CN101141492A - Method and system for implementing DHCP address safety allocation - Google Patents

Info

Publication number
CN101141492A
Authority
CN
China
Prior art keywords
dhcp
client
server
address
message
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CNA2007101530819A
Other languages
Chinese (zh)
Other versions
CN101141492B (en)
Inventor
魏家宏
李军
陈武茂
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd filed Critical Huawei Technologies Co Ltd
Priority to CN200710153081.9A priority Critical patent/CN101141492B/en
Publication of CN101141492A publication Critical patent/CN101141492A/en
Application granted granted Critical
Publication of CN101141492B publication Critical patent/CN101141492B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Abstract

The present invention relates to a method and a system for secure DHCP address allocation. The core of the invention is as follows: a DHCP (Dynamic Host Configuration Protocol) client sends a DHCP Discover message through an access network; the access network obtains the port information and other identifying information of the DHCP client, and authentication is performed based on that identifying information; finally, a DHCP server allocates address information only to DHCP clients that have passed authentication. The invention can therefore perform access authentication on a user according to location information and allocate an IP address only to legitimate users and terminals, which greatly improves the security of allocating addresses via DHCP. Moreover, the invention allows addresses to be managed by an AAA server, or allows the address to be allocated after authentication by the AAA server succeeds.

Description

Method and system for implementing secure DHCP address allocation
Technical field
The present invention relates to the field of network communication technology, and in particular to a method and system for implementing secure DHCP address allocation.
Background
As access technologies such as ADSL (Asymmetric Digital Subscriber Line) and Ethernet mature, broadband access is becoming increasingly widespread, and more and more IPTV (Internet Protocol Television) video and VoIP (voice over IP) services are carried over broadband access networks. Each service requires a dedicated terminal: video services require an STB (set-top box), voice services require an IAD (integrated access device), and so on. Each dedicated terminal must obtain its own address information before it starts a service, and can then use that address information to carry out its services.
In a communication network, terminals usually obtain IP addresses through DHCP (Dynamic Host Configuration Protocol). Traditional Internet access service, by contrast, is usually implemented with PPPoE (Point-to-Point Protocol over Ethernet), in which an AAA server authenticates the accessing user and allocates the IP address. The AAA server is generally a RADIUS (Remote Authentication Dial-In User Service) server, but may also be another authentication server.
Fig. 1 shows the structure of a network communication system in which authentication is performed by a RADIUS server and IP address information is obtained from a DHCP server, where:
DHCP server: a server that manages IP addresses; it responds to address allocation requests from computers and allocates suitable IP addresses to them;
DHCP client: a terminal that uses DHCP to obtain network parameters such as an IP address, including computers, STBs, IADs, etc.;
RADIUS server: Remote Authentication Dial-In User Service server, used to manage users' accounts and passwords and to authenticate accessing users;
BRAS: Broadband Remote Access Server, responsible for managing the access of broadband users. For PPPoE users, the BRAS acts as a RADIUS client and initiates authentication requests to the RADIUS server; for DHCP users, the BRAS performs the DHCP relay function;
Access network: the network between the subscriber's home and the BRAS;
Access node: the equipment in the access network that connects directly to the subscriber line, such as the ADSL access device DSLAM;
OSS: operations support system, the system used for the operator's service provisioning and service management.
In Fig. 1, by deploying a DHCP server in the network, DHCP clients such as STBs and IADs can be allocated IP addresses using DHCP.
The procedure by which each DHCP client in Fig. 1 obtains an address is shown in Fig. 2:
Step 21: The DHCP client starts up and sends a DHCP Discover message to look for a server that can provide DHCP service;
Step 22: The BRAS, acting as a DHCP relay, relays the DHCP Discover message to the designated DHCP server;
Step 23: The DHCP server returns a DHCP Offer message, indicating that it can allocate an IP address to the client;
Step 24: The DHCP client sends a DHCP Request message, and the BRAS relays the DHCP Request message to the DHCP server;
Step 25: The DHCP server allocates a suitable IP address and returns a DHCP response message.
In this way the DHCP client obtains an IP address and can access the network and obtain network services.
As the above DHCP address allocation procedure shows, when DHCP clients obtain IP addresses via DHCP, an illegitimate user can easily obtain an IP address and obtain network services. It is therefore easy for a hacker to maliciously exhaust the IP address resources and attack the network, and once the network has been attacked the attacker cannot be traced.
In addition, the operator needs a DHCP server to manage the IP addresses of DHCP client users and a RADIUS server to manage the IP addresses of PPPoE client users. There are thus two sets of IP address resource management mechanisms, the data is scattered, and the management cost is high.
Summary of the invention
In view of the above problems in the prior art, the purpose of the present invention is to provide a method and system for implementing secure DHCP address allocation, so that the security of the DHCP server's address allocation process is effectively guaranteed.
The purpose of the invention is achieved through the following technical solutions:
The invention provides a method and system for implementing secure DHCP address allocation, comprising:
A. A Dynamic Host Configuration Protocol (DHCP) client sends a DHCP Discover message through an access network;
B. The access network side obtains the identifying information of the DHCP client and authenticates the client based on that identifying information;
C. For a DHCP client that passes authentication, a DHCP server allocates address information to it.
The identifying information comprises:
The port number, circuit number and link number of the DHCP client.
Step B comprises:
An access node or access server in the access network determines the client's identifying information from the inbound port/circuit/link information of the DHCP Discover message.
Step B comprises:
An access node or access server in the access network authenticates the legitimacy of the client according to the identifying information of the DHCP client and the pre-configured identifying information of legitimate users.
Step B comprises:
B1. An access node or access server in the access network uses the client's identifying information to initiate an authentication request to an authentication server;
B2. The authentication server authenticates the legitimacy of the client according to its stored identifying information of legitimate users.
The invention also provides a DHCP authentication server for implementing secure DHCP address allocation, comprising:
DHCP server module: receives the DHCP Request message sent by the DHCP client via an access node or access server, and responds with the address information that the authentication, authorization and accounting (AAA) client module received from the AAA server, which allocated it to the client that passed authentication;
Protocol conversion module: obtains the information required for AAA authentication from the DHCP Discover message of the DHCP client sent by the access node or access server and generates an AAA authentication message; and, according to the authentication response message received by the AAA client module, generates a DHCP Offer message and sends it;
AAA client module: communicates with the AAA server based on the authentication message generated by the protocol conversion module, obtains the authentication result for the DHCP client, and passes it to the protocol conversion module and the DHCP server module.
The invention also provides a DHCP authentication server for implementing secure DHCP address allocation, comprising:
Identification processing module: obtains the identifying information of the client that initiates the DHCP process, authenticates the legitimacy of the client according to the stored identifying information of legitimate users, and sends the DHCP Discover message of a DHCP client that passes authentication to the DHCP server;
DHCP server: receives the DHCP Discover message sent by the identification processing module and sends a DHCP Offer message to the DHCP client; when the DHCP client sends a DHCP Request message, allocates an address from its address pool to that DHCP client.
The invention also provides a system for implementing secure DHCP address allocation, comprising a DHCP client, an access network and a DHCP authentication server. The DHCP client communicates with the DHCP authentication server through the access network to obtain address information; the DHCP authentication server authenticates the legitimacy of the DHCP client's DHCP Discover message obtained through the access network, and allocates an address to a DHCP client that passes authentication.
The invention also provides a method for implementing secure DHCP address allocation based on the above system, comprising:
C. An access node or access server receives the DHCP Discover message sent by the DHCP client, inserts the client's identifying information into the message, and sends it to the DHCP authentication server;
D. The DHCP authentication server obtains the client's identifying information from the message;
E. The DHCP authentication server uses the identifying information to authenticate the legitimacy of the client, and performs address allocation only for clients that pass authentication.
Step E comprises:
The DHCP authentication server authenticates the DHCP client according to the locally stored identifying information of legitimate users, and sends the DHCP Discover message of a client that passes authentication to the DHCP server, which performs the address allocation;
or,
The DHCP authentication server uses the identifying information to send an authentication request message to an AAA server; the AAA server authenticates the client's identifying information and allocates address information to a client that passes authentication;
or,
The DHCP authentication server uses the identifying information to send an authentication request message to an AAA server; the AAA server authenticates the client's identifying information; after receiving the authentication-passed information, the DHCP authentication server allocates address information to the client that passed authentication.
As the technical solutions provided above show, the invention can perform access authentication on a user according to location information and allocate IP addresses only to legitimate users and terminals, which greatly improves the security of allocating addresses via DHCP;
Furthermore, in the invention addresses can be managed uniformly by the RADIUS server, i.e. the DHCP server and the RADIUS server manage IP addresses in a unified way, which reduces the cost of network management. The existing security measures of the RADIUS server can be used to control the number of IP addresses a user obtains, effectively preventing malicious address-exhaustion attacks. Even if a network attack or another network security problem occurs, the user's physical location can be traced from the IP address, which effectively deters hacking;
At the same time, the invention has good compatibility: its implementation adds no new interfaces or commands to the OSS system, and the service management flow for DHCP client users is fully consistent with the existing service provisioning and management flow for PPPoE clients, which protects the operator's investment.
Description of drawings
Fig. 1 is a schematic structural diagram of a broadband access system;
Fig. 2 is a schematic diagram of the process of obtaining an address from a DHCP server;
Fig. 3 is schematic structural diagram 1 of the DHCP authentication server of the invention;
Fig. 4 is schematic structural diagram 2 of the DHCP authentication server of the invention;
Fig. 5 is schematic structural diagram 1 of the system of the invention;
Fig. 6 is schematic diagram 1 of the DHCP address allocation process based on the system shown in Fig. 5;
Fig. 7 is schematic diagram 2 of the DHCP address allocation process based on the system shown in Fig. 5;
Fig. 8 is schematic structural diagram 2 of the system of the invention;
Fig. 9 is a schematic diagram of the DHCP address allocation process based on the system shown in Fig. 8.
Embodiments
The core of the invention is to add, to the process by which a DHCP client obtains address information from a DHCP server, a step that authenticates the legitimacy of the DHCP client, thereby preventing attacks on the DHCP server by illegitimate users. In addition, based on this core idea, the address management of the DHCP server and of the authentication server can be unified, which simplifies address management. The authentication server includes AAA servers such as a RADIUS server, and may of course be another authentication server with similar functions.
The method provided by the invention for implementing secure DHCP address allocation mainly comprises:
(1) The DHCP client sends a DHCP Discover message through the access network;
(2) An access server on the network side (such as a BRAS or an access node) determines the identifying information of the DHCP client from the ingress port information of the DHCP Discover message, such as the port number of the DHCP client, VPI/VCI (virtual path identifier/virtual channel identifier) and VLAN ID (virtual LAN identifier) information, and authenticates the DHCP client based on that identifying information and the pre-configured identifying information of legitimate users;
Taking a RADIUS server as the authentication server as an example, an access node or access server in the access network can use the client's identifying information to initiate an authentication request to the RADIUS (Remote Authentication Dial-In User Service) server, and the RADIUS server authenticates the legitimacy of the client according to its stored identifying information of legitimate users;
Of course, a gateway dedicated to authentication may also be provided, which performs the authentication according to its configured information.
(3) The DHCP Discover message of a DHCP client that passes authentication is sent to the DHCP server, which allocates address information to it. The address allocation process itself is the same as the existing one and is therefore not described in detail.
To implement the above method, a DHCP server with an authentication function can be deployed in the network. On receiving the DHCP Discover message sent by a DHCP client, it first performs authentication, and allocates address information to the client only after authentication passes.
The invention provides two kinds of DHCP authentication server with an authentication function, each described below with reference to the drawings.
The first kind of DHCP authentication server authenticates DHCP clients through an authentication server such as a RADIUS server. Its structure is shown in Fig. 3, which takes a RADIUS server as the authentication server as an example, and comprises:
DHCP server module: allocates IP addresses to DHCP clients that pass authentication. Specifically, it receives the DHCP Request message sent by the DHCP client via an access node or access server and allocates the corresponding IP address information to it; that IP address is the one received by the RADIUS client module, returned by the RADIUS server for the client that passed authentication;
Protocol conversion module: obtains the information required for RADIUS authentication from the DHCP Discover message of the DHCP client sent by the access node or access server, and generates the RADIUS authentication message used to authenticate the DHCP client. The protocol conversion module also responds to the DHCP client according to the authentication response message received by the RADIUS client module: for a DHCP client that passed authentication, it generates the corresponding DHCP Offer message and sends it to that DHCP client, indicating that the client can be allocated an IP address;
RADIUS client module: communicates with the RADIUS server based on the authentication message generated by the protocol conversion module, thereby carrying out the authentication of the DHCP client; the legitimacy check follows the rules configured in the RADIUS server. It then obtains the authentication result for the DHCP client, which contains the IP address the RADIUS server allocated to the client; this IP address is passed to the DHCP server module. The response message for a DHCP client that passed authentication is handed to the protocol conversion module for subsequent processing, i.e. sending a DHCP Offer message to the DHCP client.
In this case the DHCP authentication server operates in gateway mode and supports both DHCP and the RADIUS protocol. From the point of view of the DHCP client and the BRAS, the DHCP authentication server is a DHCP server; from the point of view of the RADIUS server, it is a RADIUS client.
The processing is as follows: the DHCP authentication server processes the DHCP message forwarded by the DHCP relay, generates a RADIUS message from the client identifying information carried in the message, and initiates authentication to the RADIUS server. The RADIUS server judges the user's legitimacy against pre-configured user data, completes the authentication and allocates an IP address to the user. After the DHCP authentication server receives the authentication response message from the RADIUS server, it returns a DHCP message to the DHCP client carrying the IP address allocated by RADIUS, and the DHCP client finally obtains the IP address.
The second kind of DHCP authentication server has the authentication function built in locally. Its structure is shown in Fig. 4 and comprises:
Identification processing module: obtains the identifying information of the DHCP client that initiates the DHCP process, authenticates the legitimacy of the client according to the identifying information of legitimate users that it holds, and sends the authentication result to the DHCP server module; the identifying information of legitimate users can simply be kept in a corresponding storage module;
DHCP server module: obtains the identification processing module's authentication result for the DHCP client and sends a DHCP Offer message to a DHCP client that passed authentication, indicating that the DHCP server can allocate an IP address to it; when the DHCP client sends a DHCP Request message, it allocates the corresponding IP address, i.e. it performs the function of a DHCP server.
In this case the DHCP authentication server operates in server mode and is equivalent to a DHCP server with a security authentication function; it can independently carry out both client authentication and address allocation.
Both kinds of DHCP authentication server can be deployed in any network that needs a DHCP server, to provide the address allocation function.
The invention also provides a system for secure DHCP address allocation with a DHCP address allocation authentication function. Its structure is shown in Fig. 5 and Fig. 8 and comprises a DHCP client, an access network and a DHCP authentication server. The DHCP authentication server authenticates the legitimacy of the DHCP client's DHCP Discover message obtained through the access network and performs address allocation for DHCP clients that pass authentication.
In the system of the invention, the DHCP authentication server can authenticate the DHCP client and allocate the corresponding IP address in the following two ways:
In the first, the identifying information of the DHCP client is sent to the RADIUS server in an authentication request message; the RADIUS server authenticates the client and allocates the IP address, or the RADIUS server only performs authentication and the DHCP server still allocates the IP address. A RADIUS server is used here as the authentication server only to describe a concrete application example of the invention, which is not limited to it;
In the second, the legitimacy of the DHCP client's identifying information is checked against the locally stored identifying information of legitimate users, and the DHCP server allocates the IP address to a DHCP client that passes authentication.
In the system, the access node and the BRAS support capturing DHCP messages and inserting Option 82, so that the DHCP authentication server can obtain the identifying information of the DHCP client after receiving the DHCP message. The user location information carried in Option 82 serves as the identifying information, and includes port information, VPI/VCI information, VLAN ID and similar information. Option 82 can be inserted into the DHCP message at the access node, or at the BRAS.
Based on the above system, the invention also provides a corresponding method for implementing secure DHCP address allocation, described in detail below.
First, the method is described taking as an example the DHCP authentication server operating in gateway mode with a RADIUS server as the authentication server, as shown in Fig. 5, Fig. 6 and Fig. 7:
As shown in Fig. 5 and Fig. 6, the method is implemented through the following steps:
Step 61: When the user opens an account, the operator adds a user record to the RADIUS server. The account name is the user's location information, encoded in the same way as the Option 82 inserted by the access node and the BRAS; the MAC address of the terminal (STB, IAD) can optionally be recorded.
Step 62: When the DHCP client needs to obtain IP address information, it sends a DHCP Discover message to the BRAS;
Step 63: The BRAS, acting as a DHCP relay, captures the DHCP message, inserts Option 82 into it, and sends the DHCP Discover message carrying the user location information to the DHCP authentication server. Option 82 identifies the user's location information, such as port information, VPI/VCI and VLAN ID;
Step 64: The DHCP authentication server receives the DHCP message relayed by the BRAS, extracts Option 82 and the terminal's MAC address from it, generates a RADIUS protocol message and sends it to the RADIUS server. In that message the account name is the content of Option 82, and the Calling-Station-ID (calling station identifier) attribute is the terminal's MAC address;
The RADIUS server receives the authentication request and authenticates it against the information in its database: it judges the user's legitimacy from the account name and can judge the terminal's legitimacy from the MAC address. If authentication passes, it allocates an IP address to the user and returns an authentication response message; see step 65;
Step 65: After authentication passes, the RADIUS server returns an authentication response message to the DHCP authentication server, carrying the IP address allocated to the client;
After receiving the authentication response message, the DHCP authentication server extracts the IP address allocated by RADIUS and uses the standard DHCP procedure to allocate the IP address to the DHCP client, as in the following steps:
Step 66: After receiving the response message, the DHCP authentication server sends a DHCP Offer message to the DHCP client;
Step 67: After receiving the DHCP Offer message, the DHCP client sends a DHCP Request message to the DHCP authentication server;
Step 68: The DHCP authentication server sends the IP address information received from the RADIUS server to the DHCP client in a DHCP response message.
Step 63 above describes the BRAS inserting Option 82. In practice, as shown in Fig. 7, Option 82 can also be inserted by the DSLAM (Digital Subscriber Line Access Multiplexer), i.e. by the access node, with the BRAS acting only as a DHCP relay; the rest of the processing is the same as described above.
In the above process, if the RADIUS server only performs authentication and the DHCP server still allocates the IP address, steps 65 to 68 become: when the RADIUS server returns the authentication-passed message to the DHCP server, the DHCP server sends a DHCP Offer message to the DHCP client, and the subsequent processing, identical to the existing address allocation process, allocates the IP address to the DHCP client.
Next, the method is described taking as an example the DHCP authentication server operating in server mode, as shown in Fig. 8 and Fig. 9:
Step 91: When the user opens an account, the operator adds a record to the DHCP authentication server recording the user's location information, encoded in the same way as the Option 82 inserted by the access node and the BRAS; the MAC address of the terminal (STB, IAD) can optionally be recorded.
Step 92: When the DHCP client needs to obtain IP address information, it sends a DHCP Discover message to the BRAS;
Step 93: The BRAS, acting as a DHCP relay, captures the DHCP message, inserts Option 82 into it, and sends the DHCP Discover message carrying the user location information to the DHCP authentication server. Option 82 identifies the user's location information, such as port information, VPI/VCI and VLAN ID;
The DHCP authentication server receives the DHCP message relayed by the BRAS, extracts from it Option 82, which serves as the identifying information, and the terminal's MAC address, queries the local database, and authenticates the DHCP client's identifying information against the locally stored identifying information of legitimate users. If authentication passes, it returns a DHCP Offer message to the DHCP client; see step 94;
Step 94: The DHCP authentication server sends a DHCP Offer message to the DHCP client;
Step 95: After receiving the DHCP Offer message, the DHCP client sends a DHCP Request message to the DHCP authentication server;
Step 96: The DHCP authentication server allocates IP address information to the DHCP client and sends it to the DHCP client in a DHCP response message.
Likewise, step 93 in Fig. 9 describes the BRAS inserting Option 82; in practice Option 82 can also be inserted by the access node DSLAM, with the BRAS acting only as a DHCP relay, and the rest of the flow is the same.
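The checks in step 64 (gateway mode) and step 93 (server mode) can be exercised as follows; this is an added example, not code from the patent. It assumes the RFC 3046 layout for Option 82 (circuit ID in sub-option 1), that the RADIUS account name is the raw circuit ID, and that a zero giaddr is rejected because such a packet was not relayed; the function names, subscriber table and sample packet are constructed for illustration.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"            # marks the start of the DHCP options
OPT_PAD, OPT_MSG_TYPE, OPT_RELAY_INFO, OPT_END = 0, 53, 82, 255
SUB_CIRCUIT_ID = 1                             # RFC 3046 Agent Circuit ID sub-option
DHCPDISCOVER = 1
RADIUS_USER_NAME, RADIUS_CALLING_STATION_ID = 1, 31


def parse_tlvs(buf, pad=None, end=None):
    """Walk a code/length/value run; fail on truncation instead of guessing."""
    out, i = {}, 0
    while i < len(buf):
        code = buf[i]
        if code == end:
            break
        if code == pad:
            i += 1
            continue
        if i + 2 > len(buf):
            raise ValueError("truncated option header")
        length = buf[i + 1]
        value = buf[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        out[code] = out.get(code, b"") + value   # repeated codes are concatenated
        i += 2 + length
    return out


def client_identity(packet):
    """Return (circuit_id, mac) from a relayed DHCP Discover, else raise ValueError."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    if packet[0] != 1 or packet[1] != 1 or packet[2] != 6:
        raise ValueError("expected a BOOTREQUEST from an Ethernet client")
    if packet[24:28] == b"\x00" * 4:
        # Assumption: only relayed packets are trusted, since a client that
        # reaches the server directly could supply its own Option 82.
        raise ValueError("giaddr is zero: packet did not come through a relay")
    options = parse_tlvs(packet[240:], pad=OPT_PAD, end=OPT_END)
    if options.get(OPT_MSG_TYPE) != bytes([DHCPDISCOVER]):
        raise ValueError("not a DHCP Discover")
    relay_info = options.get(OPT_RELAY_INFO)
    if relay_info is None:
        raise ValueError("no Option 82: the relay did not tag the packet")
    circuit_id = parse_tlvs(relay_info).get(SUB_CIRCUIT_ID)
    if not circuit_id:
        raise ValueError("Option 82 carries no circuit ID")
    return circuit_id, packet[28:34]             # chaddr starts at offset 28


def authenticate_local(packet, subscribers):
    """Server mode: accept only provisioned lines, and the recorded MAC if one is stored."""
    try:
        circuit_id, mac = client_identity(packet)
    except ValueError:
        return False
    if circuit_id not in subscribers:
        return False
    recorded_mac = subscribers[circuit_id]       # None means no MAC was recorded
    return recorded_mac is None or recorded_mac == mac


def radius_attributes(packet):
    """Gateway mode: User-Name and Calling-Station-Id attributes for the request."""
    circuit_id, mac = client_identity(packet)
    calling = "-".join(f"{b:02X}" for b in mac).encode()
    attrs = b""
    for attr_type, value in ((RADIUS_USER_NAME, circuit_id),
                             (RADIUS_CALLING_STATION_ID, calling)):
        if len(value) > 253:
            raise ValueError("value too long for one RADIUS attribute")
        attrs += bytes([attr_type, len(value) + 2]) + value
    return attrs


def build_discover(mac, circuit_id=None):
    """Constructed sample: a relayed Discover, optionally tagged with Option 82."""
    fixed = struct.pack("!BBBBIHHIIII", 1, 1, 6, 1, 0x1234, 0, 0, 0, 0, 0, 0x0A000001)
    fixed += mac + b"\x00" * 10 + b"\x00" * 192  # chaddr padding, sname, file
    opts = bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER])
    if circuit_id is not None:
        sub = bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
        opts += bytes([OPT_RELAY_INFO, len(sub)]) + sub
    return fixed + MAGIC_COOKIE + opts + bytes([OPT_END])


if __name__ == "__main__":
    mac = bytes.fromhex("001122334455")          # constructed terminal MAC
    line = b"bras1 eth 0/1/2:100"                # constructed circuit ID
    subscribers = {line: mac}
    print(authenticate_local(build_discover(mac, line), subscribers))
    print(authenticate_local(build_discover(mac), subscribers))
    print(radius_attributes(build_discover(mac, line)).hex())
```
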
In summary, the invention greatly improves the security of allocating addresses via DHCP: it can perform access authentication on users according to location information and allocate IP addresses only to legitimate users and legitimate terminals, effectively preventing malicious address-exhaustion attacks. Moreover, when a network attack or another network security problem occurs, the user's physical location can be traced from the IP address, which effectively deters hacking.
The above is only a preferred embodiment of the invention, but the scope of protection of the invention is not limited to it. Any variation or replacement that a person skilled in the art could readily conceive within the technical scope disclosed by the invention shall fall within the scope of protection of the invention. The scope of protection of the invention shall therefore be determined by the scope of protection of the claims.

Claims (10)

1. A method and system for implementing DHCP address safety allocation, characterized by comprising:
A. A Dynamic Host Configuration Protocol (DHCP) client sends a DHCP Discover message through the access network;
B. The access network side obtains the identifying information of the DHCP client and authenticates the client based on that identifying information;
C. For a DHCP client that passes authentication, the DHCP server allocates address information to it.
2. The method for implementing DHCP address safety allocation according to claim 1, characterized in that the identifying information comprises:
The port number, circuit number, hyphen of the DHCP client.
3. The method for implementing DHCP address safety allocation according to claim 1, characterized in that step B comprises:
The access node or access server in the access network determines the client's identifying information according to the inbound port/circuit/link information of the DHCP Discover message.
4. The method for implementing DHCP address safety allocation according to claim 1, 2 or 3, characterized in that step B comprises:
The access node or access server in the access network authenticates the legitimacy of the client according to the identifying information of the DHCP client and the pre-configured identifying information of legitimate users.
5. The method for implementing DHCP address safety allocation according to claim 1, 2 or 3, characterized in that step B comprises:
B1. The access node or access server in the access network uses the identifying information of the client to initiate an authentication request to the authentication server;
B2. The authentication server authenticates the legitimacy of the client according to the stored identifying information of legitimate users.
6. A DHCP authentication server for implementing DHCP address safety allocation, characterized by comprising:
DHCP server module: receives the DHCP Request message sent by the DHCP client via the access node or access server, and responds to the DHCP client with the address information, received by the AAA (authentication, authorization and accounting) client module, that the AAA server returned as allocated for the client that passed authentication;
Protocol conversion module: used to obtain, from the DHCP Discover message of the corresponding DHCP client sent by the access node or access server, the information needed for AAA authentication and generate an AAA authentication message, and, according to the authentication response message received by the AAA client module, to generate and send a DHCP Offer message;
AAA client module: used to communicate with the AAA server based on the authentication message generated by the protocol conversion module, obtain the authentication result for the DHCP client, and pass it to the protocol conversion module and the DHCP server module.
7. A DHCP authentication server for implementing DHCP address safety allocation, characterized by comprising:
Identification processing module: used to obtain the identifying information of the client that initiates the DHCP process, authenticate the legitimacy of the client according to the stored identifying information of legitimate users, and send the DHCP Discover message of a DHCP client that passes authentication to the DHCP server;
DHCP server: receives the DHCP Discover message sent by the identification processing module and sends a DHCP Offer message to the DHCP client; when the DHCP client sends a DHCP Request message, it allocates the corresponding DHCP client an address from its address pool.
8. A system for implementing DHCP address safety allocation, characterized by comprising: a DHCP client, an access network and a DHCP authentication server, wherein the DHCP client communicates with the DHCP authentication server through the access network to obtain address information, and the DHCP authentication server is used to authenticate the legitimacy of the DHCP client's DHCP Discover message obtained via the access network and to allocate an address to a DHCP client that passes authentication.
9. A method for implementing DHCP address safety allocation based on the above system, characterized by comprising:
C. The access node or access server receives the DHCP Discover message sent by the DHCP client, inserts the identifying information of the client into the message, and sends it to the DHCP authentication server;
D. The DHCP authentication server obtains the identifying information of the client from the message;
E. The DHCP authentication server uses the identifying information to authenticate the legitimacy of the client, and performs address allocation only for a client that passes authentication.
10. The method for implementing DHCP address safety allocation according to claim 9, characterized in that step E comprises:
The DHCP authentication server authenticates the DHCP client according to the locally stored identifying information of legitimate users, and sends the DHCP Discover message of a client that passes authentication to the DHCP server, which performs the address allocation;
Or,
The DHCP authentication server uses the identifying information to send an authentication request message to the AAA server; the AAA server authenticates the identifying information of the client and allocates address information to a client that passes authentication;
Or,
The DHCP authentication server uses the identifying information to send an authentication request message to the AAA server; the AAA server authenticates the identifying information of the client; after receiving the authentication-passed information, the DHCP authentication server allocates address information to the client that passed authentication.
CN200710153081.9A 2005-04-29 2005-04-29 Method and system for implementing DHCP address safety allocation Active CN101141492B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN200710153081.9A CN101141492B (en) 2005-04-29 2005-04-29 Method and system for implementing DHCP address safety allocation

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN200710153081.9A CN101141492B (en) 2005-04-29 2005-04-29 Method and system for implementing DHCP address safety allocation

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
CNB2005100694174A Division CN100388739C (en) 2005-04-29 2005-04-29 Method and system for contributing DHCP addresses safely

Publications (2)

Publication Number Publication Date
CN101141492A true CN101141492A (en) 2008-03-12
CN101141492B CN101141492B (en) 2014-11-05

Family

ID=39193230

Family Applications (1)

Application Number Title Priority Date Filing Date
CN200710153081.9A Active CN101141492B (en) 2005-04-29 2005-04-29 Method and system for implementing DHCP address safety allocation

Country Status (1)

Country Link
CN (1) CN101141492B (en)

Also Published As

Publication number Publication date
CN101141492B (en) 2014-11-05

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant