CN112822218A - Access control method and device - Google Patents


Info

Publication number
CN112822218A
Authority
CN
China
Prior art keywords
address
terminal
dhcp
mac address
table entry
Prior art date
Legal status
Granted
Application number
CN202110222336.2A
Other languages
Chinese (zh)
Other versions
CN112822218B (en
Inventor
王阳
廖以顺
邵巍
Current Assignee
New H3C Security Technologies Co Ltd
Original Assignee
New H3C Security Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by New H3C Security Technologies Co Ltd
Priority to CN202110222336.2A
Publication of CN112822218A
Application granted
Publication of CN112822218B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/12 Applying verification of the received information
    • H04L63/126 Applying verification of the received information: the source of the received data
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/10 Mapping addresses of different types
    • H04L61/103 Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]
    • H04L61/50 Address allocation
    • H04L61/5007 Internet protocol [IP] addresses
    • H04L61/5014 Internet protocol [IP] addresses using dynamic host configuration protocol [DHCP] or bootstrap protocol [BOOTP]
    • H04L2101/00 Indexing scheme associated with group H04L61/00
    • H04L2101/60 Types of network addresses
    • H04L2101/618 Details of network addresses
    • H04L2101/622 Layer-2 addresses, e.g. medium access control [MAC] addresses
    • H04L2101/686 Types of network addresses using dual-stack hosts, e.g. in Internet protocol version 4 [IPv4]/Internet protocol version 6 [IPv6] networks

Abstract

The application provides an access control method and device. The method is applied to a BRAS device having a DHCP server function and comprises the following steps: when a service packet sent by a terminal is received through a relay device for the first time, determining whether the first IP address carried in the service packet hits a statically configured IP address entry; if so, acquiring the MAC address of the terminal from the relay device; if the MAC address is not acquired, discarding the service packet; if the MAC address is acquired, initiating IPoE authentication for the terminal and, when the authentication passes, processing the service packet and generating a user forwarding entry comprising the first IP address and the MAC address; and if a first DHCP request packet sent by the terminal to apply for a second IP address, carrying the MAC address in the user forwarding entry, is received through the relay device, allocating the second IP address to the terminal and sending the corresponding first DHCP response packet to the terminal. The method and device can shorten the online time of a dual-stack terminal.

Description

Access control method and device
Technical Field
The present application relates to the field of communications technologies, and in particular, to an access control method and apparatus.
Background
A dual-stack network is an Internet network that provides both Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6) network services at the same time.
A dual-stack terminal is a terminal that has both an IPv4 address and an IPv6 address.
At present, when a dual-stack terminal accesses a dual-stack network using Internet Protocol over Ethernet (IPoE) authentication, a service packet that the dual-stack terminal sends from a statically configured first IP address (for example an IPv4 address or an IPv6 address) is relayed by a Relay device to a Broadband Remote Access Server (BRAS) device that has a Dynamic Host Configuration Protocol (DHCP) server function. The BRAS device initiates IPoE authentication for the dual-stack terminal, that is, it interacts with an Authentication, Authorization and Accounting (AAA) server to authenticate the terminal, and when the authentication result is "passed" the BRAS device processes the service packet; this means the dual-stack terminal has successfully accessed the dual-stack network using the first IP address.
A DHCP request packet that the dual-stack terminal sends to apply for a second IP address is likewise forwarded to the BRAS device by the Relay device, and the BRAS device again initiates IPoE authentication for the dual-stack terminal, using the same authentication procedure as above. When the authentication passes, the BRAS device allocates the second IP address to the dual-stack terminal and sends a DHCP response packet carrying the allocated second IP address to the terminal through the Relay device; the dual-stack terminal then communicates using the second IP address, that is, it has successfully accessed the dual-stack network through the second IP address. Here the second IP address differs from the first IP address in IP protocol version: when the first IP address is an IPv4 address the second IP address is an IPv6 address, and when the first IP address is an IPv6 address the second IP address is an IPv4 address.
In this scenario, therefore, IPoE authentication is required no matter which IP protocol version the dual-stack terminal uses to access the dual-stack network, so the same dual-stack terminal undergoes IPoE authentication twice. This increases the load on the BRAS device and the AAA server, prolongs the time the dual-stack terminal needs to come online, and so degrades the experience of the user holding the dual-stack terminal.
Disclosure of Invention
To overcome the problems in the related art, the application provides an access control method and device.
According to a first aspect of the embodiments of the present application, an access control method is provided, which is applied to a BRAS device having a DHCP server function, the method including:
when a service packet sent by a terminal is received through a relay device for the first time, determining whether a first IP address carried in the service packet hits a statically configured IP address entry, where the first IP address is the source IP address of the service packet;
if so, acquiring the MAC address of the terminal from the relay device;
if the MAC address of the terminal is not acquired, discarding the service packet;
if the MAC address of the terminal is acquired, initiating IPoE authentication for the terminal and, when the authentication result is "passed", processing the service packet and generating a user forwarding entry comprising the first IP address and the MAC address;
and if a first DHCP request packet sent by the terminal to apply for a second IP address, carrying the MAC address in the user forwarding entry, is received through the relay device, allocating the second IP address to the terminal and sending a first DHCP response packet carrying the second IP address to the terminal through the relay device, where the IP protocol version of the second IP address differs from that of the first IP address.
According to a second aspect of the embodiments of the present application, an access control apparatus is provided, applied to a BRAS device having a DHCP server function, the apparatus including an IPoE module and a DHCP module;
the IPoE module is configured to, when a service packet sent by a terminal is received through a relay device for the first time, determine whether a first IP address carried in the service packet hits a statically configured IP address entry, and when the determination is yes, trigger the DHCP module to acquire the MAC address of the terminal from the relay device, where the first IP address is the source IP address of the service packet;
the DHCP module is configured to trigger the IPoE module to discard the service packet when the MAC address of the terminal is not acquired; when the MAC address of the terminal is acquired, to trigger the IPoE module to initiate IPoE authentication for the terminal and, when the authentication result is "passed", to process the service packet and generate a user forwarding entry comprising the first IP address and the MAC address; and
when a first DHCP request packet sent by the terminal to apply for a second IP address, carrying the MAC address in the user forwarding entry, is received through the relay device, to allocate the second IP address to the terminal and send a first DHCP response packet carrying the second IP address to the terminal through the relay device, where the IP protocol version of the second IP address differs from that of the first IP address.
The technical solution provided by the embodiments of the application can have the following beneficial effects:
In the embodiments of the application, a BRAS device with a DHCP server function, on receiving a service packet from a terminal through a relay device for the first time, first determines whether the first IP address carried in the service packet (that is, its source IP address) hits a statically configured IP address entry. If it does, the MAC address of the terminal is acquired from the relay device; if the MAC address cannot be acquired, the service packet is discarded; if it is acquired, IPoE authentication is initiated for the terminal, and when the authentication passes the service packet is processed and a user forwarding entry comprising the first IP address and the MAC address is generated. Later, when a first DHCP request packet from the terminal applying for a second IP address (of a different IP protocol version from the first) and carrying the MAC address in the user forwarding entry is received through the relay device, the BRAS device does not initiate IPoE authentication for the terminal again, because the terminal has already been authenticated once; it directly allocates the second IP address to the terminal and sends a first DHCP response packet carrying the second IP address through the relay device, so that the terminal can communicate using the second IP address.
Thus, in the embodiments of the present application, when the same dual-stack terminal first accesses the dual-stack network using a statically configured first IP address and then accesses it using a dynamically requested second IP address, the terminal undergoes IPoE authentication only once instead of twice. This reduces the load on the BRAS device and the AAA server, shortens the time the dual-stack terminal needs to come online, and improves the experience of the user holding the dual-stack terminal.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the application.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this application, illustrate embodiments consistent with the present application and together with the description, serve to explain the principles of the application.
Fig. 1 is a schematic flowchart of an access control method according to an embodiment of the present application;
fig. 2 is a schematic structural diagram of an access control apparatus according to an embodiment of the present disclosure;
fig. 3 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It is to be understood that although the terms first, second, third, etc. may be used herein to describe various information, such information should not be limited by these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present application. The word "if" as used herein may be interpreted as "upon …", "when …" or "in response to determining", depending on the context.
Next, examples of the present application will be described in detail.
An embodiment of the present application provides an access control method applied to a BRAS device having a DHCP server function; as shown in Fig. 1, the method may include the following steps:
S11: when a service packet sent by the terminal is received through the relay device for the first time, determine whether the first IP address carried in the service packet hits a statically configured IP address entry; if not, execute step S12, and if so, execute step S13.
In this step, the first IP address is the source IP address of the service packet.
S12: discard the service packet.
S13: acquire the MAC address of the terminal from the relay device; if the MAC address of the terminal is not acquired, execute step S12, and if it is acquired, execute step S14.
S14: initiate IPoE authentication for the terminal; when the authentication result is "passed", process the service packet and generate a user forwarding entry comprising the first IP address and the MAC address.
S15: if a first DHCP request packet sent by the terminal to apply for a second IP address, carrying the MAC address in the user forwarding entry, is received through the relay device, allocate the second IP address to the terminal and send a first DHCP response packet carrying the second IP address to the terminal through the relay device.
In this step, the second IP address differs from the first IP address in IP protocol version, that is, the terminal is in fact a dual-stack terminal.
For example, when the first IP address is an IPv4 address, the second IP address is an IPv6 address.
For another example, when the first IP address is an IPv6 address, the second IP address is an IPv4 address.
Specifically, in step S13 above, the BRAS device may acquire the MAC address of the terminal from the relay device as follows:
send a second DHCP request packet to the relay device requesting the MAC address of the terminal, the second DHCP request packet carrying the first IP address;
receive the second DHCP response packet that the relay device sends in reply to the second DHCP request packet;
if the content of a designated Option field carried in the second DHCP response packet is the default content, determine that the MAC address of the terminal has not been acquired;
if the content of the designated Option field carried in the second DHCP response packet is not the default content, take that content as the MAC address of the terminal.
The second DHCP response packet is generated by the relay device as follows and sent to the BRAS device:
look up the local Address Resolution Protocol (ARP) table by the first IP address;
if an ARP entry corresponding to the first IP address is found, generate a second DHCP response packet carrying the MAC address from that ARP entry, that is, the content of the newly added designated Option field is that MAC address;
if no ARP entry corresponding to the first IP address is found, learn the corresponding ARP entry based on the first IP address; if the ARP entry is learned successfully, generate a second DHCP response packet whose newly added designated Option field carries the MAC address from the learned ARP entry; if the ARP entry cannot be learned, generate a second DHCP response packet whose newly added designated Option field carries the default content.
Specifically, in step S14 above, the procedure by which the BRAS device initiates IPoE authentication for the terminal is prior art and is not described in detail here.
In addition, when the IPoE authentication for the terminal passes, a user forwarding entry comprising the first IP address and the MAC address is generated. When the BRAS device later receives, through the relay device, another service packet that the terminal sends from the first IP address, it can process that packet based on the user forwarding entry; and when it receives, through the relay device, a first DHCP request packet from the terminal applying for a second IP address and carrying the MAC address in the user forwarding entry, the BRAS device knows that IPoE authentication has already been performed for the terminal, does not repeat it, and can directly allocate the second IP address to the terminal, thereby shortening the online time of the dual-stack terminal.
When the IPoE authentication for the terminal fails, the BRAS device discards the service packet.
Further, in this embodiment, after allocating the second IP address to the terminal in step S15, the BRAS device may also add the second IP address to the user forwarding entry, so that when it receives through the relay device a service packet that the terminal sends from the second IP address, it can process that packet based on the user forwarding entry.
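The following is an added example, not code from the patent or from New H3C, that simulates the BRAS-side flow of steps S11 to S15 together with the two follow-ups just described (processing later packets from the forwarding entry, and adding the second IP address to that entry). The class and function names (Bras, UserEntry, CountingAaa, demo), the sample addresses and the MAC values are all constructed here; the relay query and the AAA exchange are injected stand-ins for the real protocol traffic. Because the AAA stub counts its calls, the run shows the point of the method directly: the dual-stack terminal is authenticated once, and the later DHCP request for the second address is served from the forwarding table without a second authentication, while an unknown MAC still goes through the conventional authenticate-first path described in the Background.

```python
"""Simulation of the BRAS access-control flow in steps S11 to S15 (added example)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

DROP, FORWARD = "drop", "forward"


def ip_version(addr: str) -> int:
    """4 for an IPv4 address, 6 for an IPv6 address; raises on anything else."""
    return ipaddress.ip_address(addr).version


@dataclass
class UserEntry:
    """User forwarding entry: one terminal (MAC) and its address per IP version."""
    mac: str
    addresses: Dict[int, str] = field(default_factory=dict)


class CountingAaa:
    """Stand-in for the AAA server; counts how often IPoE authentication runs."""

    def __init__(self, allowed_macs: List[str]) -> None:
        self.allowed = set(allowed_macs)
        self.calls = 0

    def __call__(self, mac: str) -> bool:
        self.calls += 1
        return mac in self.allowed


class Bras:
    def __init__(self, static_ips: List[str], lookup_mac: Callable[[str], Optional[str]],
                 aaa: Callable[[str], bool], pools: Dict[int, List[str]]) -> None:
        self.static_ips = set(static_ips)        # statically configured IP address entries
        self.lookup_mac = lookup_mac             # S13: ask the relay for the MAC behind an IP
        self.aaa = aaa                           # S14: IPoE authentication
        self.pools = {v: list(a) for v, a in pools.items()}  # DHCP pools per IP version
        self.by_ip: Dict[str, UserEntry] = {}    # user forwarding table, indexed by IP
        self.by_mac: Dict[str, UserEntry] = {}   # same entries, indexed by MAC

    def on_service_packet(self, src_ip: str) -> str:
        """Handle a service packet relayed from a terminal; returns 'forward' or 'drop'."""
        if src_ip in self.by_ip:
            return FORWARD                       # known user: handled from the forwarding entry
        if src_ip not in self.static_ips:        # S11: first packet must hit the static table
            return DROP                          # S12
        mac = self.lookup_mac(src_ip)            # S13
        if mac is None:
            return DROP                          # S12: relay could not resolve the MAC
        if not self.aaa(mac):                    # S14
            return DROP                          # authentication failed
        entry = UserEntry(mac=mac, addresses={ip_version(src_ip): src_ip})
        self.by_ip[src_ip] = entry
        self.by_mac[mac] = entry
        return FORWARD

    def on_dhcp_request(self, mac: str, version: int) -> Optional[str]:
        """Handle a DHCP request for an address of the given IP version (4 or 6)."""
        entry = self.by_mac.get(mac)
        if entry is None:
            # MAC not in the forwarding table: the conventional path from the
            # Background applies and the terminal is authenticated first.
            if not self.aaa(mac):
                return None
            entry = UserEntry(mac=mac)
            self.by_mac[mac] = entry
        elif version in entry.addresses:
            return None                          # already holds an address of this version
        # S15: MAC found in the forwarding table, so no second authentication.
        pool = self.pools.get(version, [])
        if not pool:
            return None                          # pool exhausted
        addr = pool.pop(0)
        entry.addresses[version] = addr          # second IP added to the forwarding entry
        self.by_ip[addr] = entry
        return addr


def demo() -> dict:
    """Constructed walk-through: one dual-stack terminal, one unknown terminal."""
    relay_arp = {"10.1.1.2": "00:11:22:33:44:55"}   # constructed relay ARP table
    aaa = CountingAaa(["00:11:22:33:44:55", "00:aa:bb:cc:dd:ee"])
    bras = Bras(["10.1.1.2", "10.1.1.3"], relay_arp.get, aaa, {6: ["2001::2", "2001::3"]})
    results = {
        "unknown_static": bras.on_service_packet("10.1.1.9"),  # not in the static table
        "no_mac": bras.on_service_packet("10.1.1.3"),          # static hit, relay has no ARP entry
        "first": bras.on_service_packet("10.1.1.2"),           # static hit, MAC found, authenticated
        "again": bras.on_service_packet("10.1.1.2"),           # forwarding entry already exists
        "v6": bras.on_dhcp_request("00:11:22:33:44:55", 6),    # served without re-authentication
        "v6_packet": bras.on_service_packet("2001::2"),        # entry now covers the IPv6 address
        "auth_calls_dual_stack": aaa.calls,
    }
    results["other_v6"] = bras.on_dhcp_request("00:aa:bb:cc:dd:ee", 6)  # unknown MAC: authenticated
    results["auth_calls_total"] = aaa.calls
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The forwarding table is indexed both by IP and by MAC because the two decision points use different keys: a service packet is matched by its source IP, while the DHCP request is matched by the MAC the terminal carries. Keeping both indexes pointing at the same UserEntry object is what lets the second address be appended to the existing entry rather than creating a second user.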
Based on the same inventive concept, the present application further provides an access control apparatus applied to a BRAS device having a DHCP server function; its structure is shown schematically in fig. 3 and specifically includes an IPoE module 31 and a DHCP module 32.
The IPoE module 31 is configured to, when a service packet sent by a terminal is received through a relay device for the first time, determine whether the first IP address carried in the service packet hits a statically configured IP address entry, and when the determination is yes, trigger the DHCP module 32 to acquire the MAC address of the terminal from the relay device;
the DHCP module 32 is configured to trigger the IPoE module 31 to discard the service packet when the MAC address of the terminal is not acquired; when the MAC address of the terminal is acquired, to trigger the IPoE module 31 to initiate IPoE authentication for the terminal and, when the authentication result is "passed", to process the service packet and generate a user forwarding entry comprising the first IP address and the MAC address; and
when a first DHCP request packet sent by the terminal to apply for a second IP address, carrying the MAC address in the user forwarding entry, is received through the relay device, to allocate the second IP address to the terminal and send a first DHCP response packet carrying the second IP address to the terminal through the relay device, where the IP protocol version of the second IP address differs from that of the first IP address.
Preferably, the IPoE module 31 is further configured to:
discard the service packet when the determination is no.
Preferably, the DHCP module 32 is specifically configured to:
send a second DHCP request packet to the relay device requesting the MAC address of the terminal, the second DHCP request packet carrying the first IP address;
receive the second DHCP response packet that the relay device sends in reply to the second DHCP request packet;
if the content of the designated Option field carried in the second DHCP response packet is the default content, determine that the MAC address of the terminal has not been acquired;
if the content of the designated Option field carried in the second DHCP response packet is not the default content, take that content as the MAC address of the terminal.
The second DHCP response packet is generated by the relay device as follows and sent to the BRAS device:
look up the local Address Resolution Protocol (ARP) table by the first IP address;
if an ARP entry corresponding to the first IP address is found, generate a second DHCP response packet whose newly added designated Option field carries the MAC address from that ARP entry;
if no ARP entry corresponding to the first IP address is found, learn the corresponding ARP entry based on the first IP address; if the ARP entry is learned successfully, generate a second DHCP response packet whose newly added designated Option field carries the MAC address from the learned ARP entry; if the ARP entry cannot be learned, generate a second DHCP response packet whose newly added designated Option field carries the default content.
Preferably, the IPoE module 31 is further configured to:
discard the service packet when the authentication result is "not passed".
Preferably, the DHCP module 32 is further configured to:
after allocating the second IP address to the terminal, trigger the IPoE module 31 to add the second IP address to the user forwarding entry.
The access control method is described in detail with reference to specific embodiments.
Assuming that the statically configured IPv4 address (referred to as a first IP address) on a certain dual-stack terminal in the dual-stack network is 10.1.1.2, assuming that the Mac address of the dual-stack terminal is 1-2-3, assuming that the IPv6 address (referred to as a second IP address) to be allocated to the dual-stack terminal on the BRAS device in the dual-stack network is 2001: : 2, the BRAS device also has a statically configured IP address table entry containing 10.1.1.2.
Then, the detailed implementation flow of the access control method is as follows:
1. the dual-stack terminal sends a service message with a source IP address of 10.1.1.2 to the BRAS device through the relay device in the dual-stack network for the first time.
2. When the service message is received by the relay device for the first time, the IPoE module in the BRAS device determines whether the source IP address (i.e., 10.1.1.2) of the service message hits the statically configured IP address entry, and if so, executes step 3.
It should be noted that, for the BRAS device, if a service packet from another terminal is received by the relay device for the first time and it is determined that the source IP address of the service packet does not hit the statically configured IP address table entry, the service packet is discarded.
3. The IPoE module in the BRAS device triggers the DHCP module in the BRAS device to acquire the MAC address of the terminal from the relay device; when the DHCP module does not acquire the MAC address of the terminal, it triggers the IPoE module to discard the service message, and when the DHCP module acquires the MAC address of the terminal, it triggers the IPoE module to execute step 4.
Specifically, in step 3, the triggering between the IPoE module and the DHCP module may be implemented by a notification message; other implementations are also possible and are not specifically limited here.
More specifically, in step 3, when acquiring the MAC address of the terminal from the relay device, the DHCP module may send a DHCP request message carrying 10.1.1.2 to the relay device, where 10.1.1.2 is carried in an Option50 field in the DHCP request message.
After receiving the DHCP request message, the relay device searches its local ARP table for an entry matching 10.1.1.2. If an entry is found, the relay device responds to the DHCP module with a DHCP response message carrying 1-2-3, where 1-2-3 is carried in the newly added Option222 field of the DHCP response message.
If no entry is found, the relay device initiates an ARP request with a destination IP address of 10.1.1.2.
If an ARP response to the ARP request is received, the relay device generates an ARP table entry mapping IP address 10.1.1.2 to MAC address 1-2-3, and responds to the DHCP module with a DHCP response message carrying 1-2-3 (in the newly added Option222 field).
If no ARP response is received, the relay device does not generate an ARP table entry, and responds to the DHCP module with a DHCP response message carrying the default content 0-0-0 (in the newly added Option222 field).
After receiving the DHCP response message for the DHCP request message, the DHCP module reads the content of the Option222 field. If the content is 0-0-0 (the default content), the DHCP module determines that the MAC address of the terminal has not been acquired and notifies the IPoE module; the IPoE module determines that the terminal is a counterfeit terminal and discards the service message. If the content is 1-2-3 (not the default content), the DHCP module determines that the MAC address of the terminal has been acquired and notifies the IPoE module, and the IPoE module executes step 4.
4. The IPoE module initiates IPoE authentication for the terminal, processes the service message when the authentication result is that the authentication is passed, and generates a user forwarding table entry comprising the IP address 10.1.1.2 and the MAC address 1-2-3.
It should be noted that, when the authentication result is that the authentication passes, it means that the terminal successfully accesses the dual-stack network based on the first IP address, and a specific process of processing the service packet by the IPoE module is the same as that in the prior art, and details are not described here.
5. When the DHCP module receives, through the relay device, a DHCP request message that is sent by the terminal to apply for a second IP address and that carries the MAC address in the user forwarding table entry, the DHCP module allocates 2001::2 to the terminal and sends a DHCP response message carrying 2001::2 to the terminal through the relay device, so that the terminal uses 2001::2 to communicate.
It should be noted that once the DHCP module assigns an IP address to the terminal, it means that the terminal successfully accesses the dual-stack network based on the IP address.
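The five steps above as a runnable model, added here as an example and not code from the patent: a relay that answers the BRAS's Option 50 query from its ARP table (learning the entry if it must), and a BRAS that drops packets whose source is not statically configured or whose MAC the relay cannot resolve, authenticates once, and then hands out the IPv6 address without a second IPoE authentication. The class and function names, the all-pass AAA stub and the simulated ARP reachability map are assumptions.

```python
from typing import Callable, Dict, List, Optional

OPT_REQUESTED_IP = 50     # DHCP Option 50 carries the first IP address in the BRAS query
OPT_TERMINAL_MAC = 222    # the page's newly added option carrying the terminal MAC
DEFAULT_MAC = "0-0-0"     # default content: relay could not resolve the address


class Relay:
    """Relay device: answers the BRAS query from its ARP table, learning if needed."""

    def __init__(self, arp_table: Dict[str, str], link: Dict[str, str]) -> None:
        self.arp_table = dict(arp_table)  # ip -> mac already learned
        self.link = link                  # ip -> mac of hosts that answer ARP (simulated)

    def handle_mac_query(self, options: Dict[int, str]) -> Dict[int, str]:
        ip = options[OPT_REQUESTED_IP]
        mac = self.arp_table.get(ip)
        if mac is None:                   # no entry: ARP request for ip goes out
            mac = self.link.get(ip)       # ARP response received, or None if silent
            if mac is not None:
                self.arp_table[ip] = mac  # learn the ARP entry
        return {OPT_TERMINAL_MAC: mac if mac is not None else DEFAULT_MAC}


class Bras:
    """BRAS with DHCP server function; IPoE and DHCP modules collapsed into one class."""

    def __init__(self, relay: Relay, static_ips: List[str],
                 aaa: Callable[[str, str], bool], v6_pool: List[str]) -> None:
        self.relay = relay
        self.static_ips = set(static_ips)       # statically configured IP address table
        self.aaa = aaa                          # IPoE authentication backend (stub)
        self.v6_pool = list(v6_pool)
        self.forwarding: Dict[str, Dict[str, Optional[str]]] = {}  # mac -> user entry
        self.auth_count = 0                     # how often IPoE authentication ran

    def on_first_service_packet(self, src_ip: str) -> str:
        """Steps 2-4: returns what happened to the first service packet."""
        if src_ip not in self.static_ips:
            return "drop: no static entry"
        reply = self.relay.handle_mac_query({OPT_REQUESTED_IP: src_ip})
        mac = reply[OPT_TERMINAL_MAC]
        if mac == DEFAULT_MAC:
            return "drop: counterfeit terminal"    # MAC could not be obtained
        self.auth_count += 1
        if not self.aaa(src_ip, mac):
            return "drop: authentication failed"
        self.forwarding[mac] = {"ipv4": src_ip, "ipv6": None}
        return "forward"

    def on_dhcpv6_request(self, mac: str) -> Optional[str]:
        """Step 5: second address without a second authentication if mac is known."""
        entry = self.forwarding.get(mac)
        if entry is None:
            return None   # assumption: unknown MAC takes the ordinary path, not modelled
        addr = self.v6_pool.pop(0)
        entry["ipv6"] = addr   # claim 5: second IP added to the user forwarding entry
        return addr


def run_page_scenario() -> dict:
    """The page's values 10.1.1.2 / 1-2-3 / 2001::2, plus two dropped cases."""
    relay = Relay(arp_table={}, link={"10.1.1.2": "1-2-3"})
    bras = Bras(relay, ["10.1.1.2"], aaa=lambda ip, mac: True, v6_pool=["2001::2"])
    first = bras.on_first_service_packet("10.1.1.2")
    second = bras.on_dhcpv6_request("1-2-3")
    unknown = bras.on_first_service_packet("10.1.1.9")   # not statically configured
    # A sender claiming 10.1.1.2 behind a relay whose ARP lookup never resolves it.
    fake = Bras(Relay({}, {}), ["10.1.1.2"], lambda ip, mac: True, ["2001::3"])
    return {"first": first, "ipv6": second, "auth_count": bras.auth_count,
            "entry": bras.forwarding["1-2-3"], "unknown": unknown,
            "fake": fake.on_first_service_packet("10.1.1.2"), "fake_auths": fake.auth_count}
```

The `auth_count` of 1 after both addresses are in use is the point of the scheme; the counterfeit case is dropped before any AAA request is made.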
An electronic device is further provided in the embodiments of the present application; as shown in fig. 3, it includes a processor 31 and a machine-readable storage medium 32, where the machine-readable storage medium 32 stores machine-executable instructions that can be executed by the processor 31, and the processor 31 is caused by the machine-executable instructions to implement the steps of the access control method.
The machine-readable storage medium may include a random access memory (RAM) or a non-volatile memory (NVM), such as at least one disk memory. Alternatively, the machine-readable storage medium may be at least one storage device located remotely from the processor.
The processor may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), and the like; it may also be a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
In yet another embodiment provided by the present application, a computer-readable storage medium is further provided, in which a computer program is stored, which, when being executed by a processor, realizes the steps of the above-mentioned access control method.
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the scope of protection of the present application.

Claims (10)

1. An access control method is applied to a Broadband Remote Access Server (BRAS) device with a Dynamic Host Configuration Protocol (DHCP) server function, and the method comprises the following steps:
when a service message sent by a terminal is received through a relay device for the first time, judging whether a first IP address carried in the service message hits a statically configured IP address table item, wherein the first IP address is a source IP address of the service message;
if so, acquiring the MAC address of the terminal from the relay equipment;
if the MAC address of the terminal is not acquired, discarding the service message;
if the MAC address of the terminal is obtained, initiating IP over Ethernet (IPoE) authentication for the terminal, processing the service message when the authentication result is that the authentication is passed, and generating a user forwarding table entry comprising the first IP address and the MAC address;
and if a first DHCP request message which is sent by the terminal and used for applying for a second IP address and carries the MAC address in the user forwarding table item is received through the relay equipment, distributing the second IP address for the terminal, and sending a first DHCP response message carrying the second IP address to the terminal through the relay equipment, wherein the IP protocol version of the second IP address is different from that of the first IP address.
2. The method of claim 1, further comprising:
and if the judgment result is negative, discarding the service message.
3. The method according to claim 1, wherein obtaining the MAC address of the terminal from the relay device specifically includes:
sending a second DHCP request message for requesting the MAC address of the terminal to the relay equipment, wherein the second DHCP request message carries the first IP address;
receiving a second DHCP response message aiming at the second DHCP request message and sent by the relay equipment;
if the content in the appointed Option field carried in the second DHCP response message is default content, determining that the MAC address of the terminal is not obtained;
if the content in the appointed Option field carried in the second DHCP response message is not the default content, determining the content in the appointed Option field as the MAC address of the terminal;
the second DHCP response packet is generated by the relay device in the following manner and sent to the BRAS device:
searching a local Address Resolution Protocol (ARP) table entry according to the first IP address;
if the ARP table entry corresponding to the first IP address is found, generating a second DHCP response message carrying the newly added content in the appointed Option field as the MAC address in the ARP table entry corresponding to the first IP address;
if the ARP table entry corresponding to the first IP address is not found, learning the corresponding ARP table entry based on the first IP address, and when the ARP table entry corresponding to the first IP address is successfully learned, generating a second DHCP response message carrying the newly added content in the appointed Option field as the MAC address in the ARP table entry corresponding to the first IP address; and when the ARP table entry corresponding to the first IP address is not learned, generating a second DHCP response message carrying the newly added content in the appointed Option field as the default content.
4. The method of claim 1, further comprising:
and when the authentication result is that the authentication is not passed, discarding the service message.
5. The method of claim 1, further comprising:
and after a second IP address is distributed to the terminal, the second IP address is added into the user forwarding table entry.
6. An access control device, characterized in that the device is applied to a broadband remote access server (BRAS) device with a Dynamic Host Configuration Protocol (DHCP) server function, and the device comprises an IP over Ethernet (IPoE) module and a DHCP module;
the IPoE module is used for judging whether a first IP address carried in a service message hits a statically configured IP address table item when the service message sent by a terminal is received through relay equipment for the first time, and triggering the DHCP module to acquire an MAC address of the terminal from the relay equipment when the judgment result is yes, wherein the first IP address is a source IP address of the service message;
the DHCP module is used for triggering the IPoE module to discard the service message when the MAC address of the terminal is not acquired; when the MAC address of the terminal is obtained, triggering the IPoE module to initiate IPoE authentication aiming at the terminal, and processing the service message when the authentication result is that the authentication is passed, and generating a user forwarding table item comprising the first IP address and the MAC address; and
when receiving a first DHCP request message which is sent by the terminal and used for applying for a second IP address and carries the MAC address in the user forwarding table item through the relay equipment, allocating the second IP address for the terminal, and sending a first DHCP response message carrying the second IP address to the terminal through the relay equipment, wherein the IP protocol version of the second IP address is different from that of the first IP address.
7. The apparatus of claim 6, wherein the IPoE module is further configured to:
and if the judgment result is negative, discarding the service message.
8. The apparatus according to claim 6, wherein the DHCP module is specifically configured to:
sending a second DHCP request message for requesting the MAC address of the terminal to the relay equipment, wherein the second DHCP request message carries the first IP address;
receiving a second DHCP response message aiming at the second DHCP request message and sent by the relay equipment;
if the content in the appointed Option field carried in the second DHCP response message is default content, determining that the MAC address of the terminal is not obtained;
if the content in the appointed Option field carried in the second DHCP response message is not the default content, determining the content in the appointed Option field as the MAC address of the terminal;
the second DHCP response packet is generated by the relay device in the following manner and sent to the BRAS device:
searching a local Address Resolution Protocol (ARP) table entry according to the first IP address;
if the ARP table entry corresponding to the first IP address is found, generating a second DHCP response message carrying the newly added content in the appointed Option field as the MAC address in the ARP table entry corresponding to the first IP address;
if the ARP table entry corresponding to the first IP address is not found, learning the corresponding ARP table entry based on the first IP address, and when the ARP table entry corresponding to the first IP address is successfully learned, generating a second DHCP response message carrying the newly added content in the appointed Option field as the MAC address in the ARP table entry corresponding to the first IP address; and when the ARP table entry corresponding to the first IP address is not learned, generating a second DHCP response message carrying the newly added content in the appointed Option field as the default content.
9. The apparatus of claim 6, wherein the IPoE module is further configured to:
and when the authentication result is that the authentication is not passed, discarding the service message.
10. The apparatus of claim 6, wherein the DHCP module is further configured to:
and after a second IP address is distributed to the terminal, triggering the IPoE module to add the second IP address to the user forwarding table entry.
CN202110222336.2A 2021-02-28 2021-02-28 Access control method and device Active CN112822218B (en)
Publications (2)

Publication Number Publication Date
CN112822218A true CN112822218A (en) 2021-05-18
CN112822218B CN112822218B (en) 2022-07-12
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant