 carries the agreed identification: standard DHCP messages are handled by the standard DHCP flow, and agreed DHCP+ messages by the DHCP+ flow.
If the DHCP+ protocol described above is integrated on the routers and L3 switch equipment of the IP communication network, and DHCP+ is combined with network access authorization:
(1) the router or L3 switch serves as the gateway through which users access network resources, and supports the DHCP+ server function;
(2) the user applies for an IP address using the DHCP+ protocol;
(3) if DHCP+ authentication does not pass, the gateway does not allocate an IP address to the user and does not open any (or part) of the user's network access rights.
In this way, complete user access permission management can be realized, achieving the control effect that a BRAS achieves with the PPP protocol.

Claims (16)

1. An IP address assignment method based on a DHCP extended attribute, usable in an IP address assignment system comprising a DHCP+ client terminal with added authentication function, a DHCP+ server with added authentication and authorization support, and an AAA server, characterized in that the method comprises:
(1) Discovery process: the DHCP+ client terminal broadcasts to the network a DHCPDISCOVER message that includes an Option 60 field, to find a DHCP+ server;
(2) Identification and verification process: on receiving the DHCPDISCOVER message, the DHCP+ server determines whether it contains an Option 60 field; if so, it verifies whether the Option 60 field contains the agreed identification information; otherwise the DHCPDISCOVER message may be discarded or handled as standard DHCP;
(3) Offer process: if verification finds that the Option 60 field contains the agreed identification information, the DHCP+ server picks one of the still unallocated IP addresses and sends the DHCP+ client terminal an IP address lease (DHCPOFFER) message containing the picked IP address and an Option 60 field;
(4) Information extraction and verification process: the DHCP+ client terminal extracts the information from the Option 60 field of the DHCPOFFER message and verifies whether the agreed field sent by the DHCP+ server is legal; if it is not, the message is discarded;
(5) Selection process: if the Option 60 field contained in the DHCPOFFER is verified as legal, the DHCP+ client terminal broadcasts to the DHCP+ server a DHCPREQUEST message containing an Option 60 field, requesting the selected DHCP+ server to allocate an IP address;
(6) Authentication control process: the DHCP+ server delivers the user identification information contained in the Option 60 field of the received DHCPREQUEST message to the AAA server; the AAA server performs authentication control according to the user profile and returns corresponding success/failure control information to the DHCP+ server;
(7) Confirmation process: if the returned control information is success, the DHCP+ server sends the DHCP+ client terminal a DHCPACK message containing the allocated IP address and an Option 60 field; if the returned control information is failure, it sends a DHCPNACK message; in either case the success/error code information is inserted into the Option 60 field.
2. The IP address assignment method of claim 1, characterized in that the DHCP+ server used by the method includes a standard DHCP processing module and an AAA processing module responsible for the processing work of authentication and authorization.
3. The IP address assignment method of claim 2, characterized in that the method further includes, before the discovery process, the DHCP+ client terminal generating vendor identification information, or identification information agreed with the DHCP+ server by which the server can recognize whether the client terminal supports DHCP+ authentication, forming an Option 60 field from it, and inserting it into the DHCPDISCOVER message to be sent to the server.
4. The IP address assignment method of claim 3, characterized in that, in the identification and verification process, after the DHCP+ server receives the DHCPDISCOVER message sent by the client terminal, the standard DHCP processing module determines whether the message contains an Option 60 field.
5. The IP address assignment method of claim 4, characterized in that, in the identification and verification process, if an Option 60 field is present, the standard DHCP processing module passes the DHCPDISCOVER message to the AAA processing module for handling and records the MAC address of the corresponding client terminal.
6. The IP address assignment method of claim 5, characterized in that, in the identification and verification process, the AAA module identifies the Option 60 field information in the DHCPDISCOVER message and verifies whether it contains the vendor identification or the previously agreed identification field.
7. The IP address assignment method of claim 6, characterized in that, in the identification and verification process, if the Option 60 verification is correct, the AAA processing module generates an encryption key corresponding one-to-one with the client terminal MAC address; otherwise it returns error code information to the standard DHCP processing module.
8. The IP address assignment method of claim 7, characterized in that, in the identification and verification process, if the standard DHCP processing module obtains error code information it drops the message; otherwise it inserts the obtained key into the Option 60 field of the DHCPOFFER message to be sent to the client terminal.
9. The IP address assignment method of claim 1 or claim 8, characterized in that, in the offer process, the Option 60 field of the DHCPOFFER message sent by the DHCP+ server may further contain a DHCP+ server identification, so that the client terminal can conveniently judge whether the sender of the DHCPOFFER is the agreed DHCP+ server.
10. The IP address assignment method of claim 9, characterized in that, in the information extraction and verification process, if the Option 60 verification is legal, the DHCP+ client terminal obtains the key and, with a predetermined cryptographic algorithm, uses this key to encrypt the username and password information kept on the DHCP+ client terminal, obtaining an encrypted information field that it writes into the Option 60 field of the DHCPREQUEST message to be sent to the DHCP+ server.
11. The IP address assignment method of claim 10, characterized in that, in the authentication control process, after the DHCP+ server receives the DHCPREQUEST message sent by the client terminal, the standard DHCP processing module extracts the Option 60 field therein and delivers it to the AAA processing module, and the AAA processing module uses the key to decrypt the encrypted information, restoring the plaintext username and password information.
12. The IP address assignment method of claim 11, characterized in that, in the authentication control process, the AAA processing module sends user identification information such as username, password and MAC to the AAA server for authentication control, and the AAA server returns corresponding success/failure control information.
13. The IP address assignment method of claim 12, characterized in that, in the confirmation process, the AAA processing module receives the information returned by the AAA server, carries out work such as local logging, and returns a success/error code to the standard DHCP processing module.
14. The IP address assignment method of claim 13, characterized in that, in the confirmation process, the standard DHCP processing module decides, according to the returned success/failure information, whether to send the DHCP+ client terminal a DHCPACK message or a DHCPNACK message, and inserts the error code information into the Option 60 field.
15. IP address assignment method as claimed in claim 1 is characterized in that, described method also comprises the dispose procedure of IP address, comprising:
The DHCP+ client terminal initiatively sends IP and discharges request message DHCPRELEASE;
The DHCP+ server reclaims the IP address according to the MAC information of client terminal, and the MAC information of this release information and client terminal is passed to the AAA processing module;
The AAA processing module is given aaa server with user totem informations such as the MAC of client terminal, user name, passwords, and removes user's online information of self preserving, and carries out work such as corresponding log record simultaneously;
Aaa server recording user offline information generates daily record, ticket etc.
16. IP address assignment method as claimed in claim 1, it is characterized in that, the employed aaa server of described method is also supported Option 82 information authentications, the DHCP+ server can be selected one with Option 60 and Option 82 in the described method, also the two can be sent into aaa server in the lump, by the aaa server authentication.
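As an added example, not code from the patent or from UTStarcom's implementation, the following Python models the Option 60 exchange of claims 4 to 14 from both sides: the server checks the identifier in DISCOVER, answers OFFER with its own identification plus a per-MAC key, the client encrypts its stored username and password for REQUEST, and the server decrypts, checks the AAA store and returns OK or an error code in Option 60 of the ACK/NAK. The vendor identifier, the AAA store, the credential layout and the SHA-256 keystream cipher standing in for the unspecified "predetermined cryptographic algorithm" are all assumptions of this example.

```python
import hashlib, os

VENDOR_ID = b"DHCP+/UTS"   # constructed identifier both sides look for in Option 60
OPT60 = 60                 # RFC 2132 vendor class identifier option code

def build_option(code, value):
    """Encode one DHCP option as code/length/value (RFC 2132)."""
    return bytes([code, len(value)]) + value

def parse_options(blob):
    """Decode an options field into {code: value}; PAD (0) is skipped, END (255) stops."""
    opts, i = {}, 0
    while i < len(blob) and blob[i] != 255:
        if blob[i] == 0:
            i += 1
            continue
        opts[blob[i]] = blob[i + 2:i + 2 + blob[i + 1]]
        i += 2 + blob[i + 1]
    return opts

def keystream_xor(key, data):
    """Stand-in for the unspecified 'predetermined cryptographic algorithm': SHA-256 counter keystream XOR (symmetric)."""
    stream = b"".join(hashlib.sha256(key + n.to_bytes(4, "big")).digest()
                      for n in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

class DhcpPlusServer:
    def __init__(self, aaa_users):
        self.aaa_users = aaa_users   # constructed AAA store: username -> password
        self.keys = {}               # per-client key indexed by MAC (claims 5 and 7)

    def on_discover(self, mac, options):
        """Claims 4-8: check Option 60, mint a key, return the OFFER's Option 60 (None = drop)."""
        if parse_options(options).get(OPT60) != VENDOR_ID:
            return None
        self.keys[mac] = os.urandom(16)
        return build_option(OPT60, VENDOR_ID + self.keys[mac])  # server id (claim 9) + key

    def on_request(self, mac, options):
        """Claims 11-14: decrypt, check against AAA, return (ack?, Option 60 for ACK/NAK)."""
        key, blob = self.keys.get(mac), parse_options(options).get(OPT60)
        if key is None or not blob:
            return False, build_option(OPT60, b"ERR_NO_KEY")
        plain = keystream_xor(key, blob)
        user, password = plain[1:1 + plain[0]], plain[1 + plain[0]:]
        ok = self.aaa_users.get(user) == password
        return ok, build_option(OPT60, b"OK" if ok else b"ERR_AUTH")

def client_request_option(offer_options, username, password):
    """Claims 9-10: accept only a DHCP+ OFFER, take the key, encrypt the stored credentials."""
    opt60 = parse_options(offer_options).get(OPT60, b"")
    if not opt60.startswith(VENDOR_ID):
        raise ValueError("DHCPOFFER did not come from the agreed DHCP+ server")
    key = opt60[len(VENDOR_ID):]
    return build_option(OPT60, keystream_xor(key, bytes([len(username)]) + username + password))
```

Because the key itself travels unprotected in the OFFER's Option 60, the confidentiality of the credentials in REQUEST rests on an observer not having captured the OFFER as well; the VENDOR_ID prefix check is what lets the client refuse an OFFER from an unrelated DHCP server.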
CNB2006101066374A 2006-07-17 2006-07-18 A kind of IP address assignment method based on the DHCP extended attribute Active CN100539595C (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CNB2006101066374A CN100539595C (en) 2006-07-18 2006-07-18 A kind of IP address assignment method based on the DHCP extended attribute
PCT/IB2007/052836 WO2008010184A2 (en) 2006-07-17 2007-07-16 Ip address assignment method based on dhcp extension options

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNB2006101066374A CN100539595C (en) 2006-07-18 2006-07-18 A kind of IP address assignment method based on the DHCP extended attribute

Publications (2)

Publication Number Publication Date
CN1889577A true CN1889577A (en) 2007-01-03
CN100539595C CN100539595C (en) 2009-09-09

Family

ID=37578834

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2006101066374A Active CN100539595C (en) 2006-07-17 2006-07-18 A kind of IP address assignment method based on the DHCP extended attribute

Country Status (2)

Country Link
CN (1) CN100539595C (en)
WO (1) WO2008010184A2 (en)


Also Published As

Publication number Publication date
WO2008010184A2 (en) 2008-01-24
WO2008010184A3 (en) 2008-04-10
CN100539595C (en) 2009-09-09


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
ASS Succession or assignment of patent right

Owner name: UT SIDAKANG (CHINA) CO. LTD.

Free format text: FORMER OWNER: UT STARCOM COMMUNICATION CO., LTD.

Effective date: 20130320

C41 Transfer of patent application or patent right or utility model
COR Change of bibliographic data

Free format text: CORRECT: ADDRESS; FROM: 310053 HANGZHOU, ZHEJIANG PROVINCE TO: 100027 DONGCHENG, BEIJING

TR01 Transfer of patent right

Effective date of registration: 20130320

Address after: Beihai Manhattan building 6 No. 100027 Beijing Dongcheng District, Chaoyangmen North Street 11

Patentee after: UT Sidakang (China) Co., Ltd.

Address before: 310053 No. six, No. 368, Binjiang District Road, Zhejiang, Hangzhou

Patentee before: UT Starcom Communication Co., Ltd.

TR01 Transfer of patent right

Effective date of registration: 20181228

Address after: 518000 Lenovo Building, No. 016, Gaoxin Nantong, Yuehai Street, Nanshan District, Shenzhen City, Guangdong Province, on the east side of the third floor

Patentee after: Excellent network Co., Ltd.

Address before: 100027 11 Floor of Beihai Wantai Building, 6 Chaoyangmen North Street, Dongcheng District, Beijing

Patentee before: UT Sidakang (China) Co., Ltd.

TR01 Transfer of patent right