CN108243261A - Access control method and access device for dual-stack terminals - Google Patents

Publication number
CN108243261A
Authority
CN
China
Prior art keywords
double stack
terminals
addresses
ipv6
message
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201611207827.5A
Other languages
Chinese (zh)
Inventor
欧历云
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CN201611207827.5A
Publication of CN108243261A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2101/00 Indexing scheme associated with group H04L61/00
    • H04L2101/60 Types of network addresses
    • H04L2101/686 Types of network addresses using dual-stack hosts, e.g. in Internet protocol version 4 [IPv4]/Internet protocol version 6 [IPv6] networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/45 Network directories; Name-to-address mapping
    • H04L61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/50 Address allocation
    • H04L61/5007 Internet protocol [IP] addresses
    • H04L61/5014 Internet protocol [IP] addresses using dynamic host configuration protocol [DHCP] or bootstrap protocol [BOOTP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0892 Network architectures or network communication protocols for network security for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication

Abstract

An access control method and an access device for dual-stack terminals are disclosed. The method includes: an access device forwards packets that assign an IPv4 address to a dual-stack terminal; before the dual-stack terminal is successfully authenticated, the access device discards packets that assign an IPv6 address to the dual-stack terminal; after the dual-stack terminal is successfully authenticated, the access device forwards packets that assign an IPv6 address to the dual-stack terminal. The invention can solve the problem of long delay when a dual-stack terminal accesses the network.

Description

Access control method and access device for dual-stack terminals
Technical Field
The present invention relates to the field of Internet technologies, and in particular to an access control method and an access device for dual-stack terminals.
Background
Dual-stack (DS) technology is a transition technology from Internet Protocol version 4 (IPv4) networks to Internet Protocol version 6 (IPv6) networks. With dual-stack technology, both an IPv4 protocol stack and an IPv6 protocol stack are installed on terminal devices and network devices. A dual-stack terminal can access IPv4 networks through its IPv4 address and IPv6 networks through its IPv6 address.
Captive portal authentication is one of the authentication modes of a wireless local area network (WLAN). If captive portal authentication is deployed, a dual-stack terminal can access network resources only after completing authentication. A WLAN may not support captive portal authentication over IPv6.
When the network does not support captive portal authentication over IPv6, a dual-stack terminal can automatically try to access the network with its IPv4 address, so that the terminal still gets access. However, a dual-stack terminal usually tries its IPv6 address first and switches to IPv4 only after access over IPv6 fails. The dual-stack terminal therefore takes longer to access the network, which degrades the user's access experience.
Summary of the Invention
This application provides an access control method and an access device for dual-stack terminals, to solve the problem of long delay when a dual-stack terminal accesses the network.
In a first aspect, this application provides an access control method for a dual-stack terminal, where the dual-stack terminal supports an IPv4 protocol stack and an IPv6 protocol stack. The method includes: an access device forwards packets that assign an IPv4 address to the dual-stack terminal; before the dual-stack terminal is successfully authenticated, the access device discards packets that assign an IPv6 address to the dual-stack terminal; after the dual-stack terminal is successfully authenticated, the access device forwards packets that assign an IPv6 address to the dual-stack terminal.
Because the dual-stack terminal can obtain only an IPv4 address, it can access the network only with that IPv4 address. This avoids the case where the network needs to authenticate the dual-stack terminal with an IPv4 authentication mode but the terminal still tries its IPv6 address first. The delay for the dual-stack terminal to access the network is therefore reduced.
In a possible implementation, the packets that assign an IPv6 address to the dual-stack terminal include one or more of the following: a DHCP message requesting an IPv6 address, sent by the dual-stack terminal to a DHCP server; a DHCP message carrying the IPv6 address of the dual-stack terminal, sent by the DHCP server to the dual-stack terminal; a Router Advertisement message carrying the IPv6 address prefix of the dual-stack terminal, sent by a router to the dual-stack terminal.
In a possible implementation, before the dual-stack terminal is successfully authenticated, the method further includes: the access device intercepts a DNS response message sent by a DNS server to the dual-stack terminal, where the DNS response message includes the IPv4 address and the IPv6 address of the domain name requested by the dual-stack terminal; the access device deletes the IPv6 address from the DNS response message and then sends the DNS response message to the dual-stack terminal.
Because the access device also deletes the IPv6 address from the DNS response message, the dual-stack terminal can obtain only the IPv4 address of the domain name and can therefore access the network only with an IPv4 address. This further ensures that, when the network needs to authenticate the dual-stack terminal with an IPv4 authentication mode, the terminal accesses the network with its IPv4 address first. The delay for the dual-stack terminal to access the network is therefore reduced.
In a second aspect, this application provides an access device that includes a transceiver and a processor, where the processor is configured to:
forward, through the transceiver, packets that assign an IPv4 address to a dual-stack terminal, where the dual-stack terminal supports an IPv4 protocol stack and an IPv6 protocol stack;
before the dual-stack terminal is successfully authenticated, discard packets received by the transceiver that assign an IPv6 address to the dual-stack terminal; and
after the dual-stack terminal is successfully authenticated, forward, through the transceiver, packets that assign an IPv6 address to the dual-stack terminal.
In a possible implementation, the packets that assign an IPv6 address to the dual-stack terminal include one or more of the following: a DHCP message requesting an IPv6 address, sent by the dual-stack terminal to a DHCP server; a DHCP message carrying the IPv6 address of the dual-stack terminal, sent by the DHCP server to the dual-stack terminal; a Router Advertisement message carrying the IPv6 address prefix of the dual-stack terminal, sent by a router to the dual-stack terminal.
In a possible implementation, before the dual-stack terminal is successfully authenticated, the processor is further configured to: intercept, through the transceiver, a DNS response message sent by a DNS server to the dual-stack terminal, where the DNS response message includes the IPv4 address and the IPv6 address of the domain name requested by the dual-stack terminal; and, after deleting the IPv6 address from the DNS response message, send the DNS response message to the dual-stack terminal through the transceiver.
For the principle by which the access device solves the problem and for its beneficial effects, refer to the first aspect and each possible implementation of the access control method of the first aspect and their beneficial effects. The implementation of the access device may therefore refer to the implementation of the access control method of the first aspect and each of its possible implementations, and repeated details are not described again.
In a third aspect, this application provides an access device for a dual-stack terminal, where the dual-stack terminal supports an IPv4 protocol stack and an IPv6 protocol stack. The access device includes:
a forwarding module, configured to forward packets that assign an IPv4 address to the dual-stack terminal;
a processing module, configured to discard packets that assign an IPv6 address to the dual-stack terminal before the dual-stack terminal is successfully authenticated, and to forward packets that assign an IPv6 address to the dual-stack terminal after the dual-stack terminal is successfully authenticated.
In a possible implementation, the packets that assign an IPv6 address to the dual-stack terminal include one or more of the following: a DHCP message requesting an IPv6 address, sent by the dual-stack terminal to a DHCP server; a DHCP message carrying the IPv6 address of the dual-stack terminal, sent by the DHCP server to the dual-stack terminal; a Router Advertisement message carrying the IPv6 address prefix of the dual-stack terminal, sent by a router to the dual-stack terminal.
In a possible implementation, the access device further includes:
an interception module, configured to intercept, before the dual-stack terminal is successfully authenticated, a DNS response message sent by a DNS server to the dual-stack terminal, where the DNS response message includes the IPv4 address and the IPv6 address of the domain name requested by the dual-stack terminal;
the processing module is further configured to delete the IPv6 address from the DNS response message and then send the DNS response message to the dual-stack terminal.
For the principle by which the access device solves the problem and for its beneficial effects, refer to the first aspect and each possible implementation of the access control method of the first aspect and their beneficial effects. The implementation of the access device may therefore refer to the implementation of the access control method of the first aspect and each of its possible implementations, and repeated details are not described again.
In a fourth aspect, this application provides a storage medium. The storage medium is a computer-readable storage medium that stores a program; the program includes instructions that, when executed by an electronic device with a processor, cause the electronic device to perform the access control method for dual-stack terminals of the first aspect and each possible implementation of the first aspect.
Brief Description of the Drawings
To describe the technical solutions in the embodiments of the present invention more clearly, the accompanying drawings needed for describing the embodiments are briefly introduced below. The drawings described below show only some embodiments of the present invention; a person of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a schematic diagram of the networking architecture for captive portal authentication;
Fig. 2 is a flowchart of the access control method for dual-stack terminals provided by some embodiments of the present invention;
Fig. 3(a) is a schematic diagram of the processing before authentication in an authentication procedure that uses the access control scheme for dual-stack terminals provided by some embodiments of the present invention;
Fig. 3(b) is a schematic diagram of the processing during authentication in an authentication procedure that uses the access control scheme for dual-stack terminals provided by some embodiments of the present invention;
Fig. 3(c) is a schematic diagram of the processing after authentication in an authentication procedure that uses the access control scheme for dual-stack terminals provided by some embodiments of the present invention;
Fig. 4 is a structural diagram of the access device for dual-stack terminals provided by some embodiments of the present invention;
Fig. 5 is a structural diagram of the access device provided by some embodiments of the present invention.
Detailed Description
If a network deploys only captive portal authentication over IPv4 and does not support captive portal authentication over IPv6, a dual-stack terminal still tries to access the network with its IPv6 address first, which makes the network access delay long. The embodiments of the present invention provide an access control method and an access device for dual-stack terminals, to solve the problem of long delay when a dual-stack terminal accesses the network and to improve the user's access experience.
The access control scheme for dual-stack terminals provided by the embodiments of the present invention restricts a dual-stack terminal so that, before it is successfully authenticated, it can obtain only an IPv4 address and cannot obtain an IPv6 address. The dual-stack terminal can therefore access the network only with its IPv4 address. Accessing the network with the IPv4 address triggers captive portal authentication over IPv4, which reduces the delay for the dual-stack terminal to access the network.
To explain more clearly the technical problem that the embodiments of the present invention can solve, captive portal authentication is first introduced briefly below.
Fig. 1 shows a schematic diagram of the networking architecture for captive portal authentication. As shown in Fig. 1, the example architecture includes: a terminal 101, an access device 102, a redirection device 103, a captive portal authentication server 104, and an authentication, authorization, and accounting (AAA) server 105. The AAA server 105 is, for example, a Remote Authentication Dial In User Service (RADIUS) server. The captive portal authentication server 104 and the AAA server 105 may be mutually independent physical devices or may be implemented by the same physical device.
The terminals in this application may include handheld devices with a communication function, in-vehicle devices, wearable devices, computing devices, and so on. A client for accessing the network, such as a Hypertext Transfer Protocol (HTTP) or Hyper Text Transfer Protocol over Secure Socket Layer (HTTPS) browser or an application (APP), can be installed on the terminal 101 to initiate network access requests.
The access devices in this application may include a switch, a router, an access point (AP) in a WLAN, and so on. An access device may be a network device connected directly (by wire or wirelessly) to the terminal, such as the access device 102 shown in Fig. 1, which is directly connected to the terminal 101, or a network device at the access layer that is connected indirectly to the terminal. For example, the access device 102 and the redirection device 103 are in the same physical device, and the redirection device 103 is indirectly connected to the terminal.
The redirection device 103 may include a switch, a router, a wireless controller in a WLAN, and so on. The redirection device 103 mainly redirects network access requests from unauthenticated terminals to the captive portal authentication server. The captive portal authentication server 104 mainly provides the portal service and pushes the authentication page and, after receiving the authentication information that the terminal enters in the authentication page, exchanges authentication information with the access device. The AAA server 105 mainly communicates with the access device, exchanges authentication information, and completes authentication of the terminal.
Based on the example architecture shown in Fig. 1, after the terminal 101 initiates a network access request, the access device 102 receives the request and forwards it. If the terminal 101 is unauthenticated, the redirection device 103 redirects the network access request of the terminal 101 to the captive portal authentication server 104.
Then, as shown in Fig. 1, after the redirection device 103 redirects the network access request of the unauthenticated terminal 101 to the captive portal authentication server 104, the captive portal authentication server 104 can push an authentication page to the terminal 101. After authentication information such as a user name and password is entered in the authentication page, the terminal 101 submits it to the captive portal authentication server 104 (1). The captive portal authentication server 104 then exchanges the user's authentication information with the redirection device 103 (2), and the redirection device 103 communicates with the AAA server 105 (3) to complete authentication of the terminal 101.
Because captive portal authentication is triggered by a network access request initiated by the terminal, and the terminal can access network resources only after completing authentication, in a network that deploys captive portal authentication the terminal must first obtain an IP address so that it can initiate a network access request. During the transition from IPv4 networks to IPv6 networks, a terminal obtains an IP address in one of the following two ways:
For a terminal that supports the IPv4 protocol stack: because IPv4 addresses can be configured through the Dynamic Host Configuration Protocol (DHCP), a terminal that supports the IPv4 protocol stack can obtain an IPv4 address from a DHCP server;
For a dual-stack terminal that supports the IPv4 protocol stack and the IPv6 protocol stack: on the one hand, the dual-stack terminal can obtain an IPv4 address from a DHCP server. On the other hand, an IPv6 address can be configured through stateful address assignment (for example, using the Dynamic Host Configuration Protocol version 6 (DHCPv6)) or through stateless address assignment (for example, using the Internet Control Message Protocol version 6 (ICMPv6)); which IPv6 address assignment mode is used can be configured by the network administrator. A dual-stack terminal can therefore also obtain an IPv6 address from a DHCP server or from a router in the network, where obtaining an IPv6 address from a router in the network is stateless address assignment.
Specifically, for example, the architecture shown in Fig. 1 may further include a DHCP server that configures an IPv4 address for the terminal; or the architecture shown in Fig. 1 may further include a DHCP server and/or a router that configure an IPv4 address and an IPv6 address for the dual-stack terminal. In some real deployments a separate DHCP server may not be configured; for example, DHCP can be enabled on the redirection device 103.
It can be seen that, because a dual-stack terminal can obtain both an IPv6 address and an IPv4 address and initiates network access requests with the IPv6 address first, if the network deploys only captive portal authentication over IPv4 and does not support captive portal authentication over IPv6, the dual-stack terminal switches to IPv4 only after access with the IPv6 address fails. This makes the network access delay long and the user's access experience poor.
To solve the above problem, the embodiments of the present invention provide an access control method and an access device for dual-stack terminals. The embodiments are described below with reference to the accompanying drawings.
Fig. 2 shows a flowchart of the access control method for dual-stack terminals provided by an embodiment of the present invention. The procedure can be implemented in hardware, in software, or in a combination of software and hardware.
An access device can be configured to perform the procedure shown in Fig. 2. For example, in the captive portal networking architecture shown in Fig. 1, the access device 102 can be configured to perform the procedure shown in Fig. 2. The functional modules in the access device that perform the access control scheme for dual-stack terminals provided by the embodiments of the present invention can be implemented in hardware, in software, or in a combination of software and hardware; the hardware may include one or more signal processing circuits and/or application-specific integrated circuits.
As shown in Fig. 2, the procedure includes the following processing:
On the one hand, so that the dual-stack terminal can obtain an IPv4 address, the access device forwards packets that assign an IPv4 address to the dual-stack terminal (201).
Forwarding these packets may include: the access device forwards to the DHCP server the DHCP message requesting an IPv4 address sent by the dual-stack terminal, and the access device sends to the dual-stack terminal the DHCP response message, sent by the DHCP server, that carries the IPv4 address of the dual-stack terminal. The dual-stack terminal then obtains its IPv4 address normally.
The DHCP message requesting an IPv4 address and the DHCP message carrying the IPv4 address of the dual-stack terminal can be regarded as DHCPv4 messages under the IPv4 protocol.
On the other hand, to restrict the dual-stack terminal to accessing the network only with its IPv4 address, and so avoid the long access delay caused by the terminal trying its IPv6 address first when the network needs to authenticate it with an IPv4 authentication mode, the access device discards packets that assign an IPv6 address to the dual-stack terminal before the dual-stack terminal is successfully authenticated (202).
The packets that the access device discards, which assign an IPv6 address to the dual-stack terminal, may include one or more of the following: a DHCP message requesting an IPv6 address, sent by the dual-stack terminal to a DHCP server; a DHCP message carrying the IPv6 address of the dual-stack terminal, sent by the DHCP server to the dual-stack terminal; a Router Advertisement (RA) message carrying the IPv6 address prefix of the dual-stack terminal, sent by a router to the dual-stack terminal.
For example, in some embodiments of the present invention, if the network is configured to assign IPv6 addresses by stateful address assignment, which configures IPv6 addresses mainly through DHCPv6, then when the access device receives a DHCP message requesting an IPv6 address sent by the dual-stack terminal, it can discard that DHCP message. The dual-stack terminal then cannot obtain an IPv6 address and can access the network only with the IPv4 address it has obtained.
As another example, in some embodiments of the present invention, if the access device fails to discard in time the DHCP message requesting an IPv6 address sent by the dual-stack terminal, so that the DHCP server receives that message and sends the dual-stack terminal a DHCP message carrying the IPv6 address of the dual-stack terminal, the access device can discard the DHCP message carrying the IPv6 address of the dual-stack terminal sent by the DHCP server, so that the dual-stack terminal cannot obtain an IPv6 address.
As another example, in some embodiments of the present invention, the network is configured to assign IPv6 addresses by stateless address assignment, which configures IPv6 addresses mainly through ICMPv6. ICMPv6 supports address autoconfiguration of network nodes: a router assigns an IPv6 address prefix to a terminal by carrying IPv6 prefix information in an RA message, and the terminal, on receiving the prefix announced by the router, combines it with its own interface identifier to obtain a global unicast address. When the access device receives an RA message carrying an IPv6 address prefix sent by a router, it can therefore discard the RA message, so that the dual-stack terminal cannot obtain an IPv6 address.
The DHCP message requesting an IPv6 address and the DHCP message carrying the IPv6 address of the dual-stack terminal can be regarded as DHCPv6 messages corresponding to the IPv6 protocol.
Which address assignment mode the network uses to assign IPv6 addresses can be configured by the network administrator; this application does not describe it further.
It can be seen that, with the two kinds of processing above, before authentication succeeds the dual-stack terminal can obtain only an IPv4 address and can therefore access the network only with its IPv4 address. This avoids the long network access delay that arises, when the network needs to authenticate the dual-stack terminal with an IPv4 authentication mode, from the terminal trying its IPv6 address first.
Specifically, for example, in some embodiments of the present invention, if captive portal authentication is deployed in the network, the dual-stack terminal must initiate a network access request to enter the authentication procedure and can access network resources only after completing authentication. Because the access device discards packets that assign an IPv6 address to the dual-stack terminal before authentication, the dual-stack terminal can obtain only an IPv4 address and cannot obtain an IPv6 address. It therefore accesses the network directly with its IPv4 address, triggers captive portal authentication over IPv4, and gets access. This avoids the case where the network does not support captive portal authentication over IPv6 but the dual-stack terminal still tries its IPv6 address first, and reduces the delay for the dual-stack terminal to access the network.
Further, to ensure that the dual-stack terminal can access both IPv4 and IPv6 network resources after it is successfully authenticated, after the dual-stack terminal is successfully authenticated the access device can forward packets that assign an IPv6 address to the dual-stack terminal (203), so that the authenticated dual-stack terminal can obtain an IPv6 address and then access IPv6 network resources.
Before the dual-stack terminal is successfully authenticated, the access device discards every packet it receives that assigns an IPv6 address to the dual-stack terminal. After the dual-stack terminal is successfully authenticated, the access device no longer picks out packets that assign an IPv6 address to the dual-stack terminal and discards them; it forwards them normally. After successful authentication, therefore, the access device forwards the packets of this kind that it receives (packets that assign an IPv6 address to the dual-stack terminal).
The access device can enable the function of discarding packets that assign an IPv6 address to the dual-stack terminal before the dual-stack terminal is successfully authenticated, and disable that function after the dual-stack terminal is successfully authenticated and perform normal packet forwarding, so that packets that assign an IPv6 address to the dual-stack terminal are forwarded normally and the authenticated dual-stack terminal can obtain an IPv6 address.
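The forward/discard decision of steps 201 to 203, written out as an added Python example that is not code from the patent: it classifies a raw IP packet as DHCPv4, DHCPv6, or a Router Advertisement carrying a prefix, and applies the per-terminal authentication state. The names `classify` and `AccessDevice`, the string terminal identifier, and the sample packets are assumptions constructed for illustration; packets are assumed to start at the IP header and to carry no IPv6 extension headers.

```python
import struct

# Illustrative names and constructed packets; not taken from the patent.
FORWARD, DROP, OTHER = "forward", "drop", "not-address-assignment"
UDP, ICMPV6 = 17, 58                 # IP protocol / next-header numbers
DHCPV4_PORTS = {67, 68}              # DHCPv4 server / client
DHCPV6_PORTS = {546, 547}            # DHCPv6 client / server
ICMPV6_RA = 134                      # Router Advertisement
ND_OPT_PREFIX_INFO = 3               # Prefix Information option


def ra_has_prefix(icmp):
    """True if a Router Advertisement carries a Prefix Information option."""
    off = 16                         # 4-byte ICMPv6 header + 12-byte RA fixed part
    while off + 2 <= len(icmp):
        opt_type, opt_len = icmp[off], icmp[off + 1]
        if opt_len == 0:             # invalid; hosts discard such RAs (RFC 4861)
            return False
        if opt_type == ND_OPT_PREFIX_INFO:
            return True
        off += opt_len * 8           # option length is in units of 8 bytes
    return False


def classify(packet):
    """Return 'dhcpv4', 'dhcpv6', 'ra-prefix' or 'other' for a raw IP packet."""
    if len(packet) < 20:
        return "other"
    version = packet[0] >> 4
    if version == 4 and packet[9] == UDP:
        ihl = (packet[0] & 0x0F) * 4
        if len(packet) >= ihl + 4:
            sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
            if {sport, dport} <= DHCPV4_PORTS:
                return "dhcpv4"
    elif version == 6 and len(packet) >= 44:
        next_header, payload = packet[6], packet[40:]
        if next_header == UDP:
            sport, dport = struct.unpack("!HH", payload[:4])
            if {sport, dport} <= DHCPV6_PORTS:
                return "dhcpv6"
        elif next_header == ICMPV6 and payload[0] == ICMPV6_RA and ra_has_prefix(payload):
            return "ra-prefix"
    return "other"


class AccessDevice:
    """Tracks which terminals have authenticated and gates IPv6 assignment."""

    def __init__(self):
        self.authenticated = set()

    def mark_authenticated(self, terminal):
        self.authenticated.add(terminal)

    def decide(self, terminal, packet):
        kind = classify(packet)
        if kind == "dhcpv4":
            return FORWARD                                   # step 201
        if kind in ("dhcpv6", "ra-prefix"):
            # step 202 before authentication, step 203 after it
            return FORWARD if terminal in self.authenticated else DROP
        return OTHER              # left to the device's normal forwarding logic


# --- constructed sample packets -------------------------------------------
def udp(sport, dport):
    return struct.pack("!HHHH", sport, dport, 8, 0)

def ipv4(payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                       64, UDP, 0, bytes(4), bytes([255] * 4)) + payload

def ipv6(next_header, payload):
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header,
                       255, bytes(16), bytes(16)) + payload

def router_advertisement(with_prefix=True):
    ra = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0, 1800, 0, 0)
    if with_prefix:                  # 2001:db8::/64 is a documentation prefix
        ra += struct.pack("!BBBBIII16s", ND_OPT_PREFIX_INFO, 4, 64, 0xC0,
                          86400, 14400, 0, bytes.fromhex("20010db8" + "00" * 12))
    return ra


if __name__ == "__main__":
    dev = AccessDevice()
    for name, pkt in [("DHCPv4 request", ipv4(udp(68, 67))),
                      ("DHCPv6 request", ipv6(UDP, udp(546, 547))),
                      ("RA with prefix", ipv6(ICMPV6, router_advertisement()))]:
        print("before auth:", name, "->", dev.decide("terminal-1", pkt))
    dev.mark_authenticated("terminal-1")
    print("after auth: RA with prefix ->",
          dev.decide("terminal-1", ipv6(ICMPV6, router_advertisement())))
```
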
It can be seen that by above-mentioned processing procedure, it can not be transformed and upgrade under existing IPv4 networks substantially so that is double Stack terminal smoothly completes certification access network, meets the networking policy mandates surfed the Internet after double stack terminal first certifications, and it is whole to promote double stacks The access experience of end subscriber.
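The drop-before-authentication, forward-after-authentication rule described above can be illustrated with a small frame classifier. This is an added example, not code from the patent or from any product; it assumes untagged Ethernet frames, identifies DHCPv6 by UDP ports 546/547 and a router advertisement by ICMPv6 type 134, and the names `AccessDevice`, `is_ipv6_assignment` and `constructed_frames` are hypothetical.

```python
import struct

ETH_IPV6 = 0x86DD
UDP, ICMPV6 = 17, 58
DHCPV6_PORTS = {546, 547}          # DHCPv6 client port, server/relay port
ICMPV6_RA = 134                    # Router Advertisement
EXT_HEADERS = {0, 43, 60}          # hop-by-hop, routing, destination options

def is_ipv6_assignment(frame):
    """True if an untagged Ethernet frame carries DHCPv6 or a Router Advertisement."""
    if len(frame) < 54 or struct.unpack_from("!H", frame, 12)[0] != ETH_IPV6:
        return False
    nxt, off = frame[14 + 6], 14 + 40             # Next Header field, end of IPv6 header
    while nxt in EXT_HEADERS:                     # skip extension headers before the payload
        if off + 8 > len(frame):
            return False
        nxt, off = frame[off], off + 8 * (frame[off + 1] + 1)
    if nxt == UDP and off + 4 <= len(frame):
        sport, dport = struct.unpack_from("!HH", frame, off)
        return sport in DHCPV6_PORTS or dport in DHCPV6_PORTS
    if nxt == ICMPV6 and off < len(frame):
        return frame[off] == ICMPV6_RA
    return False

class AccessDevice:
    """Per-terminal gate: IPv6 address assignment is dropped until authentication succeeds."""
    def __init__(self):
        self.authenticated = set()

    def on_auth_success(self, terminal_mac):
        self.authenticated.add(terminal_mac)

    def decide(self, frame, terminal_mac):
        """terminal_mac: the terminal the frame was received from or is about to be sent to."""
        if terminal_mac not in self.authenticated and is_ipv6_assignment(frame):
            return "drop"
        return "forward"                          # DHCPv4 and all other traffic pass

def constructed_frames(terminal_mac, router_mac):
    """Constructed sample frames (not captures); IP addresses and checksums are zeroed."""
    def ipv6(dst, src, next_header, payload):
        hdr = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 255) + bytes(32)
        return dst + src + struct.pack("!H", ETH_IPV6) + hdr + payload
    ra = bytes([ICMPV6_RA, 0, 0, 0]) + bytes(12)
    solicit = struct.pack("!HHHH", 546, 547, 12, 0) + b"\x01\xaa\xbb\xcc"
    discover = struct.pack("!HHHH", 68, 67, 8, 0)
    all_dhcp_agents = bytes.fromhex("333300010002")
    return {
        "dhcpv6_solicit": ipv6(all_dhcp_agents, terminal_mac, UDP, solicit),
        "ra": ipv6(terminal_mac, router_mac, ICMPV6, ra),
        "ra_after_hop_by_hop": ipv6(terminal_mac, router_mac, 0,
                                    bytes([ICMPV6, 0]) + bytes(6) + ra),
        "dhcpv4_discover": (b"\xff" * 6 + terminal_mac + struct.pack("!H", 0x0800)
                            + bytes(9) + bytes([UDP]) + bytes(10) + discover),
        "echo_request": ipv6(router_mac, terminal_mac, ICMPV6,
                             bytes([128, 0, 0, 0]) + bytes(4)),
    }
```

Fragmented IPv6 packets and VLAN-tagged frames are outside what this classifier parses, so a deployed filter has to decide separately how to treat them before authentication.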
Further, the IPv6 protocol defines two types of IPv6 address. One is the global unicast address (GUA), which can be used to access any IPv6 node device in the network that is reachable by routing. The other is the link-local address (LLA), which is used only for communication on the local link and can be generated by the dual-stack terminal itself. When the dual-stack terminal accesses the network with a client that supports dual stack, it can decide whether to use an IPv4 address or an IPv6 address according to the addresses carried in the DNS response message returned by the DNS server.
Consequently, if the dual-stack terminal obtains the IPv6 address of the domain name it wants to access before authentication succeeds, it may use its self-generated link-local address to access the IPv6 address of that domain name. To avoid this, some embodiments of the invention further prevent the dual-stack terminal from obtaining the IPv6 address of the requested domain name before authentication succeeds, which ensures that the terminal can use only an IPv4 address to access the network.
After receiving a DNS resolution request message from the dual-stack terminal, a Domain Name System (DNS) server may return to the terminal a DNS response message carrying both the IPv4 address and the IPv6 address of the requested domain name. In some embodiments of the invention, therefore, before the dual-stack terminal is successfully authenticated, the access device may also intercept the DNS response message that the DNS server sends to the terminal, delete the IPv6 address from it, and send the DNS response message with the IPv6 address removed to the terminal. The terminal then obtains only the IPv4 address of the requested domain name and can use only an IPv4 address to access the network.
In some embodiments of the invention, the dual-stack terminal initiates a DNS resolution request, asking the DNS server to resolve the IP address corresponding to a domain name. After looking up the address, the DNS server may return to the terminal a DNS response message containing an A record and an AAAA record, where the A record is the DNS record that resolves a domain name to an IPv4 address and the AAAA record is the DNS record that resolves a domain name to an IPv6 address. After obtaining the DNS response message, the access device may keep the A record, delete the AAAA record, and then forward the message to the dual-stack terminal, so that the terminal cannot obtain the AAAA record and therefore cannot learn the IPv6 address of the domain name.
To accommodate the situation in which deploying pure-IPv6 DNS is difficult, the dual-stack terminal may complete IPv6 address resolution through an IPv4 DNS server, and the DNS resolution request message and DNS response message above may be DNSv4 messages carried over IPv4.
As can be seen, in the access control scheme for dual-stack terminals provided in the embodiments of the invention, before the dual-stack terminal is successfully authenticated the access device discards the messages that assign an IPv6 address to the terminal and selectively modifies DNS response messages, deleting the IPv6 address of the domain name from them. This forces the terminal to use only an IPv4 address to access the network before authentication succeeds, and ensures that when the network needs to authenticate the dual-stack terminal using an IPv4 authentication method, the terminal first accesses the network with its IPv4 address and triggers IPv4 captive portal authentication, which reduces the delay before the dual-stack terminal gets network access.
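Deleting the AAAA records from a DNS response, as described above, is more than cutting bytes: record counts in the header change, and compression pointers in later records can refer to offsets that move. The following added example (not code from the patent or any product) rewrites the message with names expanded; `strip_aaaa`, `parse`, `build` and the sample response are hypothetical, and returning `None` for an unparseable message is an assumed fail-closed choice.

```python
import struct

A, NS, CNAME, SOA, PTR, MX, AAAA = 1, 2, 5, 6, 12, 15, 28

def read_name(msg, off):
    """Decode a possibly compressed name; return (labels, offset just past it)."""
    labels, resume, hops = [], None, 0
    while True:
        n = msg[off]
        if (n & 0xC0) == 0xC0:                     # two-byte compression pointer
            if resume is None:
                resume = off + 2
            off = ((n & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
        elif n == 0:
            return labels, (off + 1 if resume is None else resume)
        else:
            labels.append(msg[off + 1:off + 1 + n])
            off += 1 + n

def write_name(labels):
    """Encode a name without compression so it does not depend on message offsets."""
    return b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"

def expand_rdata(msg, rtype, start, end):
    """Re-encode RDATA whose embedded names may point into the original message."""
    if rtype in (NS, CNAME, PTR):
        return write_name(read_name(msg, start)[0])
    if rtype == MX:
        return msg[start:start + 2] + write_name(read_name(msg, start + 2)[0])
    if rtype == SOA:
        mname, pos = read_name(msg, start)
        rname, pos = read_name(msg, pos)
        return write_name(mname) + write_name(rname) + msg[pos:end]
    return msg[start:end]                          # A, AAAA, TXT, OPT: no names inside

def parse(msg):
    """Return (id, flags, questions, [answer, authority, additional]) with names expanded."""
    ident, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off, questions, sections = 12, [], []
    for _ in range(qd):
        labels, off = read_name(msg, off)
        questions.append((labels, msg[off:off + 4]))
        off += 4
    for count in (an, ns, ar):
        records = []
        for _ in range(count):
            owner, off = read_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            off += 10
            if off + rdlen > len(msg):
                raise ValueError("truncated record")
            records.append((owner, rtype, rclass, ttl, expand_rdata(msg, rtype, off, off + rdlen)))
            off += rdlen
        sections.append(records)
    return ident, flags, questions, sections

def build(ident, flags, questions, sections):
    """Serialize a parsed message; the header counts follow the records actually kept."""
    out = struct.pack("!6H", ident, flags, len(questions), *map(len, sections))
    for labels, qtail in questions:
        out += write_name(labels) + qtail
    for records in sections:
        for owner, rtype, rclass, ttl, rdata in records:
            out += write_name(owner) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata
    return out

def strip_aaaa(msg, authenticated):
    """Before authentication delete AAAA from every section; afterwards forward unchanged."""
    if authenticated:
        return msg
    try:
        ident, flags, questions, sections = parse(msg)
    except (ValueError, IndexError, struct.error):
        return None                                # assumption: drop what cannot be parsed
    kept = [[rr for rr in records if rr[1] != AAAA] for records in sections]
    return build(ident, flags, questions, kept)

def constructed_response():
    """Constructed sample (not a capture): A + AAAA answers, NS, and glue, all compressed."""
    def rr(owner, rtype, rdata):
        return owner + struct.pack("!HHIH", rtype, 1, 60, len(rdata)) + rdata
    v4, v6 = bytes([192, 0, 2, 10]), bytes.fromhex("20010db8" + "00" * 11 + "0a")
    msg = struct.pack("!6H", 0x1234, 0x8180, 1, 2, 1, 2)
    msg += write_name([b"www", b"example", b"test"]) + struct.pack("!HH", A, 1)
    msg += rr(b"\xc0\x0c", AAAA, v6) + rr(b"\xc0\x0c", A, v4)
    ns_name_at = len(msg) + 12                     # offset of the name inside the NS RDATA
    msg += rr(b"\xc0\x10", NS, b"\x03ns1\xc0\x10")
    glue = struct.pack("!H", 0xC000 | ns_name_at)  # glue owners point at that later offset
    msg += rr(glue, AAAA, v6) + rr(glue, A, v4)
    return msg
```

For a DNSSEC-signed zone a validating client can detect that AAAA records were removed, and DNS carried over TLS or HTTPS cannot be rewritten by the access device, so the rewrite only takes effect for unencrypted, non-validated lookups.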
As an example, Fig. 3(a), Fig. 3(b) and Fig. 3(c) show process flows of the dual-stack terminal access control scheme provided by some embodiments of the invention in an application. Fig. 3(a) shows the process flow before authentication, Fig. 3(b) the process flow during authentication, and Fig. 3(c) the process flow after authentication.
As shown in the figures, the access device includes a wireless access point 302 directly connected to the dual-stack terminal 301 and a wireless controller 303 indirectly connected to the dual-stack terminal 301. The wireless access point 302 performs the dual-stack terminal access control scheme provided by the embodiments of the invention, and the wireless controller 303 is the redirection device.
As shown in Fig. 3(a), before the dual-stack terminal 301 passes authentication, the wireless access point 302 discards the DHCPv6 messages of the dual-stack terminal 301 but forwards its DHCPv4 messages to the wireless controller 303 as normal, so that the dual-stack terminal 301 cannot obtain an IPv6 address and can obtain only an IPv4 address. Alternatively, before the dual-stack terminal 301 passes authentication, the wireless access point 302 discards the RA messages sent by routers in the network, so that the dual-stack terminal 301 cannot obtain an IPv6 address.
As shown in Fig. 3(b), during authentication of the dual-stack terminal 301, the wireless access point 302 intercepts the DNSv4 response message that the DNS server sends to the dual-stack terminal 301, deletes the AAAA record (the IPv6 address of the domain name) from it, and sends it to the dual-stack terminal 301. The dual-stack terminal 301 can then obtain only the A record (the IPv4 address of the domain name): it obtains the IPv4 address of the domain name from the A record and cannot obtain the IPv6 address of the domain name, and so cannot use an IPv6 address of the link-local type to access the network.
Through the above process, the dual-stack terminal 301 can obtain only an IPv4 address and only the IPv4 address of the domain name, which ensures that it can use only an IPv4 address to access the network. When the network does not support IPv6 captive portal authentication, IPv4 captive portal authentication is therefore triggered directly, giving the dual-stack terminal access.
After the dual-stack terminal 301 passes IPv4 captive portal authentication, it can go online normally: it accesses IPv4 network resources with its IPv4 address, and it can obtain an IPv6 address and access IPv6 network resources with that address. The wireless access point 302 and the wireless controller 303 forward data traffic normally, as shown in Fig. 3(c).
In summary, in the access control scheme for dual-stack terminals provided in the embodiments of the invention, the access device forwards messages that assign an IPv4 address to the dual-stack terminal; before the terminal is successfully authenticated it discards messages that assign an IPv6 address to the terminal, and after authentication succeeds it forwards them. The dual-stack terminal therefore cannot obtain an IPv6 address before authentication, and because it can obtain only an IPv4 address, it can use only an IPv4 address to access the network. The access device further intercepts the DNS response message returned by the DNS server and deletes the IPv6 address of the domain name carried in it, so that the terminal can obtain only the IPv4 address of the domain name, which further ensures that it can use only an IPv4 address to access the network. Together these measures ensure that the dual-stack terminal can use only an IPv4 address to access the network before authentication succeeds. When the network needs to authenticate the dual-stack terminal using an IPv4 authentication method, the terminal therefore accesses the network with its IPv4 address first, which reduces the delay before it gets network access.
Based on the same technical concept, an embodiment of the invention further provides an access device for dual-stack terminals. The access device can perform the method flow described in the foregoing embodiments of the invention. The functional modules in the access device that perform this method flow can be implemented in hardware, in software, or in a combination of software and hardware; the hardware may include one or more signal processing circuits and/or application-specific integrated circuits.
Fig. 4 shows a structural diagram of the access device for dual-stack terminals provided by some embodiments of the invention. As shown in Fig. 4, the access device includes:
A forwarding module 401, configured to forward messages that assign an IPv4 address to the dual-stack terminal;
A processing module 402, configured to discard messages that assign an IPv6 address to the dual-stack terminal before the terminal is successfully authenticated, and to forward messages that assign an IPv6 address to the dual-stack terminal after the terminal is successfully authenticated.
The messages that assign an IPv6 address to the dual-stack terminal include one or more of the following: a DHCP message requesting an IPv6 address, sent by the dual-stack terminal to a DHCP server; a DHCP message carrying the IPv6 address of the dual-stack terminal, sent by the DHCP server to the dual-stack terminal; a router advertisement message carrying the IPv6 address prefix of the dual-stack terminal, sent by a router to the dual-stack terminal.
In some embodiments of the invention, the access device further includes:
An interception module 403, configured to intercept, before the dual-stack terminal is successfully authenticated, the DNS response message sent by the DNS server to the dual-stack terminal. The DNS response message includes the IPv4 address of the domain name requested by the dual-stack terminal and the IPv6 address of that domain name.
The interception module 403 is further configured to send the DNS response message to the dual-stack terminal after deleting the IPv6 address from it.
Based on the same inventive concept, for the principle by which the access device for dual-stack terminals provided by some embodiments of the invention solves the problem, and for its beneficial effects, refer to the method embodiment shown in Fig. 2 above and the beneficial effects it brings. For the implementation of the access device, refer to the implementation of the method embodiment above; repeated details are not described again.
Based on the same technical concept, some embodiments of the invention further provide an access device for dual-stack terminals, which can be used to perform the dual-stack terminal access control flow described in the foregoing method embodiments of the invention.
Fig. 5 shows a structural diagram of the access device for dual-stack terminals provided by some embodiments of the invention. As shown in Fig. 5, the access device may include a transceiver 501 and a processor 502.
The transceiver 501 and the processor 502 may be connected by a bus, or connected in another way.
The transceiver 501 may include interfaces for connecting to other network devices, for example an interface connected to user equipment, an interface connected to a captive portal authentication server, and interfaces connected to other service equipment. An interface may be a wired interface, a wireless interface, or a combination of the two. A wired interface may be, for example, an Ethernet interface. An Ethernet interface may be an optical interface, an electrical interface, or a combination of the two. A wireless interface may be, for example, a wireless local area network (WLAN) interface, a cellular network interface, or a combination of the two.
The processor 502 may be a central processing unit (CPU) or a combination of a CPU and a hardware chip. The hardware chip may be one or a combination of the following: an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA), a complex programmable logic device (CPLD), generic array logic (GAL), and a network processor (NP).
The access device may also include a memory. The memory stores a program that instructs the processor to operate. The memory may include volatile memory, such as random-access memory (RAM); it may also include non-volatile memory, such as read-only memory (ROM), flash memory, a hard disk drive (HDD) or a solid-state drive (SSD); it may also include a combination of the above types of memory.
The processor 502 is configured to:
Forward, through the transceiver 501, messages that assign an IPv4 address to the dual-stack terminal;
Before the dual-stack terminal is successfully authenticated, discard messages received by the transceiver 501 that assign an IPv6 address to the dual-stack terminal; and, after the dual-stack terminal is successfully authenticated, forward, through the transceiver 501, messages that assign an IPv6 address to the dual-stack terminal.
The messages that assign an IPv6 address to the dual-stack terminal include one or more of the following: a DHCP message requesting an IPv6 address, sent by the dual-stack terminal to a DHCP server; a DHCP message carrying the IPv6 address of the dual-stack terminal, sent by the DHCP server to the dual-stack terminal; a router advertisement message carrying the IPv6 address prefix of the dual-stack terminal, sent by a router to the dual-stack terminal.
Before the dual-stack terminal is successfully authenticated, the processor 502 is further configured to:
Intercept, through the transceiver 501, the DNS response message sent by the DNS server to the dual-stack terminal, where the DNS response message includes the IPv4 address of the domain name requested by the dual-stack terminal and the IPv6 address of that domain name;
And, after deleting the IPv6 address from the DNS response message, send the DNS response message to the dual-stack terminal through the transceiver 501.
Based on the same technical concept, for the principle by which the access device for dual-stack terminals provided by some embodiments of the invention solves the problem, and for its beneficial effects, refer to the method embodiment shown in Fig. 2 above and the beneficial effects it brings. For the implementation of this access device, refer to the implementation of the method embodiment above; repeated details are not described again.
Based on the same technical concept, an embodiment of the invention further provides a storage medium. The storage medium is a computer-readable storage medium that stores a program. The program includes instructions which, when executed by an electronic device having a processor, cause the electronic device to perform the dual-stack terminal connection control method flow described in the foregoing embodiments of the invention. For details, refer to the description of the foregoing embodiments, which is not repeated here.
Obviously, those skilled in the art can make various changes and modifications to the invention without departing from its scope. If these modifications and variations fall within the scope of the claims of the invention, the invention is intended to include them as well.

Claims (9)

1. A connection control method for a dual-stack terminal, characterized in that the dual-stack terminal supports an Internet Protocol version 4 (IPv4) protocol stack and an Internet Protocol version 6 (IPv6) protocol stack, the method comprising:
An access device forwards messages that assign an IPv4 address to the dual-stack terminal;
Before the dual-stack terminal is successfully authenticated, the access device discards messages that assign an IPv6 address to the dual-stack terminal;
After the dual-stack terminal is successfully authenticated, the access device forwards messages that assign an IPv6 address to the dual-stack terminal.
2. The method according to claim 1, characterized in that the messages that assign an IPv6 address to the dual-stack terminal include one or more of the following:
A DHCP message requesting an IPv6 address, sent by the dual-stack terminal to a Dynamic Host Configuration Protocol (DHCP) server;
A DHCP message carrying the IPv6 address of the dual-stack terminal, sent by the DHCP server to the dual-stack terminal;
A router advertisement message carrying the IPv6 address prefix of the dual-stack terminal, sent by a router to the dual-stack terminal.
3. The method according to claim 1, characterized in that, before the dual-stack terminal is successfully authenticated, the method further comprises:
The access device intercepts the DNS response message sent by a Domain Name System (DNS) server to the dual-stack terminal, the DNS response message including the IPv4 address of the domain name requested by the dual-stack terminal and the IPv6 address of the domain name;
After deleting the IPv6 address from the DNS response message, the access device sends the DNS response message to the dual-stack terminal.
4. An access device, characterized by comprising a transceiver and a processor, wherein
The processor is configured to:
Forward, through the transceiver, messages that assign an Internet Protocol version 4 (IPv4) address to a dual-stack terminal, wherein the dual-stack terminal supports an IPv4 protocol stack and an Internet Protocol version 6 (IPv6) protocol stack;
Before the dual-stack terminal is successfully authenticated, discard messages received by the transceiver that assign an IPv6 address to the dual-stack terminal; and
After the dual-stack terminal is successfully authenticated, forward, through the transceiver, messages that assign an IPv6 address to the dual-stack terminal.
5. The access device according to claim 4, characterized in that the messages that assign an IPv6 address to the dual-stack terminal include one or more of the following:
A DHCP message requesting an IPv6 address, sent by the dual-stack terminal to a DHCP server;
A DHCP message carrying the IPv6 address of the dual-stack terminal, sent by the DHCP server to the dual-stack terminal;
A router advertisement message carrying the IPv6 address prefix of the dual-stack terminal, sent by a router to the dual-stack terminal.
6. The access device according to claim 4, characterized in that, before the dual-stack terminal is successfully authenticated, the processor is further configured to:
Intercept, through the transceiver, the DNS response message sent by a DNS server to the dual-stack terminal, the DNS response message including the IPv4 address of the domain name requested by the dual-stack terminal and the IPv6 address of the domain name; and, after deleting the IPv6 address from the DNS response message, send the DNS response message to the dual-stack terminal through the transceiver.
7. An access device for a dual-stack terminal, characterized in that the dual-stack terminal supports an IPv4 protocol stack and an IPv6 protocol stack, the access device comprising:
A forwarding module, configured to forward messages that assign an IPv4 address to the dual-stack terminal;
A processing module, configured to discard messages that assign an IPv6 address to the dual-stack terminal before the dual-stack terminal is successfully authenticated, and to forward messages that assign an IPv6 address to the dual-stack terminal after the dual-stack terminal is successfully authenticated.
8. The access device according to claim 7, characterized in that the messages that assign an IPv6 address to the dual-stack terminal include one or more of the following:
A DHCP message requesting an IPv6 address, sent by the dual-stack terminal to a DHCP server;
A DHCP message carrying the IPv6 address of the dual-stack terminal, sent by the DHCP server to the dual-stack terminal;
A router advertisement message carrying the IPv6 address prefix of the dual-stack terminal, sent by a router to the dual-stack terminal.
9. The access device according to claim 7, characterized in that the access device further comprises:
An interception module, configured to intercept, before the dual-stack terminal is successfully authenticated, the DNS response message sent by a DNS server to the dual-stack terminal, the DNS response message including the IPv4 address of the domain name requested by the dual-stack terminal and the IPv6 address of the domain name; and, after deleting the IPv6 address from the DNS response message, to send the DNS response message to the dual-stack terminal.
CN201611207827.5A 2016-12-23 2016-12-23 A kind of connection control method and access device of double stack terminals Pending CN108243261A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611207827.5A CN108243261A (en) 2016-12-23 2016-12-23 A kind of connection control method and access device of double stack terminals

Publications (1)

Publication Number Publication Date
CN108243261A true CN108243261A (en) 2018-07-03

Family

ID=62703671

Country Status (1)

Country Link
CN (1) CN108243261A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20180703
