CN102201967B - Method for authorizing user equipment migration and network access server - Google Patents

Method for authorizing user equipment migration and network access server

Info

Publication number: CN102201967B
Authority: CN (China)
Prior art keywords: prefix, address, ipv6 address, nas, list item
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN201010132960.5A
Other languages: Chinese (zh)
Other versions: CN102201967A (en)
Inventor: 林涛
Current assignee: New H3C Technologies Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Hangzhou H3C Technologies Co Ltd
Events: application filed by Hangzhou H3C Technologies Co Ltd; priority to CN201010132960.5A; publication of CN102201967A; application granted; publication of CN102201967B; current status Active; anticipated expiration (the priority date is an assumption and is not a legal conclusion)

Abstract

The invention discloses a method for authorizing user equipment migration, and a network access server (NAS). The method records the correspondence between each assigned IPv6 address/prefix and the MAC address of the NAS through which the user equipment is attached. After the user equipment physically moves to another NAS, that recorded correspondence is used to query whether a device using the IPv6 address/prefix still exists under the original NAS. If one does, creation of a port binding entry is refused; if none does, a port binding entry is created on the NAS the user equipment is now attached to and the device is allowed access. With this scheme the authorization of user equipment can be migrated securely after a physical move, and forgery attacks by illegitimate devices during that process are effectively prevented.

Description

Method and network access server for user equipment authorization migration
Technical field
The present invention relates to network security technology, and in particular to a method and a network access server for migrating the authorization of user equipment.
Background technology
DHCPv6 (Dynamic Host Configuration Protocol for IPv6) is the protocol designed for the IPv6 addressing scheme to assign IPv6 addresses and other network configuration parameters to hosts. DHCPv6 uses a client/server model: the user equipment sends a configuration request to the server, and the server returns the corresponding configuration information, such as the IPv6 address assigned to that device, so that IP addresses and related parameters are configured dynamically.
Fig. 1 shows the basic prior-art flow in which user equipment requests an IPv6 address/prefix from a DHCPv6 server through a network access server (NAS) and gains network access.
In step 101, the user equipment sends a Solicit message to the DHCPv6 server requesting an IPv6 address/prefix.
In step 102, the NAS receives the Solicit message from the user equipment and forwards it to the DHCPv6 server.
In step 103, the DHCPv6 server returns an Advertise message to the user equipment, carrying the server identifier (ID) and a preference option.
In step 104, the NAS receives the Advertise message from the DHCPv6 server and forwards it to the user equipment.
In step 105, the user equipment collects the Advertise messages returned by all DHCPv6 servers within the specified time, selects the best server according to the preference option, and sends a Request message to that server asking it to assign an IPv6 address/prefix.
In step 106, the NAS forwards the received Request message to the corresponding DHCPv6 server.
In step 107, the DHCPv6 server assigns an IPv6 address/prefix to the user equipment and sends a Reply message.
In step 108, the NAS creates a port binding entry from the received Reply message and admits the user equipment to the network according to that entry. A port binding entry contains the user equipment's Media Access Control (MAC) address, its IPv6 address, the NAS port the device is attached to, and the VLAN of that port, among other information.
In step 109, the NAS forwards the received Reply message to the user equipment.
After the flow in Fig. 1, the user equipment has obtained its assigned IPv6 address/prefix and a port binding entry for it exists on the NAS. Using its port binding entries, the NAS admits user equipment that obtained an IPv6 address/prefix legitimately and refuses network access to devices that did not.
When the physical connection state of the user equipment changes, the device sends a Confirm message to the DHCPv6 server to find out whether it may continue to use the IPv6 address/prefix the server assigned. Fig. 2 shows user equipment moving from NAS1 to NAS2. The device was originally attached to the DHCPv6 server through NAS1, and a port binding entry for it was created on NAS1. After the physical connection changes, the device reaches the DHCPv6 server through NAS2; it must now ask the server whether it may keep the originally assigned IPv6 address/prefix, and when the server confirms this, a corresponding port binding entry must be created on NAS2. The prior-art handling is shown in Fig. 3.
In step 301, when its physical connection state changes, the user equipment sends a Confirm message to the DHCPv6 server carrying its user ID (the DHCPv6 client identifier) and the IPv6 address/prefix to be confirmed.
In step 302, NAS2, the NAS on the link where the user equipment is now attached, forwards the Confirm message to the corresponding DHCPv6 server.
In step 303, the DHCPv6 server checks, using the user ID and the IPv6 address/prefix carried in the Confirm message, whether its own records show that IPv6 address/prefix as assigned to that user equipment. If so, the Reply returned to the device carries a Success status; if not, the Reply carries an UnspecFail status.
In step 304, NAS2 receives the Reply from the DHCPv6 server. If the Reply carries Success, NAS2 creates the corresponding port binding entry and the user equipment can access the network through NAS2; if the Reply carries UnspecFail, NAS2 creates no entry and the user equipment cannot access the network through NAS2.
Once NAS2 has successfully created the port binding entry for the user equipment, the device's network-access authorization has moved from NAS1 to NAS2: the authorization migration of the user equipment is complete.
In step 305, NAS2 forwards the Reply received from the DHCPv6 server to the user equipment.
It is easy to see from Fig. 3 that the server's handling of Confirm is very simple: it decides whether the user equipment may keep the originally assigned IPv6 address/prefix purely from the user ID and the IPv6 address/prefix carried in the message. This gives an attacker an opening.
An attacker only needs to forge a Confirm message carrying a legitimate device's user ID and IPv6 address/prefix and send it to the DHCPv6 server. The server will return a positive confirmation and NAS2 will create the corresponding port binding entry. The attacker thereby occupies that IPv6 address/prefix illegitimately, uses it to access the network, and carries out unauthorized operations.
The prior-art handling of a change in the physical connection of user equipment therefore has a serious security weakness and is detrimental to normal, stable operation of the system.
Summary of the invention
In view of this, the main purpose of the present invention is to provide a method and a network access server for user equipment authorization migration, with which the authorization of user equipment can be migrated securely when the device physically moves to another connection.
To achieve this, the technical scheme of the invention is as follows.
A method for user equipment authorization migration, in which the user equipment connects to a Dynamic Host Configuration Protocol (DHCP) server through a network access server (NAS) and obtains an IPv6 address/prefix assigned by the DHCP server, and the NAS creates a port binding entry for the assigned IPv6 address/prefix and admits the user equipment to the network according to that entry. The method comprises:
when forwarding the Solicit message in which the user equipment requests an IPv6 address/prefix, the NAS adds its own Media Access Control (MAC) address to the message, so that the DHCP server records the correspondence between the IPv6 address/prefix it assigns and the MAC address of the NAS through which the user equipment is attached;
when the NAS receives an authorization probe message addressed to its own MAC address, it checks, using the IPv6 address/prefix carried in the probe, whether a user equipment using that IPv6 address/prefix is attached to it; if one is, it returns a refusal of the authorization migration; if none is, it permits the authorization migration and instructs that a port binding entry be created.
A network access server (NAS), comprising an adding unit and a detecting unit:
the adding unit is for adding the NAS's own MAC address to the Solicit message in which the user equipment requests an IPv6 address/prefix, as the NAS forwards it, so that the DHCP server records the correspondence between the assigned IPv6 address/prefix and the MAC address of the NAS through which the user equipment is attached;
the detecting unit is for checking, when the NAS receives an authorization probe message addressed to its own MAC address, whether a user equipment using the IPv6 address/prefix carried in the probe is attached to the NAS; if one is, returning a refusal of the authorization migration; if none is, permitting the authorization migration and instructing that a port binding entry be created.
With the method and network access server provided by the present invention, the correspondence between the assigned IPv6 address/prefix and the MAC address of the NAS the user equipment is attached to is recorded. After the user equipment physically moves, that correspondence is used to query whether a device using the IPv6 address/prefix still exists under the original NAS: if one does, creation of a port binding entry for the user equipment on the currently attached NAS is refused; if none does, the port binding entry is created on the currently attached NAS. This both ensures that a legitimate user equipment's authorization migrates securely after a physical move and effectively blocks forgery attacks by illegitimate devices during that process, protecting the rights of legitimate users and keeping the access network operating normally and stably.
Brief description of the drawings
Fig. 1 is the basic prior-art flow in which a DHCPv6 server assigns an IPv6 address/prefix;
Fig. 2 is a schematic diagram of user equipment moving from NAS1 to NAS2;
Fig. 3 is the prior-art processing flow after a physical connection move;
Fig. 4 is the exemplary flow of the method of the invention;
Fig. 5 is the exemplary block diagram of the NAS of the invention;
Fig. 6 is the flow chart of embodiment one;
Fig. 7 is the flow chart of embodiment two.
Embodiments
In this detailed description, the preferred embodiments of the invention are illustrated and described by way of the best mode contemplated by the inventor. It will be appreciated that they may be modified in various obvious respects without departing from the invention. The drawings and description are accordingly to be regarded as illustrative rather than restrictive.
To block the attacker's forgery attack, the technical scheme of the invention records, at the time the IPv6 address/prefix is assigned, the correspondence between that address/prefix and the MAC address of the NAS the user equipment is attached to. After the user equipment physically moves, that correspondence is used to query whether a device using the IPv6 address/prefix still exists under the original NAS: if one does, creation of the port binding entry is refused; if none does, the entry is created on the currently attached NAS and the user equipment is admitted.
Fig. 4 is the exemplary flow of the method of the invention. The user equipment connects to the DHCPv6 server through a NAS and obtains an assigned IPv6 address/prefix; the NAS creates a port binding entry for that address/prefix and admits the user equipment according to it. The method comprises: in step 401, when forwarding the Solicit message in which the user equipment requests an IPv6 address/prefix, the NAS adds its own MAC address to the message, so that the DHCPv6 server records the correspondence between the assigned IPv6 address/prefix and the MAC address of the NAS the user equipment is attached to; in step 402, when the NAS receives an authorization probe message addressed to its own MAC address, it checks, using the IPv6 address/prefix carried in the probe, whether a user equipment using that address/prefix is attached to it; if one is, it returns a refusal of the authorization migration; if none is, it permits the migration and instructs that a port binding entry be created.
The reasoning behind this flow, with reference to Fig. 2, is as follows. If the user equipment is legitimate and has migrated from NAS1 to NAS2, then no device using the IPv6 address/prefix to be confirmed can still be attached to NAS1. If instead the current device is illegitimate, the legitimate device using that IPv6 address/prefix must still be attached to the NAS1 recorded for it. In the description below, NAS1, to which the user equipment was attached before the physical move, is called the original NAS, and NAS2, to which it is attached after the move, is called the current NAS. Recording the correspondence between the IPv6 address/prefix and the NAS MAC address at assignment time, and after a physical move querying whether a device using that address/prefix still exists under the original NAS, refusing to create the port binding entry on the current NAS if one does and creating it if none does, therefore both lets a legitimate device's authorization migrate normally and blocks forgery by illegitimate devices.
The authorization probe message may be sent by the DHCPv6 server: after receiving the Confirm message asking whether an IPv6 address/prefix may continue to be used, the server looks up the MAC address of the original NAS from the IPv6 address/prefix to be confirmed and sends, with that MAC address as the destination, a message carrying that IPv6 address/prefix.
It may instead be sent by the current NAS. In that case the NAS receives from the DHCPv6 server the MAC address of the original NAS corresponding to the IPv6 address/prefix in the Confirm message, and sends an authorization probe carrying that IPv6 address/prefix with that MAC address as the destination. On receiving an instruction refusing the migration it refuses to create a port binding entry for that IPv6 address/prefix; on receiving an instruction permitting the migration it creates the entry.
Checking whether a device using the IPv6 address/prefix is attached is done as follows: the NAS checks whether it holds a port binding entry corresponding to the IPv6 address/prefix carried in the probe. If it does, it probes the corresponding port for the presence of the user equipment: if the device is present it returns a refusal of the authorization migration; if it is absent it instructs creation of the port binding entry, permits the migration, and further deletes the stale port binding entry. If no corresponding entry exists, it permits the migration and instructs creation of the entry.
The authorization probe message may be a Release message whose destination MAC address is that of the original NAS and which is disguised as releasing the IPv6 address/prefix being probed.
Fig. 5 is a block diagram of a NAS provided by the invention; functional units that already exist in a NAS are omitted for clarity. The NAS comprises an adding unit and a detecting unit. The adding unit adds the NAS's own MAC address to the Solicit message in which the user equipment requests an IPv6 address/prefix, as the NAS forwards it, so that the DHCPv6 server records the correspondence between the assigned IPv6 address/prefix and the MAC address of the NAS the user equipment is attached to. The detecting unit, when the NAS receives an authorization probe message addressed to its own MAC address, checks whether a user equipment using the IPv6 address/prefix carried in the probe is attached to the NAS; if one is, it returns a refusal of the authorization migration; if none is, it permits the migration and instructs that a port binding entry be created.
The authorization probe message received by the detecting unit is one sent by the DHCPv6 server after it has received a Confirm message asking whether an IPv6 address/prefix may continue to be used: the server looks up the MAC address of the original NAS from the IPv6 address/prefix to be confirmed and sends, with that MAC address as the destination, a message carrying that IPv6 address/prefix.
The NAS may further comprise a probe unit and a generation unit. The probe unit receives from the DHCPv6 server the MAC address of the original NAS corresponding to the IPv6 address/prefix in the received Confirm message and sends, with that MAC address as the destination, an authorization probe message carrying that IPv6 address/prefix. The generation unit refuses to create a port binding entry for the IPv6 address/prefix on receiving an instruction refusing the migration, and creates the entry on receiving an instruction permitting it.
When checking whether a device using the IPv6 address/prefix is attached, the detecting unit checks whether the NAS holds a port binding entry corresponding to the IPv6 address/prefix carried in the probe. If it does, it probes the corresponding port for the presence of the user equipment: if the device is present it returns a refusal; if it is absent it instructs creation of the port binding entry, permits the migration, and further deletes the stale port binding entry. If no corresponding entry exists, it permits the migration and instructs creation of the entry.
The authorization probe message is a Release message whose destination MAC address is that of the original NAS and which is disguised as releasing the IPv6 address/prefix being probed.
Two embodiments are described below in more detail. Embodiment one is the scheme in which the current NAS sends the authorization probe message to the original NAS; embodiment two is the scheme in which the DHCPv6 server sends it.
In both embodiments the DHCPv6 server, when assigning an IPv6 address/prefix to user equipment, records the correspondence between the assigned address/prefix and the identifier of the NAS the user equipment is attached to. Concretely: the NAS adds its own MAC address to the Solicit message in which the user equipment requests an IPv6 address/prefix as it forwards that message; the DHCPv6 server, when assigning the IPv6 address/prefix, extracts the MAC address from the Solicit message and records the correspondence between the assigned IPv6 address/prefix and that NAS MAC address.
The MAC address can be carried in the Solicit message by adding the following Remote-ID option (OPTION_REMOTE_ID, option code 37, the relay agent option defined in RFC 4649).
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|       OPTION_REMOTE_ID        |          option-len           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                       enterprise-number                       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  sub-option1  |                 MAC (6 octets)                .
.              remote-id field, continued                       .
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

option-code: OPTION_REMOTE_ID (37)
option-len: 4 + the length, in octets, of the remote-id field. The minimum option-len is 5 octets.
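The option layout above is the only wire-format detail the patent gives. As an added illustration (this is not code from the patent or from H3C), the following Python encodes and parses a Remote-ID option that carries the NAS MAC, walks a DHCPv6 option list defensively, and keeps the server-side table from step 401 that maps each assigned IPv6 address/prefix to the NAS it was obtained through. Everything not on the page is an assumption: the option is placed in an ordinary DHCPv6 option list, the enterprise number is the IANA documentation value 32473 (RFC 5612) standing in for a vendor's own, the remote-id payload is one "sub-option 1" tag byte followed by the 6-octet MAC, and the MAC, DUID and lease values are constructed.

```python
# Added example (not code from the patent or from H3C): encoding and parsing the
# DHCPv6 Remote-ID option (OPTION_REMOTE_ID = 37, RFC 4649) that the NAS uses to
# stamp its own MAC address into the forwarded Solicit, plus the server-side table
# that records which NAS each assigned IPv6 address/prefix was obtained through.
# Assumptions not stated on the page: the option sits in an ordinary DHCPv6 option
# list; the enterprise number is the IANA documentation value 32473 (RFC 5612);
# the remote-id payload is one "sub-option 1" tag byte followed by the 6-octet MAC.
import struct
from ipaddress import IPv6Network

OPTION_CLIENTID = 1
OPTION_REMOTE_ID = 37
SUBOPT_MAC = 1                 # assumed tag byte preceding the MAC, per the figure
ENTERPRISE_NUMBER = 32473      # documentation PEN, stands in for the vendor's own


def build_remote_id(nas_mac: bytes, enterprise: int = ENTERPRISE_NUMBER) -> bytes:
    """Encode OPTION_REMOTE_ID: code(2) | option-len(2) | enterprise(4) | remote-id."""
    if len(nas_mac) != 6:
        raise ValueError("NAS MAC must be 6 octets")
    remote_id = bytes([SUBOPT_MAC]) + nas_mac
    header = struct.pack("!HHI", OPTION_REMOTE_ID, 4 + len(remote_id), enterprise)
    return header + remote_id


def iter_options(opts: bytes):
    """Walk a DHCPv6 option list, yielding (code, data); refuses truncated options."""
    off = 0
    while off < len(opts):
        if off + 4 > len(opts):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", opts, off)
        off += 4
        if off + length > len(opts):
            raise ValueError("option length runs past end of message")
        yield code, opts[off:off + length]
        off += length


def parse_remote_id(opts: bytes):
    """Return (enterprise, nas_mac) from the first Remote-ID option, else None.
    nas_mac is None when the remote-id is not in the sub-option-1 + MAC form."""
    for code, data in iter_options(opts):
        if code != OPTION_REMOTE_ID:
            continue
        if len(data) < 5:                      # 4-octet enterprise + at least 1 octet
            raise ValueError("Remote-ID shorter than the 5-octet minimum")
        enterprise = struct.unpack("!I", data[:4])[0]
        remote_id = data[4:]
        if len(remote_id) == 7 and remote_id[0] == SUBOPT_MAC:
            return enterprise, remote_id[1:]
        return enterprise, None
    return None


class AddressRecorder:
    """Server-side table from step 401: assigned IPv6 address/prefix -> NAS MAC."""

    def __init__(self):
        self.nas_by_lease = {}

    def assign(self, solicit_opts: bytes, lease: str) -> bytes:
        """Record the NAS MAC found in the Solicit against the lease being handed out."""
        parsed = parse_remote_id(solicit_opts)
        if parsed is None or parsed[1] is None:
            raise ValueError("Solicit carries no usable NAS MAC; not recording lease")
        self.nas_by_lease[IPv6Network(lease, strict=False)] = parsed[1]
        return parsed[1]

    def original_nas(self, lease: str):
        """MAC of the NAS the lease was obtained through, or None if unknown."""
        return self.nas_by_lease.get(IPv6Network(lease, strict=False))


NAS1_MAC = bytes.fromhex("020000000001")     # constructed, locally administered


def demo() -> bytes:
    """Constructed exchange: NAS1 relays a client's Solicit with its MAC stamped in,
    the server assigns 2001:db8::1/128 and later looks up which NAS it came through."""
    duid = b"\x00\x01\x00\x02"                                   # toy client DUID
    client_id = struct.pack("!HH", OPTION_CLIENTID, len(duid)) + duid
    solicit_opts = client_id + build_remote_id(NAS1_MAC)        # NAS stamps its MAC
    server = AddressRecorder()
    server.assign(solicit_opts, "2001:db8::1/128")
    return server.original_nas("2001:db8::1/128")


if __name__ == "__main__":
    print(demo().hex(":"))
```

Two points in this code matter for the scheme's security rather than just its encoding. First, a server that cannot find a well-formed Remote-ID in the Solicit refuses to record the lease at all, since without the NAS MAC the migration check of step 402 has nothing to probe. Second, the option walker bounds every option against the message length before slicing, which is the check that keeps a malformed relay option from crashing the server's parser. In a standard RFC 4649 deployment the relay puts this option in the Relay-forward message that wraps the client's Solicit; the patent describes inserting it into the forwarded Solicit itself, and the parsing is the same either way.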
Fig. 6 is the flow chart of the method of embodiment one, which comprises:
In step 601, after its physical connection has moved, the user equipment sends a Confirm message to NAS2, to which it is now attached, carrying its user ID and the IPv6 address/prefix to be confirmed.
In step 602, NAS2 receives the Confirm message from the user equipment and forwards it to the DHCPv6 server.
In step 603, the DHCPv6 server uses the user ID and the IPv6 address/prefix carried in the Confirm message to determine whether that address/prefix was assigned to that user equipment. If so, it looks up, in the recorded correspondence between IPv6 address/prefix and NAS MAC address, the MAC address of the NAS the user equipment was attached to before the physical move, and carries that MAC address, together with the lease time of the IPv6 address, in the Reply it returns. Otherwise the Reply carries an UnspecFail status.
In this embodiment and in embodiment two, the NAS the user equipment was attached to before the physical move is assumed to be NAS1.
In step 604, NAS2 receives the Reply returned by the DHCPv6 server. If it carries a NAS MAC address, NAS2 takes that address, which is the MAC address of NAS1, and sends a DHCPv6 Release message for the IPv6 address/prefix to be confirmed to NAS1, with that MAC address as the destination, then continues with the following steps. If the Reply carries UnspecFail, NAS2 forwards the Reply to the user equipment and the flow ends.
In step 605, NAS1 receives the Release message sent by NAS2 and determines whether, among the user equipment attached to it, one is using the IPv6 address/prefix in question. If so, it returns to NAS2 a Reply carrying UnspecFail; if not, it returns to NAS2 a Reply carrying NotOnLink.
NAS1 can implement this as follows. It first checks whether the destination MAC address of the message is its own; if it is not, it discards the message. If it is, NAS1 checks whether a port binding entry for the IPv6 address/prefix exists locally. If such an entry exists, it sends a Neighbor Solicitation (NS) on the corresponding port to probe whether the host is still present: if the host is present, it returns a Reply carrying UnspecFail; if the host is absent, it deletes the binding entry and returns a Reply carrying NotOnLink. If no port binding entry exists for the IPv6 address/prefix, it returns a Reply carrying NotOnLink.
If the NAS uses a trusted-port mechanism, in which only the port connected to the DHCPv6 server is configured as trusted, ports connected to other devices are untrusted, and the NAS forwards only DHCPv6 messages received on trusted ports and discards those received on untrusted ports, then the port connecting the two NASs must also be configured as trusted so that NAS1 will process the message received from NAS2. Note that the probe is an ordinary DHCPv6 Release that carries no authentication in this scheme; NAS1 accepts it on the strength of the destination MAC and the ingress port alone, so the inter-NAS link must itself be one the operator trusts.
In step 606, NAS2 receives the Reply returned by NAS1. A Reply carrying UnspecFail means a user equipment using the IPv6 address/prefix to be confirmed still exists under NAS1; a Reply carrying NotOnLink means none does. Having determined that none does, NAS2 creates a port binding entry for the IPv6 address/prefix to be confirmed and records the lease time carried in the server's Reply; the current user equipment can then access the network through NAS2 according to that entry.
If a user equipment using the IPv6 address/prefix to be confirmed does exist under NAS1, NAS2 refuses to create a port binding entry for that address/prefix for the current user equipment.
In step 607, NAS2 returns a Reply to the current user equipment: it carries Success if the port binding entry was created, and UnspecFail if it was not.
This is the flow of the method of embodiment one; the user equipment proceeds according to the Reply it receives.
Referring to Fig. 7, Fig. 7 is the flow chart of the embodiment of the present invention two methods, specifically comprises:
Step 701~702 are identical with step 601~602, are not described in detail in this.
In step 703, Dynamic Host Configuration Protocol server is according to the user ID of carrying in Confirm message and IPv6 address/prefix to be confirmed, determine whether this IPv6 address/prefix to be confirmed distributes to this subscriber equipment, if, according to the corresponding relation of the MAC Address of the IPv6 address/prefix of record and NAS, obtain this subscriber equipment in the MAC Address that the NAS of access before physical connection migration occurs, and taking the MAC Address that obtains as destination address, use IPv6 address/prefix to be confirmed to send DHCP Release message to NAS1.
If not, return to the Reply message of carrying UnspecfFail mark to NAS2, now NAS2 can not generate port binding list item on this equipment, now authorizes and moves unsuccessfully.This message does not illustrate in Fig. 7.
In step 704, NAS 1 receives the Release message that Dynamic Host Configuration Protocol server sends, IPv6 address/prefix corresponding to be determined, in the subscriber equipment that judgement connects, whether there is the subscriber equipment that uses this IPv6 address/prefix, if exist, return to the Reply message of carrying UnspecFail to Dynamic Host Configuration Protocol server; If there is no, return to the Reply message of carrying NotOnLink to Dynamic Host Configuration Protocol server.
Here, the relevant introduction in the visible step 605 of concrete steps that NAS1 realizes, is not described in detail in this.
In step 705, Dynamic Host Configuration Protocol server receives the Reply message that NAS1 returns, in the time receiving the Reply message of carrying UnspecFail, determine under NAS1 and have the subscriber equipment that uses this IPv6 address/prefix to be confirmed, return to the Reply message of carrying UnspecFail to NAS2; In the time receiving the Reply message of carrying NotOnLink, determine under NAS1 and do not have the subscriber equipment that uses this IPv6 address/prefix to be confirmed, return to the Reply message of carrying Success to NAS2, and carry the rental period of corresponding IPv6 address/prefix.
In step 706, NAS2 receives the Reply message that Dynamic Host Configuration Protocol server sends, carry Success mark in Reply message time, IPv6 address/prefix that should be to be confirmed is generated to port binding list item on this equipment, and record the rental period of carrying in Reply message.Like this, current subscriber equipment just can be according to this port binding list item from this equipment access.
In addition, in the time receiving the Reply message of carrying UnspecFail, refuse on this equipment as described subscriber equipment generates port binding list item to IPv6 address/prefix that should be to be confirmed.
In step 707, the Reply message of receiving from Dynamic Host Configuration Protocol server is transmitted to subscriber equipment by NAS2.
Subscriber equipment is carried out subsequent operation according to the Reply message of receiving.
What more than introduce is the flow process of the embodiment of the present invention two methods.
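As an added illustration that is not part of the patent text, the following Python simulation walks through the Solicit-time record of claim 1 and the decision of steps 703 to 706 (DHCP server, original NAS1, new NAS2). The class and method names are assumptions, and NAS1's check for a device on the bound port is modelled by a constructed set of live ports.

```python
# Added example, not the patent's own code: a simulation of the
# authorization-migration decision (steps 703-706). Names are assumptions.
SUCCESS, UNSPEC_FAIL, NOT_ON_LINK = "Success", "UnspecFail", "NotOnLink"


class NAS:
    def __init__(self, mac):
        self.mac = mac
        self.bindings = {}       # port binding table: IPv6 addr/prefix -> port
        self.live_ports = set()  # constructed stand-in for "a device answers on port"

    def on_release_probe(self, addr):
        """Step 704: the Release addressed to our MAC is the authorization probe."""
        port = self.bindings.get(addr)
        if port is None:             # no binding: nobody uses the address here
            return NOT_ON_LINK
        if port in self.live_ports:  # a device is still present on that port
            return UNSPEC_FAIL       # refuse: a second claimant would be a forgery
        del self.bindings[addr]      # stale binding: drop it and allow migration
        return NOT_ON_LINK

    def on_reply(self, addr, port, code):
        """Step 706: generate the port binding entry only on Success."""
        if code == SUCCESS:
            self.bindings[addr] = port
        return code


class DHCPServer:
    def __init__(self):
        self.lease_owner = {}   # addr/prefix -> user ID it was assigned to
        self.addr_nas_mac = {}  # addr/prefix -> MAC of the NAS used at assignment
        self.nas_by_mac = {}    # constructed stand-in for delivery to that MAC

    def assign(self, user, addr, nas, port):
        """Solicit path (claim 1): the NAS added its MAC; record addr -> NAS MAC."""
        self.lease_owner[addr] = user
        self.addr_nas_mac[addr] = nas.mac
        self.nas_by_mac[nas.mac] = nas
        return nas.on_reply(addr, port, SUCCESS)

    def on_confirm(self, user, addr, nas2, port):
        """Steps 703-706: Confirm arrives via NAS2 after a physical move."""
        if self.lease_owner.get(addr) != user:  # not assigned to this user
            return nas2.on_reply(addr, port, UNSPEC_FAIL)
        nas1 = self.nas_by_mac[self.addr_nas_mac[addr]]
        probe = nas1.on_release_probe(addr)     # Release to the original NAS
        code = SUCCESS if probe == NOT_ON_LINK else UNSPEC_FAIL
        return nas2.on_reply(addr, port, code)  # step 705: relay to NAS2
```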
By being not difficult, the detailed introduction of the embodiment of the present invention finds, technical scheme provided by the present invention is after the migration of subscriber equipment generation physical connection, corresponding relation between the MAC Address of the IPv6 address/prefix of distributing by record and this subscriber equipment access NAS, and inquire about the subscriber equipment that whether has this IPv6 address/prefix to be confirmed of use under the original NAS of current user equipment access before physical connection migration, in the time existing, refusal is that current user equipment generates port binding list item to IPv6 address/prefix that should be to be confirmed on the NAS of current access; In the time not existing, IPv6 address/prefix that should be to be confirmed is generated to port binding list item on the NAS of current access, both ensured that validated user equipment was occurring, after physical connection migration, to authorize the fail safe of migration; Can effectively stop again the forgery attack of illegitimate user equipment at this implementation Process, safeguard the right of validated user, ensure the operation that access network is normal, stable.
The foregoing is only preferred embodiment of the present invention, in order to limit the present invention, within the spirit and principles in the present invention not all, any amendment of making, be equal to replacement, improvement etc., within all should being included in protection scope of the present invention.

Claims (10)

1. A method for authorizing user equipment migration, wherein the user equipment connects to a dynamic host configuration protocol (DHCP) server through a network access server (NAS) and obtains an IPv6 address/prefix assigned by the DHCP server; the NAS generates a port binding entry on the device according to the assigned IPv6 address/prefix and allows the user equipment to access the network according to this port binding entry; characterized in that the method comprises:
when forwarding the Solicit message by which the user equipment requests assignment of an IPv6 address/prefix, the NAS adds its own medium access control (MAC) address to the message, so that the DHCP server records the correspondence between the assigned IPv6 address/prefix and the MAC address of the NAS the user equipment accesses;
when the NAS receives an authorization probe message addressed to its own MAC address, it checks, according to the IPv6 address/prefix carried in the authorization probe message, whether a user equipment using this IPv6 address/prefix exists on itself; if one exists, it returns a refusal of the authorization migration; if none exists, it allows the authorization migration and instructs generation of a port binding entry.
2. The method according to claim 1, characterized in that
the received authorization probe message is a message that the DHCP server sends after receiving a Confirm message sent to confirm whether an IPv6 address/prefix may continue to be used, with the MAC address of the corresponding original NAS, obtained from the IPv6 address/prefix to be confirmed, as destination address, and carrying this IPv6 address/prefix.
3. The method according to claim 1, characterized in that the method further comprises:
the NAS receives from the DHCP server the MAC address of the original NAS corresponding to the IPv6 address/prefix in the Confirm message and, with this MAC address as destination address, sends an authorization probe message carrying this IPv6 address/prefix;
after receiving an instruction refusing the authorization migration, it refuses to generate a port binding entry for this IPv6 address/prefix on the device; after receiving an instruction allowing the authorization migration, it generates a port binding entry for this IPv6 address/prefix on the device.
4. The method according to claim 1, 2 or 3, characterized in that checking, according to the IPv6 address/prefix carried in the authorization probe message, whether a user equipment using this IPv6 address/prefix exists on itself comprises:
checking whether a port binding entry corresponding to the IPv6 address/prefix carried in the authorization probe message exists on the device;
when the corresponding port binding entry exists on the device, probing whether a user equipment is present on the corresponding port; if a user equipment is present, returning a refusal of the authorization migration; if no user equipment is present, instructing generation of a port binding entry, allowing the authorization migration, and further deleting the port binding entry;
when no corresponding port binding entry exists on the device, allowing the authorization migration and instructing generation of a port binding entry.
5. The method according to claim 1, 2 or 3, characterized in that
the authorization probe message is a Release message whose destination address is the MAC address of the NAS and which is sent disguised as using the IPv6 address/prefix being probed.
6. A network access server, characterized in that the network access server (NAS) comprises an adding unit and a detecting unit:
the adding unit is configured, when forwarding the Solicit message by which the user equipment requests assignment of an IPv6 address/prefix, to add the NAS's own medium access control (MAC) address to the message, so that the DHCP server records the correspondence between the assigned IPv6 address/prefix and the MAC address of the NAS the user equipment accesses;
the detecting unit is configured, when the NAS receives an authorization probe message addressed to its own MAC address, to check, according to the IPv6 address/prefix carried in the authorization probe message, whether a user equipment using this IPv6 address/prefix exists on the NAS; if one exists, to return a refusal of the authorization migration; if none exists, to allow the authorization migration and instruct generation of a port binding entry.
7. The network access server according to claim 6, characterized in that
the authorization probe message received by the detecting unit is a message that the DHCP server sends after receiving a Confirm message sent to confirm whether an IPv6 address/prefix may continue to be used, with the MAC address of the corresponding original NAS, obtained from the IPv6 address/prefix to be confirmed, as destination address, and carrying this IPv6 address/prefix.
8. The network access server according to claim 6, characterized in that the NAS further comprises a probe unit and a generation unit;
the probe unit is configured to receive from the DHCP server the MAC address of the original NAS corresponding to the IPv6 address/prefix in the received Confirm message and, with this MAC address as destination address, to send an authorization probe message carrying this IPv6 address/prefix;
the generation unit is configured, after receiving an instruction refusing the authorization migration, to refuse to generate a port binding entry for this IPv6 address/prefix on the device, and, after receiving an instruction allowing the authorization migration, to generate a port binding entry for this IPv6 address/prefix on the device.
9. The network access server according to claim 6, 7 or 8, characterized in that
the detecting unit, when checking whether a user equipment using this IPv6 address/prefix exists on the NAS, checks whether a port binding entry corresponding to the IPv6 address/prefix carried in the authorization probe message exists on the device; when the corresponding port binding entry exists on the device, it probes whether a user equipment is present on the corresponding port; if a user equipment is present, it returns a refusal of the authorization migration; if no user equipment is present, it instructs generation of a port binding entry, allows the authorization migration, and further deletes the port binding entry; when no corresponding port binding entry exists on the device, it allows the authorization migration and instructs generation of a port binding entry.
10. The network access server according to claim 6, 7 or 8, characterized in that
the authorization probe message is a Release message whose destination address is the MAC address of the NAS and which is sent disguised as using the IPv6 address/prefix being probed.
CN201010132960.5A 2010-03-24 2010-03-24 Method for authorizing user equipment migration and network access server Active CN102201967B (en)

Publications (2)

Publication Number Publication Date
CN102201967A CN102201967A (en) 2011-09-28
CN102201967B true CN102201967B (en) 2014-09-03

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP03 Change of name, title or address
CP03 Change of name, title or address

Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.

Patentee after: Xinhua three Technology Co., Ltd.

Address before: 310053 Hangzhou hi tech Industrial Development Zone, Zhejiang province science and Technology Industrial Park, No. 310 and No. six road, HUAWEI, Hangzhou production base

Patentee before: Huasan Communication Technology Co., Ltd.