CN102340509A - Access control method and equipment for dual-stack user - Google Patents

Access control method and equipment for dual-stack user

Info

Publication number: CN102340509A
Authority: CN (China)
Prior art keywords: address, client, ipv4, ipv6, server
Legal status: Granted; currently Active (as listed by Google Patents; the status is an assumption, not a legal conclusion, and Google has not performed a legal analysis)
Application number: CN2011103252373A
Other languages: Chinese (zh)
Other versions: CN102340509B (en)
Inventor: 林涛
Current assignee: New H3C Information Technologies Co Ltd (the assignee list may be inaccurate; Google has not performed a legal analysis)
Original assignee: Hangzhou H3C Technologies Co Ltd
Application filed by Hangzhou H3C Technologies Co Ltd; priority to CN201110325237.3A; publication of CN102340509A; application granted; publication of CN102340509B

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)
Abstract

The invention discloses an access control method and apparatus for dual-stack users, applied in a PORTAL network system in which the same mapping algorithm between IPv4 addresses and IPv6 addresses is configured on the DHCPv4 server, the DHCPv6 server and the PORTAL authentication gateway. When the DHCPv4/DHCPv6 server receives an address allocation request from a client, it determines whether an IP address of the requested protocol has already been pre-allocated to that client. If so, it allocates the pre-allocated address to the client; otherwise it allocates an IP address to the client and, using the mapping algorithm, pre-allocates to the client an IP address of the other protocol. When the PORTAL authentication gateway receives a network access request from the client based on its IPv4 address or its IPv6 address, and the client passes authentication, the gateway derives the client's address of the other protocol with the same mapping algorithm and controls the client's network access rights according to both its IPv4 address and its IPv6 address.

Description

Method and apparatus for dual-stack user access control
Technical field
The present invention relates to the field of communication technology, and in particular to a method and apparatus for dual-stack user access control.
Background art
IPv6 (Internet Protocol Version 6) is the second-generation standard network-layer protocol, also called IPng (IP Next Generation). It is a set of standards designed by the IETF (Internet Engineering Task Force) and is the upgraded version of IPv4. The most significant difference between IPv6 and IPv4 is that the length of an IP address grows from 32 bits to 128 bits.
An IPv6 address can be configured manually or automatically; automatic configuration includes ND (Neighbor Discovery) stateless address autoconfiguration and DHCP (Dynamic Host Configuration Protocol) stateful configuration. DHCPv6 (DHCP for IPv6) is a protocol designed for the IPv6 addressing scheme that assigns IPv6 addresses and other network configuration parameters to hosts. Compared with the other IPv6 address assignment methods (manual configuration, stateless autoconfiguration from the network prefix advertised by a router, and so on), DHCPv6 has the following advantages:
(1) Better control over address assignment. DHCPv6 not only records the addresses assigned to hosts, it can also assign specific addresses to particular hosts, which simplifies network management;
(2) Besides the IPv6 address, it can provide hosts with network configuration parameters such as DNS (Domain Name System) servers and the domain name.
DHCPv6 uses a client/server communication model: the client submits a configuration request to the server, and the server returns the corresponding configuration information, such as the IP address allocated to the client, so that IP addresses and other information are configured dynamically. A DHCPv6 client communicates with DHCPv6 servers through link-scoped multicast addresses to obtain its IPv6 address and other network configuration parameters. If the server and the client are not on the same link, messages have to be forwarded by a DHCPv6 relay, which avoids deploying a DHCPv6 server on every link, saves cost and allows centralized management.
Portal, also called the Web Portal scheme, consists in a typical deployment of five basic elements: the authentication client, the access device, the Portal server, the authentication/accounting server and the security policy server.
Based on this network architecture, the user access control process mainly comprises:
When an unauthenticated user accesses the network, the user enters an Internet address in the browser address bar, which initiates an HTTP (HyperText Transfer Protocol) request; as this HTTP request passes through the access device it is redirected to the Web authentication page of the Portal server. The user enters authentication information on the authentication page or in the authentication dialog and submits it, and the Portal server passes the user's authentication information to the access device. The access device communicates with the authentication/accounting server to perform authentication and accounting. After authentication succeeds, if no security policy is applied to the user, the access device opens the path between the user and the Internet and allows the user to access it; if a security policy is applied to the user, the client, the access device and the security policy server interact, and after the user's security check passes, the security policy server authorizes the user to access unrestricted resources according to the user's security status.
In a PORTAL network, if one wishes to control a user's Internet access for both IPv4 and IPv6 (written IPv4/IPv6 below) at the same time, the access device must be able to distinguish the same user's IPv4 and IPv6 access flows, that is, it must be able to find the same user's IPv4 address and IPv6 address from the address allocation process. This distinction can be made on the basis of the MAC (Media Access Control) address: a user information table of the form MAC + IPv4 address + IPv6 address is generated, and the user's IPv4/IPv6 access rights are then controlled from it. In that way, whether the user authenticates through the IPv4 PORTAL or the IPv6 PORTAL, a single PORTAL authentication can control the user's dual-stack Internet access.
In the prior art, the access device has to associate the user's IPv4 and IPv6 Internet access information by MAC address, and after the PORTAL authentication succeeds it controls the user's IPv4/IPv6 access flows according to that information.
In the course of making the present invention, the inventor found that the prior art has at least the following defects:
(1) When the PORTAL authentication gateway is deployed at the aggregation layer, that is, beyond a layer-3 device, the user's MAC address information may be lost at the intermediate routing device, so the association between the same user's IPv4/IPv6 addresses cannot be established.
(2) In the DHCPv4 address allocation process the MAC address is always present in the DHCP messages; but in the DHCPv6 process, if the DUID (DHCP Unique Identifier) does not contain a MAC address (for example a type 2 DUID, which is based on an enterprise number rather than a link-layer address), then no MAC address information exists after the DHCPv6 relay, and the association between the same user's IPv4/IPv6 addresses cannot be established.
(3) If the messages of the address allocation process do not pass through the PORTAL authentication gateway located in the BAS (Broadband Access Server), the PORTAL authentication gateway cannot learn the association between the user's IPv4/IPv6 addresses.
In each of the above situations the PORTAL authentication gateway cannot know the association between the same user's IPv4/IPv6 addresses, and therefore cannot perform dual-stack access control for the same user.
Summary of the invention
The present invention provides a method and apparatus for dual-stack user access control, to solve the problem in the prior art that the PORTAL authentication gateway cannot know the association between the same user's IPv4/IPv6 addresses and therefore cannot perform dual-stack access control for the same user.
The method for dual-stack user access control provided by the present invention is applied to a PORTAL network system in which the DHCPv4 server, the DHCPv6 server and the PORTAL authentication gateway in the access device of the PORTAL network system are configured with a mapping algorithm between IPv4 addresses and IPv6 addresses. The method comprises:
when the DHCPv4 server or the DHCPv6 server receives an address allocation request from a client, determining whether an IP address of the corresponding protocol has already been pre-allocated to said client; if so, allocating the IP address pre-allocated to said client to said client; otherwise, allocating an IP address to said client and, according to the mapping algorithm between IPv4 addresses and IPv6 addresses, pre-allocating an IP address of the other protocol to said client;
when the PORTAL authentication gateway receives a network access request from the client based on its IPv4 address or IPv6 address and said client passes authentication, obtaining the IP address of the other protocol according to the mapping algorithm between IPv4 addresses and IPv6 addresses, and performing network access rights control on said client according to the IPv4 address and the IPv6 address of said client.
The PORTAL authentication gateway provided by the present invention is located in the access device of a PORTAL network system. Said PORTAL authentication gateway is configured with a mapping algorithm between IPv4 addresses and IPv6 addresses, and said mapping algorithm is identical to the mapping algorithm between IPv4 addresses and IPv6 addresses configured in the DHCPv4/DHCPv6 server with which this PORTAL authentication gateway cooperates; when the DHCPv4/DHCPv6 server allocates an IP address to a client, it pre-allocates an IP address of the other protocol according to said mapping algorithm. Said PORTAL authentication gateway comprises a control unit, an authentication unit, an address mapping unit and an access control unit, wherein:
said control unit is configured to instruct said authentication unit to authenticate said client after the PORTAL authentication gateway in which it is located receives a network access request from the client; and, after said authentication unit has successfully authenticated said client, to instruct said address mapping unit to perform address mapping and to instruct said access control unit to perform network access rights control on said client according to the address obtained by said address mapping unit;
said authentication unit is configured to authenticate said client through the PORTAL server and the authentication and accounting server, according to the instruction of said control unit;
said address mapping unit is configured to obtain the IP address of the other protocol according to the mapping algorithm between IPv4 addresses and IPv6 addresses, according to the instruction of said control unit;
said access control unit is configured to perform network access rights control on said client according to the IPv4 address and the IPv6 address of said client, according to the instruction of said control unit.
Compared with the prior art, the present invention has the following beneficial technical effects:
By configuring the mapping algorithm between IPv4 addresses and IPv6 addresses on the DHCPv4 server, the DHCPv6 server and the PORTAL authentication gateway in the access device of the PORTAL network system, the DHCPv4/DHCPv6 server, when allocating an IP address to a client, can pre-allocate the IP address of the other protocol according to this mapping algorithm, so that the IPv4 address and the IPv6 address of the same client are related by the mapping. Because the same mapping algorithm is also deployed on the PORTAL authentication gateway, the gateway can compute the IP address of the other protocol from the IPv4 address or the IPv6 address, obtain the mapping between the IPv4 address and the IPv6 address of the same client, and thus control the dual-stack Internet access rights of the same client.
The present invention also provides a DHCP server, to solve the problem that the existing DHCP-based IP address allocation process cannot establish the mapping between a MAC address and an IPv4 address and an IPv6 address.
The DHCP server provided by the present invention is applied to a PORTAL network system. Said DHCP server is configured with a mapping algorithm between IPv4 addresses and IPv6 addresses, and said mapping algorithm is identical to the mapping algorithm between IPv4 addresses and IPv6 addresses configured in the PORTAL authentication gateway with which this DHCP server cooperates. Said DHCP server comprises:
a receiving unit, configured to receive an address allocation request from a client;
a determining unit, configured to determine, according to the address allocation request received by said receiving unit, whether a pre-allocated IP address of the corresponding protocol is recorded for the identifier of said client;
an allocation unit, configured with the mapping algorithm between IPv4 addresses and IPv6 addresses, configured to allocate the IP address pre-allocated to said client to said client when said determining unit determines yes; and, when said determining unit determines no, to allocate an IP address to said client, to pre-allocate an IP address of the other protocol to said client according to the mapping algorithm between IPv4 addresses and IPv6 addresses, and to record the correspondence between the identifier of said client and the IP addresses allocated and pre-allocated to said client;
wherein, when said DHCP server is a DHCPv4 server, said IP address of the other protocol is an IPv6 address; and when said DHCP server is a DHCPv6 server, said IP address of the other protocol is an IPv4 address.
Compared with the prior art, the present invention has the following beneficial technical effects:
By configuring the mapping algorithm between IPv4 addresses and IPv6 addresses, an IPv6 address is pre-allocated according to this mapping algorithm when an IPv4 address is allocated to a client, and when an IPv6 address is later allocated to this client the pre-allocated IPv6 address is used directly, and vice versa. In this way the mapping between the identifier of the client and the IPv4 address and IPv6 address allocated to it can be established, which solves the problem in the existing DHCPv6 process that, because the DUID does not contain a MAC address, no MAC address information exists after the DHCPv6 relay and the DHCPv6 server cannot establish the mapping between the IPv4 address and the IPv6 address allocated to the same client.
Brief description of the drawings
Fig. 1 is a schematic diagram of the Portal network architecture in an embodiment of the invention;
Fig. 2 is a schematic flow chart of address allocation provided by an embodiment of the invention;
Fig. 3 is a schematic flow chart of address reclamation provided by an embodiment of the invention;
Fig. 4 is a schematic flow chart of access control provided by an embodiment of the invention;
Fig. 5 is a schematic flow chart of offline processing provided by an embodiment of the invention;
Fig. 6 is a schematic structural diagram of the PORTAL authentication gateway provided by an embodiment of the invention;
Fig. 7 is a schematic structural diagram of the DHCP server provided by an embodiment of the invention.
Detailed description of the embodiments
For the situation in which the PORTAL authentication gateway in the access device cannot obtain the dual-stack address association information of a dual-stack user, the embodiments of the invention propose a dual-stack address association scheme and use this association to control the user's Internet access. Specifically, the embodiments deploy an IPv4/IPv6 address mapping algorithm on the DHCPv4/DHCPv6 server and on the PORTAL authentication gateway; when a user is allocated an IPv4 address or an IPv6 address, the IP address of the other protocol is pre-allocated, so that an IPv4/IPv6 association for the user is established and dual-stack rights control for the user can then be completed on the PORTAL authentication gateway.
The embodiments of the invention are described in detail below with reference to the accompanying drawings.
In the PORTAL network architecture of the embodiment, the DHCPv4/DHCPv6 servers are deployed at the aggregation layer of the PORTAL network and are interconnected with the access layer. Specifically, the DHCPv4/DHCPv6 servers are deployed as one functional module or as different functional modules on the same aggregation device, or as different functional modules on different aggregation devices, or are connected to an aggregation device as stand-alone equipment; they are interconnected with the layer-2 access devices and are therefore reachable at layer 2 by all users. The DHCPv4/DHCPv6 servers are deployed on the same link as the access users, and the DHCPv4/DHCPv6 server database is shared. If the DHCPv4 server and the DHCPv6 server are deployed separately, on the same aggregation device or on different aggregation devices, they must be able to communicate with each other.
A PORTAL authentication gateway is deployed on the BAS, and the PORTAL authentication gateway and the PORTAL server together complete the PORTAL authentication.
In order for all devices to recognize the user's dual-stack addresses consistently, the embodiment designs an algorithm that maps IPv4 addresses and IPv6 addresses one to one, and deploys this algorithm on the DHCPv4/DHCPv6 server and on the PORTAL authentication gateway. Specifically, the algorithm may be: the IPv4 address is mapped uniquely to the IPv6 address whose last 32 bits are the IPv4 address and whose prefix is a fixed 96-bit prefix. Of course, any algorithm that achieves a unique mapping between IPv4 addresses and IPv6 addresses falls within the scope of protection of the present invention.
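The fixed-prefix mapping described above, as an added worked example (not code from the patent or from H3C): the patent only requires some fixed 96-bit prefix shared by the DHCP servers and the gateway, so the prefix is an assumption, here the well-known 64:ff9b::/96 prefix of RFC 6052. The reverse direction refuses IPv6 addresses outside the prefix, which is the check a gateway needs before it derives an IPv4 address, and the rights attached to it, from an IPv6 address a client presents.

```python
import ipaddress

# Assumed fixed 96-bit prefix shared by the DHCPv4/DHCPv6 servers and the PORTAL
# authentication gateway. The patent only requires "a fixed 96-bit prefix"; the
# well-known NAT64 prefix 64:ff9b::/96 (RFC 6052) is used here as an example.
MAPPING_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def ipv4_to_ipv6(ipv4: str) -> str:
    """Map an IPv4 address to the IPv6 address formed by the fixed 96-bit prefix
    followed by the 32 bits of the IPv4 address (the patent's mapping)."""
    low32 = int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Address(int(MAPPING_PREFIX.network_address) | low32))


def ipv6_to_ipv4(ipv6: str) -> str:
    """Inverse mapping. Only addresses inside the fixed prefix are accepted: an
    IPv6 address outside it was not produced by the mapping, so no IPv4 address
    (and no IPv4 user's access rights) may be derived from it."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in MAPPING_PREFIX:
        raise ValueError(f"{ipv6} is outside the mapping prefix {MAPPING_PREFIX}")
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFF_FFFF))


def is_mapped_pair(ipv4: str, ipv6: str) -> bool:
    """True when ipv6 is exactly the address the mapping assigns to ipv4, i.e. the
    two addresses belong to the same client under this scheme."""
    try:
        return ipv6_to_ipv4(ipv6) == str(ipaddress.IPv4Address(ipv4))
    except ValueError:
        return False


if __name__ == "__main__":
    v4 = "192.0.2.33"  # constructed sample address (RFC 5737 documentation range)
    v6 = ipv4_to_ipv6(v4)
    print(v4, "->", v6, "->", ipv6_to_ipv4(v6))
```

Because the mapping is a pure function of the prefix, anyone who knows the prefix can compute a peer's other-protocol address; the scheme therefore relies on the DHCP servers actually leasing both halves of a pair to the same client identifier, which the allocation flow below provides.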
Fig. 1 shows a schematic diagram of the PORTAL network architecture when the DHCPv4/DHCPv6 server is deployed as one functional module on the same aggregation device.
Based on the above architecture, whenever the DHCPv4 server (which, when the DHCPv4/DHCPv6 server is deployed as one functional module, may here be called the DHCPv4/DHCPv6 server) allocates an IPv4 address, it obtains the corresponding IPv6 address through this algorithm, marks this IPv6 address as pre-allocated, and records the correspondence between the identifier of the user (such as the user's MAC address or user name), the allocated IPv4 address and the pre-allocated IPv6 address; when this user later requests an IPv6 address, the IPv6 address pre-allocated to this user is allocated to him. Likewise, whenever the DHCPv6 server (which may similarly be called the DHCPv4/DHCPv6 server) allocates an IPv6 address, it pre-allocates an IPv4 address for this user through this algorithm and records the correspondence between the user's identifier, the allocated IPv6 address and the pre-allocated IPv4 address; when this user later requests an IPv4 address, the IPv4 address pre-allocated to this user is allocated to him. Fig. 2 and Fig. 3 show a specific address allocation and management process.
Referring to Fig. 2, the address management flow provided by the embodiment may comprise:
Step 201: the DHCPv4 server receives an IPv4 address allocation request sent by the user through the client.
Step 202: the DHCPv4 server determines whether an IPv4 address has already been pre-allocated to this user; if so, go to step 203; otherwise, go to step 204.
Specifically, because the DHCPv4 server and the DHCPv6 server are deployed on the same link as the access users and share their database, and because the DHCPv6 server, when allocating an IPv6 address to the user, has also pre-allocated an IPv4 address to this user and recorded the correspondence between the user's identifier, the allocated IPv6 address and the pre-allocated IPv4 address, the DHCPv4 server can query the DHCPv6 server's database by the user's identifier to determine whether an IPv4 address has been pre-allocated to this user. Of course, the DHCPv6 server may also synchronize the correspondence between the user's identifier, the allocated IPv6 address and the pre-allocated IPv4 address into the DHCPv4 server's database, so that the DHCPv4 server can determine by querying its own database, according to the user's identifier, whether an IPv4 address has been pre-allocated to this user.
Step 203: the DHCPv4 server allocates the IPv4 address pre-allocated to this user to this user.
Step 204: the DHCPv4 server allocates an IPv4 address to this user, and pre-allocates an IPv6 address to this user according to the mapping algorithm between IPv4 addresses and IPv6 addresses configured on it.
Specifically, after the DHCPv4 server has allocated the IPv4 address, it obtains the IPv6 address corresponding to this IPv4 address according to the mapping algorithm configured on it and marks this IPv6 address as pre-allocated. The DHCPv4 server then records in its database the correspondence between this user's identifier, the IPv4 address allocated to this user and the IPv6 address pre-allocated to this user. Further, the DHCPv4 server may also synchronize this correspondence information into the DHCPv6 server's database.
Referring to Fig. 3, when the user's addresses are released, the flow may comprise the following steps:
Step 301: after the DHCPv4 server receives the user's IPv4 address release request, it does not release this address immediately but marks this address as pre-allocated.
Step 302: the DHCPv4 server determines the state of this user's IPv6 address; if the IPv6 address is marked as pre-allocated, go to step 303; otherwise, end this address reclamation and release flow.
Specifically, the DHCPv4 server can learn the state of the IPv6 address mark by querying the correspondence between this user's identifier and the IPv4 address and IPv6 address. If the IPv6 address is marked as pre-allocated, then either this user has not yet requested an IPv6 address, or this user did request an IPv6 address but has since released it; in either case the IPv6 address is not currently in real use by this user, so the IPv4 address and IPv6 address corresponding to this user can be reclaimed. If the IPv6 address is not marked as pre-allocated, this IPv6 address is currently in use by this user, and the IPv4 address and IPv6 address corresponding to this user are released together only after the IPv6 address is released.
Step 303: the DHCPv4/DHCPv6 server reclaims the IPv4 address and the IPv6 address, and deletes the correspondence between this user's identifier and the IPv4 address and IPv6 address.
It should be noted that the flows shown in Fig. 2 and Fig. 3 are described using the allocation and reclamation of an IPv4 address as an example; the allocation and reclamation of an IPv6 address are similar and are not repeated here.
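The allocation flow of Fig. 2 (steps 201 to 204) and the reclamation flow of Fig. 3 (steps 301 to 303), together with their IPv6 mirror images, as an added example over a single shared DHCPv4/DHCPv6 database (not the patent's or H3C's code). Assumptions: the mapping prefix is 64:ff9b::/96 as in the example above; the IPv4 pool drives allocation, since the mapping is one-to-one and the IPv6 pool is therefore just the image of the IPv4 pool; and the client identifier is whatever the server records (MAC address or user name). The sample identifiers and addresses in the demo are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Assumed fixed 96-bit mapping prefix shared with the PORTAL authentication gateway.
MAPPING_PREFIX_INT = int(ipaddress.IPv6Address("64:ff9b::"))


def ipv4_to_ipv6(ipv4: str) -> str:
    """The patent's mapping: fixed 96-bit prefix + the 32 bits of the IPv4 address."""
    return str(ipaddress.IPv6Address(MAPPING_PREFIX_INT | int(ipaddress.IPv4Address(ipv4))))


@dataclass
class Binding:
    """One row of the shared database: client identifier -> IPv4/IPv6 pair and marks."""
    ipv4: str
    ipv6: str
    ipv4_preallocated: bool  # True: reserved by the mapping but not leased (or released again)
    ipv6_preallocated: bool


class DualStackDhcp:
    """Shared DHCPv4/DHCPv6 database implementing Fig. 2 (allocation) and Fig. 3
    (reclamation). The IPv4 pool drives allocation (assumption, see lead-in)."""

    def __init__(self, ipv4_pool):
        self.free_ipv4 = list(ipv4_pool)
        self.bindings = {}  # client identifier (MAC address or user name) -> Binding

    def allocate(self, client_id: str, family: int) -> str:
        """Steps 201-204 for family 4, and their IPv6 mirror for family 6."""
        binding = self.bindings.get(client_id)
        if binding is None:
            # step 204: nothing pre-allocated, allocate one address and pre-allocate the peer
            if not self.free_ipv4:
                raise RuntimeError("address pool exhausted")
            ipv4 = self.free_ipv4.pop(0)
            binding = Binding(ipv4, ipv4_to_ipv6(ipv4), True, True)
            self.bindings[client_id] = binding
        # step 203: hand out the address reserved for this client and clear its mark
        if family == 4:
            binding.ipv4_preallocated = False
            return binding.ipv4
        binding.ipv6_preallocated = False
        return binding.ipv6

    def release(self, client_id: str, family: int) -> bool:
        """Steps 301-303. Returns True when both addresses were reclaimed."""
        binding = self.bindings[client_id]
        if family == 4:  # step 301: do not free yet, only mark as pre-allocated
            binding.ipv4_preallocated = True
        else:
            binding.ipv6_preallocated = True
        # step 302: reclaim only if the other family's address is not in use either
        if binding.ipv4_preallocated and binding.ipv6_preallocated:
            del self.bindings[client_id]  # step 303
            self.free_ipv4.append(binding.ipv4)
            return True
        return False

    def lookup(self, client_id: str):
        """The (IPv4, IPv6) pair recorded for a client, or None once it is reclaimed."""
        b = self.bindings.get(client_id)
        return None if b is None else (b.ipv4, b.ipv6)


if __name__ == "__main__":
    # constructed sample: two clients identified by MAC address, a two-address pool
    db = DualStackDhcp(["192.0.2.10", "192.0.2.11"])
    print(db.allocate("00:11:22:33:44:01", 4))  # IPv4 first, IPv6 pre-allocated
    print(db.allocate("00:11:22:33:44:01", 6))  # gets the pre-allocated IPv6
    print(db.allocate("00:11:22:33:44:02", 6))  # IPv6 first, IPv4 pre-allocated
    print(db.release("00:11:22:33:44:01", 4), db.release("00:11:22:33:44:01", 6))
```

The single `bindings` table stands in for the shared or synchronized databases of step 202; with separate servers the same two flags would have to be replicated between them before either side decides to reclaim, otherwise one server may free an address the other has just leased.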
When the PORTAL authentication gateway in the BAS performs PORTAL authentication for a user, after the user's IPv4 PORTAL authentication succeeds, if the security policy of the authenticated user permits dual-stack Internet access, the PORTAL authentication gateway obtains this user's IPv6 address according to the mapping algorithm between IPv4 addresses and IPv6 addresses and opens the access rights of the IPv6 address at the same time. The specific flow may be as shown in Fig. 4.
Referring to Fig. 4, the access control flow provided by the embodiment may comprise:
Steps 401 to 403: after the PORTAL authentication gateway in the BAS receives a network access request based on the IPv4 address sent by the user through the client, it redirects the request to the WEB authentication page of the PORTAL server; after receiving the authentication information submitted by the user through this WEB authentication page, it sends the information to the authentication/accounting server and interacts with it to authenticate the user and perform accounting. The specific flow can be implemented in the existing manner and is not repeated here.
Step 404: after this user's authentication succeeds, the PORTAL authentication gateway determines according to the security policy whether this user is permitted dual-stack Internet access; if so, go to step 405; otherwise, go to step 407.
Step 405: the PORTAL authentication gateway obtains this user's IPv6 address according to the mapping algorithm between IPv4 addresses and IPv6 addresses configured on it.
Step 406: the PORTAL authentication gateway determines whether this user is currently using this IPv6 address for network access; if so, go to step 407; otherwise, go to step 408.
Step 407: the PORTAL authentication gateway opens the access rights of the IPv4 address for this user.
At this point, if this user is currently using the IPv6 address for network access, the network access rights of this user's IPv6 address are kept unchanged.
Step 408: the PORTAL authentication gateway performs network access rights control on this user according to this user's IPv4 address and IPv6 address.
Specifically, the PORTAL authentication gateway may perform network access rights control according to the security policy, for example, when this user is permitted dual-stack Internet access, opening the access rights of both the IPv4 address and the IPv6 address for this user.
Referring to Fig. 5, when the user's network connection based on the IPv4 address goes offline, the flow may comprise:
Steps 501 to 502: when the PORTAL authentication gateway in the BAS learns that the user's network connection based on the IPv4 address has gone offline, it determines whether this user's network connection based on the IPv6 address has also gone offline; if so, go to step 503; otherwise, go to step 504.
Step 503: the PORTAL authentication gateway closes this user's access rights and performs offline processing for this user.
Step 504: the PORTAL authentication gateway keeps this user's current online state and keeps this user's current access rights.
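The gateway-side decisions of Fig. 4 (steps 404 to 408, after steps 401 to 403 have authenticated the user) and Fig. 5 (steps 501 to 504), as an added example that is not the patent's or H3C's code, and generalized to handle an authentication or disconnection arriving on either stack. Assumptions: the mapping prefix is 64:ff9b::/96 as in the examples above; the security policy is reduced to a set of users permitted dual-stack access; the PORTAL/AAA exchange itself is outside the block and its success is the input to `on_authenticated`. User names and addresses in the demo are constructed.

```python
import ipaddress

# Assumed fixed 96-bit mapping prefix, the same one configured on the DHCP servers.
MAPPING_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def _canonical(addr: str) -> str:
    """Normalize textual addresses so that mapped and presented forms compare equal."""
    return str(ipaddress.ip_address(addr))


def other_protocol_address(addr: str):
    """Step 405 / address mapping unit: derive the other-protocol address.
    Returns None for an IPv6 address outside the fixed prefix, because such an
    address cannot have been produced by the DHCP servers' mapping."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return str(ipaddress.IPv6Address(int(MAPPING_PREFIX.network_address) | int(ip)))
    if ip not in MAPPING_PREFIX:
        return None
    return str(ipaddress.IPv4Address(int(ip) & 0xFFFF_FFFF))


class PortalGateway:
    """Access-rights state kept by the PORTAL authentication gateway."""

    def __init__(self, dual_stack_users):
        self.dual_stack_users = set(dual_stack_users)  # from the security policy (assumption)
        self.opened = set()  # addresses whose network access is currently open
        self.online = set()  # addresses with an active network connection

    def on_authenticated(self, user: str, addr: str) -> set:
        """Called once steps 401-403 succeeded. Returns the addresses opened by this call."""
        addr = _canonical(addr)
        self.online.add(addr)
        if user not in self.dual_stack_users:  # step 404 -> 407: single-stack policy
            self.opened.add(addr)
            return {addr}
        other = other_protocol_address(addr)  # step 405
        if other is None:  # not a mapped address: open only what was actually authenticated
            self.opened.add(addr)
            return {addr}
        if other in self.online:  # step 406 -> 407: other stack already in use, its rights unchanged
            self.opened.add(addr)
            return {addr}
        self.opened.update({addr, other})  # step 408: open both stacks at once
        return {addr, other}

    def on_connected(self, addr: str) -> None:
        """Record that the client started sending traffic from an opened address."""
        self.online.add(_canonical(addr))

    def on_disconnected(self, addr: str) -> bool:
        """Steps 501-504. Returns True when the user was taken fully offline."""
        addr = _canonical(addr)
        self.online.discard(addr)
        other = other_protocol_address(addr)
        if other is not None and other in self.online:  # step 504: still online on the other stack
            return False
        self.opened.discard(addr)  # step 503: close rights and go offline
        if other is not None:
            self.opened.discard(other)
        return True


if __name__ == "__main__":
    gw = PortalGateway(dual_stack_users={"alice"})
    print(gw.on_authenticated("alice", "192.0.2.33"))  # opens IPv4 and mapped IPv6
    gw.on_connected("64:ff9b::c000:221")
    print(gw.on_disconnected("192.0.2.33"))  # False: still online over IPv6
    print(gw.on_disconnected("64:ff9b::c000:221"))  # True: fully offline
```

The `other is None` branch is the check the patent's flow leaves implicit: the gateway opens rights for an address the client never authenticated from, which is only safe while that address can have been leased to the same client by the DHCP servers. On a segment where hosts can self-assign addresses inside the mapping prefix (static configuration, or SLAAC if the prefix is advertised), a host could occupy the IPv6 half of another user's pair, so the prefix should not be advertised for autoconfiguration and the access device should enforce DHCP-learned bindings.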
Can find out through above description; Through the mapping algorithm of IPv4 address and IPv6 address is set on the PORTAL authentication gateway in DHCPv4 server, DHCPv6 server and PORTAL network system access device; Make when the DHCPv4/DHCPv6 server is client distributing IP address; Can be according to another protocol of I P address of this mapping algorithm preassignment, thus make same user's IPv4 address and IPv6 address have mapping relations.Owing to also be deployed with this mapping algorithm on the PORTAL authentication gateway; Thereby make the PORTAL authentication gateway obtain another protocol of I P address according to IPv4 address or IPv6 address computation; Can access the mapping relations of same user's IPv4 address and IPv6 address, and then can be to two stack online carrying out controls of authority of same user.
Based on the same technical concept, embodiments of the invention also provide a PORTAL authentication gateway and a DHCP server for use in the PORTAL network system and processing flow described above.
Referring to Fig. 6, a structural schematic of the PORTAL authentication gateway provided by an embodiment of the invention. The PORTAL authentication gateway is located in the access device of the PORTAL network system and is configured with a mapping algorithm between IPv4 addresses and IPv6 addresses. This mapping algorithm is identical to the one configured in the DHCPv4/DHCPv6 server with which the gateway cooperates; when that DHCPv4/DHCPv6 server allocates an IP address to a client, it pre-allocates the client's IP address of the other protocol according to the same mapping algorithm.
As shown in Fig. 6, the PORTAL authentication gateway comprises a control unit 601, an authentication unit 602, an address mapping unit 603 and an access control unit 604, where:
The control unit 601 is configured to instruct the authentication unit 602 to authenticate the client after the PORTAL authentication gateway receives a network access request from the client; and, after the authentication unit 602 has authenticated the client, to instruct the address mapping unit 603 to perform address mapping and to instruct the access control unit 604 to control the client's network access rights according to the address obtained by the address mapping unit 603;
The authentication unit 602 is configured to authenticate the client through the PORTAL server and the authentication and accounting server, as instructed by the control unit 601;
The address mapping unit 603 is configured to obtain the client's IP address of the other protocol according to the mapping algorithm between IPv4 addresses and IPv6 addresses, as instructed by the control unit 601;
Specifically, when the network access request is based on an IPv4 address, the address mapping unit 603 obtains the IPv6 address according to the mapping algorithm between IPv4 addresses and IPv6 addresses; when the network access request is based on an IPv6 address, it obtains the IPv4 address according to the same mapping algorithm.
The access control unit 604 is configured to control the client's network access rights according to the client's IPv4 address and IPv6 address, as instructed by the control unit 601.
Further, the control unit 601 is also configured to: after the authentication unit 602 has authenticated the client, determine whether the client requesting network access is permitted dual-stack network access; and, after the address mapping unit 603 has obtained the mapped IP address, determine whether the client is currently using that mapped IP address for network access. Accordingly, when the control unit 601 determines that the client requesting network access is permitted dual-stack network access, it instructs the address mapping unit 603 to perform address mapping; and when it determines that the client is not currently using the mapped IP address for network access, it instructs the access control unit 604 to open network access rights for both the client's IPv4 address and its IPv6 address.
Further, the control unit 601 is also configured to: on learning that the client's IPv4-based network connection has been disconnected, determine whether the client's IPv6-based network connection is also disconnected; and, on learning that the client's IPv6-based network connection has been disconnected, determine whether the client's IPv4-based network connection is also disconnected. Accordingly, when the control unit 601 determines that the client's IPv6-based or IPv4-based network connection is disconnected, it instructs the access control unit 604 to close the client's network access rights; when it determines that the client's IPv6-based or IPv4-based network connection is not disconnected, it instructs the access control unit 604 to keep the client's network access rights. The access control unit 604 acts according to the instruction of the control unit 601.
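The gateway behaviour just described (authenticate, map the source address to the other-protocol address with the fixed-prefix algorithm, open rights for both addresses only when the client is permitted dual-stack access and is not already authenticated on the other stack, and close rights only when both stacks have disconnected) is shown below as an added Python example. It is not code from the patent or from H3C. The prefix 2001:db8:ac:1::/96, the class and method names, and the `authenticate` callable that stands in for the PORTAL server and the authentication and accounting server are all assumptions made for the example; "currently using the mapped address" is modelled as "the mapped address already has access rights open".

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, Set, Union

# Constructed operator prefix for the example; the page only fixes its length (96 bits).
PREFIX96 = ipaddress.IPv6Network("2001:db8:ac:1::/96")

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def map_other(addr: str) -> str:
    """Fixed-prefix mapping from the page: IPv4 <-> low 32 bits of the IPv6 address."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return str(ipaddress.IPv6Address(int(PREFIX96.network_address) | int(ip)))
    if ip not in PREFIX96:
        raise ValueError(f"{addr} is not under the mapping prefix")
    return str(ipaddress.IPv4Address(int(ip) & 0xFFFFFFFF))


@dataclass
class Session:
    """Per-user state kept by the gateway (hypothetical layout)."""
    v4_connected: bool = False
    v6_connected: bool = False
    opened: Set[IPAddr] = field(default_factory=set)  # addresses whose access rights are open


class PortalGateway:
    def __init__(self, authenticate: Callable[[str, str], bool], dual_stack_users: Set[str]):
        self.authenticate = authenticate          # stands in for PORTAL server + AAA server
        self.dual_stack_users = dual_stack_users  # users permitted dual-stack network access
        self.sessions: Dict[str, Session] = {}

    def on_access_request(self, user: str, credential: str, src_ip: str) -> str:
        """Authenticate, map to the other-protocol address, open rights for both."""
        if not self.authenticate(user, credential):
            return "denied"
        ip = ipaddress.ip_address(src_ip)
        sess = self.sessions.setdefault(user, Session())
        if ip.version == 4:
            sess.v4_connected = True
        else:
            sess.v6_connected = True
        if user not in self.dual_stack_users:
            sess.opened.add(ip)  # single-stack user: only the requesting address is opened
            return "single-stack"
        try:
            other = ipaddress.ip_address(map_other(src_ip))
        except ValueError:
            sess.opened.add(ip)  # address outside the mapping prefix: nothing to correlate
            return "unmappable"
        if other in sess.opened:
            return "already-open"  # client already authenticated on the other stack
        sess.opened.update({ip, other})
        return "dual-stack"

    def on_disconnect(self, user: str, src_ip: str) -> str:
        """Close rights only when neither stack's connection remains."""
        sess = self.sessions.get(user)
        if sess is None:
            return "unknown"
        if ipaddress.ip_address(src_ip).version == 4:
            sess.v4_connected = False
        else:
            sess.v6_connected = False
        if sess.v4_connected or sess.v6_connected:
            return "kept"
        sess.opened.clear()
        return "closed"

    def is_permitted(self, src_ip: str) -> bool:
        """What the access device checks per packet: is this source address open?"""
        ip = ipaddress.ip_address(src_ip)
        return any(ip in s.opened for s in self.sessions.values())
```

Because the mapping is a pure function of the address, the gateway needs no lookup to the DHCP servers to learn a client's second address, which is the correlation property the page relies on; the price is that rights opened for the mapped address are only safe if the DHCP servers really do reserve that address for the same client, which is what the pre-allocation on the DHCP side guarantees.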
Referring to Fig. 7, a structural schematic of the DHCP server provided by an embodiment of the invention. The DHCP server is used in the PORTAL network system and is configured with a mapping algorithm between IPv4 addresses and IPv6 addresses, identical to the mapping algorithm configured in the PORTAL authentication gateway with which the DHCP server cooperates. Specifically, the mapping algorithm is: the IPv4 address is mapped uniquely to the last 32 bits of an IPv6 address with a fixed 96-bit prefix.
As shown in Fig. 7, the DHCP server may comprise a receiving unit 701, a judging unit 702 and an allocation unit 703, where:
The receiving unit 701 is configured to receive a client's address allocation request;
The judging unit 702 is configured to determine, according to the address allocation request received by the receiving unit 701, whether an IP address of the corresponding protocol has been recorded as pre-allocated against the client's identifier;
The allocation unit 703, which is configured with the mapping algorithm between IPv4 addresses and IPv6 addresses, is configured to allocate the pre-allocated IP address to the client when the judging unit 702 determines that one is recorded; and, when the judging unit 702 determines that none is recorded, to allocate an IP address to the client, pre-allocate the client's IP address of the other protocol according to the mapping algorithm between IPv4 addresses and IPv6 addresses, and record the correspondence between the client's identifier and the IP addresses allocated and pre-allocated to the client;
Here, when the DHCP server is a DHCPv4 server, the IP address of the other protocol is an IPv6 address; when the DHCP server is a DHCPv6 server, the IP address of the other protocol is an IPv4 address.
Further, the receiving unit 701 is also configured to receive a client's IP address release request; accordingly, the judging unit 702 is also configured to determine, after the receiving unit 701 receives the client's IP address release request, whether the client's IP address of the other protocol is in the pre-allocated state; and accordingly, the allocation unit 703 is also configured to reclaim both the client's IPv4 address and its IPv6 address when the judging unit 702 determines that it is, and, when the judging unit 702 determines that it is not, to set the state of the IP address whose release was requested to pre-allocated.
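The allocation and release logic of the DHCP server (hand out a pre-allocated address if one is recorded for the client, otherwise allocate one and pre-allocate the other-protocol address through the fixed-prefix mapping; on release, reclaim both addresses only when the other one is still merely pre-allocated, else demote the released one to pre-allocated) is shown below as an added Python example. It is not code from the patent or from H3C. It assumes the DHCPv4 and DHCPv6 servers share one lease table, as in the same-device deployment of claim 6, that the IPv6 pool is exactly the IPv4 pool mapped under the constructed prefix 2001:db8:ac:1::/96, and that a client is identified by an opaque identifier string; `LeaseTable`, `DhcpServer` and the state names are hypothetical.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed operator prefix for the example; the page only fixes its length (96 bits).
PREFIX96 = ipaddress.IPv6Network("2001:db8:ac:1::/96")


def map_other(addr: str) -> str:
    """Fixed-prefix mapping from the page: IPv4 <-> low 32 bits of the IPv6 address."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return str(ipaddress.IPv6Address(int(PREFIX96.network_address) | int(ip)))
    if ip not in PREFIX96:
        raise ValueError(f"{addr} is outside the mapping prefix")
    return str(ipaddress.IPv4Address(int(ip) & 0xFFFFFFFF))


@dataclass
class Entry:
    addr: str
    state: str  # "assigned" (handed to the client) or "preassigned" (reserved for it)


class LeaseTable:
    """Records shared by the DHCPv4 and DHCPv6 servers (assumed co-located)."""

    def __init__(self, free_ipv4: List[str]):
        self.free_ipv4 = list(free_ipv4)  # the IPv6 pool is this pool mapped under PREFIX96
        self.records: Dict[str, Dict[int, Entry]] = {}  # client id -> {4: Entry, 6: Entry}

    def state(self, client_id: str, version: int) -> Optional[Tuple[str, str]]:
        e = self.records.get(client_id, {}).get(version)
        return (e.addr, e.state) if e else None


class DhcpServer:
    """One DHCPv4 (version=4) or DHCPv6 (version=6) server over the shared table."""

    def __init__(self, version: int, table: LeaseTable):
        self.version = version
        self.other = 6 if version == 4 else 4
        self.table = table

    def request(self, client_id: str) -> str:
        rec = self.table.records.setdefault(client_id, {})
        entry = rec.get(self.version)
        if entry is not None:
            entry.state = "assigned"  # pre-allocated by the peer server, or a renewal
            return entry.addr
        if not self.table.free_ipv4:
            raise RuntimeError("address pool exhausted")
        v4 = self.table.free_ipv4.pop(0)
        mine, theirs = (v4, map_other(v4)) if self.version == 4 else (map_other(v4), v4)
        rec[self.version] = Entry(mine, "assigned")
        rec[self.other] = Entry(theirs, "preassigned")  # reserve the other-protocol address
        return mine

    def release(self, client_id: str) -> str:
        rec = self.table.records.get(client_id)
        if not rec or self.version not in rec:
            return "unknown"
        if rec[self.other].state == "preassigned":
            # the client never took the other address: give the pair back to the pool
            self.table.free_ipv4.append(rec[4].addr)
            del self.table.records[client_id]
            return "recycled"
        rec[self.version].state = "preassigned"  # other stack still live: keep the pair bound
        return "kept"
```

The point of the "kept" branch is that a client releasing one address while the other stack is still in use must get the same address back on its next request; otherwise the gateway's mapping between the client's two addresses, and therefore its access rights, would silently break.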
In summary, for the case of a dual-stack user going online through PORTAL authentication, embodiments of the invention use an address correlation mechanism to solve the problem of correlating the dual-stack user's online flows, which makes management of online users easier. In addition, because the mapping between a user's IPv4 address and IPv6 address is fixed, an operator can monitor and manage users more easily.
From the description of the above embodiments, those skilled in the art will clearly understand that the invention may be implemented by software together with a necessary general-purpose hardware platform, or of course by hardware, although the former is the better implementation in many cases. Based on this understanding, the technical solution of the invention, or the part of it that contributes over the prior art, may be embodied as a software product stored on a storage medium and comprising instructions that cause a terminal device (which may be a mobile phone, a personal computer, a server, a network device, etc.) to perform the method described in each embodiment of the invention.
The above is only a preferred embodiment of the invention. It should be noted that those skilled in the art may make further improvements and modifications without departing from the principles of the invention, and such improvements and modifications should also be regarded as within the scope of protection of the invention.

Claims (14)

1. A method for access control of a dual-stack user, applied in a PORTAL network system, characterized in that a DHCPv4 server, a DHCPv6 server and a PORTAL authentication gateway in an access device of the PORTAL network system are each configured with a mapping algorithm between IPv4 addresses and IPv6 addresses, the method comprising:
when the DHCPv4 server or the DHCPv6 server receives an address allocation request from a client, determining whether an IP address of the corresponding protocol has been pre-allocated to the client; if so, allocating the pre-allocated IP address to the client; otherwise, allocating an IP address to the client and pre-allocating the client's IP address of the other protocol according to the mapping algorithm between IPv4 addresses and IPv6 addresses;
when the PORTAL authentication gateway receives a network access request from the client based on an IPv4 address or an IPv6 address, and after the client has been authenticated, obtaining the client's IP address of the other protocol according to the mapping algorithm between IPv4 addresses and IPv6 addresses, and controlling the client's network access rights according to the client's IPv4 address and IPv6 address.
2. The method of claim 1, characterized in that, after pre-allocating an IP address to the client according to the mapping algorithm between IPv4 addresses and IPv6 addresses, the DHCPv4 server or the DHCPv6 server further records the correspondence between the client's identifier and the IP addresses allocated and pre-allocated to the client;
when the DHCPv4 server or the DHCPv6 server receives an address allocation request from the client, if the record for the client's identifier shows a pre-allocated IP address of the corresponding protocol, that IP address of the corresponding protocol is allocated to the client.
3. The method of claim 1, characterized in that the method further comprises:
after receiving an IP address release request from the client, the DHCPv4 server or the DHCPv6 server determines whether the client's IP address of the other protocol is in the pre-allocated state; if so, it reclaims both the client's IPv4 address and its IPv6 address; otherwise, it sets the state of the IP address whose release was requested to pre-allocated.
4. The method of claim 1, characterized in that the PORTAL authentication gateway obtaining the client's IP address of the other protocol according to the mapping algorithm between IPv4 addresses and IPv6 addresses, and opening network access rights for the client's IPv4 address and IPv6 address, comprises:
when the network access request is based on an IPv4 address, the PORTAL authentication gateway determines whether the client requesting network access is permitted dual-stack network access; if so, it obtains the IPv6 address according to the mapping algorithm between IPv4 addresses and IPv6 addresses, and, when it determines that the client is currently using the IPv6 address for network access, opens network access rights for the client's IPv4 address and IPv6 address; and/or
when the network access request is based on an IPv6 address, the PORTAL authentication gateway determines whether the client requesting network access is permitted dual-stack network access; if so, it obtains the IPv6 address according to the mapping algorithm between IPv4 addresses and IPv6 addresses, and, when it determines that the client is currently using the IPv4 address for network access, opens network access rights for the client's IPv4 address and IPv6 address.
5. The method of claim 1, characterized in that the method further comprises:
when the PORTAL authentication gateway learns that the client's IPv4-based network connection has been disconnected, it determines whether the client's IPv6-based network connection is also disconnected; if so, it closes the client's network access rights; otherwise, it keeps the client's network access rights; or
when the PORTAL authentication gateway learns that the client's IPv6-based network connection has been disconnected, it determines whether the client's IPv4-based network connection is also disconnected; if so, it closes the client's network access rights; otherwise, it keeps the client's network access rights.
6. The method of any one of claims 1 to 5, characterized in that the DHCPv4 server and the DHCPv6 server are deployed on the same convergence device of the PORTAL network system; or
the DHCPv4 server and the DHCPv6 server are deployed on different convergence devices of the PORTAL network system; or
the DHCPv4 server and the DHCPv6 server are connected to a convergence device of the PORTAL network system.
7. The method of any one of claims 1 to 5, characterized in that the mapping algorithm between IPv4 addresses and IPv6 addresses is specifically: the IPv4 address is mapped uniquely to the last 32 bits of an IPv6 address with a fixed 96-bit prefix.
8. A PORTAL authentication gateway, located in an access device of a PORTAL network system, characterized in that the PORTAL authentication gateway is configured with a mapping algorithm between IPv4 addresses and IPv6 addresses, the mapping algorithm being identical to the one configured in the DHCPv4/DHCPv6 server with which the PORTAL authentication gateway cooperates, and the DHCPv4/DHCPv6 server, when allocating an IP address to a client, pre-allocating the client's IP address of the other protocol according to the mapping algorithm; the PORTAL authentication gateway comprising a control unit, an authentication unit, an address mapping unit and an access control unit, where:
the control unit is configured to instruct the authentication unit to authenticate the client after the PORTAL authentication gateway receives a network access request from the client; and, after the authentication unit has authenticated the client, to instruct the address mapping unit to perform address mapping and to instruct the access control unit to control the client's network access rights according to the address obtained by the address mapping unit;
the authentication unit is configured to authenticate the client through the PORTAL server and the authentication and accounting server, as instructed by the control unit;
the address mapping unit is configured to obtain the client's IP address of the other protocol according to the mapping algorithm between IPv4 addresses and IPv6 addresses, as instructed by the control unit;
the access control unit is configured to control the client's network access rights according to the client's IPv4 address and IPv6 address, as instructed by the control unit.
9. The PORTAL authentication gateway of claim 8, characterized in that the control unit is further configured to: after the authentication unit has authenticated the client, determine whether the client requesting network access is permitted dual-stack network access; and, after the address mapping unit has obtained the mapped IP address, determine whether the client is currently using that mapped IP address for network access;
the control unit being specifically configured to instruct the address mapping unit to perform address mapping when it determines that the client requesting network access is permitted dual-stack network access; and to instruct the access control unit to open network access rights for the client's IPv4 address and IPv6 address when it determines that the client is not currently using the mapped IP address for network access.
10. The PORTAL authentication gateway of claim 8, characterized in that the control unit is further configured to: on learning that the client's IPv4-based network connection has been disconnected, determine whether the client's IPv6-based network connection is also disconnected; and, on learning that the client's IPv6-based network connection has been disconnected, determine whether the client's IPv4-based network connection is also disconnected;
the control unit being specifically configured to instruct the access control unit to close the client's network access rights when it determines that the client's IPv6-based or IPv4-based network connection is disconnected, and to instruct the access control unit to keep the client's network access rights when it determines that the client's IPv6-based or IPv4-based network connection is not disconnected;
the access control unit being further configured to close the client's network access rights, or to keep the client's network access rights, according to the instruction of the control unit.
11. The PORTAL authentication gateway of any one of claims 8 to 10, characterized in that the address mapping unit is specifically configured to obtain the IPv6 address according to the mapping algorithm between IPv4 addresses and IPv6 addresses when the network access request is based on an IPv4 address, and to obtain the IPv4 address according to the mapping algorithm between IPv4 addresses and IPv6 addresses when the network access request is based on an IPv6 address.
12. A DHCP server, applied in a PORTAL network system, the DHCP server being configured with a mapping algorithm between IPv4 addresses and IPv6 addresses identical to the one configured in the PORTAL authentication gateway with which the DHCP server cooperates, characterized in that the DHCP server comprises:
a receiving unit configured to receive a client's address allocation request;
a judging unit configured to determine, according to the address allocation request received by the receiving unit, whether an IP address of the corresponding protocol has been recorded as pre-allocated against the client's identifier;
an allocation unit, configured with the mapping algorithm between IPv4 addresses and IPv6 addresses, configured to allocate the pre-allocated IP address to the client when the judging unit determines that one is recorded; and, when the judging unit determines that none is recorded, to allocate an IP address to the client, pre-allocate the client's IP address of the other protocol according to the mapping algorithm between IPv4 addresses and IPv6 addresses, and record the correspondence between the client's identifier and the IP addresses allocated and pre-allocated to the client;
where, when the DHCP server is a DHCPv4 server, the IP address of the other protocol is an IPv6 address; and when the DHCP server is a DHCPv6 server, the IP address of the other protocol is an IPv4 address.
13. The DHCP server of claim 12, characterized in that the receiving unit is further configured to receive a client's IP address release request;
the judging unit is further configured to determine, after the receiving unit receives the client's IP address release request, whether the client's IP address of the other protocol is in the pre-allocated state;
the allocation unit is further configured to reclaim both the client's IPv4 address and its IPv6 address when the judging unit determines that it is, and, when the judging unit determines that it is not, to set the state of the IP address whose release was requested to pre-allocated.
14. The DHCP server of claim 12, characterized in that the mapping algorithm between IPv4 addresses and IPv6 addresses is specifically: the IPv4 address is mapped uniquely to the last 32 bits of an IPv6 address with a fixed 96-bit prefix.
CN201110325237.3A 2011-10-24 2011-10-24 Access control method and equipment for dual-stack user Active CN102340509B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201110325237.3A CN102340509B (en) 2011-10-24 2011-10-24 Access control method and equipment for dual-stack user

Publications (2)

Publication Number Publication Date
CN102340509A true CN102340509A (en) 2012-02-01
CN102340509B CN102340509B (en) 2015-04-15

Family

ID=45516007

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103004173A (en) * 2012-09-29 2013-03-27 华为技术有限公司 Address allocation method, device and system thereof
CN103220378A (en) * 2013-04-27 2013-07-24 杭州华三通信技术有限公司 Reporting method and equipment of unified certificated user IP (Internet Protocol)
CN105591929A (en) * 2015-10-28 2016-05-18 杭州华三通信技术有限公司 Method and device for authentication in light weight dual-protocol stack networking
CN105704104A (en) * 2014-11-27 2016-06-22 华为技术有限公司 Authentication method and access equipment
CN108718280A (en) * 2018-08-30 2018-10-30 新华三技术有限公司 A kind of message forwarding method and device
CN110995886A (en) * 2019-12-12 2020-04-10 新华三大数据技术有限公司 Network address management method, device, electronic equipment and medium
CN111162914A (en) * 2020-02-11 2020-05-15 河海大学常州校区 Internet of things IPv4 identity authentication method and system based on PUF
CN112804367A (en) * 2019-11-14 2021-05-14 北京百度网讯科技有限公司 Address allocation method and device under dual-stack environment
CN113014550A (en) * 2021-02-07 2021-06-22 南京林业大学 Access control and authentication method for IPoE IPv 4IPv6 in campus network of colleges and universities
CN114189498A (en) * 2021-12-03 2022-03-15 中国电信股份有限公司 Address allocation method and device and dynamic host configuration protocol server

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101447879A (en) * 2009-01-13 2009-06-03 杭州华三通信技术有限公司 Charging method and access equipment therefor
CN101610156A (en) * 2009-08-04 2009-12-23 杭州华三通信技术有限公司 A kind of method of dual protocol stack user authentication, equipment and system
CN101692674A (en) * 2009-10-30 2010-04-07 杭州华三通信技术有限公司 Method and equipment for double stack access
CN101719939A (en) * 2009-12-09 2010-06-02 赛尔网络有限公司 Method for accessing network and certification of IPv6/IPv4 dual stack mainframe

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP03 Change of name, title or address

Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.

Patentee after: NEW H3C TECHNOLOGIES Co.,Ltd.

Address before: 310053 Hangzhou hi tech Industrial Development Zone, Zhejiang province science and Technology Industrial Park, No. 310 and No. six road, HUAWEI, Hangzhou production base

Patentee before: HANGZHOU H3C TECHNOLOGIES Co.,Ltd.

CP03 Change of name, title or address
TR01 Transfer of patent right

Effective date of registration: 20230619

Address after: 310052 11th Floor, 466 Changhe Road, Binjiang District, Hangzhou City, Zhejiang Province

Patentee after: H3C INFORMATION TECHNOLOGY Co.,Ltd.

Address before: 310052 Changhe Road, Binjiang District, Hangzhou, Zhejiang Province, No. 466

Patentee before: NEW H3C TECHNOLOGIES Co.,Ltd.

TR01 Transfer of patent right