CN101741924B - Service control method supporting extendible IPv6 access in IPv4 environment - Google Patents


Info

Publication number
CN101741924B
Authority
CN (China)
Prior art keywords
user
radius
ipv4
nas gateway
control method
Legal status
Active
Application number
CN2009102423546A
Other languages
Chinese (zh)
Other versions
CN101741924A
Inventors
胡松
李松
黄友俊
李星
吴建平
Current Assignee
CERNET Corp
Original Assignee
CERNET Corp
Priority date
2009-12-09
Filing date
2009-12-09
Publication date
2010-06-16 (application CN101741924A); 2012-07-25 (granted patent CN101741924B)

Events
Application filed by CERNET Corp
Priority to CN2009102423546A
Publication of CN101741924A
Application granted
Publication of CN101741924B
Legal status: Active

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a service control method supporting extendible IPv6 access in an IPv4 environment, comprising the following steps: when a user requests access from an NAS gateway, the NAS gateway sends the user's identification information to a RADIUS server in the form of the RADIUS protocol for identity authentication; when the RADIUS server successfully authenticates the user's identity according to the information stored in a RADIUS authorization database, it returns to the NAS gateway, in the form of the RADIUS protocol, the Configuration-Token attribute value corresponding to the user's access service type; and the NAS gateway decides whether or not to open IPv6 service to the user according to the Configuration-Token attribute value returned by the RADIUS server. With this service control method, service control of user IPv6 access in an IPv4 environment can be realized.

Description

Service control method supporting extendible IPv6 access in an IPv4 environment
Technical field
The present invention relates to next-generation Internet technology and, more specifically, to a service control method supporting extendible IPv6 access in an IPv4 environment, which is used to automatically distinguish and automatically control the access service of users whose IPv6 function has been opened when pure IPv4 users and IPv4/IPv6 dual-stack users exist at the same time.
Background technology
With the continuing maturation of IPv6 technology and the expansion of IPv6 networks, the Internet has inevitably entered an era in which the old is replaced by the new. However, the IPv4 network is huge, and the construction and operation of IPv6 networks must be a gradual replacement process; therefore, for a considerable period from now on, the Internet is bound to remain in a state in which IPv4 and IPv6 dual stacks coexist. Users of the network also have different requirements for network access because of differences in their own environment or equipment, so an operator's access gateway must be able to provide different service types for users to choose from and, in particular, must have a better control method for the new IPv6 access service. The overwhelming majority of current operators' access authentication management systems provide authenticated access only for pure IPv4 users and do not consider the problem of IPv6 user access control. To address this problem, the present invention proposes a service control method supporting extendible IPv6 access in an IPv4 environment, which can provide automatic authentication and automatic control for IPv6 users in an IPv4 network environment.
Summary of the invention
The present invention uses the Configuration-Token attribute of the RADIUS protocol (attribute type 78 as defined in RFC 2869; this patent refers to it as a custom attribute) to realize a service control method supporting extendible IPv6 access in an IPv4 environment, which can automatically distinguish different types of users and provide different service settings in an IPv4/IPv6 dual-stack environment.
According to the present invention, a service control method supporting extendible IPv6 access in an IPv4 environment is proposed, comprising the following steps: when a user requests access from the NAS gateway, the NAS gateway sends the user's identification information to the RADIUS server in the form of the RADIUS protocol for authentication; when the RADIUS server successfully authenticates the user's identity according to the information stored in the RADIUS authorization database, it returns to the NAS gateway, in the form of the RADIUS protocol, the Configuration-Token attribute value corresponding to the user's access service type; and the NAS gateway decides, according to the Configuration-Token attribute value returned by the RADIUS server, whether to open IPv6 service to this user.
The service control method according to the present invention may further comprise the following subscription steps: before requesting access from the NAS gateway, the user subscribes to an access service using a service subscription device and specifies the access service type needed; and the service subscription device stores the user's identification information and the subscribed access service type in the RADIUS authorization database.
The access service types may comprise at least a pure IPv4 access service type and an IPv4/IPv6 dual-stack access service type.
For a user who has subscribed to the pure IPv4 access service, the NAS gateway forwards only IPv4 packets and filters out IPv6 packets. For a user who has subscribed to the IPv4/IPv6 dual-stack access service, the NAS gateway forwards both IPv4 packets and IPv6 packets.
The RADIUS server may be an independent physical RADIUS server or a logical RADIUS server.
Likewise, the authorization database of the RADIUS server may be an independent physical storage database or a logical storage database.
When the user requests access from the NAS gateway, the user provides a username and password to the NAS gateway as user identification information.
When a user sends packets without having logged in, the NAS gateway redirects the user to a login page and requires the user to provide identification information, so that authentication and confirmation of the access service type can be carried out.
According to a particular embodiment of the present invention, this can be realized through the following technical scheme:
When a user subscribes to an access service, the user is required to indicate the access service type needed. Current access services are mainly of two kinds: the pure IPv4 type and the IPv4/IPv6 dual-stack type. After a successful subscription, the user's information is written into the RADIUS authorization database.
When the user logs in to the NAS gateway with a browser or a dedicated login client, the NAS gateway submits the user identification information to the RADIUS server for authentication.
The RADIUS server verifies the user against the user information in the authorization database and returns the authentication result to the NAS gateway. If the user identity is legitimate, this user's service type is returned to the NAS in the form of a RADIUS custom attribute value. The settings of the RADIUS custom attribute value (Configuration-Token) can be as shown in Table 1:
Table 1

Access service type        Configuration-Token attribute setting
Pure IPv4                  service.ipv6.enable=false
IPv4/IPv6 dual stack       service.ipv6.enable=true

The NAS gateway supports configuration control of the IPv4/IPv6 dual-stack protocols and can provide different service type settings for each user. After the NAS gateway receives the returned result from the RADIUS server, it configures this user's access service type according to the Configuration-Token attribute value as shown in Table 1.
Compared with the prior art, the outstanding advantage of the present invention is that, in an IPv4 environment, IPv6 users' access can be automatically distinguished and authenticated and the corresponding access forwarding service provided.
Description of drawings
Through the following description of the preferred embodiments of the present invention in conjunction with the drawings, the above and other objects, features and advantages of the present invention will become clearer, wherein:
Fig. 1 shows a typical logical deployment diagram to which the present invention can be applied.
Fig. 2 is a typical flowchart of the service control method according to the present invention.
Fig. 3 shows the sequence diagram of the user login operation.
Embodiment
To explain the implementation process of the present invention clearly and in detail, some specific embodiments of the present invention are given below. Examples of the present invention are described in detail with reference to the drawings; details and functions that are unnecessary for the present invention are omitted from the description so that they do not obscure the understanding of the present invention.
First, Fig. 1 shows a typical logical deployment diagram to which the present invention can be applied. Each logical part of the access control mechanism to which the present invention is applicable is explained with reference to Fig. 1.
The user 600 who subscribes to an access service is a user who has registered their own information and needs an access service opened. Such users need to pay the relevant fees, and the access service type they have subscribed to is saved by the access service subscription device 500.
The access service subscription device 500 is used to save the service type in the RADIUS authorization database 400 when a new user subscribes to an access service. The service types may comprise the pure IPv4 type and the IPv4/IPv6 dual-stack type. Once this information has been saved successfully, the RADIUS server 300 can extract the corresponding access service type from it when the user logs in.
The RADIUS authorization database 400 stores the information of all registered users and is the basis on which the RADIUS server 300 authenticates users. For example, one instance of the RADIUS authorization database 400 can be: a physically independent server, a Linux operating system platform, and Oracle database software. Registered user information can be stored in the form of a table, for example as shown in Table 2.
Table 2

User identification information    Subscribed access service type
User AAAA                          Pure IPv4
User BBBB                          Pure IPv4
User CCCC                          IPv4/IPv6 dual stack
User DDDD                          IPv4/IPv6 dual stack
......                             ......

The RADIUS server 300 is used to handle requests such as authentication and accounting sent by the NAS gateway 200. For example, it can be implemented on a Linux server using the open-source FreeRADIUS program, with the authentication rules of FreeRADIUS set so that it authenticates user information using the data in the RADIUS authorization database 400.
The NAS gateway 200 is responsible for the user's access settings and for packet access control, and supports processing of both IPv4 and IPv6 packets. For example, the NAS gateway 200 can likewise be implemented by development on the Linux operating system.
At the bottom layer, the NAS gateway 200 is responsible for filtering each network packet, and the processing rule can be set per user. If this rule is set to different values, the filtering behaviour of the NAS gateway 200 on packets differs accordingly, and different types of service are thereby opened to the user.
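The per-user packet filtering described here and in the summary (forward IPv4 packets for every subscriber, forward IPv6 packets only for dual-stack subscribers), as an added example that is not the patent's code and not the Linux implementation it mentions. It classifies raw IP packets by version and keeps one rule per user, set from the Configuration-Token value of Table 1. Two points go beyond the patent and are assumptions: a packet from a user with no rule installed (not logged in) is dropped, and the block_tunnels option also drops IPv6 carried inside IPv4 (IP protocol 41, as used by 6in4 and 6to4), because a rule that matches only native IPv6 would pass such packets for a pure-IPv4 subscriber. The NAS is assumed to know already which user a packet belongs to; the sample packets are constructed headers.

```python
"""Per-user IPv4/IPv6 forwarding filter of the kind the NAS gateway applies at the
bottom layer.  Added example, not the patent's code.  Assumed: the NAS already knows
which user a packet belongs to, a user with no rule is dropped, and (beyond the
patent) block_tunnels also drops IPv6-in-IPv4 (IP protocol 41) for pure-IPv4 users."""
import struct

IPPROTO_IPV6 = 41   # 6in4 / 6to4 encapsulation: an IPv6 packet carried in an IPv4 header


def classify(packet):
    """Return 'ipv4', 'ipv6', 'ipv6-in-ipv4' or 'other' for a raw IP packet."""
    if not packet:
        return "other"
    version = packet[0] >> 4
    if version == 6 and len(packet) >= 40:
        return "ipv6"
    if version == 4 and len(packet) >= 20 and (packet[0] & 0x0F) >= 5:
        return "ipv6-in-ipv4" if packet[9] == IPPROTO_IPV6 else "ipv4"
    return "other"


class UserFilter:
    """Per-user rule table; the NAS fills it from the parsed Configuration-Token."""

    def __init__(self, block_tunnels=True):
        self.ipv6_open = {}           # user -> True (dual stack) / False (pure IPv4)
        self.block_tunnels = block_tunnels
        self.dropped = []             # (user, packet kind) audit trail

    def set_service(self, user, token):
        """Table 1 mapping: only the exact dual-stack token opens IPv6, anything else is pure IPv4."""
        self.ipv6_open[user] = (token == "service.ipv6.enable=true")

    def forward(self, user, packet):
        """True if the packet is forwarded for this user, False if it is filtered."""
        kind = classify(packet)
        if user not in self.ipv6_open:
            allowed = False                        # no rule installed (not logged in): fail closed
        elif kind == "ipv4":
            allowed = True
        elif kind == "ipv6":
            allowed = self.ipv6_open[user]
        elif kind == "ipv6-in-ipv4":
            allowed = self.ipv6_open[user] or not self.block_tunnels
        else:
            allowed = False
        if not allowed:
            self.dropped.append((user, kind))
        return allowed


# Constructed sample packets (headers only, no payload)
def ipv4_packet(proto, src=b"\xc0\xa8\x01\x0a", dst=b"\x0a\x00\x00\x01"):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 1, 0, 64, proto, 0, src, dst)


def ipv6_packet(next_header=6):
    src = b"\x20\x01\x0d\xb8" + b"\x00" * 12
    dst = b"\x20\x01\x0d\xb8" + b"\x00" * 11 + b"\x01"
    return struct.pack("!IHBB16s16s", 0x60000000, 0, next_header, 64, src, dst)


def run_demo():
    """Users AAAA (pure IPv4) and CCCC (dual stack) from Table 2, plus BBBB who has not logged in."""
    nas = UserFilter()
    nas.set_service("AAAA", "service.ipv6.enable=false")
    nas.set_service("CCCC", "service.ipv6.enable=true")
    packets = {"ipv4": ipv4_packet(6), "ipv6": ipv6_packet(), "6in4": ipv4_packet(IPPROTO_IPV6)}
    return {(u, k): nas.forward(u, p) for u in ("AAAA", "CCCC", "BBBB") for k, p in packets.items()}


if __name__ == "__main__":
    for key, ok in run_demo().items():
        print(key, "forward" if ok else "drop")
```

With block_tunnels left at its default, AAAA's native IPv6 and 6in4 packets are both dropped while CCCC's are forwarded; constructing the filter with block_tunnels=False reproduces the patent's literal rule, under which a protocol-41 packet from a pure-IPv4 user is forwarded as ordinary IPv4.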
The NAS gateway 200 is also responsible for receiving messages when the user logs in; it implements the RADIUS protocol using the FreeRADIUS development library, submits the authentication to the RADIUS server 300, parses the returned result, and sets the user's service mode and permissions accordingly.
The login user 100 is a user who wants to access the network and can log in to the NAS gateway 200 using a browser page or a dedicated login program. Generally, the login user 100 and the user 600 who subscribes to the access service are the same entity, although the login user 100 and the subscribing user 600 may of course also be different entities.
Fig. 2 is a typical flowchart of the service control method according to the present invention. Next, each step is described in detail with reference to Fig. 2.
Step S101: user 600 subscribes to a service
The user 600 who wants to access the network first subscribes to an access service of a specified type from the operator through the access service subscription device 500, and must clearly specify the access service type: pure IPv4 or IPv4/IPv6 dual stack.
Step S102: user information is stored in the RADIUS authorization database 400
The access service subscription device 500 writes the user information into the RADIUS authorization database 400.
Steps S101 and S102 above are the access service subscription procedure. After the access service subscription is completed, the user accesses the network mainly through the following steps.
For the sake of clarity, Fig. 3 has also been drawn to show the sequence diagram of the user login operation. The description of each step below can be read with reference to Figs. 2 and 3 at the same time.
Step S103: user 100 logs in to the gateway
After the user 600/100 has subscribed to an access service, the user must log in to the NAS gateway 200 before the access service can be opened. The username and login password are sent to the NAS gateway 200 by visiting a specified page or by using a specified login program.
Step S104: NAS gateway 200 submits the authentication to the RADIUS server 300
The NAS gateway 200 is responsible only for receiving the user information; the actual authentication function is performed by the RADIUS server 300. The NAS gateway 200 and the RADIUS server 300 communicate using the RADIUS protocol. For example, the FreeRADIUS development library can be used to send the authentication request.
Step S105: RADIUS server 300 authenticates the user identity by querying the RADIUS authorization database 400
The RADIUS server 300 reads this user's information from the RADIUS authorization database 400 and compares it with the login information received, thereby verifying the legitimacy of the login user's information.
Step S106: RADIUS authorization database 400 returns the user's access service type
When the user identity is verified as legitimate, the RADIUS server 300 retrieves this user's access service type from the RADIUS authorization database 400 (see Table 2).
Step S107: RADIUS server 300 analyses the user's access service type, sets the Configuration-Token attribute value of the RADIUS protocol (see Table 1), and then returns it to the NAS gateway 200 in the form of the RADIUS protocol.
Step S108: NAS gateway 200 parses the returned result and sets the user's IPv6 access service type. The NAS gateway 200 parses the result returned by the RADIUS server 300; if authentication succeeded, it parses the custom attribute value (the Configuration-Token attribute value) and decides whether to open IPv6 access service for this user according to the value of that attribute.
Step S109: the NAS gateway returns the final login result, success or failure, to the login user 100.
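The exchange of steps S103 to S109 (the same procedure as stated in the Summary of the invention and Table 1), as an added example that is not part of the patent and not the FreeRADIUS library the patent names: the NAS gateway side and the RADIUS server side written together in Python against the packet format of RFC 2865. The Configuration-Token attribute type 78 is as defined in RFC 2869. Everything else is an assumption: the shared secret, the user table (a constructed stand-in for the RADIUS authorization database of Table 2, with passwords added), and the fail-closed default for an Access-Accept that carries no Configuration-Token or an unrecognised value, which the patent does not specify.

```python
"""RADIUS exchange between a NAS gateway and a RADIUS server carrying the
Configuration-Token attribute (RFC 2869, type 78) that selects pure-IPv4 or
IPv4/IPv6 dual-stack service.  Added example, not the patent's code.  Assumed:
the shared secret, the constructed user table, and a fail-closed default
(missing or unrecognised token -> pure IPv4), which the patent does not state."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3      # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, CONFIGURATION_TOKEN = 1, 2, 78   # RADIUS attribute types
SHARED_SECRET = b"nas-radius-secret"    # assumed; known only to the NAS and the RADIUS server

# Constructed stand-in for the RADIUS authorization database (Table 2), with passwords added:
AUTH_DB = {"AAAA": ("pw-a", "ipv4"), "CCCC": ("pw-c", "dual-stack")}
# Table 1: access service type -> Configuration-Token value
TOKEN_FOR_TYPE = {"ipv4": b"service.ipv6.enable=false", "dual-stack": b"service.ipv6.enable=true"}


def encode_attrs(attrs):
    """Serialize (type, value) pairs as RADIUS TLVs: 1-byte type, 1-byte total length."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    """Parse RADIUS TLVs, rejecting a length that runs past the end of the packet."""
    attrs, i = [], 0
    while i + 2 <= len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def pap_crypt(data, request_auth, decrypt=False, secret=SHARED_SECRET):
    """RFC 2865 section 5.2 User-Password hiding: each 16-byte block is XORed with
    MD5(secret + previous ciphertext block); the first block uses the Request Authenticator."""
    if not decrypt:
        data += b"\x00" * (-len(data) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = data[i:i + 16] if decrypt else block
        out += block
    return out.rstrip(b"\x00") if decrypt else out


def nas_access_request(username, password, ident):
    """Step S104: the NAS gateway wraps the user's credentials in an Access-Request."""
    request_auth = os.urandom(16)
    body = encode_attrs([(USER_NAME, username.encode()),
                         (USER_PASSWORD, pap_crypt(password.encode(), request_auth))])
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    return header + request_auth + body, request_auth


def radius_handle(packet):
    """Steps S105-S107: verify the password against AUTH_DB, answer with the Table 1 token."""
    _code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    attrs = dict(decode_attrs(packet[20:length]))
    record = AUTH_DB.get(attrs.get(USER_NAME, b"").decode(errors="replace"))
    given = pap_crypt(attrs.get(USER_PASSWORD, b""), request_auth, decrypt=True)
    if record is None or not hmac.compare_digest(given, record[0].encode()):
        code, reply_attrs = ACCESS_REJECT, []
    else:
        code, reply_attrs = ACCESS_ACCEPT, [(CONFIGURATION_TOKEN, TOKEN_FOR_TYPE[record[1]])]
    body = encode_attrs(reply_attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + request_auth + body + SHARED_SECRET).digest() + body


def reply_is_authentic(reply, request_auth, ident):
    """The NAS checks identifier and Response Authenticator before trusting any attribute."""
    _code, rid, length = struct.unpack("!BBH", reply[:4])
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:length] + SHARED_SECRET).digest()
    return rid == ident and hmac.compare_digest(expected, reply[4:20])


def nas_decide_ipv6(reply, request_auth, ident):
    """Step S108: True = open IPv6 (dual stack), False = pure IPv4, None = login rejected."""
    if not reply_is_authentic(reply, request_auth, ident):
        raise ValueError("Response Authenticator mismatch; reply discarded")
    code, _rid, length = struct.unpack("!BBH", reply[:4])
    if code != ACCESS_ACCEPT:
        return None
    token = dict(decode_attrs(reply[20:length])).get(CONFIGURATION_TOKEN)
    return token == TOKEN_FOR_TYPE["dual-stack"]   # anything else fails closed to pure IPv4


def login(username, password, ident=7):
    """Whole exchange of Fig. 3 (S103-S109), with NAS and RADIUS server in one process."""
    request, request_auth = nas_access_request(username, password, ident)
    return nas_decide_ipv6(radius_handle(request), request_auth, ident)
```

Calling login("CCCC", "pw-c") returns True and login("AAAA", "pw-a") returns False, matching Table 2; a wrong password or unknown user yields an Access-Reject and None. The NAS verifies the Response Authenticator and the identifier before reading any attribute, so an Access-Accept that was forged or altered in transit cannot open IPv6 for a user; the Response Authenticator is keyed with the shared secret, so that check is only as strong as the secret and the NAS-to-server path that carries it.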
In addition, in the above description several unit structure examples or step examples have been enumerated for each embodiment. Although the inventors have, as far as possible, indicated which examples are associated with one another, this does not mean that these examples must correspond according to their labels. As long as there is no contradiction between the conditions given for the selected unit structure examples or step examples, examples whose labels do not correspond may be selected in different embodiments to form the corresponding technical scheme, and such a technical scheme should also be regarded as falling within the scope of the present invention.
The invention has thus far been described in conjunction with the preferred embodiments. It should be understood that those skilled in the art can make various other changes, substitutions and additions without departing from the spirit and scope of the present invention. Therefore, the scope of the present invention is not limited to the above specific embodiments but should be defined by the appended claims.

Claims (7)

1. A service control method supporting extendible IPv6 access in an IPv4 environment, comprising the following steps:
when a user requests access from a network access server (NAS) gateway, the NAS gateway sends the user's identification information to a RADIUS server in the form of the RADIUS protocol for authentication;
when the RADIUS server successfully authenticates the user's identity according to the information stored in a RADIUS authorization database, it returns to the NAS gateway, in the form of the RADIUS protocol, the Configuration-Token attribute value corresponding to the user's access service type; and
the NAS gateway decides, according to the Configuration-Token attribute value returned by the RADIUS server, whether to open IPv6 service to this user,
wherein, before the user requests access from the NAS gateway,
the user subscribes to an access service using a service subscription device and specifies the access service type needed; and
the service subscription device stores the user's identification information and the subscribed access service type in the RADIUS authorization database,
wherein the access service types comprise at least: a pure IPv4 access service type and an IPv4/IPv6 dual-stack access service type.
2. The service control method according to claim 1, characterized in that:
for a user who has subscribed to the pure IPv4 access service, the NAS gateway forwards only IPv4 packets and filters out IPv6 packets.
3. The service control method according to claim 1, characterized in that:
for a user who has subscribed to the IPv4/IPv6 dual-stack access service, the NAS gateway forwards both IPv4 packets and IPv6 packets.
4. The service control method according to any one of claims 1 to 3, characterized in that:
the RADIUS server is an independent physical RADIUS server or a logical RADIUS server.
5. The service control method according to any one of claims 1 to 3, characterized in that:
the RADIUS authorization database is an independent physical storage database or a logical storage database.
6. The service control method according to any one of claims 1 to 3, characterized in that:
when the user requests access from the NAS gateway, the user provides a username and password to the NAS gateway as user identification information.
7. The service control method according to any one of claims 1 to 3, characterized in that:
when a user sends packets without having logged in, the NAS gateway redirects the user to a login page and requires the user to provide identification information, so that authentication and confirmation of the access service type can be carried out.

Priority Applications (1)

Application Number   Priority Date   Filing Date   Title
CN2009102423546A     2009-12-09      2009-12-09    Service control method supporting extendible IPv6 access in IPv4 environment (CN101741924B)


Publications (2)

Publication Number   Publication Date
CN101741924A         2010-06-16
CN101741924B         2012-07-25

Family

ID=42464807

Family Applications (1)

Application Number   Title                                                                          Priority Date   Filing Date   Status
CN2009102423546A     Service control method supporting extendible IPv6 access in IPv4 environment (CN101741924B)   2009-12-09      2009-12-09    Active

Country Status (1)

Country Link
CN (1) CN101741924B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102437946B (en) * 2010-09-29 2014-08-20 杭州华三通信技术有限公司 Access control method, network access server (NAS) equipment and authentication server
CN104954336B (en) * 2014-03-28 2019-05-17 中兴通讯股份有限公司 IPv6 network parameter processing method, device, system and aaa server

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1901449A (en) * 2006-07-19 2007-01-24 华为技术有限公司 Method for connecting network
CN101150853A (en) * 2007-10-29 2008-03-26 华为技术有限公司 A network system, policy management control server and policy management control method
KR20080051673A (en) * 2006-12-06 2008-06-11 정태우 System and method for authenticating a user based on the internet protocol address
CN101400063A (en) * 2007-09-29 2009-04-01 中兴通讯股份有限公司 Method for negotiating IP capability by network side




Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant