CN100452701C - Access authentication method for tunnel of intra-site automatic addressing protocol - Google Patents


Info

Publication number
CN100452701C
Authority
CN
China
Prior art keywords
access
isatap
client
router
authentication
Prior art date
Legal status
Expired - Fee Related
Application number
CNB031785794A
Other languages
Chinese (zh)
Other versions
CN1571334A (en)
Inventor
罗汉军
雷文阳
陈保江
王靖宇
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date
Filing date
Publication date
  • Application filed by Huawei Technologies Co Ltd
  • Priority to CNB031785794A
  • Publication of CN1571334A
  • Application granted
  • Publication of CN100452701C
  • Anticipated expiration
  • Current legal status: Expired - Fee Related

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention relates to an access authentication method for Intra-site Automatic Tunnel Addressing Protocol (ISATAP) tunnels. An access portal server is connected to the router and ISATAP clients are authenticated by WEB authentication: packets that unauthenticated clients send to the ISATAP router interface are forcibly redirected to the access portal server, except for packets whose destination address is the access portal server. The access portal server provides an interactive interface to the client, collects the user's account information and submits it to an authentication device for verification. The router decapsulates and forwards subsequent tunnel-encapsulated packets from a source IP address that has passed verification. The invention achieves access control and management of ISATAP and makes ISATAP tunnels operable and manageable.

Description

Access authentication method for an intra-site automatic tunnel addressing protocol tunnel
Technical field
The present invention relates to the field of communication technology, and in particular to an access authentication method for Intra-site Automatic Tunnel Addressing Protocol (ISATAP) tunnels.
Background technology
Deployment of IPv6 (Internet Protocol version 6) is a gradually expanding process. Nodes in an existing IPv4 (Internet Protocol version 4) network that need to access services provided over IPv6 must connect to the IPv6 network through tunneling. Among the transition technologies by which an IPv4/IPv6 dual-stack node in an IPv4 network reaches an IPv6 network across the IPv4 network, the main ones are basic tunneling and the improved ISATAP (Intra-site Automatic Tunnel Addressing Protocol) technique.
Fig. 1 shows the encapsulation format of an IPv6 packet in a tunnel. A tunneling mechanism provides a way to carry IPv6 communication over the existing IPv4 network infrastructure; the basic method is as follows:
1. The tunnel entry point first encapsulates the IPv6 packet in IPv4 and then sends it.
2. When the tunnel exit point receives the tunnel-encapsulated packet, it first determines whether reassembly is needed: if the packet was fragmented, it is reassembled; otherwise it is not. The tunnel encapsulation (the IPv4 header) is then removed and the received packet is processed accordingly.
3. To let packets pass through the tunnel smoothly, the tunnel entry point may need to maintain soft-state information about the tunnel, such as the tunnel MTU (maximum transmission unit) and similar parameters. A network node may use many tunnels, and the associated soft state can be cached and discarded when it is no longer in use.
In addition to adding an IPv4 packet header to the IPv6 packet, the encapsulating node also needs to:
1. Decide whether the packet needs to be fragmented and whether an ICMP (Internet Control Message Protocol) "packet too big" error message needs to be sent to the source;
2. Map the IPv4 error messages that routers on the tunnel path return to the source into IPv6 ICMP messages.
ISATAP is one of the key technologies for IPv4-to-IPv6 transition inside an intranet (an internal network such as an enterprise or campus network), and it solves well the problem of dual-stack nodes in an IPv4 intranet accessing the IPv6 network. ISATAP allows dual-stack nodes in an IPv4 site to reach an IPv6 router through an IPv6-in-IPv4 automatic tunnel, and allows a dual-stack node that does not share a physical link with the IPv6 router to send packets to the next IPv6 hop through the IPv4 automatic tunnel.
Fig. 2 shows the ISATAP principle. The ISATAP router sits at the boundary between IPv4 and IPv6, and the ISATAP link transmits packets over the IPv4 automatic tunnel as if it were an IPv6 link layer. The ISATAP client obtains the router's network address prefix through RS/RA/NS/NA (router solicitation / router advertisement / neighbor solicitation / neighbor advertisement). The ISATAP transition mechanism uses an IPv6 address with an embedded IPv4 address: the ISATAP interface identifier uses the modified EUI-64 format and is formed from the 32-bit string 00-00-5E-FE followed by the IPv4 address on the ISATAP link. The resulting global and local ISATAP address formats are shown in Fig. 3.
Because the ISATAP transition mechanism uses an IPv6 address with an embedded IPv4 address, a site can use IPv6-in-IPv4 automatic tunneling regardless of whether it uses global or private IPv4 addresses. The ISATAP address format can use either a site-local unicast IPv6 address prefix or a global unicast IPv6 address prefix, and so supports both site and global IPv6 routing.
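The address format just described, as an added Python example that is not part of the patent: it builds an ISATAP address from a /64 prefix and an IPv4 address, recovers the embedded IPv4 address from an ISATAP address, and adds one check the patent does not spell out, namely that the IPv4 address embedded in the inner IPv6 source agrees with the outer IPv4 source of the tunnel packet. The 02-00-5E-FE variant (universal/local bit set for a global IPv4 address) is taken from RFC 5214, not from the patent; the 2001:db8::/64 prefix and host addresses are constructed sample values.

```python
import ipaddress
from typing import Optional

# ISATAP interface identifier (modified EUI-64): the IANA OUI 00-00-5E, the
# octet 0xFE, then the 32-bit IPv4 address used on the ISATAP link. The patent
# text gives the 00-00-5E-FE form; RFC 5214 additionally sets the
# universal/local bit (02-00-5E-FE) when the embedded IPv4 address is global.
ISATAP_TAG_PRIVATE = 0x00005EFE
ISATAP_TAG_GLOBAL = 0x02005EFE


def isatap_address(prefix: str, ipv4: str, global_ipv4: bool = False) -> ipaddress.IPv6Address:
    """Build the ISATAP IPv6 address of host `ipv4` under the /64 `prefix`.

    `prefix` can be a site-local prefix, a global unicast prefix, or fe80::/64
    for the link-local address the client uses on the ISATAP link itself.
    """
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("ISATAP needs a /64 prefix, got /%d" % net.prefixlen)
    tag = ISATAP_TAG_GLOBAL if global_ipv4 else ISATAP_TAG_PRIVATE
    interface_id = (tag << 32) | int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Address(int(net.network_address) | interface_id)


def embedded_ipv4(addr: str) -> Optional[ipaddress.IPv4Address]:
    """Return the IPv4 address embedded in an ISATAP address, or None when the
    interface identifier does not carry the 00-00-5E-FE / 02-00-5E-FE tag."""
    interface_id = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    if (interface_id >> 32) not in (ISATAP_TAG_PRIVATE, ISATAP_TAG_GLOBAL):
        return None
    return ipaddress.IPv4Address(interface_id & 0xFFFFFFFF)


def matches_outer_source(inner_src_v6: str, outer_src_v4: str) -> bool:
    """Consistency check added here (not part of the patent): the IPv4 address
    embedded in the inner IPv6 source must equal the outer IPv4 source of the
    tunnel packet; otherwise a lookup keyed on the IPv6 source could be
    satisfied from a different IPv4 host."""
    v4 = embedded_ipv4(inner_src_v6)
    return v4 is not None and v4 == ipaddress.IPv4Address(outer_src_v4)


if __name__ == "__main__":
    # Constructed sample: documentation prefix 2001:db8::/64, private host 10.1.2.3.
    client = isatap_address("2001:db8::/64", "10.1.2.3")
    print(client)                                         # 2001:db8::5efe:a01:203
    print(isatap_address("fe80::/64", "10.1.2.3"))        # fe80::5efe:a01:203
    print(embedded_ipv4("fe80::5efe:10.1.2.3"))           # 10.1.2.3
    print(matches_outer_source(str(client), "10.1.2.3"))  # True
    print(matches_outer_source(str(client), "10.9.9.9"))  # False
```

The link-local form fe80::5efe:w.x.y.z is what the client uses for the RS/RA exchange on the ISATAP link; the prefix received in the RA then gives the site or global address the router later keys its verification table on.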
Because the tunnel service can be operated as a value-added service, how to manage access to ISATAP tunnels is an important issue for service control. The limitation of existing ISATAP technology is that it has no scheme or technique for access authentication and lacks any access control means; access to ISATAP tunnels is uncontrolled, so ISATAP tunnels cannot be operated and managed as a service.
Summary of the invention
The technical problem solved by the invention is to overcome the lack of access authentication in existing ISATAP technology by providing a method for performing access authentication on ISATAP tunnels, thereby controlling and managing ISATAP tunnel access and making the tunnels operable and manageable.
The technical solution adopted by the invention to solve the above problem is:
An access authentication method for ISATAP tunnels, in which an access portal server (Portal Server) is connected to the router and ISATAP clients are authenticated using the WEB authentication mode, comprising the following steps:
A. Packets sent by unauthenticated clients to the ISATAP router interface are forcibly redirected to the access portal server, except for packets whose destination address is the access portal server;
B. The access portal server provides an interactive interface to the client, collects the user's account information, and submits the account information to an authentication device for verification;
C. The router decapsulates and forwards subsequent tunnel-encapsulated packets from a source IP address that has passed verification.
Step A further comprises: the router allows router solicitation (RS) and router advertisement (RA) messages to pass, the client obtains its IPv6 address through the RS/RA messages, and the router looks up this IPv6 address in an IP address verification table to check whether the client has been authenticated.
In step A, when a client is forcibly redirected to the access portal server, the router first impersonates the remote server to establish a transmission control protocol (TCP) connection with the client, and then redirects the access destination address to the access portal server.
In step A, if the destination address of the packet is the access portal server, the access portal server directly provides the interactive interface to the client and collects the user's account information.
In step B, local users are verified by the router; for non-local users, the router sends the account information to a Radius server in remote authentication dial-in user service (Radius) messages for verification.
Step C further comprises: after authentication succeeds, an entry for this client IP address is created in the IP address verification table and an authentication-success flag is set in the entry, marking this client host as authenticated.
The beneficial effect of the invention is that WEB authentication technology is used to control and manage ISATAP access. RS/RA messages are allowed through unconditionally so that clients can obtain IPv6 addresses and communicate with the access portal server to perform WEB authentication. Tunnel-encapsulated packets sent by authenticated user hosts are decapsulated by the router and forwarded; unauthenticated user hosts are forcibly redirected to the access portal server for authentication and are only forwarded after authentication succeeds. This achieves access control and management of ISATAP tunnels and makes them operable and manageable.
Description of drawings
Fig. 1 is a schematic diagram of the IPv6 packet tunnel encapsulation format;
Fig. 2 is a schematic diagram of the ISATAP principle;
Fig. 3 is a schematic diagram of the ISATAP address format;
Fig. 4 is a schematic diagram of the ISATAP tunnel access authentication principle of the invention;
Fig. 5 is the WEB authentication flow chart of the invention.
Embodiment
The invention is described in further detail below with reference to the accompanying drawings and embodiments:
The invention mainly solves the ISATAP access control problem and enhances the controllability and manageability of the system. The basic principle is to authenticate ISATAP clients using the WEB authentication mode. Only tunnel-encapsulated packets from client hosts whose IPv4 address has been authenticated are forwarded through the tunnel interface. For all other packets the destination IPv6 address is checked: if the destination IPv6 address is the access portal server (Portal Server), the Portal Server pushes a WEB page to the client, provides the interactive interface and performs authentication; if the destination IPv6 address is not the access portal server, the packet is forcibly redirected to the Portal Server, which pushes the WEB page to the client, provides the interactive interface and performs authentication.
Fig. 4 shows the principle of ISATAP tunnel access authentication according to the invention. The ISATAP router sits at the boundary between IPv4 and IPv6. The Portal Server is located in the IPv6 network and is an ordinary server of the IPv6 network. The Radius Server (remote authentication dial-in user service server) is also located in the IPv6 network and supports only IPv6 Radius messages.
All packets that a user host sends to the ISATAP interface, except those whose destination address is the Portal Server, are forcibly redirected to the Portal Server until authentication passes. The Portal Server pops up an authentication page, and the browser automatically downloads a Java control program or an ActiveX control. After the user enters the account name and password, the control program or control sends them to the Portal Server, which passes the account information to the ISATAP router. Local users are verified by the ISATAP router; for non-local users the ISATAP router sends the account and password to the Radius Server in Radius messages for verification. After verification passes, an entry for this IP address is created in the router's IP address verification table with the authentication-success flag set, and packets from this source IP address are then forwarded.
Fig. 5 shows the WEB authentication flow of the invention. The WEB authentication process is as follows:
1. Triggering stage: the ISATAP router unconditionally allows RS/RA (router solicitation / router advertisement) messages through. A host requests a router advertisement (RA) from the local router with an RS, and the router also sends RAs periodically, announcing its availability, network address prefix and other parameters. Once the client has obtained the network address prefix via RS/RA, it automatically generates an IPv6 address with its IPv4 source address embedded, in the format shown in Fig. 3, so that it can communicate with the access portal server.
The ISATAP client then sends a Hypertext Transfer Protocol (HTTP) access request. The ISATAP router looks up the source IPv6 address learned from the RS in its IP address verification table to check whether this source address has been authenticated; the IP address verification table contains the source IPv6 address and an authentication-passed flag. If the source has not been authenticated, the ISATAP router impersonates the server the client is trying to reach and establishes a TCP (transmission control protocol) connection with the client host (that is, it performs TCP spoofing). Once the TCP connection is established, the router sends an HTTP response (HTTP-Resp) to the client host that redirects the destination address to the Portal server, which starts the authentication process. If this source IP address has been authenticated, the tunnel-encapsulated packets from this client host are decapsulated on the router and forwarded.
2. Authentication stage: after the destination address has been redirected to the Portal server, a connection to the Portal server is re-established. The Portal server accepts the HTTP authentication request sent by the user host and pushes the WEB page to the client, providing the interactive interface. The user enters the account name and password on the interactive interface and clicks confirm, and the WEB page submits the account name and password to the Portal server.
The Portal server sends an authentication request (Auth_Request) to the router, submitting the account name and password to the WEB authentication module of the ISATAP router. If the account is a local user, it is authenticated by the router; if not, the WEB authentication module sends an authentication request (Radius_Access_Request) carrying the account name and password to the Radius Server, and after the Radius Server authenticates it returns the authentication result and authorization information (Radius_Access_Accept) to the WEB authentication module of the ISATAP router.
3. After successful authentication: the WEB authentication module of the ISATAP router sets the authentication-passed flag in the corresponding entry of the IP address verification table and at the same time notifies the Portal server with an authentication response (Auth_Response); the Portal server delivers the authentication result to the user through the web page. Subsequent packets from the user host at this IP address are all allowed through, and the user host and the PORTAL server perform periodic handshakes.
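The router-side logic behind the basic principle and the three-stage flow above, as an added Python model that is not part of the patent: RS/RA always pass, a source already flagged in the IP address verification table is decapsulated and forwarded, traffic addressed to the Portal Server reaches it directly, everything else is marked for TCP spoofing and redirection, and an Auth_Request is resolved locally or through a Radius stand-in before the table entry is created. The portal address, the accounts, the dict that stands in for the Radius server and the check that the embedded IPv4 address equals the outer IPv4 source are all my assumptions and constructed sample data.

```python
import hmac
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class TunnelPacket:
    """An IPv6-in-IPv4 packet as seen on the ISATAP router interface (constructed)."""
    outer_src_v4: str   # IPv4 source of the tunnel encapsulation
    inner_src_v6: str   # IPv6 source of the encapsulated packet
    inner_dst_v6: str   # IPv6 destination of the encapsulated packet
    kind: str           # "RS", "RA" or "DATA" (HTTP and everything else)


@dataclass
class IsatapRouterWebAuth:
    portal_v6: str
    local_users: Dict[str, str]                  # account -> password (constructed)
    radius_verify: Callable[[str, str], bool]    # stand-in for Radius_Access_Request/Accept
    # IP address verification table: client IPv6 source -> authentication-success flag
    verification_table: Dict[ipaddress.IPv6Address, bool] = field(default_factory=dict)

    def decide(self, pkt: TunnelPacket) -> str:
        # Triggering stage: RS/RA pass unconditionally so the client can get a prefix.
        if pkt.kind in ("RS", "RA"):
            return "pass-rs-ra"
        src = ipaddress.IPv6Address(pkt.inner_src_v6)
        # Added check, not from the patent: the IPv4 address embedded in the
        # ISATAP source (…:5efe:w.x.y.z) must equal the outer IPv4 source, or a
        # table lookup keyed on the inner IPv6 address could be satisfied from
        # another IPv4 host.
        interface_id = int(src) & ((1 << 64) - 1)
        tag_ok = ((interface_id >> 32) & 0xFFFF) == 0x5EFE
        v4_ok = (interface_id & 0xFFFFFFFF) == int(ipaddress.IPv4Address(pkt.outer_src_v4))
        if not (tag_ok and v4_ok):
            return "drop-mismatched-source"
        # Step C: an authenticated source is decapsulated and forwarded.
        if self.verification_table.get(src):
            return "decapsulate-and-forward"
        # Step A: unauthenticated; only packets addressed to the portal reach it as-is.
        if ipaddress.IPv6Address(pkt.inner_dst_v6) == ipaddress.IPv6Address(self.portal_v6):
            return "forward-to-portal"
        return "tcp-spoof-and-redirect-to-portal"

    def authenticate(self, client_v6: str, account: str, password: str) -> bool:
        """Step B, Auth_Request from the portal: local users are checked on the
        router, others are sent to the Radius server. On success the table entry
        is created with the authentication-success flag set."""
        expected = self.local_users.get(account)
        if expected is not None:
            ok = hmac.compare_digest(expected.encode(), password.encode())
        else:
            ok = self.radius_verify(account, password)
        if ok:
            self.verification_table[ipaddress.IPv6Address(client_v6)] = True
        return ok


# Constructed sample deployment: documentation addresses, one router-local
# account and a dict standing in for the Radius server's user database.
PORTAL = "2001:db8:1::80"
RADIUS_USERS = {"alice@example.test": "correct-horse"}


def demo_router() -> IsatapRouterWebAuth:
    return IsatapRouterWebAuth(
        portal_v6=PORTAL,
        local_users={"admin": "router-local-pw"},
        radius_verify=lambda acct, pw: acct in RADIUS_USERS
        and hmac.compare_digest(RADIUS_USERS[acct].encode(), pw.encode()),
    )


def walk_through() -> List[object]:
    """Run the three stages for one client (IPv4 host 10.1.2.3) and collect the decisions."""
    r = demo_router()
    client_v6 = "2001:db8::5efe:a01:203"
    out: List[object] = []
    out.append(r.decide(TunnelPacket("10.1.2.3", "fe80::5efe:a01:203", "ff02::2", "RS")))
    out.append(r.decide(TunnelPacket("10.1.2.3", client_v6, "2001:db8:2::1", "DATA")))
    out.append(r.decide(TunnelPacket("10.1.2.3", client_v6, PORTAL, "DATA")))
    out.append(r.authenticate(client_v6, "alice@example.test", "wrong"))
    out.append(r.authenticate(client_v6, "alice@example.test", "correct-horse"))
    out.append(r.decide(TunnelPacket("10.1.2.3", client_v6, "2001:db8:2::1", "DATA")))
    out.append(r.decide(TunnelPacket("10.9.9.9", client_v6, "2001:db8:2::1", "DATA")))
    return out


if __name__ == "__main__":
    for step in walk_through():
        print(step)
```

The last packet in `walk_through` carries an authenticated IPv6 source inside a tunnel from a different IPv4 host; the patent's table lookup alone would forward it, which is why the model ties the outer IPv4 source to the embedded address before consulting the table.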
The invention integrates WEB authentication technology into ISATAP tunnels and thereby controls and manages ISATAP tunnel access: only tunnel packets from an authenticated IPv4 source address can be forwarded through the ISATAP interface, while all other packets are examined to determine whether they are destined for the Portal Server and otherwise are forcibly redirected to the Portal Server for authentication. The invention achieves control and management of ISATAP access and makes ISATAP tunnels operable and manageable.

Claims (6)

1. An access authentication method for an intra-site automatic tunnel addressing protocol (ISATAP) tunnel, characterized in that an access portal server (Portal Server) is connected to the ISATAP router and ISATAP clients are authenticated using the WEB authentication mode, the method comprising the following steps:
A. Packets sent by unauthenticated clients to the ISATAP router interface are forcibly redirected to the access portal server, except for packets whose destination address is the access portal server;
B. The access portal server provides an interactive interface to the client, collects the user's account information, and submits the account information to an authentication device for verification;
C. The ISATAP router decapsulates and forwards subsequent tunnel-encapsulated packets from a source IP address that has passed verification.
2. The access authentication method for an ISATAP tunnel according to claim 1, characterized in that step A further comprises: the ISATAP router allows router solicitation (RS) and router advertisement (RA) messages to pass, the client obtains its IPv6 address through the RS/RA messages, and the ISATAP router looks up this IPv6 address in an IP address verification table to check whether the client has been authenticated.
3. The access authentication method for an ISATAP tunnel according to claim 1 or 2, characterized in that in step A, when a client is forcibly redirected to the access portal server, the ISATAP router first impersonates the remote server to establish a transmission control protocol (TCP) connection with the client, and then redirects the access destination address to the access portal server.
4. The access authentication method for an ISATAP tunnel according to claim 1, characterized in that in step A, if the destination address of the packet is the access portal server, the access portal server directly provides the interactive interface to the client and collects the user's account information.
5. The access authentication method for an ISATAP tunnel according to claim 1, characterized in that in step B, local users are verified by the ISATAP router, and for non-local users the ISATAP router sends the account information to the Radius server in remote authentication dial-in user service (Radius) messages for verification.
6. The access authentication method for an ISATAP tunnel according to claim 1, characterized in that step C further comprises: after authentication succeeds, an entry for this client IP address is created in the IP address verification table and an authentication-success flag is set in the entry, marking this client host as authenticated.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB031785794A CN100452701C (en) 2003-07-18 2003-07-18 Access authentication method for tunnel of intra-site automatic addressing protocol

Publications (2)

Publication Number Publication Date
CN1571334A CN1571334A (en) 2005-01-26
CN100452701C CN100452701C (en) 2009-01-14

Family

ID=34472817

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB031785794A Expired - Fee Related CN100452701C (en) 2003-07-18 2003-07-18 Access authentication method for tunnel of intra-site automatic addressing protocol

Country Status (1)

Country Link
CN (1) CN100452701C (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102546429B (en) * 2012-02-03 2016-12-14 神州数码网络(北京)有限公司 The authentication method of Intra-site Automatic Tunnel Addressing Protocol based on DHCP monitoring and system
CN106549918B (en) * 2015-09-21 2019-10-18 中国移动通信集团黑龙江有限公司 A kind of method and device of the transmission service abnormal cause page

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1087575A1 (en) * 1999-09-24 2001-03-28 BRITISH TELECOMMUNICATIONS public limited company Packet network interfacing
WO2001031888A1 (en) * 1999-10-26 2001-05-03 3Com Corporation Method and system for dual-network address utilization by virtual tunneling

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
Intra-Site Automatic Tunnel Addressing Protocol (ISATAP). F. Templin, T. Gleeson, M. Talwar, D. Thaler. NETWORK WORKING GROUP, INTERNET-DRAFT. 2003 *
IPv4 to IPv6 过渡技术探讨 (Discussion of IPv4-to-IPv6 transition technologies). 赵生慧. 滁州师专学报, Vol. 5 No. 2. 2003 *

Also Published As

Publication number Publication date
CN1571334A (en) 2005-01-26

Similar Documents

Publication Publication Date Title
CN100437550C (en) Ethernet confirming access method
US7035281B1 (en) Wireless provisioning device
CN101026519B (en) Dynamic building of VLAN interfaces based on subscriber information
KR100910818B1 (en) Method and system for tunneling macsec packets through non-macsec nodes
JP4105722B2 (en) Communication device
JP4130962B2 (en) System and method for using a domain name to route data sent to a destination on a network
US8484715B2 (en) Method and system for network access and network connection device
CN106603491A (en) Portal authentication method based on https protocol, and router
US20160212097A1 (en) Secure In-Band Signaling Method for Mobility Management Crossing Firewalls
CN107786613A (en) Broadband Remote Access Server BRAS forwards implementation method and device
CN101426004A (en) Three layer conversation access method, system and equipment
CN100534034C (en) Access control method and apparatus
JP2019515608A (en) Access control
JPWO2013069161A1 (en) Routing method and network transmission apparatus
CN101902482B (en) Method and system for realizing terminal security admission control based on IPv6 (Internet Protocol Version 6) automatic configuration
CN100433714C (en) Method for transmission processing IP fragment message
CN109005179A (en) Network security tunnel establishing method based on port controlling
CN102111289B (en) Method and device for deploying authentication
CA2565536C (en) Supporting a network behind a wireless station
CN100452701C (en) Access authentication method for tunnel of intra-site automatic addressing protocol
CN104168564A (en) Authentication method and device based on GPRS network and integrated identification network
KR20040004724A (en) Wireless LAN service system providing proxy gateway and method thereof
WO2008083572A1 (en) A method for transfering the ip transmission session and the equipment whereto
US8068817B1 (en) Virtual address translation to support wireless access to data networks
CN105591929A (en) Method and device for authentication in light weight dual-protocol stack networking

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20090114

Termination date: 20200718