CN101527671A - Method, equipment and system for realizing IPv6 conversation - Google Patents

Publication number
CN101527671A
Authority
CN
China
Prior art keywords
eap
message
dhcp client
address
server
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN200810026558A
Other languages
Chinese (zh)
Inventor
郑若滨
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd
Priority to CN200810026558A
Publication of CN101527671A
Legal status: Pending

Landscapes

  • Small-Scale Networks (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method for realizing an IPv6 session. The method comprises at least three stages: (a) an authentication stage, in which, when the user terminal hosting a DHCP client accesses the network, Extensible Authentication Protocol (EAP) authentication is triggered and is completed by exchanging EAP messages, carried over the DHCPv6 protocol, with a DHCP proxy or server; (b) an address allocation stage, in which, when authentication succeeds, the DHCP proxy or server assigns an IPv6 address to the DHCP client through stateless address allocation; and (c) an access stage, in which the DHCP client uses the assigned IPv6 address to access the network. Correspondingly, the invention also provides network-side equipment, a DHCP client and a system. The method overcomes the defect that the existing IP session cannot support dynamic address allocation and DHCP authentication at the same time, and helps the popularization of IPv6 technology.

Description

A method, equipment and system for realizing an IPv6 session
Technical field
The present invention relates to the field of electronic communications, and in particular to a method, network-side equipment, a Dynamic Host Configuration Protocol (DHCP) client and a system for realizing an Internet Protocol version 6 (IPv6) session.
Background art
In an access network, an IP session represents a network access connection session associated with the IP address of a subscriber or user. An IP session is the peer of a session of the link-layer Point-to-Point Protocol (PPP), and "subscriber session" is the general term for IP sessions and PPP sessions. A PPP session uses the PPP-specific liveness detection mechanism, whereas an IP session uses its own liveness detection mechanism based on Bidirectional Forwarding Detection (BFD), the Address Resolution Protocol (ARP) or the Internet Control Message Protocol (ICMP).
A subscriber session is usually terminated on an IP edge device; that is, a subscriber session is a session connection established between the user terminal and the IP edge device. The network uses the subscriber session to manage the user's access to the network, for example charging and state.
At present, the Digital Subscriber Line (DSL) network architecture supports only Internet Protocol version 4 (IPv4). With the exhaustion of IPv4 addresses, evolution of the DSL network architecture to IPv6 is an inevitable trend. In the course of realizing the present invention, the inventor found that the IP session of the prior art supports only IPv4. User authentication for an IPv4 session uses DHCP authentication, whereas IPv6 can use stateless address allocation, but stateless address allocation cannot support DHCP authentication; that is, the existing IP session cannot support stateless address allocation and DHCP authentication at the same time.
Summary of the invention
The embodiments of the invention provide a method, network-side equipment, a DHCP client and a system for realizing an IPv6 session, achieving an IP session that supports both stateless IPv6 address allocation and DHCP authentication, which helps the development of IPv6 technology.
To achieve the above technical effect, an embodiment of the invention provides a method for realizing an IPv6 session, comprising:
a DHCP client triggers Extensible Authentication Protocol (EAP) authentication, and exchanges EAP messages, carried over the DHCPv6 protocol, with a DHCP proxy or server to complete authentication;
when authentication succeeds, the DHCP client receives the IPv6 address assigned to it by the DHCP proxy or server through stateless address allocation;
the DHCP client uses the assigned IPv6 address to access the network.
Correspondingly, an embodiment of the invention provides network-side equipment for realizing an IPv6 session, comprising:
an EAP authentication module, configured to exchange EAP messages with the DHCP client and with the AAA server respectively to complete EAP authentication, wherein the EAP messages exchanged with the DHCP client are carried over the DHCPv6 protocol;
an address allocation module, configured to assign an IPv6 address to the DHCP client through stateless address allocation after the DHCP client passes EAP authentication.
Correspondingly, an embodiment of the invention provides a DHCP client, comprising:
an authentication module, configured to exchange EAP messages, carried over the DHCPv6 protocol, with a DHCP proxy or server to complete EAP authentication;
an address receiving module, configured to receive the IPv6 address assigned by the DHCP proxy or server through stateless address allocation;
an access module, configured to access the network using the IPv6 address.
Correspondingly, an embodiment of the invention also provides a system for realizing an IPv6 session, comprising network-side equipment and a DHCP client, wherein the network-side equipment comprises:
an EAP authentication module, configured to exchange EAP messages with the DHCP client and with the AAA server respectively to complete EAP authentication, wherein the EAP messages exchanged with the DHCP client are carried over the DHCPv6 protocol;
an address allocation module, configured to assign an IPv6 address to the DHCP client through stateless address allocation after the DHCP client passes EAP authentication.
With the method, network-side equipment, DHCP client and system for realizing an IPv6 session proposed by the embodiments of the invention, DHCP authentication is separated from IPv6 address allocation while the IPv6 session is being established. This achieves both stateless IPv6 address allocation and DHCP authentication, greatly improves the compatibility of IPv6 technology with DHCP technology, helps the popularization of IPv6 technology, and promotes the development of communication technology.
Description of drawings
Fig. 1 is a flow chart of a first specific embodiment of the method for realizing an IPv6 session according to the present invention;
Fig. 2 is a flow chart of a second specific embodiment of the method for realizing an IPv6 session according to the present invention;
Fig. 3 is a flow chart of EAP authentication triggered by the DHCP client in an embodiment of the invention;
Fig. 4 is a flow chart of EAP authentication triggered by the DHCP proxy or server in an embodiment of the invention;
Fig. 5 is a block diagram of the system for realizing an IPv6 session proposed by an embodiment of the invention;
Fig. 6 is a structural diagram of a first specific embodiment of the network-side equipment for realizing an IPv6 session according to the present invention;
Fig. 7 is a structural diagram of a second specific embodiment of the network-side equipment for realizing an IPv6 session according to the present invention;
Fig. 8 is a structural diagram of an EAP authentication module according to an embodiment of the invention;
Fig. 9 is a structural diagram of a DHCP client according to an embodiment of the invention.
Embodiments
In the method, network-side equipment, DHCP client and system for realizing an IPv6 session proposed by the embodiments of the invention, realizing an IPv6 session comprises at least three stages:
a, authentication stage: when the user terminal hosting the DHCP client (Client) accesses the network, Extensible Authentication Protocol (EAP) authentication is triggered, and EAP messages carried over the DHCPv6 protocol are exchanged with the DHCP proxy or server (DHCP Proxy/Server) to complete authentication;
b, address allocation stage: when authentication succeeds, the DHCP proxy or server assigns an IPv6 address to the DHCP client through stateless address allocation;
c, access stage: the DHCP client uses the assigned IPv6 address to access the network.
DHCP authentication is realized in stage a and stateless address allocation in stage b, which effectively solves the defect that the existing IP session cannot support dynamic address allocation and DHCP authentication at the same time, and helps the popularization of IPv6 technology.
The technical solution of the method, network-side equipment, DHCP client and system for realizing an IPv6 session proposed by the embodiments of the invention is described in detail below by way of specific embodiments, with reference to the accompanying drawings.
With reference to Fig. 1, which shows the flow chart of the first specific embodiment of the method for realizing an IPv6 session according to the present invention, the method comprises:
Authentication stage: S1, the DHCP Client exchanges EAP messages, carried over the DHCPv6 protocol, with the DHCP Proxy/Server, the EAP messages containing the authentication method, such as EAP-SIM or EAP-AKA;
S2, the DHCP Proxy/Server exchanges the EAP messages, carried in AAA messages, with the AAA server; the AAA server authenticates the DHCP Client, completing the EAP authentication.
It should be noted that the specific interaction flow of the authentication stage is described later with reference to Fig. 3. In this stage, EAP authentication may need to be performed twice: once for the Network Access Provider (NAP) and once for the Internet Service Provider (ISP).
Address allocation stage: S3, the DHCP Proxy/Server assigns an IPv6 address to the DHCP Client through stateless address allocation;
It should be noted that this stage can use existing techniques for stateless IPv6 address allocation, for example automatic configuration of the link-local address (LLA) and automatic configuration of the global IPv6 address, which are usually implemented with the IPv6 Neighbor Discovery Protocol. Of course, stateful IPv6 address allocation may also be used to assign the IPv6 address to the DHCP Client.
Access stage: S4, a security association is established between the DHCP Client and the node where the DHCP Proxy/Server is located. The security association may be established using the Internet Key Exchange (IKE) protocol or the three-way handshake protocol for 802.16 security association establishment. The node where the DHCP Proxy/Server is located includes a Broadband Network Gateway (BNG) or a Broadband Remote Access Server (BRAS);
S5, after the security association has been established, the DHCP Client sends or receives IP data through the node where the DHCP Proxy/Server is located;
S6, the node where the DHCP Proxy/Server is located performs encrypted access filtering on the IP data that the DHCP Client receives or sends; encrypted access filtering specifically means filtering out IP data that is unencrypted or not correctly encrypted;
S7, the DHCP Client and the DHCP Proxy/Server check the liveness state of the IPv6 session by sending each other IPv6 session liveness monitoring messages. Specifically, BFD may be used to monitor the liveness of the IPv6 session; the ARP or ICMP liveness detection mechanism may of course also be used.
Termination stage: S8, the user terminal hosting the DHCP Client goes offline;
S9, the DHCP Proxy/Server detects the end of the IPv6 session through the BFD mechanism. Specifically, when the DHCP Proxy/Server does not receive the IPv6 session liveness monitoring message within a preset time, it triggers release of the IPv6 address.
It should be noted that, in this embodiment, during the access stage, the DHCP Proxy/Server triggers EAP authentication again when the network-side re-authentication timer expires or the network management system triggers re-authentication, and the DHCP Client triggers EAP authentication again when the user-side re-authentication timer expires or the user terminal re-accesses the network. If re-authentication succeeds, the flow returns to the access stage and the current IPv6 session period is extended; otherwise the IPv6 session is deleted. The EAP authentication re-triggered by the DHCP Client is identical to the EAP authentication of the authentication stage and is described in detail later with reference to Fig. 3; the EAP authentication flow triggered by the DHCP Proxy/Server is described in detail later with reference to Fig. 4.
The first specific embodiment above sets out the technical solution in which encrypted access filtering is used in the IPv6 session. The realization of an IPv6 session using non-encrypted access filtering is described in detail below with reference to Fig. 2.
With reference to Fig. 2, which shows the flow chart of the second specific embodiment of the method for realizing an IPv6 session according to the present invention, the method comprises:
Authentication stage: F1-F2 are identical to S1-S2 of the first specific embodiment and are not repeated here.
Address allocation stage: F3 is identical to S3 of the first specific embodiment and is not repeated here;
F4, the access node (Access Node, AC) on the network side and the BNG or BRAS where the DHCP Proxy/Server is located snoop the stateless IPv6 address allocation and trigger binding of the assigned IPv6 address to the Media Access Control (MAC) address, obtaining the binding relationship between the IPv6 address and the MAC address.
Access stage: F5 is identical to S5 of the first specific embodiment and is not repeated here;
F6, the node where the DHCP Proxy/Server is located performs non-encrypted access filtering on the IP data that the DHCP Client receives or sends; non-encrypted access filtering means filtering out IP data whose IPv6 address and MAC address do not satisfy the binding relationship obtained in F4;
F7 is identical to S7 of the first specific embodiment and is not repeated here.
Termination stage: F8 is identical to S8 of the first specific embodiment and is not repeated here;
F9-F10, when the DHCP Proxy/Server does not receive the IPv6 session liveness monitoring message within a preset time, it triggers unbinding of the IPv6 address and the MAC address, and releases the IPv6 address.
It should be noted that, in this embodiment, during the access stage, the DHCP Proxy/Server triggers EAP authentication again when the network-side re-authentication timer expires or the network management system triggers re-authentication, and the DHCP Client triggers EAP authentication again when the user-side re-authentication timer expires or the user terminal re-accesses the network. If re-authentication succeeds, the flow returns to the access stage and the current IPv6 session period is extended; otherwise the IPv6 session is deleted. The EAP authentication re-triggered by the DHCP Client is identical to the EAP authentication of the authentication stage and is described in detail later with reference to Fig. 3; the EAP authentication flow triggered by the DHCP Proxy/Server is described in detail later with reference to Fig. 4.
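The non-encrypted access filtering of steps F4, F6, F7 and F9-F10, sketched as an added example that is not code from the patent. The class and method names, the 30-second timeout and the 2001:db8:: sample addresses are constructed, and the refusal to rebind an address that is already bound to a different MAC is a design assumption of this sketch.

```python
import ipaddress
from dataclasses import dataclass


def norm_mac(mac):
    """Canonicalise a MAC so 'AA-BB-...' and 'aa:bb:...' compare equal."""
    digits = mac.replace(":", "").replace("-", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return digits


@dataclass
class Binding:
    mac: str
    last_seen: float  # time of the last liveness monitoring message


class BindingFilter:
    def __init__(self, liveness_timeout):
        self.timeout = liveness_timeout
        self.bindings = {}  # IPv6Address -> Binding

    def on_address_assigned(self, ipv6, mac, now):
        """F4: bind a snooped stateless assignment to the client's MAC."""
        addr, mac = ipaddress.IPv6Address(ipv6), norm_mac(mac)
        held = self.bindings.get(addr)
        if held is not None and held.mac != mac:
            return False  # assumption: never rebind a live address to a new MAC
        self.bindings[addr] = Binding(mac, now)
        return True

    def permit(self, src_ipv6, src_mac):
        """F6: pass only data whose IPv6 address and MAC match a binding."""
        try:
            addr, mac = ipaddress.IPv6Address(src_ipv6), norm_mac(src_mac)
        except ValueError:
            return False  # unparseable addresses are filtered, not passed
        held = self.bindings.get(addr)
        return held is not None and held.mac == mac

    def on_liveness(self, ipv6, mac, now):
        """F7: a liveness message from the bound client refreshes the session."""
        if not self.permit(ipv6, mac):
            return False
        self.bindings[ipaddress.IPv6Address(ipv6)].last_seen = now
        return True

    def expire(self, now):
        """F9-F10: unbind and release addresses whose liveness timed out."""
        dead = [a for a, b in self.bindings.items() if now - b.last_seen > self.timeout]
        for addr in dead:
            del self.bindings[addr]
        return sorted(str(a) for a in dead)


def demo():
    """Constructed scenario: one client, one mismatched frame, one timeout."""
    f = BindingFilter(liveness_timeout=30)
    f.on_address_assigned("2001:db8::1", "AA-BB-CC-00-00-01", now=0)
    return [
        f.permit("2001:0DB8:0:0:0:0:0:1", "aa:bb:cc:00:00:01"),  # same pair, other spelling
        f.permit("2001:db8::1", "aa:bb:cc:00:00:02"),            # bound address, wrong MAC
        f.on_liveness("2001:db8::1", "aa:bb:cc:00:00:01", now=20),
        f.expire(now=40),                                        # 20 s idle: kept
        f.expire(now=51),                                        # 31 s idle: released
        f.permit("2001:db8::1", "aa:bb:cc:00:00:01"),            # filtered after release
    ]
```

Comparing parsed addresses rather than strings matters here: the same IPv6 address has many textual spellings, and a string-keyed table would filter legitimate traffic or miss a mismatch.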
The flows in which the DHCP Client triggers EAP authentication and in which the DHCP Proxy/Server triggers EAP authentication are described in detail below with reference to Fig. 3 and Fig. 4.
Fig. 3 shows the flow chart of EAP authentication triggered by the DHCP Client in an embodiment of the invention, comprising:
S101, the DHCP Client sends to the DHCP Proxy/Server a DHCPv6 EAP message carrying the authentication protocol option (auth-proto option); the auth-proto option indicates that the authentication mode supported by the DHCP Client is the EAP mode, and triggers EAP authentication;
S102, after receiving the DHCPv6 EAP message, the DHCP Proxy/Server sends an identity query request (EAP Request/Identity) message to the DHCP Client, carried in a DHCPv6 EAP message;
S103, after receiving the EAP Request/Identity message, the DHCP Client sends an identity query response (EAP Response/Identity) message to the DHCP Proxy/Server, the identity query response message being carried in a DHCPv6 EAP message;
S104, the DHCP Proxy/Server encapsulates the EAP Response/Identity message sent by the DHCP Client in an AAA message and sends it to the AAA server; the AAA message may specifically be carried by the RADIUS protocol or the Diameter protocol, each of which is an authentication protocol;
S105-S106, the DHCP Client and the DHCP Proxy/Server exchange EAP messages carried in DHCPv6 EAP messages, and the DHCP Proxy/Server and the AAA server exchange EAP messages carried in AAA messages, completing authentication method negotiation and authentication method exchange;
S107, the AAA server sends to the DHCP Proxy/Server an authentication result message indicating authentication success (EAP Success/Key Material) or authentication failure (EAP Failure), the authentication result message being carried in an AAA message;
S108, the DHCP Proxy/Server carries the EAP Success/Key Material message or EAP Failure message sent by the AAA server in a DHCPv6 EAP message and sends it to the DHCP Client.
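The Fig. 3 exchange (S101-S108) simulated end to end, as an added example that is not code from the patent. EAP packets use the RFC 3748 layout; the Dhcpv6Eap and AaaMsg carriers, the auth_proto value, the user table and the use of EAP MD5-Challenge as a short stand-in for the method exchange (the patent names EAP-SIM and EAP-AKA) are assumptions.

```python
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass

# EAP codes and method types as defined in RFC 3748.
REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4
IDENTITY, MD5_CHALLENGE = 1, 4

def eap(code, ident, method=None, data=b""):
    """Encode an EAP packet: Code, Identifier, Length, then Type and data."""
    body = b"" if method is None else bytes([method]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse_eap(pkt):
    """Decode an EAP packet, rejecting truncated or mis-sized input."""
    if len(pkt) < 4:
        raise ValueError("truncated EAP header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    typed = code in (REQUEST, RESPONSE)
    if length != len(pkt) or (typed and length < 5):
        raise ValueError("bad EAP length")
    return (code, ident, pkt[4], pkt[5:]) if typed else (code, ident, None, b"")

def md5_response(ident, secret, challenge):
    # MD5-Challenge value: MD5(Identifier || secret || challenge), as in CHAP.
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

@dataclass
class Dhcpv6Eap:  # hypothetical carrier for the patent's "DHCPv6 EAP message"
    eap: bytes = b""
    auth_proto: str = ""  # models the auth-proto option; the value is constructed

@dataclass
class AaaMsg:  # hypothetical stand-in for a RADIUS or Diameter message
    eap: bytes

class AaaServer:
    """Single-session toy AAA server; users maps identity -> shared secret."""
    def __init__(self, users):
        self.users, self.identity, self.challenge, self.ident = users, None, b"", 0
    def handle(self, msg):
        code, ident, method, data = parse_eap(msg.eap)
        if code == RESPONSE and method == IDENTITY:
            # Always issue a challenge, so unknown identities are not revealed.
            self.identity = data.decode(errors="replace")
            self.challenge, self.ident = os.urandom(16), (ident + 1) % 256
            return AaaMsg(eap(REQUEST, self.ident, MD5_CHALLENGE, b"\x10" + self.challenge))
        secret = self.users.get(self.identity)
        expected = b"\x10" + md5_response(ident, secret or b"", self.challenge)
        ok = (code == RESPONSE and method == MD5_CHALLENGE and ident == self.ident
              and secret is not None and hmac.compare_digest(data[:17], expected))
        return AaaMsg(eap(SUCCESS if ok else FAILURE, ident))  # S107

class DhcpClient:
    def __init__(self, identity, secret):
        self.identity, self.secret = identity, secret
        self.answered = self.authenticated = False

    def start(self):  # S101: announce EAP mode and trigger authentication
        return Dhcpv6Eap(auth_proto="EAP")

    def handle(self, msg):
        code, ident, method, data = parse_eap(msg.eap)
        if code == REQUEST and method == IDENTITY:  # S103
            return Dhcpv6Eap(eap(RESPONSE, ident, IDENTITY, self.identity.encode()))
        if code == REQUEST and method == MD5_CHALLENGE and data:  # S105-S106
            digest = md5_response(ident, self.secret, data[1:1 + data[0]])
            self.answered = True
            return Dhcpv6Eap(eap(RESPONSE, ident, MD5_CHALLENGE, b"\x10" + digest))
        # Accept Success only after a method ran, never a bare Success.
        self.authenticated = code == SUCCESS and self.answered
        return None

class DhcpProxy:
    def __init__(self, aaa):
        self.aaa, self.authenticated = aaa, False
    def handle(self, msg):
        if msg.auth_proto == "EAP" and not msg.eap:  # S101 -> S102
            return Dhcpv6Eap(eap(REQUEST, 1, IDENTITY))
        reply = self.aaa.handle(AaaMsg(msg.eap))  # S104: re-encapsulate in AAA
        code = parse_eap(reply.eap)[0]
        if code in (SUCCESS, FAILURE):
            self.authenticated = code == SUCCESS
        return Dhcpv6Eap(reply.eap)  # S105-S106 and S108: relay to the client

def run_session(identity, secret, users):
    proxy, client = DhcpProxy(AaaServer(users)), DhcpClient(identity, secret)
    msg, trace = client.start(), []
    while msg is not None and len(trace) < 8:  # bound the number of rounds
        reply = proxy.handle(msg)
        code, _, method, _ = parse_eap(reply.eap)
        trace.append((code, method))
        msg = client.handle(reply)
    # proxy.authenticated is the gate for the address allocation stage.
    return proxy.authenticated, client.authenticated, trace

USERS = {"alice@example.net": b"constructed-secret"}  # constructed sample data
```

`run_session` returns the proxy's gate for the address allocation stage, the client's view of the result, and the (code, type) of each EAP packet the proxy relayed to the client.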
With reference to Fig. 4, which shows the flow chart of EAP authentication triggered by the DHCP Proxy/Server in an embodiment of the invention: it should be noted that the flow in which the DHCP Proxy/Server triggers EAP authentication is the same as the authentication flow triggered by the DHCP Client, the difference being the entity that triggers the EAP authentication flow. As shown in Fig. 4, the EAP authentication flow comprises:
F101, when the network-side re-authentication timer expires or the network management system triggers re-authentication, the DHCP Proxy/Server triggers EAP authentication again;
F102-F108 are identical to S102-S108 of Fig. 3 and are not repeated here.
The method for realizing an IPv6 session according to the embodiments of the invention has been described in detail above: by separating DHCP authentication from IPv6 address allocation, it achieves both stateless IPv6 address allocation and DHCP authentication. The technical solution of the system for realizing an IPv6 session proposed by the embodiments of the invention, and of the related equipment, is described in detail below with reference to Figs. 5-9.
With reference to Fig. 5, which shows a block diagram of the system for realizing an IPv6 session according to an embodiment of the invention, the system comprises network-side equipment 1 and a DHCP client 2, wherein, as shown in Fig. 6, the network-side equipment 1 comprises:
EAP authentication module 1010, configured to exchange EAP messages with the DHCP client 2 and with the AAA server 3 respectively to complete EAP authentication, wherein the EAP messages exchanged with the DHCP client 2 are carried over the DHCPv6 protocol;
Address allocation module 1020, configured to assign an IPv6 address to the DHCP client 2 through stateless address allocation after the DHCP client 2 passes EAP authentication.
In a specific implementation, the network-side equipment 1 further comprises an access control module 1030, configured to perform access control on the IP data that the DHCP client 2 sends and receives. It specifically comprises: a security association establishing unit 1031, configured to establish a security association with the DHCP client; an encrypted access filtering unit 1032, configured to perform encrypted access filtering on the IP data that the DHCP client 2 sends and receives; and a session monitoring unit 1033, which checks the liveness state of the IPv6 session by sending IPv6 session liveness monitoring messages to the DHCP client.
In a specific implementation, the network-side equipment 1 further comprises a session termination module 1040, configured to release the IPv6 address when the session monitoring module detects that the IPv6 session has ended.
In a specific implementation, when the network-side re-authentication timer expires or the network management system needs to trigger re-authentication, the EAP authentication module 1010 exchanges EAP messages with the DHCP client and with the AAA server respectively to complete EAP re-authentication.
In an embodiment of the invention, as shown in Fig. 8, the EAP authentication module 1010 comprises:
First receiving unit 1011, configured to receive the EAP message, carried in a DHCPv6 EAP message, sent by the DHCP client 2;
First processing unit 1012, configured to encapsulate the EAP message received by the first receiving unit 1011 in an AAA message;
First sending unit 1013, configured to send the AAA message encapsulated by the first processing unit 1012 to the AAA server 3;
Second receiving unit 1014, configured to receive the EAP message, carried in an AAA message, sent by the AAA server 3;
Second processing unit 1015, configured to encapsulate the EAP message received by the second receiving unit 1014 in a DHCP EAP message;
Second sending unit 1016, configured to send the DHCPv6 EAP message encapsulated by the second processing unit 1015 to the DHCP client 2.
It should be noted that, in the embodiments of the invention, the network-side equipment 1 may be a DHCP proxy or server, or a node device with DHCP proxy or server functionality, such as a BNG or BRAS.
In an embodiment of the invention, as shown in Fig. 9, the DHCP client 2 comprises:
Authentication module 2010, configured to exchange EAP messages, carried over the DHCPv6 protocol, with the network-side equipment 1 (such as a DHCP proxy or server) to complete EAP authentication. It specifically comprises: a receiving unit 2011, configured to receive the EAP message, carried over the DHCPv6 protocol, sent by the DHCP proxy or server; and a sending unit 2012, configured to carry the EAP message over the DHCPv6 protocol and send it to the DHCP proxy or server.
Address receiving module 2020, configured to receive the IPv6 address assigned by the network-side equipment 1 through stateless address allocation;
Access module 2030, configured to access the network using the IPv6 address.
In a specific implementation, the DHCP client 2 further comprises a session monitoring module 2040, which checks the liveness state of the IPv6 session by sending IPv6 session liveness monitoring messages to the network-side equipment 1.
In a specific implementation, when the user-side re-authentication timer expires or the user terminal hosting the DHCP client re-accesses the network, the authentication module 2010 exchanges EAP messages with the network-side equipment 1 to complete EAP re-authentication.
It should be noted that, in another implementation of the embodiments of the invention, as shown in Fig. 7, in addition to the EAP authentication module 1010, the address allocation module 1020, the access control module 1030, the session termination module 1040 and the re-authentication trigger module 1050, the network-side equipment 1 further comprises:
Address binding module 1060, configured to trigger binding of the assigned IPv6 address to the MAC address when it detects, by snooping, that the address allocation module 1020 performs stateless address allocation, obtaining the binding relationship between the IPv6 address and the MAC address;
In this case, the access control module 1030 comprises:
Non-encrypted access filtering unit 1034, configured to filter out IP data, received and sent by the DHCP client, whose IPv6 address and MAC address do not satisfy the binding relationship.
Session monitoring unit 1033, which checks the liveness state of the IPv6 session by sending IPv6 session liveness monitoring messages to the DHCP client.
In summary, by implementing the embodiments of the invention, DHCP authentication is separated from IPv6 address allocation while the IPv6 session is being established. This achieves both stateless IPv6 address allocation and DHCP authentication, greatly improves the compatibility of IPv6 technology with DHCP technology, helps the popularization of IPv6 technology, and promotes the development of communication technology.
The above is a preferred implementation of the present invention. It should be pointed out that those skilled in the art may make improvements and modifications without departing from the principle of the invention, and such improvements and modifications are also regarded as falling within the protection scope of the invention.

Claims (20)

1, a kind of method that realizes the IPv6 session is characterized in that, comprising:
The dynamic host configuration protocol DHCP client triggers Extensible Authentication Protocol EAP authentication, and carries out the EAP interacting message to finish authentication by being carried on EAP message on the DHCP version 6DHCPv6 agreement and DHCP proxy or server;
Work as authentication success, described dhcp client receives described DHCP proxy or server is its distributing IP v6 address by the stateless address method of salary distribution;
Described dhcp client utilizes the IPv6 address accesses network of described distribution.
2, the method for claim 1 is characterized in that, described dhcp client utilizes the IPv6 address accesses network of described distribution specifically to comprise:
Set up Security Association between the node at described dhcp client and described DHCP proxy or server place;
After described Security Association was set up and finished, described dhcp client sent or receives the IP data by the node at described DHCP proxy or server place;
The IP data that the node at described DHCP proxy or server place receives or sends described dhcp client are encrypted the access filtration treatment, and described encryption inserts the IP data that filtration treatment is specially unencrypted IP data of filtering or non-correct encryption.
3, the method for claim 1 is characterized in that, further comprises utilize the step of IPv6 address accesses network of described distribution at described dhcp client before:
Distribute by monitoring described stateless address, and trigger the IPv6 address and the medium access control MAC Address of being distributed and bind, obtain the binding relationship of described IPv6 address and described MAC Address.
4, method as claimed in claim 3 is characterized in that, described dhcp client utilizes the IPv6 address accesses network of described distribution specifically to comprise:
Described dhcp client sends or receives the IP data by the node at described DHCP proxy or server place;
The IP data that the node at described DHCP proxy or server place receives or sends described dhcp client are carried out non-encrypted access filtration treatment, and described non-encrypted access filtration treatment is the IP data that filtering IPv6 address and MAC Address do not satisfy described binding relationship.
As claim 2 or 4 described methods, it is characterized in that 5, described dhcp client utilizes the IPv6 address accesses network of described distribution further to comprise:
Described dhcp client and described DHCP proxy or server are by sending the existing state of IPv6 session survival monitoring message audit IPv6 session mutually.
6, the method for claim 1 is characterized in that, the EAP identifying procedure that described dhcp client triggers comprises:
Described dhcp client sends the DHCPv6 EAP message that carries the authentication protocol option to described DHCP proxy or server, and described authentication protocol option shows that the certification mode of described dhcp client support is the EAP pattern and triggers the EAP authentication;
After described DHCP proxy or server receive described DHCPv6 EAP message, send identity lookup request message to described dhcp client, this identity lookup request message is by DHCPv6 EAP message bearing;
After described dhcp client receives described identity lookup request message, send the ID inquiring response message to described DHCP proxy or server, described ID inquiring response message is by DHCPv6 EAP message bearing;
Described DHCP proxy or server are encapsulated in the ID inquiring response message of described dhcp client in the authentication AAA message and send to aaa server;
Undertaken alternately by DHCPv6 EAP message bearing EAP message between described dhcp client and described DHCP proxy or the server, and undertaken alternately by AAA message bearing EPA message between described DHCP proxy or server and the described aaa server, finish authentication method negotiation and authentication method exchange;
Described aaa server is to the authentication result message of described DHCP proxy or server transmission authentication success or authentification failure, and described authentication result message is by the AAA message bearing;
The authentication result message that described DHCP proxy or server send by the described aaa server of DHCPv6 EAP message bearing also sends to described dhcp client.
7. A network device for realizing an IPv6 session, characterized by comprising:
An EAP authentication module, configured to exchange EAP messages with a DHCP client and with an AAA server respectively to complete EAP authentication, wherein the EAP messages exchanged with the DHCP client are carried over the DHCPv6 protocol;
An address allocation module, configured to allocate an IPv6 address to the DHCP client in the stateless address allocation mode after the DHCP client passes the EAP authentication.
8. The network device as claimed in claim 7, characterized in that the EAP authentication module comprises:
A first receiving unit, configured to receive an EAP message carried in a DHCP EAP message sent by the DHCP client;
A first processing unit, configured to encapsulate the EAP message received by the first receiving unit in an AAA message;
A first sending unit, configured to send the AAA message encapsulated by the first processing unit to the AAA server;
A second receiving unit, configured to receive an EAP message carried in an AAA message sent by the AAA server;
A second processing unit, configured to encapsulate the EAP message received by the second receiving unit in a DHCPv6 EAP message;
A second sending unit, configured to send the DHCPv6 EAP message encapsulated by the second processing unit to the DHCP client.
9. The network device as claimed in claim 7, characterized in that the network device further comprises:
An access control module, configured to perform access control on the IP data sent and received by the DHCP client.
10. The network device as claimed in claim 9, characterized in that the access control module comprises:
A security association establishing unit, configured to establish a security association with the DHCP client;
An encrypted access filtering unit, configured to perform encrypted access filtering on the IP data sent and received by the DHCP client.
11. The network device as claimed in claim 9, characterized in that the network device further comprises:
An address binding module, configured to detect when the address allocation module performs stateless address allocation and thereby trigger binding of the allocated IPv6 address to the MAC address, obtaining the binding relationship between the IPv6 address and the MAC address.
12. The network device as claimed in claim 11, characterized in that the access control module comprises:
A non-encrypted access filtering unit, configured to filter out IP data received and sent by the DHCP client whose IPv6 address and MAC address do not satisfy the binding relationship.
13. The network device as claimed in claim 10 or 12, characterized in that the access control module further comprises:
A session monitoring unit, configured to check the liveness state of the IPv6 session by sending IPv6 session keepalive messages to the DHCP client.
14. The network device as claimed in claim 13, characterized in that the network device further comprises:
A session termination module, configured to, when the session monitoring unit detects that the IPv6 session has ended, trigger unbinding of the IPv6 address and the MAC address, and release the IPv6 address.
15. A DHCP client, characterized by comprising:
An authentication module, configured to exchange EAP messages, carried over the DHCPv6 protocol, with a DHCP proxy or server to complete EAP authentication;
An address receiving module, configured to receive the IPv6 address allocated by the DHCP proxy or server in the stateless address allocation mode;
An access module, configured to access the network using the IPv6 address.
16. The DHCP client as claimed in claim 15, characterized in that the authentication module comprises:
A receiving unit, configured to receive EAP messages carried over the DHCPv6 protocol that are sent by the DHCP proxy or server;
A sending unit, configured to carry EAP messages over the DHCPv6 protocol and send them to the DHCP proxy or server.
17. The DHCP client as claimed in claim 16, characterized in that the DHCP client further comprises:
A session monitoring module, configured to check the liveness state of the IPv6 session by sending IPv6 session keepalive messages to the DHCP proxy or server.
18. A system for realizing an IPv6 session, characterized by comprising a network device and a DHCP client, wherein the network device comprises:
An EAP authentication module, configured to exchange EAP messages with the DHCP client and with an AAA server respectively to complete EAP authentication, wherein the EAP messages exchanged with the DHCP client are carried over the DHCPv6 protocol;
An address allocation module, configured to allocate an IPv6 address to the DHCP client in the stateless address allocation mode after the DHCP client passes the EAP authentication.
19. The system as claimed in claim 18, characterized in that the DHCP client comprises:
An authentication module, configured to exchange EAP messages, carried over the DHCPv6 protocol, with the network device to complete EAP authentication;
An address receiving module, configured to receive the IPv6 address allocated by the network device in the stateless address allocation mode;
An access module, configured to access the network using the IPv6 address.
20. The system as claimed in claim 19, characterized in that the network device further comprises:
An access control module, configured to perform access control on the IP data sent and received by the DHCP client.
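The binding, filtering and session-termination behaviour that claims 11 to 14 assign to the network-side device can be modelled as follows. This is an added example, not code from the patent; the class and method names, the 30-second keepalive timeout and the documentation-range addresses used with it are assumptions.

```python
import ipaddress
import time


class SessionTable:
    """Hypothetical model of the network-side device in claims 11 to 14."""

    def __init__(self, keepalive_timeout=30.0, clock=time.monotonic):
        self.timeout = keepalive_timeout      # assumed value, not from the patent
        self.clock = clock
        self.authenticated = set()            # MACs that completed EAP authentication
        self.bindings = {}                    # IPv6Address -> (MAC, last keepalive time)

    def eap_success(self, mac):
        self.authenticated.add(mac.lower())

    def bind(self, ipv6, mac):
        """Record the binding when a stateless address assignment is observed."""
        mac, addr = mac.lower(), ipaddress.IPv6Address(ipv6)
        if mac not in self.authenticated:
            return False                      # no address binding before authentication
        owner = self.bindings.get(addr)
        if owner is not None and owner[0] != mac:
            return False                      # address already bound to another MAC
        self.bindings[addr] = (mac, self.clock())
        return True

    def permit(self, src_ipv6, src_mac):
        """Non-encrypted access filter: pass only traffic matching a binding."""
        try:
            addr = ipaddress.IPv6Address(src_ipv6)
        except ValueError:
            return False                      # malformed source address is dropped
        entry = self.bindings.get(addr)
        return entry is not None and entry[0] == src_mac.lower()

    def keepalive(self, ipv6, mac):
        """Refresh the session timer when a keepalive arrives from the bound client."""
        if self.permit(ipv6, mac):
            self.bindings[ipaddress.IPv6Address(ipv6)] = (mac.lower(), self.clock())
            return True
        return False

    def expire(self):
        """Session termination: unbind and release addresses whose keepalives stopped."""
        now = self.clock()
        dead = [a for a, (_, seen) in self.bindings.items() if now - seen > self.timeout]
        for addr in dead:
            del self.bindings[addr]
        return [str(a) for a in dead]
```

Addresses are compared as parsed `IPv6Address` values, so differently written forms of the same address match the same binding.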
CN200810026558A 2008-03-03 2008-03-03 Method, equipment and system for realizing IPv6 conversation Pending CN101527671A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN200810026558A CN101527671A (en) 2008-03-03 2008-03-03 Method, equipment and system for realizing IPv6 conversation

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN200810026558A CN101527671A (en) 2008-03-03 2008-03-03 Method, equipment and system for realizing IPv6 conversation

Publications (1)

Publication Number Publication Date
CN101527671A true CN101527671A (en) 2009-09-09

Family

ID=41095375

Family Applications (1)

Application Number Title Priority Date Filing Date
CN200810026558A Pending CN101527671A (en) 2008-03-03 2008-03-03 Method, equipment and system for realizing IPv6 conversation

Country Status (1)

Country Link
CN (1) CN101527671A (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101917398A (en) * 2010-06-28 2010-12-15 北京星网锐捷网络技术有限公司 Method and equipment for controlling client access authority
CN101945144A (en) * 2010-09-14 2011-01-12 中兴通讯股份有限公司 IP address redistribution method and service node
CN102624707A (en) * 2012-02-22 2012-08-01 中兴通讯股份有限公司 Method and system for negotiating internet protocol version 6 (IPv6) information
CN103002064A (en) * 2012-11-20 2013-03-27 中兴通讯股份有限公司 Method, user node and remote access server for releasing address
CN104662863A (en) * 2012-09-24 2015-05-27 阿尔卡特朗讯公司 Triggering user authentication in communication networks
CN108702371A (en) * 2016-03-08 2018-10-23 高通股份有限公司 System, apparatus and method for generating the addresses dynamic IP V6 for being used for safety verification

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101917398A (en) * 2010-06-28 2010-12-15 北京星网锐捷网络技术有限公司 Method and equipment for controlling client access authority
CN101945144A (en) * 2010-09-14 2011-01-12 中兴通讯股份有限公司 IP address redistribution method and service node
CN102624707A (en) * 2012-02-22 2012-08-01 中兴通讯股份有限公司 Method and system for negotiating internet protocol version 6 (IPv6) information
CN102624707B (en) * 2012-02-22 2018-04-17 中兴通讯股份有限公司 A kind of method and system of negotiation IPv6 information
CN104662863A (en) * 2012-09-24 2015-05-27 阿尔卡特朗讯公司 Triggering user authentication in communication networks
CN104662863B (en) * 2012-09-24 2019-03-01 阿尔卡特朗讯公司 Trigger the user authentication in communication network
US10595199B2 (en) 2012-09-24 2020-03-17 Alcatel Lucent Triggering user authentication in communication networks
CN103002064A (en) * 2012-11-20 2013-03-27 中兴通讯股份有限公司 Method, user node and remote access server for releasing address
US10050932B2 (en) 2012-11-20 2018-08-14 Zte Corporation Method, user node and remote access server for releasing address
CN108702371A (en) * 2016-03-08 2018-10-23 高通股份有限公司 System, apparatus and method for generating the addresses dynamic IP V6 for being used for safety verification


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20090909