CN108243261A - Access control method and access device for dual-stack terminals - Google Patents
- Publication number: CN108243261A (CN201611207827.5A)
- Authority: CN (China)
- Prior art keywords: double stack, terminals, addresses, ipv6, message
- Legal status: Pending
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2101/00—Indexing scheme associated with group H04L61/00
- H04L2101/60—Types of network addresses
- H04L2101/686—Types of network addresses using dual-stack hosts, e.g. in Internet protocol version 4 [IPv4]/Internet protocol version 6 [IPv6] networks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/45—Network directories; Name-to-address mapping
- H04L61/4505—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
- H04L61/4511—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/50—Address allocation
- H04L61/5007—Internet protocol [IP] addresses
- H04L61/5014—Internet protocol [IP] addresses using dynamic host configuration protocol [DHCP] or bootstrap protocol [BOOTP]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0892—Network architectures or network communication protocols for network security for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
Abstract
An access control method and an access device for dual-stack terminals are disclosed. The method includes: an access device forwards packets used to assign an IPv4 address to a dual-stack terminal; before the dual-stack terminal is successfully authenticated, the access device discards packets used to assign an IPv6 address to the dual-stack terminal; after the dual-stack terminal is successfully authenticated, the access device forwards packets used to assign an IPv6 address to the dual-stack terminal. The invention can solve the problem of long delay when a dual-stack terminal accesses a network.
Description
Technical field
The present invention relates to the field of Internet technologies, and in particular to an access control method and an access device for dual-stack terminals.
Background
Dual stack (DS) is a transition technology from Internet Protocol version 4 (IPv4) networks to Internet Protocol version 6 (IPv6) networks. With dual stack, terminal devices and network devices have both an IPv4 protocol stack and an IPv6 protocol stack installed. A dual-stack terminal can access IPv4 networks with an IPv4 address and IPv6 networks with an IPv6 address.
Captive portal authentication is one of the authentication modes of a wireless local area network (WLAN). If captive portal authentication is deployed, a dual-stack terminal can access network resources only after it completes authentication. A WLAN may not support captive portal authentication over IPv6.
When the network does not support IPv6 captive portal authentication, a dual-stack terminal can automatically try to access the network with its IPv4 address, so that the dual-stack terminal still gets access. However, a dual-stack terminal usually tries to access the network with its IPv6 address first and switches to IPv4 only after access with the IPv6 address fails. The access delay of the dual-stack terminal is therefore long, which degrades the user's access experience.
Summary of the invention
This application provides an access control method and an access device for dual-stack terminals, to solve the problem of long delay when a dual-stack terminal accesses a network.
In a first aspect, this application provides an access control method for a dual-stack terminal, where the dual-stack terminal supports an IPv4 protocol stack and an IPv6 protocol stack. The method includes: an access device forwards packets used to assign an IPv4 address to the dual-stack terminal. Before the dual-stack terminal is successfully authenticated, the access device discards packets used to assign an IPv6 address to the dual-stack terminal; after the dual-stack terminal is successfully authenticated, the access device forwards packets used to assign an IPv6 address to the dual-stack terminal.
Because the dual-stack terminal can obtain only an IPv4 address, it can access the network only with the IPv4 address. This avoids the situation in which the network needs to authenticate the dual-stack terminal with an IPv4 authentication mode while the dual-stack terminal still tries its IPv6 address first. The access delay of the dual-stack terminal is therefore reduced.
In a possible implementation, the packets used to assign an IPv6 address to the dual-stack terminal include one or more of the following: a DHCP packet that the dual-stack terminal sends to a DHCP server to request an IPv6 address; a DHCP packet that the DHCP server sends to the dual-stack terminal and that carries the IPv6 address of the dual-stack terminal; and a Router Advertisement packet that a router sends to the dual-stack terminal and that carries the IPv6 address prefix of the dual-stack terminal.
In a possible implementation, before the dual-stack terminal is successfully authenticated, the method further includes: the access device intercepts a DNS response packet sent by a DNS server to the dual-stack terminal, where the DNS response packet includes the IPv4 address and the IPv6 address of the domain name requested by the dual-stack terminal; and the access device deletes the IPv6 address from the DNS response packet and then sends the DNS response packet to the dual-stack terminal.
Because the access device additionally deletes the IPv6 address from the DNS response packet, the dual-stack terminal can obtain only the IPv4 address of the domain name and can therefore access the network only with an IPv4 address. This further ensures that, when the network needs to authenticate the dual-stack terminal with an IPv4 authentication mode, the dual-stack terminal accesses the network with its IPv4 address first. The access delay of the dual-stack terminal is therefore reduced.
In a second aspect, this application provides an access device that includes a transceiver and a processor, where the processor is configured to:
forward, through the transceiver, packets used to assign an IPv4 address to a dual-stack terminal, where the dual-stack terminal supports an IPv4 protocol stack and an IPv6 protocol stack;
before the dual-stack terminal is successfully authenticated, discard packets received by the transceiver that are used to assign an IPv6 address to the dual-stack terminal; and
after the dual-stack terminal is successfully authenticated, forward, through the transceiver, packets used to assign an IPv6 address to the dual-stack terminal.
In a possible implementation, the packets used to assign an IPv6 address to the dual-stack terminal include one or more of the following: a DHCP packet that the dual-stack terminal sends to a DHCP server to request an IPv6 address; a DHCP packet that the DHCP server sends to the dual-stack terminal and that carries the IPv6 address of the dual-stack terminal; and a Router Advertisement packet that a router sends to the dual-stack terminal and that carries the IPv6 address prefix of the dual-stack terminal.
In a possible implementation, before the dual-stack terminal is successfully authenticated, the processor is further configured to: intercept, through the transceiver, a DNS response packet sent by a DNS server to the dual-stack terminal, where the DNS response packet includes the IPv4 address and the IPv6 address of the domain name requested by the dual-stack terminal; and, after deleting the IPv6 address from the DNS response packet, send the DNS response packet to the dual-stack terminal through the transceiver.
For the problem-solving principle and beneficial effects of the access device, refer to the implementations of the access control method for dual-stack terminals in the first aspect and each possible implementation of the first aspect, and to the beneficial effects they bring. The implementation of the access device can therefore follow the implementation of that method, and the overlapping parts are not repeated.
In a third aspect, this application provides an access device for a dual-stack terminal, where the dual-stack terminal supports an IPv4 protocol stack and an IPv6 protocol stack. The access device includes:
a forwarding module, configured to forward packets used to assign an IPv4 address to the dual-stack terminal;
a processing module, configured to discard packets used to assign an IPv6 address to the dual-stack terminal before the dual-stack terminal is successfully authenticated, and to forward packets used to assign an IPv6 address to the dual-stack terminal after the dual-stack terminal is successfully authenticated.
In a possible implementation, the packets used to assign an IPv6 address to the dual-stack terminal include one or more of the following: a DHCP packet that the dual-stack terminal sends to a DHCP server to request an IPv6 address; a DHCP packet that the DHCP server sends to the dual-stack terminal and that carries the IPv6 address of the dual-stack terminal; and a Router Advertisement packet that a router sends to the dual-stack terminal and that carries the IPv6 address prefix of the dual-stack terminal.
In a possible implementation, the access device further includes:
an interception module, configured to intercept, before the dual-stack terminal is successfully authenticated, a DNS response packet sent by a DNS server to the dual-stack terminal, where the DNS response packet includes the IPv4 address and the IPv6 address of the domain name requested by the dual-stack terminal;
the processing module is further configured to send the DNS response packet to the dual-stack terminal after deleting the IPv6 address from the DNS response packet.
For the problem-solving principle and beneficial effects of the access device, refer to the implementations of the access control method for dual-stack terminals in the first aspect and each possible implementation of the first aspect, and to the beneficial effects they bring. The implementation of the access device can therefore follow the implementation of that method, and the overlapping parts are not repeated.
In a fourth aspect, this application provides a storage medium. The storage medium is a computer-readable storage medium that stores a program. The program includes instructions that, when executed by an electronic device having a processor, cause the electronic device to perform the access control method for dual-stack terminals of the first aspect and each possible implementation of the first aspect.
Brief description of the drawings
To describe the technical solutions in the embodiments of the present invention more clearly, the drawings needed for describing the embodiments are briefly introduced below. The drawings described below are only some embodiments of the present invention; a person of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a schematic diagram of the networking architecture of captive portal authentication;
Fig. 2 is a flow diagram of the access control method for dual-stack terminals provided by some embodiments of the present invention;
Fig. 3(a) is a schematic diagram of the processing before authentication in an authentication flow that uses the access control scheme for dual-stack terminals provided by some embodiments of the present invention;
Fig. 3(b) is a schematic diagram of the processing during authentication in an authentication flow that uses the access control scheme for dual-stack terminals provided by some embodiments of the present invention;
Fig. 3(c) is a schematic diagram of the processing after authentication in an authentication flow that uses the access control scheme for dual-stack terminals provided by some embodiments of the present invention;
Fig. 4 is a structural diagram of the access device for dual-stack terminals provided by some embodiments of the present invention;
Fig. 5 is a structural diagram of the access device provided by some embodiments of the present invention.
Detailed description
If the network deploys only IPv4 captive portal authentication and does not support IPv6 captive portal authentication, a dual-stack terminal still tries to access the network with its IPv6 address first, which makes the network access delay long. The embodiments of the present invention provide an access control method and an access device for dual-stack terminals, to solve the problem of long delay when a dual-stack terminal accesses a network and to improve the user's access experience.
The access control scheme for dual-stack terminals provided by the embodiments of the present invention restricts a dual-stack terminal, before it is successfully authenticated, to obtaining an IPv4 address only and not an IPv6 address, so that the dual-stack terminal can access the network only with its IPv4 address. The dual-stack terminal accesses the network with its IPv4 address and triggers IPv4 captive portal authentication, which reduces the access delay of the dual-stack terminal.
To show more clearly the technical problem that the embodiments of the present invention can solve, captive portal authentication is first briefly introduced below.
Fig. 1 shows a schematic diagram of the networking architecture of captive portal authentication. As shown in Fig. 1, the example architecture includes: a terminal 101, an access device 102, a redirection device 103, a captive portal authentication server 104, and an authentication, authorization and accounting (AAA) server 105. The AAA server 105 is, for example, a Remote Authentication Dial In User Service (RADIUS) server. The captive portal authentication server 104 and the AAA server 105 may be mutually independent physical devices or may be implemented by the same physical device.
The terminal in this application may include handheld devices with communication functions, in-vehicle devices, wearable devices, computing devices and the like. Client software for accessing the network, such as a Hypertext Transfer Protocol (HTTP) or Hypertext Transfer Protocol over Secure Socket Layer (HTTPS) browser or an application (APP), may be installed on terminal 101 to initiate network access requests.
The access device in this application may include a switch, a router, an access point (AP) in a WLAN, and the like. Access devices may include a network device that is directly connected (wired or wirelessly) to the terminal, such as access device 102 in Fig. 1, which is directly connected to terminal 101, as well as a network device at the access layer that is indirectly connected to the terminal. For example, when access device 102 and redirection device 103 are in the same physical device, redirection device 103 is indirectly connected to the terminal.
Redirection device 103 may include a switch, a router, a wireless controller in a WLAN, and the like. Redirection device 103 is mainly used to redirect network access requests from unauthenticated terminals to the captive portal authentication server. The captive portal authentication server 104 mainly provides the portal service and pushes the authentication page and, after receiving the authentication information that the terminal enters on the authentication page, exchanges the authentication information with the access device. The AAA server 105 mainly communicates with the access device to exchange authentication information and complete authentication of the terminal.
In the example architecture shown in Fig. 1, after terminal 101 initiates a network access request, access device 102 receives the request and forwards it. If terminal 101 is not authenticated, redirection device 103 redirects the network access request of terminal 101 to the captive portal authentication server 104.
Then, as shown in Fig. 1, after redirection device 103 redirects the network access request of the unauthenticated terminal 101 to the captive portal authentication server 104, the captive portal authentication server 104 pushes the authentication page to terminal 101. Terminal 101 submits authentication information such as a user name and password entered on the authentication page to the captive portal authentication server 104 (1). The captive portal authentication server 104 then exchanges the user's authentication information with redirection device 103 (2), and redirection device 103 communicates with the AAA server 105 (3) to complete authentication of terminal 101.
Captive portal authentication triggers the authentication process through the network access request that the terminal initiates, and the terminal can access network resources only after completing authentication. In a network where captive portal authentication is deployed, the terminal therefore needs to obtain an IP address first so that it can initiate a network access request. During the transition from IPv4 networks to IPv6 networks, a terminal obtains IP addresses in the following two cases:
For a terminal that supports the IPv4 protocol stack, IPv4 addresses can be configured through the Dynamic Host Configuration Protocol (DHCP), so the terminal can obtain an IPv4 address from a DHCP server;
For a dual-stack terminal that supports both the IPv4 protocol stack and the IPv6 protocol stack, on the one hand the dual-stack terminal can obtain an IPv4 address from a DHCP server. On the other hand, IPv6 addresses can be configured through stateful address allocation (for example, using Dynamic Host Configuration Protocol version 6 (DHCPv6)) or through stateless address allocation (for example, using Internet Control Message Protocol version 6 (ICMPv6)); which IPv6 address allocation mode is used can be configured by the network administrator. A dual-stack terminal can therefore also obtain an IPv6 address from a DHCP server or from a router in the network, where obtaining an IPv6 address from a router in the network is the stateless address allocation mode.
Specifically, for example, the architecture shown in Fig. 1 may further include a DHCP server that configures an IPv4 address for the terminal; or the architecture shown in Fig. 1 may further include a DHCP server and/or a router that configure an IPv4 address and an IPv6 address for a dual-stack terminal. In some practical scenarios the DHCP server need not be deployed separately; for example, the DHCP protocol can be enabled on redirection device 103.
It can be seen that a dual-stack terminal can obtain both an IPv6 address and an IPv4 address and prefers the IPv6 address when it initiates a network access request. If the network deploys only IPv4 captive portal authentication and does not support IPv6 captive portal authentication, the dual-stack terminal switches to IPv4 only after access with the IPv6 address fails, so the network access delay is long and the user's access experience is poor.
To solve the above problem, the embodiments of the present invention provide an access control method and an access device for dual-stack terminals. The embodiments of the present invention are described below with reference to the drawings.
Fig. 2 shows a flow diagram of the access control method for dual-stack terminals provided by an embodiment of the present invention. The flow can be implemented in hardware, in software, or in a combination of software and hardware.
An access device can be configured to perform the flow shown in Fig. 2. For example, in the captive portal authentication networking architecture of Fig. 1, access device 102 can be configured to perform the flow shown in Fig. 2. The functional modules in the access device that perform the access control scheme for dual-stack terminals provided by the embodiments of the present invention can be implemented in hardware, in software, or in a combination of software and hardware, where the hardware may include one or more signal processing circuits and/or application-specific integrated circuits.
As shown in Fig. 2, the flow includes the following processing:
On the one hand, so that the dual-stack terminal can obtain an IPv4 address, the access device forwards packets used to assign an IPv4 address to the dual-stack terminal (201).
Forwarding packets used to assign an IPv4 address to the dual-stack terminal may include: the access device forwards to the DHCP server the DHCP packet in which the dual-stack terminal requests an IPv4 address, and the access device sends to the dual-stack terminal the DHCP response packet, sent by the DHCP server, that carries the IPv4 address of the dual-stack terminal. The dual-stack terminal then obtains an IPv4 address normally.
Here, the DHCP packet requesting an IPv4 address and the DHCP packet carrying the IPv4 address of the dual-stack terminal are DHCPv4 packets, that is, DHCP packets under the IPv4 protocol.
On the other hand, the goal is to restrict the dual-stack terminal to accessing the network with its IPv4 address only, and so avoid the long access delay that arises when the network needs to authenticate the dual-stack terminal with an IPv4 authentication mode but the dual-stack terminal prefers its IPv6 address. To this end, before the dual-stack terminal is successfully authenticated, the access device discards packets used to assign an IPv6 address to the dual-stack terminal (202).
The packets used to assign an IPv6 address to the dual-stack terminal that the access device discards may include one or more of the following: a DHCP packet that the dual-stack terminal sends to a DHCP server to request an IPv6 address; a DHCP packet that the DHCP server sends to the dual-stack terminal and that carries the IPv6 address of the dual-stack terminal; and a Router Advertisement (RA) packet that a router sends to the dual-stack terminal and that carries the IPv6 address prefix of the dual-stack terminal.
For example, in some embodiments of the present invention, if the network is configured to assign IPv6 addresses with stateful address allocation, which mainly implements IPv6 address configuration through DHCPv6, the access device can discard the DHCP packet requesting an IPv6 address when it receives that packet from the dual-stack terminal. The dual-stack terminal then cannot obtain an IPv6 address and can access the network only with the IPv4 address it has obtained.
As another example, in some embodiments of the present invention, if the access device fails to discard in time the DHCP packet requesting an IPv6 address sent by the dual-stack terminal, so that the DHCP server receives the DHCP packet and sends the dual-stack terminal a DHCP packet carrying the IPv6 address of the dual-stack terminal, the access device can discard that DHCP packet sent by the DHCP server, so that the dual-stack terminal cannot obtain an IPv6 address;
As another example, in some embodiments of the present invention, the network may be configured to assign IPv6 addresses with stateless address allocation, which mainly implements IPv6 address configuration through ICMPv6. ICMPv6 supports address autoconfiguration of network nodes: a router carries IPv6 address prefix information in RA packets to assign an IPv6 address prefix to the terminal, and the terminal obtains a global unicast address by combining the address prefix announced by the router with its own interface identifier. Therefore, when the access device receives an RA packet sent by a router that carries an IPv6 address prefix, it can discard the RA packet so that the dual-stack terminal cannot obtain an IPv6 address.
Here, the DHCP packet requesting an IPv6 address and the DHCP packet carrying the IPv6 address of the dual-stack terminal are DHCPv6 packets, that is, DHCP packets corresponding to the IPv6 protocol.
Which address allocation mode the network uses to assign IPv6 addresses can be configured by the network administrator and is not described further in this application.
It can be seen that, with the two kinds of processing above, the dual-stack terminal can obtain only an IPv4 address before it is successfully authenticated and can therefore access the network only with its IPv4 address. This avoids the long network access delay that arises when the network needs to authenticate the dual-stack terminal with an IPv4 authentication mode but the dual-stack terminal prefers its IPv6 address.
Specifically, for example, in some embodiments of the present invention, if captive portal authentication is deployed in the network, the dual-stack terminal has to enter the authentication process by initiating a network access request and can access network resources only after completing authentication. Because the access device discards packets used to assign an IPv6 address to the dual-stack terminal before authentication, the dual-stack terminal can obtain only an IPv4 address and not an IPv6 address. The dual-stack terminal therefore accesses the network directly with its IPv4 address and triggers IPv4 captive portal authentication, which gives the dual-stack terminal access. This avoids the situation in which the network does not support IPv6 captive portal authentication while the dual-stack terminal still prefers its IPv6 address, and it reduces the access delay of the dual-stack terminal.
Further, to ensure that the dual-stack terminal can access both IPv4 and IPv6 network resources after it is successfully authenticated, the access device can, after the dual-stack terminal is successfully authenticated, forward packets used to assign an IPv6 address to the dual-stack terminal (203), so that the authenticated dual-stack terminal can obtain an IPv6 address and access IPv6 network resources.
Before the dual-stack terminal is successfully authenticated, the access device discards every packet it receives that is used to assign an IPv6 address to the dual-stack terminal. After the dual-stack terminal is successfully authenticated, the access device no longer filters out such packets and no longer discards them, but forwards them normally. After successful authentication, the access device therefore forwards the packets of this kind that it receives (packets used to assign an IPv6 address to the dual-stack terminal).
The access device can enable the function of discarding packets used to assign an IPv6 address to the dual-stack terminal before the dual-stack terminal is successfully authenticated, and disable the function after successful authentication and perform normal packet forwarding. Packets used to assign an IPv6 address to the dual-stack terminal are then forwarded normally, so that the authenticated dual-stack terminal can obtain an IPv6 address.
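The three forwarding rules of the flow in Fig. 2 (201 to 203) can be written as a per-terminal packet filter. The following Python code is an added example, not code from the patent: it assumes untagged Ethernet frames, recognises DHCPv4 and DHCPv6 by their UDP destination ports and Router Advertisements by ICMPv6 type 134, and the names classify and AccessDevice, the MAC addresses and the sample frames are hypothetical.

```python
import struct

ETH_IPV4, ETH_IPV6 = 0x0800, 0x86DD
PROTO_UDP, PROTO_ICMPV6 = 17, 58
EXT_HEADERS = {0, 43, 60}        # IPv6 hop-by-hop, routing, destination options
ICMPV6_RA = 134                  # Router Advertisement message type
DHCPV4_PORTS = {67, 68}          # DHCPv4 server / client
DHCPV6_PORTS = {546, 547}        # DHCPv6 client / server


def classify(frame: bytes) -> str:
    """Classify an untagged Ethernet frame as 'dhcpv4', 'dhcpv6', 'ra' or 'other'."""
    if len(frame) < 14:
        return "other"
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    ip = frame[14:]
    if ethertype == ETH_IPV4 and len(ip) >= 20 and ip[0] >> 4 == 4:
        ihl = (ip[0] & 0x0F) * 4
        first_fragment = (struct.unpack_from("!H", ip, 6)[0] & 0x1FFF) == 0
        if ihl >= 20 and ip[9] == PROTO_UDP and first_fragment and len(ip) >= ihl + 4:
            if struct.unpack_from("!H", ip, ihl + 2)[0] in DHCPV4_PORTS:
                return "dhcpv4"
    elif ethertype == ETH_IPV6 and len(ip) >= 40 and ip[0] >> 4 == 6:
        nxt, off = ip[6], 40
        # Walk extension headers so the decision is made on the upper-layer protocol.
        while nxt in EXT_HEADERS and len(ip) >= off + 8:
            nxt, off = ip[off], off + (ip[off + 1] + 1) * 8
        if nxt == PROTO_UDP and len(ip) >= off + 4:
            if struct.unpack_from("!H", ip, off + 2)[0] in DHCPV6_PORTS:
                return "dhcpv6"
        if nxt == PROTO_ICMPV6 and len(ip) > off and ip[off] == ICMPV6_RA:
            return "ra"
    return "other"


class AccessDevice:
    """Steps 201-203: forward DHCPv4 always, drop DHCPv6 and RA until authentication."""

    def __init__(self):
        self.authenticated = set()   # MAC addresses of authenticated terminals

    def on_auth_success(self, terminal_mac: bytes) -> None:
        self.authenticated.add(terminal_mac)

    def decide(self, terminal_mac: bytes, frame: bytes) -> str:
        # Assumption: the caller knows which terminal the frame comes from or is
        # delivered to (for example from the port or wireless association).
        kind = classify(frame)
        if kind in ("dhcpv6", "ra") and terminal_mac not in self.authenticated:
            return "drop"        # step 202
        return "forward"         # steps 201 and 203, and all other traffic


# --- Constructed sample frames (headers only, not captured traffic) ---
TERMINAL = bytes.fromhex("02aabbccdd01")
ROUTER = bytes.fromhex("02aabbccddfe")

def eth(dst, src, ethertype, payload):
    return dst + src + struct.pack("!H", ethertype) + payload

def udp(sport, dport):
    return struct.pack("!HHHH", sport, dport, 8, 0)

def ipv4(proto, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, bytes(4), b"\xff" * 4) + payload

def ipv6(next_header, payload):
    return struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_header, 255,
                       bytes(16), bytes(16)) + payload

RA_BODY = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0, 1800, 0, 0)
HOP_BY_HOP = bytes([PROTO_ICMPV6, 0, 1, 4, 0, 0, 0, 0])  # next header, length 0, PadN

DHCPV4_DISCOVER = eth(b"\xff" * 6, TERMINAL, ETH_IPV4, ipv4(PROTO_UDP, udp(68, 67)))
DHCPV6_SOLICIT = eth(ROUTER, TERMINAL, ETH_IPV6, ipv6(PROTO_UDP, udp(546, 547)))
DHCPV6_REPLY = eth(TERMINAL, ROUTER, ETH_IPV6, ipv6(PROTO_UDP, udp(547, 546)))
ROUTER_ADVERT = eth(TERMINAL, ROUTER, ETH_IPV6, ipv6(PROTO_ICMPV6, RA_BODY))
ROUTER_ADVERT_EXT = eth(TERMINAL, ROUTER, ETH_IPV6, ipv6(0, HOP_BY_HOP + RA_BODY))
```
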
It can be seen that, with the above processing, the existing IPv4 network needs essentially no modification or upgrade for dual-stack terminals to complete authentication and access the network smoothly. This meets the networking policy requirement that dual-stack terminals authenticate before going online and improves the access experience of dual-stack terminal users.
Further, IPv6 provides two types of IPv6 address. One is the global unicast address (GUA), which can be used to access any IPv6 node that is reachable by routing in the network. The other is the link-local address (LLA), which is used only for link-local communication and can be generated by the dual-stack terminal itself. When a dual-stack terminal accesses the network with a client that supports dual stack, it can decide whether to use an IPv4 address or an IPv6 address according to the addresses carried in the DNS response packet returned by the DNS server.
Thus, it is contemplated that it, can if double stack terminals get the required IPv6 addresses for accessing domain name before certification success
The situation of the IPv6 addresses of the link-local address access domain name of oneself generation can be used, in some embodiments of the present invention
In, in order to avoid it is above-mentioned possible the occurrence of, can also further limit double stack terminals can not obtain before certification success
To the IPv6 addresses for the domain name for asking to access, so as to ensure that double stack terminals can only use IPv4 addresses to access network.
After receiving a DNS resolution request message sent by the dual-stack terminal, a Domain Name System (DNS) server may return to the dual-stack terminal a DNS response message carrying both the IPv4 address and the IPv6 address of the requested domain name. Therefore, in some embodiments of the present invention, before the dual-stack terminal is successfully authenticated, the access device may also intercept the DNS response message sent by the DNS server to the dual-stack terminal, delete the IPv6 address from the DNS response message, and then send the DNS response message with the IPv6 address deleted to the dual-stack terminal. The dual-stack terminal thus obtains only the IPv4 address of the requested domain name and can only use an IPv4 address to access the network.
In some embodiments of the present invention, the dual-stack terminal initiates a DNS resolution request, asking the DNS server to resolve the IP address corresponding to a domain name. After looking up the addresses of the domain name, the DNS server may return to the dual-stack terminal a DNS response message containing an A record and an AAAA record, where the A record is the DNS record that resolves a domain name to an IPv4 address and the AAAA record is the DNS record that resolves a domain name to an IPv6 address. After obtaining the DNS response message, the access device may retain the A record in it, delete the AAAA record, and then forward it to the dual-stack terminal, so that the dual-stack terminal does not receive the AAAA record and therefore cannot learn the IPv6 address of the domain name.
To accommodate the situation in which deploying a pure IPv6 DNS is difficult, the dual-stack terminal may complete IPv6 address resolution through an IPv4 DNS server; the DNS resolution request message and DNS response message above may be DNSv4 messages carried over the IPv4 protocol.
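The AAAA deletion described above, as an added example that is not code from the patent: removing a record shifts every later byte, so name-compression pointers into the shifted region would break, and the sketch therefore rebuilds the response with all names written uncompressed. The function names, the fail-closed handling of unparseable responses and the sample message are assumptions made for illustration.

```python
import struct
TYPE_A, TYPE_NS, TYPE_CNAME, TYPE_SOA, TYPE_PTR, TYPE_MX, TYPE_AAAA = 1, 2, 5, 6, 12, 15, 28

def read_name(msg, off):
    """Decode a (possibly compressed) name in bytes msg; return (labels, offset past it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer
            end = off + 2 if end is None else end
            off = ((length & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 32:
                raise ValueError("compression pointer loop")
        elif length & 0xC0:
            raise ValueError("reserved label type")
        elif length == 0:
            return labels, (off + 1 if end is None else end)
        else:
            labels.append(msg[off + 1:off + 1 + length])
            off += 1 + length

def write_name(labels):
    return b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"

def expand_rdata(msg, rtype, off, rdlen):
    """Re-encode RDATA without compression so it stays valid once offsets shift."""
    if rtype in (TYPE_NS, TYPE_CNAME, TYPE_PTR, TYPE_MX):
        skip = 2 if rtype == TYPE_MX else 0       # MX: 16-bit preference precedes the name
        return msg[off:off + skip] + write_name(read_name(msg, off + skip)[0])
    if rtype == TYPE_SOA:
        mname, p = read_name(msg, off)
        rname, p = read_name(msg, p)
        return write_name(mname) + write_name(rname) + msg[p:p + 20]
    return msg[off:off + rdlen]                   # A, TXT, OPT...: no embedded names

def walk(msg):
    """Return (questions, records) with names decompressed; RDATA as (offset, length)."""
    counts = struct.unpack_from("!6H", msg, 0)[2:]
    off, questions, records = 12, [], []
    for _ in range(counts[0]):
        labels, off = read_name(msg, off)
        questions.append((labels, msg[off:off + 4]))
        off += 4
    for section, n in enumerate(counts[1:]):      # 0 answer, 1 authority, 2 additional
        for _ in range(n):
            labels, off = read_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            if off + 10 + rdlen > len(msg):
                raise ValueError("truncated record")
            records.append((section, labels, rtype, rclass, ttl, off + 10, rdlen))
            off += 10 + rdlen
    return questions, records

def strip_aaaa(msg):
    """Rebuild msg without AAAA records; return (new_message, removed_count)."""
    ident, flags, qd = struct.unpack_from("!3H", msg, 0)
    questions, records = walk(msg)
    body = b"".join(write_name(name) + tail for name, tail in questions)
    kept = [0, 0, 0]
    for section, labels, rtype, rclass, ttl, rd_off, rdlen in records:
        if rtype == TYPE_AAAA:
            continue
        rdata = expand_rdata(msg, rtype, rd_off, rdlen)
        body += write_name(labels) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata
        kept[section] += 1
    return struct.pack("!6H", ident, flags, qd, *kept) + body, len(records) - sum(kept)

def filter_dns_response(msg, authenticated):
    """Post-auth: forward unchanged. Pre-auth: strip AAAA; None = drop (assumed fail-closed)."""
    if authenticated:
        return msg
    try:
        return strip_aaaa(msg)[0]
    except (IndexError, ValueError, struct.error):
        return None

# Constructed sample (not a capture): glue owner names point into NS RDATA after the AAAA.
def rr(owner, rtype, rdata, ttl=60):
    return owner + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
PTR_Q, PTR_NS1 = b"\xc0\x0c", b"\xc0\x56"         # offsets 12 (question) and 86 (NS RDATA)
SAMPLE = (struct.pack("!6H", 0x1234, 0x8180, 1, 2, 1, 2)
          + b"\x07example\x04test\x00" + struct.pack("!HH", TYPE_A, 1)
          + rr(PTR_Q, TYPE_A, bytes([192, 0, 2, 10]))
          + rr(PTR_Q, TYPE_AAAA, bytes.fromhex("20010db8" + "00" * 11 + "10"))
          + rr(PTR_Q, TYPE_NS, b"\x03ns1" + PTR_Q)
          + rr(PTR_NS1, TYPE_A, bytes([192, 0, 2, 53]))
          + rr(PTR_NS1, TYPE_AAAA, bytes.fromhex("20010db8" + "00" * 11 + "53")))
```

The rebuilt message is larger than the original because names are no longer compressed, so the forwarding path has to recompute the UDP length and checksum. The approach only sees cleartext DNS; responses carried inside an encrypted transport pass the access device unmodified.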
It can be seen that, in the access control scheme for dual-stack terminals provided in the embodiments of the present invention, before the dual-stack terminal is successfully authenticated the access device discards the messages that assign an IPv6 address to the dual-stack terminal and selectively modifies DNS response messages to delete the IPv6 address of the domain name, forcing the dual-stack terminal to use only an IPv4 address to access the network before authentication succeeds. This ensures that, when the network needs to authenticate the dual-stack terminal using an IPv4 authentication method, the terminal first accesses the network with an IPv4 address and triggers IPv4 captive portal authentication, which reduces the delay of dual-stack terminal network access.
As an example, Fig. 3(a), Fig. 3(b) and Fig. 3(c) show processing flows of the dual-stack terminal access control scheme provided by some embodiments of the present invention in an application. Fig. 3(a) shows the processing flow before authentication, Fig. 3(b) shows the processing flow during authentication, and Fig. 3(c) shows the processing flow after authentication.
As shown in the figures, the access device includes a wireless access point 302 directly connected to the dual-stack terminal 301 and a wireless controller 303 indirectly connected to the dual-stack terminal 301. The wireless access point 302 executes the dual-stack terminal access control scheme provided by the embodiments of the present invention, and the wireless controller 303 is the redirection device.
As shown in Fig. 3(a), before the dual-stack terminal 301 passes authentication, the wireless access point 302 discards the DHCPv6 messages of the dual-stack terminal 301 but forwards the DHCPv4 messages of the dual-stack terminal 301 normally to the wireless controller 303, so that the dual-stack terminal 301 cannot obtain an IPv6 address and can only obtain an IPv4 address. Alternatively, before the dual-stack terminal 301 passes authentication, the wireless access point 302 discards the RA messages sent by routers in the network, so that the dual-stack terminal 301 cannot obtain an IPv6 address.
As shown in Fig. 3(b), during authentication of the dual-stack terminal 301, the wireless access point 302 intercepts the DNSv4 response message sent by the DNS server to the dual-stack terminal 301, deletes the AAAA record (the IPv6 address of the domain name) from it, and sends it to the dual-stack terminal 301. The dual-stack terminal 301 therefore obtains only the A record (the IPv4 address of the domain name): it obtains the IPv4 address of the domain name from the A record and cannot obtain the IPv6 address of the domain name, so it cannot use an IPv6 address of the link-local type to access the network.
Through the above process, the dual-stack terminal 301 can obtain only an IPv4 address and only the IPv4 address of the domain name, which ensures that the dual-stack terminal 301 can only use an IPv4 address to access the network. Thus, when the network cannot support IPv6 captive portal authentication, IPv4 captive portal authentication is triggered directly and the dual-stack terminal gains access.
After the dual-stack terminal 301 passes IPv4 captive portal authentication, it can go online normally: it accesses IPv4 network resources through its IPv4 address, and it can obtain an IPv6 address and access IPv6 network resources through that IPv6 address. The wireless access point 302 and the wireless controller 303 forward data traffic normally, as shown in Fig. 3(c).
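The forwarding decision of Fig. 3(a) and Fig. 3(c), as an added example that is not code from the patent: a classifier that recognises DHCPv6 and Router Advertisement packets (walking IPv6 extension headers first) and a per-terminal gate that drops them only until authentication succeeds. Keying the state by terminal MAC address, the class and function names, and the sample packets are assumptions; the sketch also assumes the access point makes the decision per associated terminal, including for multicast RAs.

```python
import ipaddress
import struct

ETH_IPV4, ETH_IPV6 = 0x0800, 0x86DD
EXT_HEADERS = {0, 43, 60}            # hop-by-hop, routing, destination options
FRAGMENT, UDP, ICMPV6 = 44, 17, 58
DHCPV6_PORTS = {546, 547}            # DHCPv6 client port, server/relay port
ROUTER_ADVERTISEMENT = 134           # ICMPv6 type

def assigns_ipv6_address(pkt):
    """True if pkt (bytes starting at the IPv6 header) is DHCPv6 or a Router Advertisement."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return False
    nxt, off = pkt[6], 40
    while nxt in EXT_HEADERS or nxt == FRAGMENT:
        if off + 8 > len(pkt):
            return False
        if nxt == FRAGMENT:
            # A non-first fragment carries no upper-layer header to classify.
            if struct.unpack_from("!H", pkt, off + 2)[0] & 0xFFF8:
                return False
            size = 8
        else:
            size = (pkt[off + 1] + 1) * 8
        nxt, off = pkt[off], off + size
    if nxt == UDP and off + 4 <= len(pkt):
        sport, dport = struct.unpack_from("!HH", pkt, off)
        return sport in DHCPV6_PORTS or dport in DHCPV6_PORTS
    if nxt == ICMPV6 and off < len(pkt):
        return pkt[off] == ROUTER_ADVERTISEMENT
    return False

class AccessPoint:
    """Tracks authenticated terminals by MAC address (a modelling assumption)."""

    def __init__(self):
        self.authenticated = set()

    def on_auth_success(self, mac):
        self.authenticated.add(mac)

    def decide(self, terminal_mac, ethertype, payload):
        """Return "drop" or "forward" for a frame sent to or from terminal_mac."""
        pre_auth = terminal_mac not in self.authenticated
        if pre_auth and ethertype == ETH_IPV6 and assigns_ipv6_address(payload):
            return "drop"
        return "forward"             # DHCPv4 and all other traffic: normal forwarding

# Constructed sample packets (checksums left at zero; not captures).
def ipv6(next_header, payload, src="fe80::1", dst="ff02::1"):
    addrs = ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 255) + addrs + payload

SOLICIT = ipv6(UDP, struct.pack("!HHHH", 546, 547, 12, 0) + b"\x01\xaa\xbb\xcc",
               "fe80::aa", "ff02::1:2")
RA = ipv6(ICMPV6, bytes([134, 0, 0, 0]) + bytes(12))
# Same RA behind a hop-by-hop header: next header 58, length 0, one PadN option.
RA_HOPOPT = ipv6(0, bytes([ICMPV6, 0, 1, 4, 0, 0, 0, 0]) + bytes([134, 0, 0, 0]) + bytes(12))
NEIGHBOR_SOLICIT = ipv6(ICMPV6, bytes([135, 0, 0, 0]) + bytes(20),
                        "fe80::aa", "ff02::1:ff00:1")
```

Neighbor Solicitation is still forwarded before authentication, which matches the description's point that the terminal keeps a self-generated link-local address and is why the DNS response also has to be filtered.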
In conclusion in the access control program of double stack terminals provided in embodiments of the present invention, access device forwarding
Message for double stack terminal distribution IPv4 addresses;Before the success of double stack terminal authentications, with being discarded as double stack terminal distribution IPv6
The message of location, and after the success of double stack terminal authentications, the message for double stack terminal distribution IPv6 addresses is forwarded, so that
Double stack terminals can not get IPv6 addresses before certification, and since double stack terminals are only capable of getting IPv4 addresses, thus double stacks are whole
End can only use IPv4 addresses to access network.Access device also further intercepts and captures the DNS response messages of dns server return simultaneously
Delete the IPv6 addresses of wherein entrained domain name so that double stack terminals are only capable of getting the IPv4 addresses of domain name, thus into one
Step ensure that double stack terminals can only use IPv4 addresses to access network.It ensure that double stack terminals exist by above-mentioned a series of measures
IPv4 addresses can only be used to access network before certification success, therefore need to use the double stacks of authentication mode certification of IPv4 whole in network
During end, double stack terminals can access network using IPv4 addresses first, so as to reduce the time delay of double stack accessing terminal to network.
Based on the same technical concept, an embodiment of the present invention further provides an access device for dual-stack terminals. The access device can perform the method flow described in the foregoing embodiments of the present invention. The functional modules in the access device that perform that method flow may be implemented by hardware, software programming, or a combination of software and hardware; the hardware may include one or more signal processing and/or application-specific integrated circuits.
Fig. 4 shows a structural diagram of the access device for dual-stack terminals provided by some embodiments of the present invention. As shown in Fig. 4, the access device includes:
a forwarding module 401, configured to forward messages that assign an IPv4 address to the dual-stack terminal;
a processing module 402, configured to discard messages that assign an IPv6 address to the dual-stack terminal before the dual-stack terminal is successfully authenticated, and to forward messages that assign an IPv6 address to the dual-stack terminal after the dual-stack terminal is successfully authenticated.
The messages that assign an IPv6 address to the dual-stack terminal include one or more of the following: a DHCP message requesting an IPv6 address, sent by the dual-stack terminal to a DHCP server; a DHCP message carrying the IPv6 address of the dual-stack terminal, sent by the DHCP server to the dual-stack terminal; a Router Advertisement message carrying the IPv6 address prefix of the dual-stack terminal, sent by a router to the dual-stack terminal.
In some embodiments of the present invention, the access device further includes:
an interception module 403, configured to intercept, before the dual-stack terminal is successfully authenticated, the DNS response message sent by the DNS server to the dual-stack terminal, where the DNS response message includes the IPv4 address of the domain name requested by the dual-stack terminal and the IPv6 address of the domain name.
The interception module 403 is further configured to send the DNS response message to the dual-stack terminal after deleting the IPv6 address from the DNS response message.
Based on the same inventive concept, for the principle by which the access device for dual-stack terminals provided by some embodiments of the present invention solves the problem, and for its beneficial effects, refer to the method embodiment shown in Fig. 2 above and the beneficial effects it brings; for the implementation of the access device, refer to the implementation of the method embodiment above. Repeated details are not described again.
Based on the same technical concept, some embodiments of the present invention further provide an access device for dual-stack terminals, which can be used to perform the dual-stack terminal access control flow described in the foregoing method embodiments of the present invention.
Fig. 5 shows a structural diagram of the access device for dual-stack terminals provided by some embodiments of the present invention. As shown in Fig. 5, the access device may include a transceiver 501 and a processor 502.
The transceiver 501 and the processor 502 may be connected by a bus or in another manner.
The transceiver 501 may include interfaces for connecting to other network devices, for example an interface connected to user equipment, an interface connected to the captive portal authentication server, and interfaces connected to other service devices. An interface may be a wired interface, a wireless interface, or a combination thereof. A wired interface may be, for example, an Ethernet interface; the Ethernet interface may be an optical interface, an electrical interface, or a combination thereof. A wireless interface may be, for example, a wireless local area network (WLAN) interface, a cellular network interface, or a combination thereof.
The processor 502 may be a central processing unit (CPU) or a combination of a CPU and a hardware chip. The hardware chip may be one or a combination of the following: an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA), a complex programmable logic device (CPLD), generic array logic (GAL), and a network processor (NP).
The access device may also include a memory. The memory stores a program that instructs the processor to work. The memory may include volatile memory, such as random-access memory (RAM); the memory may also include non-volatile memory, such as read-only memory (ROM), flash memory, a hard disk drive (HDD) or a solid-state drive (SSD); the memory may also include a combination of the above types of memory.
The processor 502 is configured to:
forward, through the transceiver 501, messages that assign an IPv4 address to the dual-stack terminal;
before the dual-stack terminal is successfully authenticated, discard the messages received by the transceiver 501 that assign an IPv6 address to the dual-stack terminal; and after the dual-stack terminal is successfully authenticated, forward, through the transceiver 501, messages that assign an IPv6 address to the dual-stack terminal.
The messages that assign an IPv6 address to the dual-stack terminal include one or more of the following: a DHCP message requesting an IPv6 address, sent by the dual-stack terminal to a DHCP server; a DHCP message carrying the IPv6 address of the dual-stack terminal, sent by the DHCP server to the dual-stack terminal; a Router Advertisement message carrying the IPv6 address prefix of the dual-stack terminal, sent by a router to the dual-stack terminal.
Before the dual-stack terminal is successfully authenticated, the processor 502 is further configured to:
intercept, through the transceiver 501, the DNS response message sent by the DNS server to the dual-stack terminal, where the DNS response message includes the IPv4 address of the domain name requested by the dual-stack terminal and the IPv6 address of the domain name;
and, after deleting the IPv6 address from the DNS response message, send the DNS response message to the dual-stack terminal through the transceiver 501.
Based on the same technical concept, for the principle by which the access device for dual-stack terminals provided by some embodiments of the present invention solves the problem, and for its beneficial effects, refer to the method embodiment shown in Fig. 2 above and the beneficial effects it brings; for the implementation of the access device, refer to the implementation of the method embodiment above. Repeated details are not described again.
Based on the same technical concept, an embodiment of the present invention further provides a storage medium. The storage medium is a computer-readable storage medium that stores a program; the program includes instructions which, when executed by an electronic device having a processor, cause the electronic device to perform the access control method flow for dual-stack terminals described in the foregoing embodiments of the present invention. For details, refer to the description of the foregoing embodiments, which is not repeated here.
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from the scope of the present invention. If these modifications and variations of the present invention fall within the scope of the claims of the present invention, the present invention is intended to include them as well.
Claims (9)
1. An access control method for a dual-stack terminal, characterized in that the dual-stack terminal supports an Internet Protocol version 4 (IPv4) protocol stack and an Internet Protocol version 6 (IPv6) protocol stack, the method comprising:
an access device forwarding messages that assign an IPv4 address to the dual-stack terminal;
before the dual-stack terminal is successfully authenticated, the access device discarding messages that assign an IPv6 address to the dual-stack terminal;
after the dual-stack terminal is successfully authenticated, the access device forwarding messages that assign an IPv6 address to the dual-stack terminal.
2. The method according to claim 1, characterized in that the messages that assign an IPv6 address to the dual-stack terminal include one or more of the following:
a DHCP message requesting an IPv6 address, sent by the dual-stack terminal to a Dynamic Host Configuration Protocol (DHCP) server;
a DHCP message carrying the IPv6 address of the dual-stack terminal, sent by the DHCP server to the dual-stack terminal;
a Router Advertisement message carrying the IPv6 address prefix of the dual-stack terminal, sent by a router to the dual-stack terminal.
3. The method according to claim 1, characterized in that, before the dual-stack terminal is successfully authenticated, the method further comprises:
the access device intercepting the DNS response message sent by a Domain Name System (DNS) server to the dual-stack terminal, the DNS response message including the IPv4 address of the domain name requested by the dual-stack terminal and the IPv6 address of the domain name;
the access device sending the DNS response message to the dual-stack terminal after deleting the IPv6 address from the DNS response message.
4. An access device, characterized by comprising a transceiver and a processor, wherein
the processor is configured to:
forward, through the transceiver, messages that assign an Internet Protocol version 4 (IPv4) address to a dual-stack terminal, wherein the dual-stack terminal supports an IPv4 protocol stack and an Internet Protocol version 6 (IPv6) protocol stack;
before the dual-stack terminal is successfully authenticated, discard the messages received by the transceiver that assign an IPv6 address to the dual-stack terminal; and
after the dual-stack terminal is successfully authenticated, forward, through the transceiver, messages that assign an IPv6 address to the dual-stack terminal.
5. The access device according to claim 4, characterized in that the messages that assign an IPv6 address to the dual-stack terminal include one or more of the following:
a DHCP message requesting an IPv6 address, sent by the dual-stack terminal to a DHCP server;
a DHCP message carrying the IPv6 address of the dual-stack terminal, sent by the DHCP server to the dual-stack terminal;
a Router Advertisement message carrying the IPv6 address prefix of the dual-stack terminal, sent by a router to the dual-stack terminal.
6. The access device according to claim 4, characterized in that, before the dual-stack terminal is successfully authenticated, the processor is further configured to:
intercept, through the transceiver, the DNS response message sent by a DNS server to the dual-stack terminal, the DNS response message including the IPv4 address of the domain name requested by the dual-stack terminal and the IPv6 address of the domain name; and, after deleting the IPv6 address from the DNS response message, send the DNS response message to the dual-stack terminal through the transceiver.
7. An access device for a dual-stack terminal, characterized in that the dual-stack terminal supports an IPv4 protocol stack and an IPv6 protocol stack, the access device comprising:
a forwarding module, configured to forward messages that assign an IPv4 address to the dual-stack terminal;
a processing module, configured to discard messages that assign an IPv6 address to the dual-stack terminal before the dual-stack terminal is successfully authenticated, and to forward messages that assign an IPv6 address to the dual-stack terminal after the dual-stack terminal is successfully authenticated.
8. The access device according to claim 7, characterized in that the messages that assign an IPv6 address to the dual-stack terminal include one or more of the following:
a DHCP message requesting an IPv6 address, sent by the dual-stack terminal to a DHCP server;
a DHCP message carrying the IPv6 address of the dual-stack terminal, sent by the DHCP server to the dual-stack terminal;
a Router Advertisement message carrying the IPv6 address prefix of the dual-stack terminal, sent by a router to the dual-stack terminal.
9. The access device according to claim 7, characterized in that the access device further comprises:
an interception module, configured to intercept, before the dual-stack terminal is successfully authenticated, the DNS response message sent by a DNS server to the dual-stack terminal, the DNS response message including the IPv4 address of the domain name requested by the dual-stack terminal and the IPv6 address of the domain name; and, after deleting the IPv6 address from the DNS response message, to send the DNS response message to the dual-stack terminal.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611207827.5A CN108243261A (en) | 2016-12-23 | 2016-12-23 | A kind of connection control method and access device of double stack terminals |
Publications (1)
Publication Number | Publication Date |
---|---|
CN108243261A | 2018-07-03 |
Family
ID=62703671
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201611207827.5A Pending CN108243261A (en) | 2016-12-23 | 2016-12-23 | A kind of connection control method and access device of double stack terminals |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108243261A (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20180703 |